HIPAA Gap Analysis and a HIPAA Risk Analysis


What is the difference between a HIPAA Gap Analysis and a HIPAA Risk Analysis?  Many organizations use these terms interchangeably, but they are not the same thing.  Don’t make the same mistake. We can help you understand the difference.

Office of Civil Rights Requirements

The Office for Civil Rights has clearly spelled out the steps and requirements for a HIPAA Security Risk Analysis.  It requires covered entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the electronic protected health information held by the organization.  Furthermore, entities must consider the potential risks, threats and vulnerabilities to all of the covered entity’s ePHI.  This includes all ePHI that is created, received, maintained or transmitted, including the source or location of the ePHI.

Understanding a HIPAA Gap Analysis

The HIPAA Rule does not require a HIPAA Gap Analysis.  The Gap Analysis is usually a limited evaluation of a covered entity’s or business associate’s organization to reveal whether the policies, controls or safeguards required by HIPAA are in place and implemented.  The HIPAA Gap Analysis should begin with a review of all policies, procedures, processes, practices and systems, and it must investigate all facilities that relate to privacy and the uses and disclosures of PHI.

Gap Analysis Insufficient for HIPAA Rule

A Gap Analysis does not satisfy the Security Risk Analysis requirement because it does not demonstrate an accurate and thorough analysis of all risks, threats and vulnerabilities to all of the ePHI an entity creates, receives, maintains or transmits.  Consequently, the gap analysis is not equivalent to the risk analysis and does not satisfy the rule as specified by 45 C.F.R. §164.308(a)(ii)(A).  It is important to note that OCR expects a covered entity to document and implement all of the necessary requirements of the HIPAA Rule to obtain a Compliant rating.

Therefore, it is important to identify your covered entity’s needs and determine whether you require a Gap Analysis or a Risk Analysis.  Ensure that the vendor you engage is qualified to perform the specific type of analysis that you need.

Sharing Mental Health Information

Allowing Providers to Share

In certain circumstances HIPAA allows mental health providers to share mental health information based on professional judgment, when it is in the best interests of the patient or to prevent or lessen a risk of harm.

If a patient presents a risk of harm to themselves or others, or exhibits behavior that may threaten their health or safety, providers need to be able to use professional judgment to identify the potential or likely risk and determine who can help lessen it.

Ways to Share Mental Health Information

There are several ways the provider may address the situation.

If the patient lacks the ability to make decisions or is unconscious, the provider can share information with the patient’s personal representative (if applicable).  They can also share with family or friends involved in the patient’s care if it is determined to be in the patient’s best interest.

A provider may contact anyone reasonably able to lessen the risk of harm when the provider believes that a patient presents a serious and imminent threat to the health or safety of themselves or another person.

OCR Won’t Second Guess

The Office for Civil Rights (OCR) states it won’t second-guess a mental health provider’s judgment when a patient is a threat to himself or others. HIPAA allows mental health providers to share information.

For more detail see the OCR guidance on this vital topic.  Remember to check state law for any restrictions on sharing.  It is the responsibility of all providers of mental health treatment to know the rules before managing this information.

This is your HIPAA ABCs brought to you by HIPAA Associates.  Contact us for more information on this important topic and HIPAA training for you and your company.

New HIPAA Penalties from HHS

Direction from HHS on Penalties

New HIPAA Penalties are now in effect from the Department of Health and Human Services, which published a notice on April 30th.  HHS is exercising its discretion in how it applies its regulations on the assessment of Civil Monetary Penalties (CMPs) under HIPAA.  Until now, HHS applied the same cumulative annual limit to all four categories of violations.

Pending further rulemaking, HHS will now apply different cumulative annual CMP limits instead of the maximum of $1.5 million for each level of violation.  This is a reduction in the maximum limit, scaled down based on the level of culpability.  HHS will use the new penalty structure until further notice.  It is important to understand the new HIPAA Penalties from HHS.

The Four Categories

Based on four categories of culpability, HHS has provided covered entities and business associates with a whole new structure for penalties.  In most cases the amount of the penalty will be significantly less than what we have experienced in the past.

