HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Covered Entities Must Share PHI with Patients Even if it is Requested in an Unencrypted Format


This month, Atlantic Information Services reported that covered entities must provide patients with their ePHI when they request it, in a format that the patient can open on their computer. Does this mean Covered Entities may have to send unencrypted emails containing electronic Personal Health Information (ePHI) to their patients? It depends on what the patient requests.

The HHS statement that patients have the right to access their ePHI and that covered entities “must provide this access in the manner requested by the individual” has created confusion. Covered entities are now left trying to find ways to provide patients access to their ePHI without violating HIPAA requirements.

The Privacy Rule “allows the use of unencrypted email when communicating ePHI between the healthcare provider and the patient…provided they apply reasonable safeguards when doing so”. [1]

Examples of safeguards include:

  1. Check the email address for accuracy.
  2. Send email to confirm the recipient before sending the ePHI.
  3. Limit the amount of information disclosed.
  4. Encrypt emails.

Many covered entities have policies in place requiring all email containing ePHI be encrypted, and we at Total HIPAA Compliance fully support these policies. Patients may complain about opening an encrypted email, but the alternative is that you are potentially exposing their unencrypted Protected Health Information to all kinds of unknown risks. An unencrypted email can go through multiple servers before it reaches its final destination, and every server it stops in on its way to its final destination is another potential failure point.

How do you protect your patients while giving them access to their information in the format requested?

  1. Don’t explicitly offer unencrypted communication – I know this sounds disingenuous, but if you have a communication request from a patient, it’s always best to default to sending those communications encrypted.
  2. Explain the risks of sending unencrypted communications – Most non-technical people don’t understand the risks they are taking by sending communications unencrypted. You can relate the privacy level to sending an electronic postcard listing all their requested information. It is estimated that medical identity theft costs an individual $13,500. [2] This is a major reason to insist that all communications with patients be encrypted.
  3. Make the barrier for unencrypted communication high. HHS states that if the healthcare provider feels the patient is not aware of the risks of using unencrypted email for ePHI, or has concerns about liability, they can inform the patient of those risks and allow the patient to make the decision. If the patient then decides to request receipt of the ePHI by unencrypted email, the covered entity will be exempt from possible liability because the patient has given explicit permission to receive the ePHI in unencrypted form. Make sure the client signs off each time there is a request for unencrypted communication. This burden may push a client to receive information encrypted.
  4. Here is a form you can use if a client insists on having communications sent unencrypted.

Ways to Make Patient Communication Easier While Using Encryption:

Patient Portals
A patient portal is a secure website that patients can access with a username and password. Portals allow patients to access their ePHI through an internet connection. This is an elegant way to provide the patient with their PHI and not expose the information to hackers.

Use a different encrypted email provider
There are many HIPAA compliant email encryption services you can use. Some are easier for patients to use than others. If your patients are consistently complaining, maybe it’s time to look into a new provider. There are many great options out there that will integrate with your EHR.

Two of our favorite encrypted email platforms for ease of use and cost are:

  1. Virtru. This application allows users to integrate with almost any email provider. Virtru Pro is HIPAA compliant and will sign a Business Associate Agreement. Virtru offers end-to-end encryption with the ability to revoke a message at any time. Virtru makes it easy for the sender to encrypt messages and for the receiver to respond encrypted.
  2. Protected Trust is also another great product. The email recipient has to be registered with Protected Trust, but this is free for your patients. Protected Trust offers many different verification options for the recipient, including sending recipients a phone call or text message to verify their identity. This application is easy to use for the receiver since they do not have to install any software or create a new email address.

The HIPAA Omnibus update strives to make communication between providers and patients easier as well as protect the privacy of your patients. This can be tricky for the health care provider, but patients always have the right to access their own PHI, and it is up to healthcare providers to grant them that access. As patients begin to demand more communication, covered entities will have to figure out the best way to do this, while remaining HIPAA compliant.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


Patients Demand the Best Care … for Their Data


Whether it’s a senior’s first fitting for a hearing aid, or a baby boomer in for a collagen injection, both are closely scrutinizing new patient forms handed to them by the office clerk.  With 100 million medical records breached and stolen to date, patients have every reason to be reluctant when they’re asked to fill out forms that require their social security number, driver’s license, insurance card and date of birth — all the ingredients for identity fraud.  Patients are so squeamish about disclosing their personal information, even Medicare has plans to remove social security numbers on patients’ benefits cards.


Now patients have as much concern about protecting their medical records as they do about receiving quality care, and they’re getting savvy about data protection.  They have every right to be assured by their physician that his practice is as concerned about their privacy as he is about their health.


But despite ongoing reports of HIPAA violations and continuous breaking news about the latest widespread patient data breach, medical practices continue to treat ePHI security as a lesser priority.  And they neglect to train front office staff so the patient who now asks a receptionist where the practice stores her records either gets a quizzical look, or is told they’re protected in an EHR but doesn’t know how, or they’re filed in a bank box in “the back room” but doesn’t know why.


In some cases, the practice may hide the fact that office staff is throwing old paper records in a dumpster. Surprisingly this happens over and over.  Or, on the dark side, the receptionist accesses the EHR, steals patients’ social security numbers and other personal information and texts them to her criminal boyfriend for medical identity theft.


Another cybercrime threatening medical practices comes from hackers who attack a server through malware and encrypt all the medical files.  They hold the records hostage and ask for ransoms.  Medical records can vanish and the inability to access critical information about a patient’s medical condition could end up being life threatening.

Physicians should not only encrypt all mobile devices, servers and desktops, regularly review system activity, back up their servers and have a disaster recovery plan in place; they should also share their security practices and policies with the patient who asks how his office is protecting her records.


Otherwise, the disgruntled patient whose question about security is dismissed won’t only complain to her friends over coffee, she’ll spread the word on Facebook.  Next time a friend on Facebook asks for a referral the patient tells her not to go to her doctor — not because he’s an incompetent surgeon but because he doesn’t know the answer when she asks specifically if the receptionist has unlimited access to her records.


And word gets out through social media that the practice is ‘behind the times.’  The doctor earns a reputation for not taking the patient’s question seriously, and for not putting the proper measures in place to secure the patient’s data.  This is the cockroach running through the restaurant that ends up on YELP.


It’s time to pull back the curtain and tell patients how you’re protecting their valuable data.  Hand them a HIPAA security fact sheet with key measures you’ve put in place to gain their confidence.  For example, our practice:


  • Performs annual risk assessments, with additional security implemented, including encryption and physical security of systems that contain patient information
  • Shows patients that the organization has policies and procedures in place
  • Trains employees on how to watch for breach risks
  • Gives employees limited access to medical records
  • Backs up systems daily
  • Reviews system activity regularly


Practices that communicate to patients how they are protecting their information, whether it’s provided by the front office staff, stated in a fact sheet or displayed on their websites, not only instill confidence and maintain their reputations, they actually differentiate themselves in the marketplace and attract new patients away from competitors.


HITECH Act Stage 3: Security Concerns


Some healthcare associations, including those representing IT and security leaders, are seeking more clarity from federal regulators about proposed security and privacy requirements for Stage 3 of the HITECH Act "meaningful use" incentive program for electronic health records. Among the concerns raised were issues related to EHR risk assessments and patients' electronic access to their health information.


Stage 3 of the HITECH Act incentive program is slated to begin in 2017 or 2018. Beginning in January 2018, healthcare providers lacking a certified EHR system will begin to face financial penalties.

The concerns cited by the various healthcare associations echoed some of the worries expressed by security and privacy experts shortly after the proposed rules were issued in March.


May 29 was the deadline for public comment on proposed rulemaking by the Department of Health and Human Services. On March 20, HHS' Centers for Medicare and Medicaid Services issued a notice of proposed rulemaking for Stage 3 of the Medicare and Medicaid EHR incentive program. Meanwhile, HHS' Office of the National Coordinator for Health IT issued a proposed rule spelling out updated requirements for EHR software that qualifies for the incentive program: 2015 Edition Health Information Technology Certification Criteria.

Security Assessment Concerns

Under Stage 3 of the HITECH incentive program, which already has provided nearly $30 billion in incentives to eligible hospitals and healthcare professionals for "meaningfully" using EHRs, these healthcare providers can qualify to receive additional incentives by achieving a proposed new list of objectives. One of those proposed requirements deals with risk assessments.


While healthcare providers are still expected to conduct a broader HIPAA security risk analysis, the Stage 3 proposal states that healthcare providers must conduct an assessment that specifically looks at risks to information maintained by the certified EHR technology.


Here's the language in the HHS proposal, which some commenters found confusing, or even unnecessary, in light of existing HIPAA requirements: "The requirement of this proposed measure is limited to annually conducting or reviewing a security risk analysis to assess whether the technical, administrative and physical safeguards and risk management strategies are sufficient to reduce the potential risks and vulnerabilities to the confidentiality, availability and integrity of ePHI created by or maintained in [the certified EHR technology]."


The College of Healthcare Information Management Executives, an association of healthcare CIOs and other IT leaders, in its comments to HHS called the risk assessment proposal "superfluous, given the fact that the HIPAA privacy and security requirements already apply to providers and we see no need to impose any additional requirements through the EHR meaningful use program."


But CHIME added in its comments to HHS: "We understand and agree with the need to protect electronic personal health information. As such, our concern is that providers may be confused over the timing of required assessments or reviews."


To clarify and simplify the objective, CHIME suggested HHS rework the proposal to state that eligible healthcare providers must conduct the security risk analysis upon initial installation of certified EHR technology or upon upgrade to a new edition of certified EHR technology.


CHIME contends that this clarification "will help providers understand their responsibilities vis-à-vis this objective and avoid any possible misunderstanding that reviews be required every time a provider receives a patch or other update to their EHR from a vendor."

Guidance Sought

Meanwhile, another association of health IT professionals, the Healthcare Information and Management Systems Society, said it generally supports the government's risk assessment proposal, but that many healthcare sector organizations still need more guidance on how to conduct a risk analysis.


"HIMSS observes that providers today likely need to increase the frequency of their security risk analysis," the organization says in its feedback. "However, merely doing the security risk analysis without addressing the risks may not lead to adequate safeguarding of the ePHI. Accordingly, risk management should be done as well, and providers need to be educated on how to manage risk in today's electronic environment."


HIMSS recommends the proposed requirement for Stage 3 be modified "so that providers not only do the security risk analysis, but also address the risks themselves." HIMSS also recommends that providers receive guidance on where to obtain security updates and how to correct deficiencies. "HIMSS recommends that providers need guidance on what an acceptable baseline is for a security risk analysis - without such guidance, some providers may conduct [minimal] security risk analysis, expending only a handful of hours to do such a task."

Other Concerns

Some healthcare associations also wrote in their feedback that they were concerned about a Stage 3 proposal regarding providing patients with electronic access to their records.


Under the HHS proposal, patients may either be provided access to view online, download, and transmit their health information through a patient Web portal or provided access to an application program interface certified by ONC. Those APIs can be used by third-party applications or devices.


In its comments, CHIME says it opposes the API provision. "There is tremendous uncertainty regarding APIs, including potential security and authentication issues, and even whether they will be readily available in [technology] vendor products by 2018."


Similarly, the American Hospital Association wrote in its comments: "Stage 3 proposals, such as relying on third-party applications to access sensitive patient data in EHRs, may be a successful mechanism for the exchange of patient data information, but they raise important questions about patient privacy and information security that must be carefully considered."


An HHS spokesman tells Information Security Media Group that ONC and CMS "are now reconciling and beginning to review all of the comments. We don't yet have a total count of the number of comments, nor have we had time to separate them by issue. We are now beginning the process to get us to the issuance of the final rules, which we expect to be later this summer."


Medical Staff Resistance to HIPAA Compliance


Recently, while reading a 2013 article in Information Week, "Doctors Push Back Against Health IT's Workflow Demands," I thought about various scenarios individuals have brought to my attention. It is indisputable that both the healthcare industry and physicians have been dealing with a dramatic shift in the landscape and, in turn, having to adapt to and implement a variety of new processes. In the article, the authors say, "There's a powerful force working against the spread of health IT: physician anger, as doctors resist adopting workflows that can feel to them more like manufacturing than traditional treatment." There are several reasons for this: uncertainty in reimbursement, the transition to ICD-10, and compliance requirements related to HIPAA and the Affordable Care Act.

Some of the situations that have been brought to my attention include: entities refusing to sign a Business Associate Agreement (BAA), refusing to choose a vendor because a password is required to be utilized and periodically changed in order to text message, and giving a username/password to other members of the care team to change or augment the electronic health record. Needless to say, all of these scenarios are problematic for several reasons. First and foremost, they violate the legal standards set forth in HIPAA, the HITECH Act, and the 2013 Final Omnibus Rule. Second, engaging in these practices makes the person more vulnerable. Lastly, refusing to utilize a password in order to optimize both IT security and compliance is foolish.


At its core, a Business Associate Agreement is required between parties who create, receive, maintain, or transmit protected health information (PHI) on behalf of or for a covered entity. The phrase "on behalf of or for" is crucial because it extends beyond the relationship between the covered entity and a single business associate. This is the requirement of federal HIPAA. States may, and in fact do, have more stringent requirements.


One of the greatest areas of vulnerability is texting sensitive data using smartphones. Hence, it is crucial to make sure that the iPhone app is encrypted and requires a password (ideally, with a two-factor authentication method). Yet I have heard stories where physicians belligerently refuse to adopt a technology because of that requirement.

Lastly, providing a nurse or PA with access to a medical record utilizing the physician's user name and password is absurd. Think of the Ebola case in Dallas, Texas, where the nurses left notes in one section that the physicians did not read. What if both individuals had used the same user ID and password? How easy would it be to look at the audit log and determine who made the entry? The level of legal liability associated with this practice is exponential.


Given that these scenarios really do happen, what steps can be taken by physicians and other entities? Here are a few suggestions:


• Adopt a "no tolerance" policy and sanctions for non-compliance from the medical staff in relation to HIPAA compliance. Many organizations have these in place.

• Get your Business Associate Agreements in order and keep a log of all the vendors, business associates, and other entities that need to have one — along with the date they were executed.

• Never give your user ID/password to anyone; the system administrator has it.



The New World of Healthcare Cybercrime


In healthcare, the number and volume of breaches are ever increasing. For many of these breaches, phishing is the initial point of compromise. The human tends to be the weakest link, and so hackers tend to exploit the low-hanging fruit. Much of the information that is exfiltrated ends up on the black market (e.g., medical identity information, intellectual property, financial information, etc.).


We often hear about healthcare information being very valuable on the black market. But, for anyone who may dare to look at the dark web or even public dump sites, the black market can indeed be somewhat of a scary place—or at least, eye opening. The type of information which is traded on the black market includes healthcare and related identity information and bad actors may use the stolen information to commit medical identity theft and fraud. Indeed, the Medical Identity Fraud Alliance has a lot of information on this subject, including a survey on point.


And, now, law firms that support healthcare organizations and other entities are the target of hackers. Law firms have valuable information, such as data on mergers and acquisitions, intellectual property, protected health information, and other types of sensitive information which they are entrusted to safeguard on behalf of their clients. Indeed, several law firms have reportedly been considering standing up a law firm information sharing and analysis center “to share and analyze information and would permit firms to share anonymously information about hackings and threats on computer networks in much the same way that bank and brokerage firms share similar information with the financial services group.”


All businesses, including healthcare organizations, need to make cybersecurity a business priority. Just like other kinds of risk management, cybersecurity needs to be part of the equation. Reacting to incidents, in the long run, will only prove to be very costly for your organization, in terms of expenditure, manpower, and damage to your organization’s goodwill. Instead, appropriate investment needs to be made in technology and skilled personnel to detect and remove hackers from systems and to make it more difficult for hackers to infiltrate into the systems.


In addition, avoid being low-hanging fruit for the hackers. Practice good cyber hygiene, adopt and implement an appropriate security framework and best practices for your organization, have a culture which embraces information security, be vigilant, and call in the good guys when you are in need of help (or even before there is a problem). The importance of information security has increased as a priority for many organizations—it should have a high priority for yours as well. The cyber threat is real and we all need to stay ahead of it.



Hospital email hack compromises PHI of 4,400 patients


Hackers gained access to the email accounts of employees at St. Mary’s Health in Evansville, Indiana, by uncovering their usernames and passwords. The hack exposed the PHI of nearly 4,400 St. Mary’s patients, according to a breach notice.

What’s more, some have speculated that St. Mary’s may have violated the HIPAA Breach Notification Rule as it appears it did not notify individuals of the breach within 60 days of initial discovery. On December 3, 2014, St. Mary’s learned that its employees’ usernames and passwords were compromised. After launching an investigation, the healthcare facility discovered January 8 that the compromised email accounts contained patient PHI. St. Mary’s posted a breach notification letter on its website March 5 stating that it would also notify affected individuals by mail and alert media outlets.

PHI linked to the compromised email accounts included:

  • Names
  • Dates of birth
  • Gender
  • Dates of service
  • Insurance information
  • Limited health information
  • Some Social Security numbers



Illinois hospital blackmailed with release of patient data


Clay County Hospital in Flora, Ill., has received an anonymous blackmail email threatening to release some patient data unless the sender receives a "substantial payment from the hospital," according to a news release.

The hospital notified law enforcement, launched an investigation to determine the source and scope of the threat and notified all affected patients.

The compromised data pertains to patients who visited a Clay County Hospital clinic on or before February 2012 and includes patient names, addresses, Social Security numbers and birth dates. No medical information has been accessed, according to the release.

A CIO report indicates the hospital is not disclosing how many people are involved in the data breach, but it does not believe the data has been released so far.

The forensic investigation also determined that hospital servers have not been hacked and remain secure.

Clay County Hospital plans to implement extra internal security measures to prevent future incidents like this, including additional logging systems and auditing features to track and control data access.




HIPAA Criminal Violations on the Rise


Stories appear almost every day about medical records being improperly accessed, hacked or otherwise stolen. The number of stories about such thefts is almost matched by the number of stories about the high value placed upon medical records by identity thieves and others. This confluence of events highlights the pressure being faced by the healthcare industry to protect the privacy and security of medical records in all forms.


While stories about hacking and other outside attacks garner the most attention, the biggest threat to a healthcare organization’s records is most likely an insider. The threat from an insider can range from snooping (accessing and viewing records out of curiosity) to more criminal motives, such as wanting to sell medical information. Examples of criminally motivated insiders, unfortunately, are increasing.


One recent example occurred at Montefiore Medical Center in New York where an assistant clerk allegedly stole patient names, Social Security numbers, and birth dates from thousands of patients. The hospital employee then sold the information for as little as $3 per record. The individuals who acquired the information used it to allegedly go on a shopping spree across New York for over $50,000.

Another recent example comes out of Providence Alaska Medical Center in Anchorage, AK. In Anchorage, a financial worker at a hospital provided information about patients to a friend. Unfortunately, that friend had injured those patients and was under criminal investigation for it. The friend wanted to know whether either of the patients had reported him to the police. Clearly, the access by the financial worker was improper.


While it could previously be said that instances of criminal convictions or indictments were rare, the examples do appear to be coming with increasing frequency. What should organizations do? Is this conduct actually preventable? As is true with HIPAA compliance generally, the key is to educate and train members of an organization’s workforce. If someone is unaware of HIPAA requirements, it is hard to comply.

However, it can also be extremely difficult to prevent criminal conduct altogether. If an individual has an improper motive, that individual will likely find a way to do what they want to do. From this perspective, organizations cannot prevent the conduct, but should consider what measures can be taken to mitigate the impact of improper access or taking of information. It would be a good idea to monitor and audit access to and use of information, so as to catch when information may be going out or being accessed inappropriately. Overall, the issue becomes one of how well an organization monitors its systems and takes action when a suspected issue presents itself.
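As an added illustration of the access monitoring recommended above, and of the audit-log attribution problem raised in the earlier piece on staff sharing a physician's username and password, here is a small detection routine run over a constructed EHR audit log. It is example code written for this page, not taken from any of the articles or from any EHR product. The log format, the role-based daily limits, the care-team assignment table and the five-minute "same account, different workstation" window are all assumptions chosen for the demonstration; a real deployment would draw them from the EHR's own audit export and staffing data.

```python
"""Flag potentially inappropriate chart access in an EHR audit log.

Three checks, each corresponding to an insider-risk pattern discussed on the page:
  1. a clinical user opening the chart of a patient not on their care team,
  2. a user opening far more distinct charts in a day than their role warrants,
  3. one account active on two different workstations within minutes, which is
     the typical trace of shared credentials and makes the log useless for
     attribution.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (no real data). One row per chart access.
_HEADER = "timestamp,user_id,role,workstation,patient_id,action"
_ROWS = [
    "2015-06-01T08:05:00,rn_lopez,nurse,WS-ICU-1,P1001,view",
    "2015-06-01T08:07:00,rn_lopez,nurse,WS-ICU-1,P1002,view",
    "2015-06-01T08:09:00,dr_chen,physician,WS-ICU-2,P1001,view",
    "2015-06-01T08:11:00,dr_chen,physician,WS-ER-4,P1003,view",  # same account, other room, 2 min later
    "2015-06-01T21:40:00,rn_lopez,nurse,WS-ICU-1,P2000,view",    # patient not on this nurse's care team
]
# A billing clerk paging through 20 charts in one morning (assumed limit for billing: 15).
_ROWS += [f"2015-06-01T09:{i:02d}:00,clerk_01,billing,WS-FRONT-1,P{1100 + i},view" for i in range(20)]
SAMPLE_LOG = "\n".join([_HEADER] + _ROWS) + "\n"

# Assumed care-team assignments (which patients each clinical user is responsible for).
CARE_TEAM = {"rn_lopez": {"P1001", "P1002"}, "dr_chen": {"P1001", "P1002", "P1003"}}
# Assumed per-role ceiling on distinct charts viewed per calendar day.
DAILY_DISTINCT_LIMIT = {"nurse": 25, "physician": 40, "billing": 15}
# Assumed window: the same account on two workstations this close together is suspect.
SHARED_ACCOUNT_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse the CSV audit export into dicts, adding a datetime field 'ts'."""
    events = list(csv.DictReader(io.StringIO(text)))
    for e in events:
        e["ts"] = datetime.fromisoformat(e["timestamp"])
    return events


def find_suspicious(events):
    """Return a list of (finding_type, user_id, detail) tuples."""
    findings = []
    per_user_day = defaultdict(set)   # (user, role, date) -> distinct patient ids
    last_seen = {}                    # user -> (ts, workstation) of the previous event
    for e in sorted(events, key=lambda x: x["ts"]):
        user, pid = e["user_id"], e["patient_id"]
        per_user_day[(user, e["role"], e["ts"].date())].add(pid)

        # Check 1: clinical staff outside their care-team assignment.
        if user in CARE_TEAM and pid not in CARE_TEAM[user]:
            findings.append(("no_care_relationship", user, pid))

        # Check 3: same account, different workstation, within the window.
        prev = last_seen.get(user)
        if prev and prev[1] != e["workstation"] and e["ts"] - prev[0] <= SHARED_ACCOUNT_WINDOW:
            findings.append(("possible_shared_account", user, f"{prev[1]}->{e['workstation']}"))
        last_seen[user] = (e["ts"], e["workstation"])

    # Check 2: daily volume of distinct charts against the role ceiling.
    for (user, role, _day), patients in per_user_day.items():
        if len(patients) > DAILY_DISTINCT_LIMIT.get(role, 10):
            findings.append(("excessive_volume", user, len(patients)))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse_log(SAMPLE_LOG)):
        print(*finding)
```

Each finding is a lead for a human reviewer, not proof of wrongdoing: a nurse floated to another unit or a clerk reconciling a large claims batch will trip these checks legitimately. The value is that the organisation now has a routine that surfaces such events for review instead of discovering them months later from a patient complaint, and check 3 in particular shows why individual credentials matter: once two people use one login, the log can no longer say who made an entry.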


State agency HIPAA security gaffe puts patient data on the Internet


A Texas state agency has come forward to notify its Medicaid recipients that due to security shortfalls, their Social Security numbers and protected health information became accessible on the Internet.


The Texas Department of Aging and Disability Services, a state agency responsible for administering support and services for aging individuals and people with disabilities, announced June 11 a data breach following the "unintentional release" of personal data. The breach impacted 6,600 of its Medicaid recipients, state officials said, including the compromise of their names, dates of birth, addresses, Social Security numbers, Medicaid numbers and clinical diagnoses and treatment information.


According to the agency notice, the department was notified that patient information was available via the Internet on April 21, 2015. Officials provided no additional details on the incident. As of publication time, they had not responded to Healthcare IT News' inquiries about what occurred and whether a third-party vendor was involved.


In the notice, there were no apologies issued from department officials over the incident, but they did indicate they had "strengthened" Web-app security and policies "in an effort to prevent such a breach from occurring again."


To date, nearly 135 million people have had their protected health information compromised in reportable HIPAA breaches, according to data from the Office for Civil Rights, the HHS division responsible for enforcing HIPAA. In this tally, only HIPAA breaches involving 500 or more individuals are counted.


In Texas, specifically, since the HIPAA breach notification rule went into effect in 2009, nearly 3.6 million people have had their protected health information compromised. One of the biggest HIPAA violators in the state has been the University of Texas MD Anderson Cancer Center, with officials reporting three HIPAA breaches since 2012, impacting nearly 35,000 individuals.


The HealthTexas Provider Network, which is affiliated with Baylor Scott & White Health, has also reported three HIPAA breaches since 2011, including a case of hacking, unauthorized access and theft of an unencrypted laptop.

Cameron's curator insight, July 2, 2015 5:59 PM

The article involves a situation where health information was leaked into the Internet due to security breaches in the system of a Texas cancer treatment facility. 

Medical information is something I believe a lot of healthy, less frequent doctor visitors, and everyone, forgets about, and it is one of the most identifiable things when it comes to finding out who someone is. The hack that happened in Texas caused Social Security numbers to be leaked as well as patient diagnoses and treatment information. Social Security information in the wrong hands can ultimately ruin lives. Once your identity in its most technical form, such as your Social Security Number, is stolen, there is not much you can do to get it back. In health communications class we have seen the dangerous amount of information that insurance and medical facilities have on people. The Internet just turns it into an even bigger sea to fish your personal data out of.


Data Breach Insurance: Does Your Policy Have You Covered?


Recent developments in two closely watched cases suggest that companies that experience data breaches may not be able to get insurance coverage under standard commercial general liability (CGL) policies. CGLs typically provide defense and indemnity coverage for the insured against third-party claims for personal injury, bodily injury or property damage. In the emerging area of insurance coverage for data breaches, court decisions about whether insureds can force their insurance companies to cover data breach costs under the broad language of CGLs have been mixed, and little appellate-level authority exists.


4 Ways That HIPAA Encourages the Disclosure of Health Information - HITECH Answers


What’s the first word that comes to mind when you see the term “HIPAA”? For many individuals in the healthcare market, the word is “NO.” “Just say no” is a common answer for covered entities and business associates when they are faced with a decision about whether to disclose health information.


But what if I told you that HIPAA actually permits (and even requires) you to say “yes” to many disclosures of health information?

One of the most overlooked aspects of HIPAA is that there are sections that encourage the free-flow of information. Examples include: (1) disclosures for treatment purposes, (2) disclosures for patient access, (3) disclosures to minimize an imminent danger, and (4) disclosures that are required by state laws.


Disclosures for Treatment Purposes


Let’s get one thing clear: HIPAA allows the disclosure of health information for treatment purposes.


A common misconception among providers is that HIPAA prevents or limits health care providers from sharing health information between each other to provide care for a patient.


This is not true.


I also commonly hear the idea that HIPAA requires a Business Associate Agreement in order for a provider to share health information for the purpose of treating a patient.


This is not true.


In fact, the HIPAA treatment disclosure exception is so broad that it applies to disclosures between health care providers AND the “coordination or management of health care” by a provider and a third party.


The third party does not even have to be a health care provider!

For example, an eye doctor can disclose health information to a contact lens distributor in order to confirm a prescription. The distributor is not a health care provider, but the disclosure is for the purpose of treatment of the patient.


Patient Access


One common belief is that patients do not have an unfettered right to access their entire medical record.


Many providers feel that they, not the patient, have ownership of the patient’s health information and have no obligation to give the patient unrestricted access.


This opinion has led to more than one Office for Civil Rights investigation.


In reality, HIPAA gives patients broad rights to access their health information and health care providers are required to honor patient requests. Patients are also not required to fill out an Authorization for Release of Records when requesting their own health care information.

With that said, there are some important exceptions to the patient’s access rights under HIPAA, including the limitation on accessing psychotherapy notes, information compiled in anticipation of a lawsuit, or if the access is prohibited under some other law.


But in general, patients have the right to access all of their health information that a provider uses to make treatment decisions about a patient. This includes any health information that a provider received from other providers.


Denial of such access could constitute a HIPAA violation.


Disclosures to minimize an imminent danger or assist law enforcement
Another way that HIPAA encourages the disclosure of health information is seen in the allowable disclosure to minimize an imminent threat to health or safety of an individual or of the public.


HIPAA permits covered entities to disclose health information to persons reasonably able to prevent or lessen the threat.

In addition, HIPAA permits covered entities to disclose health information to law enforcement authorities to identify or apprehend an individual in the following circumstances:

  • An individual makes a statement admitting participation in a violent crime that the covered entity reasonably believes may have resulted in serious physical harm to the victim.
  • Where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody.


There are some key exceptions to this permissive disclosure for mental health counselors. State laws may further restrict the extent of the disclosure exceptions.


However, these are important exceptions that can prevent danger to members of the community.


Disclosures Required by State Law


Another permissive type of disclosure under HIPAA is any disclosure required by state law. A few common disclosure obligations under state law are:

  • Reporting cases of child abuse
  • Reporting cases of vulnerable adult abuse
  • Reporting to law enforcement if an individual has certain types of wounds (e.g. bullet wound).


The HIPAA “required by law” disclosure exception makes it essential for covered entities and business associates to review their state mandatory reporting laws.


Focusing only on the federal HIPAA regulations to inform your disclosure obligations is a mistake.


Conclusion


HIPAA does not always mean “no.”

Of course, it is easy for healthcare market participants to believe this stereotype, given how common the horror stories of large fines levied on covered entities and business associates who improperly disclose health information have become.


However, there are many permissive (and some required) disclosures under HIPAA that covered entities and business associates must understand and implement in their business operations.

Learning the types of health information disclosures that HIPAA prohibits and encourages will facilitate the proper flow of information, improve patient experience, and help avoid costly government investigations and fines.


Premera knew systems were vulnerable prior to attack


An audit report received by Premera three weeks before the Mountlake Terrace, Washington-based health payer's systems were breached warned of looming network security issues. The health insurer revealed this week that a "sophisticated cyberattack" put the personal information of 11 million customers at risk.

The report, sent by the U.S. Office of Personnel Management's Office of the Inspector General to Premera on April 18, 2014, outlined several vulnerabilities, including:

  • A lack of timely patch implementations
  • Lack of methodology to "ensure that unsupported or out-of-date software is not utilized"
  • Insecure server configurations

Premera's systems were first breached on May 5, 2014, but the intrusion was not detected until Jan. 29 of this year.

The final report was published publicly in November 2014.

OPM made several recommendations to Premera, based on the report's findings, including:

  • Reconfiguration of the company's information systems
  • Implementation of procedures and controls to update production servers in a timely manner
  • Implementation of procedures to ensure that only supported software systems are used
  • Routine audits of all security settings
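The first two findings in the OPM list above (patches not applied promptly, and unsupported or out-of-date software still in use) are the kind of control failure an inventory sweep can catch mechanically. The script below is an added example, not Premera's or OPM's tooling; the 30-day patch SLA, the host and product names, the versions and the dates are all constructed for illustration.

```python
"""Inventory check for two of the OPM findings: patches not applied in a timely
manner, and unsupported or out-of-date software in production.

Added example; not code from Premera, OPM or the article. The patch SLA, the
inventory records and the audit date are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed policy (not from the OPM report): a production server must be on
# the current patch level within 30 days of that patch being released.
PATCH_SLA_DAYS = 30

# Date the OPM report was sent to Premera, used as the audit day for the sample run.
AUDIT_DATE = date(2014, 4, 18)


@dataclass
class InstalledSoftware:
    host: str
    product: str
    installed_version: str
    latest_version: str
    latest_release: date            # publication date of latest_version
    end_of_support: Optional[date]  # None while the vendor still supports the product


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version to a comparable tuple ("2.2.27" -> (2, 2, 27)).
    Non-numeric components count as 0, which is adequate for an inventory sweep."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def is_unsupported(item: InstalledSoftware, today: date) -> bool:
    """Unsupported-software finding: vendor support has ended, so no fixes will arrive."""
    return item.end_of_support is not None and item.end_of_support <= today


def patch_overdue_days(item: InstalledSoftware, today: date) -> int:
    """Timely-patching finding: days past the SLA that a newer version has been
    available. Returns 0 when the host is current or the newer version is still
    inside the SLA window."""
    if parse_version(item.installed_version) >= parse_version(item.latest_version):
        return 0
    due = item.latest_release + timedelta(days=PATCH_SLA_DAYS)
    return max(0, (today - due).days)


def audit_inventory(inventory: List[InstalledSoftware],
                    today: date) -> List[Tuple[str, str, str, int]]:
    """Return (host, product, finding, days) for every record violating either control."""
    findings = []
    for item in inventory:
        if is_unsupported(item, today):
            findings.append((item.host, item.product, "UNSUPPORTED",
                             (today - item.end_of_support).days))
        overdue = patch_overdue_days(item, today)
        if overdue:
            findings.append((item.host, item.product, "PATCH_OVERDUE", overdue))
    return findings


def sample_inventory() -> List[InstalledSoftware]:
    """Constructed records: hosts, products, versions and dates are invented."""
    return [
        # newer release published 2014-02-01, still not installed: past the SLA
        InstalledSoftware("web01", "httpd-example", "2.2.20", "2.2.27", date(2014, 2, 1), None),
        # vendor support ended 2013-12-31: unsupported regardless of patch level
        InstalledSoftware("web01", "legacy-os", "5.4", "5.4", date(2012, 1, 1), date(2013, 12, 31)),
        # current and supported: no finding
        InstalledSoftware("db01", "dbengine", "9.3.4", "9.3.4", date(2014, 3, 20), None),
        # newer release exists but is only 17 days old: inside the SLA, no finding yet
        InstalledSoftware("app01", "appserver", "7.0.50", "7.0.52", date(2014, 4, 1), None),
    ]


if __name__ == "__main__":
    for host, product, finding, days in audit_inventory(sample_inventory(), AUDIT_DATE):
        print(f"{host:<6} {product:<14} {finding:<14} {days}d")
```

Run on the sample inventory as of the report date, the sweep reports web01 twice: once for a patch 46 days past the SLA and once for an operating system whose support ended 108 days earlier. The app01 host is not flagged because its pending patch is still inside the 30-day window, which is the distinction between "a newer version exists" and "the patch process has failed" that an audit like OPM's is measuring.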

OPM also called on Premera to improve the physical access controls at its data center, recommending "multi-factor authentication" for access to the computer room.

"Failure to promptly install important updates increases the risk that vulnerabilities will not be remediated and sensitive data could be breached," the report stated. In addition, OPM said failure to remove outdated software "increases the risk of a successful malicious attack on the information system."

Premera told OPM it would resolve its issues by Dec. 31, 2014.

The Health Information Trust Alliance announced Thursday that on Feb. 20 of this year it published reports containing threat indicators of suspicious activity associated with Premera. According to HITRUST, there is early speculation that this breach is tied to the "threat actor Deep Panda," which also was linked to the recent Anthem breach.

"HITRUST is continuing to monitor the Premera situation and will continue to distribute information as it becomes available, and work with the industry to disseminate any findings and lessons learned that can help other organizations better prepare and respond to these types of cyber incidents," the announcement said.



Patient discharged with paperwork of 20 other patients

The Medical Center of Aurora in Colorado is under scrutiny for discharging a patient with the paperwork of 20 other patients, according to Fox 31 Denver.

On November 22, 2014, the medical center discharged Karen Billings and included the medical information of 20 other patients in the documentation provided. Billings returned to the medical center, where a nurse retrieved the other patients' paperwork. However, upon reviewing her file the following day, Billings found that she was still in possession of seven pages of operating room notes belonging to other patients, Fox 31 Denver reported.

Billings said the paperwork given to her listed patients’ dates of birth, physician names, procedures, and medications. The medical center is offering free identity theft protection for affected patients, according to Fox 31 Denver.