HIPAA Information & Programs For Healthcare
Information topics are selected from the latest information published by regulatory and advisory agencies and from questions received by TMC Client Services. The latest changes mandated by the HITECH Act are included. The educational programs and products of TMC can assist you and your practice in meeting the requirements of these new regulations and help you with daily issues and questions.
Are You HIPAA Compliant?
Significant HIPAA changes began in 2009 and will continue for years due to changes dictated by the American Recovery and Reinvestment Act of 2009 (ARRA). Health and Human Services has published new HIPAA regulations and guidance as a result of the HITECH Act, which was a part of ARRA.
Just a few of the significant changes include new Breach regulations effective September 23, 2009; Business Associates became covered entities on February 17, 2010 requiring changes by practices and BAs; and the enforcement of HIPAA has been mandated and funded by Congress. The penalties are higher and mandatory in some cases.
Now is a good time to evaluate your level of compliance. Take a few minutes to go through a few questions. The questions do not represent all that is new or required but are examples of what is needed.
Authorizations
Disclosure of protected health information (PHI) without proper patient authorization, and/or releasing information when an authorization form does not meet the regulatory requirements, are among the top five complaint reasons received by the Office for Civil Rights (OCR). Often practices do not realize their authorization process is in violation of the regulation until they receive a patient complaint from the OCR or hear from an angry patient.
Some practices are using a consent process that was replaced in 2003 when the more formal authorization form was adopted. Practices may allow the patient to list others the practice may talk to about patient PHI in a way that is no longer acceptable. Now even more changes are being made as a result of the HITECH Act and subsequent regulations to implement the law. It is a good time to review the old and new requirements.
Guidance on the Breach Risk Analysis
When PHI is accessed or released in an inappropriate manner, a Covered Entity (CE) has an incident. An incident, intentional or accidental, sets in motion a series of actions and documentation that are required.
- Record the incident on an Incident Report and investigate the circumstances
- Record the incident in the patient file
- Determine if the inappropriate use or release is a breach – If a breach has occurred additional action will be required by the practice.
- Take corrective action to prevent another similar incident – correct processes, train employees, impose sanctions, etc.
To determine if an impermissible use or disclosure of protected health information constitutes a breach, covered entities and business associates will need to perform a risk assessment.
HHS Guidance on Encryption
The HITECH Act of 2009 required Health and Human Services to publish and update annually specific methodologies that could be used to render health information unusable and unreadable. If the data is protected in the approved manner, it will provide a safe haven from the reporting requirements defined for a breach in the event the data is lost, stolen, misplaced or an attempt is made to hack the data.
A covered entity can be in compliance with the Security Rule and not use the approved encryption methods, but if a breach occurs, notification will be required unless the approved encryption method is used.
Personal Representatives – Who are they? How do you deal with them?
When a person other than the patient is making decisions on the use or release of PHI for the patient you need to be very sure that person qualifies as a Personal Representative under HIPAA. Just being a caregiver does not satisfy the requirements of a personal representative. Multiple State and Federal laws may need to be considered in addition to HIPAA.
Understanding and having a policy for dealing with personal representatives in advance of a problem will help your office avoid issues and possible legal situations. If you deal with minors and/or seniors frequently, advanced training for employees on handling questions will help them and you avoid unpleasant experiences.
HIPAA Breach – Patient & HHS notification Required
The regulatory amendments for HIPAA and the HITECH Act require a Covered Entity to notify the patient and Health and Human Services of any breach that occurs. Until the Breach amendments to HIPAA in 2009, the HIPAA regulation did not have a mandatory breach notification requirement.
The final Breach regulations from Health and Human Services (HHS) were published in the Federal Register on August 21, 2009. The effective date was September 23, 2009. Take action to help prevent a breach and/or handle one properly when it happens.
Patient Breach Letter Content Requirements
The final breach regulations, effective September 23, 2009, required that the patient whose information was accessed, used or released in an inappropriate manner (breach) must be notified of the breach by letter. The regulation defined what must be included in the required letter to the patient.