  1. No knowledge: the minimum penalty is now $100, and the annual limit is $25,000, down from $1.5 million.
  2. Reasonable cause: the minimum penalty is $1,000, and the annual limit is $100,000, down from $1.5 million.
  3. Willful neglect with correction: the minimum penalty is $10,000, and the annual limit is $250,000.
  4. Willful neglect with no correction (the highest category): the minimum penalty is $50,000, and the annual limit is $1,500,000.

This new guidance significantly changes the penalty structure for HIPAA violations and must be considered and understood by covered entities and business associates who handle protected health information.

To read this important notice on the new HIPAA Penalties from HHS, visit the Federal Register.

Reasonable Safeguards for PHI

Protecting PHI

Reasonable Safeguards for PHI are precautions that a prudent person must take to prevent a disclosure of Protected Health Information.  Providers must apply these safeguards to protect all forms of PHI: verbal, paper and electronic.  They help prevent unauthorized uses or disclosures of PHI.  In addition, safeguards must be part of every privacy compliance plan, and organizations must share them with all members of the organization.

Safeguards for Verbal PHI

Apply Reasonable Safeguards for PHI to all of your verbal disclosures of Protected Health Information. When you work with a patient, first determine who is with the patient before discussing PHI.  Second, do not assume the patient permits disclosure of their PHI just because family or a friend is in the room with them; ask who is with the patient and whether the patient permits disclosure.  Finally, you may ask the other persons to leave the room, giving the patient an opportunity to object.

Paper PHI

In addition, reasonable safeguards for PHI must apply to the use of all paper products to prevent these from reaching the wrong person.  Providers must shred all paper products that contain PHI once they are no longer needed.  When a paper patient summary is given to a patient, personnel must make every effort to give it to the correct patient.

Electronic PHI

Password-protect all computers in order to protect electronic PHI.  Employees must only use the computer and medical record accounts to which they are assigned.  Consider encrypting any email or text message that contains ePHI.

Use of Reasonable Safeguards for PHI Prevents Violations

In conclusion, the use of reasonable safeguards may be the difference between an Office for Civil Rights finding of a privacy violation and a finding that an incidental disclosure occurred.  The latter is incidental to a permissible disclosure and is not a violation. Reasonable safeguards protect PHI and help prevent you from violating patient privacy.

Disclosures to Law Enforcement are Permissible

Disclosures to Law Enforcement

Sometimes it is hard to determine under what circumstances PHI disclosure to law enforcement is permissible. HIPAA permits disclosures to law enforcement in certain situations. For example, it is permissible to disclose if a signed authorization from the patient or their legal representative exists.

When to Respond

The HIPAA Rule permits disclosures when required by law. This may be necessary to respond to subpoenas and court orders with specific requirements.  In addition, disclosure may be necessary to investigate a crime, to locate a missing person and to prevent serious threats to public health and safety.  State law requires the reporting of child and adult abuse and neglect, and of certain injuries and diseases.

State Law

Besides considering the federal HIPAA law, review state law because it may be more protective than HIPAA. If that is the case, the entity must follow state law. It is important for your organization to know which disclosures to law enforcement are permissible.

Filing a HIPAA Privacy Complaint

Procedures for Making a Complaint

A covered entity must have a procedure for individuals to file a HIPAA privacy complaint regarding its privacy practices or an alleged violation of the Privacy Rule.  Most importantly, the Notice of Privacy Practices must contain contact information for the covered entity’s privacy officer and information on how to submit a complaint to the Office for Civil Rights.  In addition, a complaint must be filed within 180 days of when the complainant knew the violation occurred.

Privacy Officer

The privacy officer or designee investigates all complaints involving the privacy of protected health information.  The organization should maintain records of the complaints and their resolution. The Privacy Officer will determine whether or not there has been a violation or a breach of unsecured PHI.  A filing to OCR should include information about the complainant, the details of the complaint, and any additional information that might help OCR when reviewing the complaint.

On behalf of the covered entity, the Privacy Officer will respond to inquiries initiated by the Office for Civil Rights as it investigates complaints.