While you want to be sure the letter includes the required information, you also want to be sure the letter is easily understood and does not overstate the possibility of significant harm. Poorly written letters can generate more phone calls or patient concern than necessary.
What should be in a Business Associate Agreement?
If you have not updated your Business Associate agreements recently (within the last 6 months), you might want to take a look at them now. Breach regulations were effective September 23, 2009, and with the new regulations came the opportunity for a Business Associate to make a mistake that could create significant financial and reputational risk for a Covered Entity (Healthcare Practice), unless your BA contract makes the BA responsible for notification expenses and other financial losses resulting from their actions.
Then in July 2010 Health and Human Services published new proposed regulations on a number of other HIPAA regulations including regulations about Business Associate activities. The HITECH Act made Business Associates Covered Entities in February 2010 and the proposed regulations provide the details of exactly what that means to CEs and BAs. These proposed regulations also cover other changes that impact the relationship between BAs and CEs and therefore the contracts.
Now is a good time to add these new items to your contracts or at least review the ones you have in place to be sure you are protected. It is also a good time for you and your BAs to learn more about these requirements. A delay could be costly.
Encryption & Destruction of PHI – The Only Solutions
Encrypt electronic Protected Health Information (PHI) and you have safe harbor from breach notification in the event the data is lost or stolen. No other means used to protect PHI will let you avoid patient, HHS and media notification. Given the expense of breach notification, it is, in most cases, an easy decision to adopt these strict standards to protect electronic PHI.
You can meet the standards of the Security Rule with other means of protection, but if the backup file, laptop or thumb drive is lost or stolen, you will not have safe harbor from breach notification requirements. You are required by law to notify all patients on the file unless encryption was used. Take action now to ensure all data possible is encrypted.
Proposed Regulations add new Patient Right to Access Report
Under proposed regulations, there will be a Right to an Accounting of Disclosures AND a right to receive information on any access to PHI in electronic format even if it was accessed by an employee of the practice for treatment, payment or operational purposes. HHS chose this method to best implement the requirements defined by the HITECH Act on this topic.
The HITECH Act made the reporting of access for treatment, payment and operations mandatory. The only question remaining was how HHS would make that happen. While some parts of the proposed regulations on the Access Report may change before the Final Regulations are published, the core elements will likely remain the same.
Some practices have already been using access reports to detect snooping and inappropriate behavior by employees. We read about the high-profile cases, such as hospital employees looking at records of celebrities, but access audit reports are used in practices to try to prevent breaches.
Accounting of Disclosures – Proposed Revisions
The proposed regulations to implement the required HITECH Act changes related to the Accounting of Disclosures patient right added a new patient right to obtain an Access Report, changed timeframes, placed new responsibilities on business associates and made some significant changes to the old Accounting of Disclosures process and report. See other articles on the details of each of the above issues on the TMC website under HIPAA and/or in TMC Newsletters.
Five Major Changes to Accounting of Disclosure Regulations
Proposed Regulations Published
Proposed regulations to implement the Accounting of Disclosures changes mandated by the HITECH Act of 2009 have been published by the Department of Health and Human Services.
While there are many details that will change related to each of the items, there are five major categories of change. The list of changes with a brief explanation is below. See other articles in the TMC newsletter or on the website for the details and for recommended action by practices and business associates.
- Five Major Changes to Accounting of Disclosure – Proposed Regulations Published
- Accounting of Disclosure Report Changes
- CE & BA Action Now & Later for Accounting of Disclosures
Action Now & Later for Accounting of Disclosures Changes
Healthcare practices and business associates will have to make some changes to comply with the regulations implementing the changes to the Accounting of Disclosure right.
Before you begin taking any action discussed below, be sure you read and understand the changes proposed by Health and Human Services related to the current Accounting of Disclosures and the HITECH Act changes required. Read the previous articles written on the subject to better understand the magnitude of the effort and the change. The articles can be found on the TMC website: on the Home page, select HIPAA from the Compliance Information box.
- Proposed Regulations on HITECH Changes for Accounting of Disclosures
- New Patient Right to Receive an Access Report
- Changes to the Accounting of Disclosures Report