No Retaliation for Filing a Privacy Complaint

Above all, an organization must not retaliate against anyone for filing a HIPAA privacy complaint under the HIPAA rules. Most importantly, an organization must encourage employees to file a complaint if they feel a violation took place. Finally, an organization must resolve complaints and prevent them from happening again, which helps protect the organization.  On the other hand, an employee may complain directly to OCR if retaliatory action occurred.

In conclusion, there must be a good process for filing a privacy complaint and there should be no retaliation for doing so.

Breaches of Protected Health Information

Breaches Are A Serious Matter

Breaches of Protected Health Information are a serious matter.  A breach is an impermissible use or disclosure of protected health information (PHI) that compromises the privacy or security of the PHI.  An impermissible use or disclosure is presumed to be a breach unless certain criteria are met: the covered entity or business associate must demonstrate that there is a low probability that the PHI has been compromised, based on a risk assessment of the following:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of identification.
  2. The unauthorized person to whom the disclosure was made.
  3. Whether the PHI was actually acquired or viewed.
  4. The extent to which the risk to the patient was mitigated.

Paper Breaches

There are many forms of breaches of Protected Health Information.  Some examples of breaches of paper PHI are loss of paper files, insecure disposal, and paperwork given to the wrong person.  All entities that handle paper PHI must be aware of how important it is to take care when sharing or disposing of this information.  It is not uncommon for patients to receive the discharge summary of another patient or to see old medical records simply thrown away in the trash.

Electronic Breaches

Examples of electronic PHI breaches include the loss of an unencrypted mobile device and sharing PHI on an unsecured document-sharing internet site.  Most importantly, all organizations must create a process by which electronic PHI is protected in the cloud.

All of these have been the subject of Office for Civil Rights penalties.

Verbal Breaches

Verbal breaches of PHI occur when PHI is disclosed to the wrong individual or is overheard because safeguards were not used.

It is important for all covered entities and business associates to review their policies so that they can better protect PHI, whether it is on paper, electronic or spoken.

Please contact us for more information about breaches or about HIPAA. Follow us on Facebook or Twitter.

Permitted Uses and Disclosures of PHI

Sharing Protected Health Information

Permitted uses and disclosures of PHI are possible for a number of different purposes within the healthcare sector.  By following these guidelines, an organization can stay in compliance with HIPAA’s rules and still share protected health information. An organization must recognize these rules, and all employees of an organization that acts as a covered entity or business associate must be aware of them.  It is always permitted to use and disclose PHI for treatment, payment and health care operations.

Sharing with Health Care Providers

Keep in mind that HIPAA was written not only to protect PHI but also to assist treatment providers in caring for the patient without requiring patient authorization in order to share PHI.  For example, it is permissible to share protected health information with health care providers who will treat the patient in their office or after hospital discharge. The sharing may be done electronically and must be in a manner that is compliant with the Security Rule.

Sharing for Care Coordination

We now see the need to share data with health care providers for purposes of care coordination.  This has expanded the “permitted uses and disclosures of PHI.”  This activity did not exist when HIPAA was written; it is now required by CMS and is part of a treatment plan.  A health care provider may disclose PHI to another provider for this treatment purpose without patient authorization.  This information must be shared with all employees of the organization.

By following these simple guidelines, organizations will be able to stay in compliance with HIPAA as they manage their PHI.  One must also realize that there are other ways in which PHI may safely be shared without having to obtain permission, for example when there is an order from a court or for law enforcement purposes.

Disclose Protected Health Information

An authorization to disclose Protected Health Information is frequently required from the patient.  No authorization is needed if PHI is used for treatment, payment or healthcare operations purposes.  It is also not required when another law requires the use or disclosure.  It is important for all covered entities and business associates to know the exceptions.

Authorization to Disclose PHI Required

There are many circumstances when an authorization to disclose PHI is required.  This should be obtained directly from the patient or their personal representative.

Disclosure to an attorney’s office, or to a life or disability insurance company, is an example of when an authorization is needed.

An authorization must be obtained to disclose medical records in certain other circumstances.  First, one is required when a patient consents to participate in a research project. Second, it is required when a patient requests a transfer of medical records to another medical provider’s office.

Authorization Not Required

When there is a court order signed by a judge from a court with jurisdiction, there is no need for an authorization to disclose Protected Health Information.  A report of an infectious disease required by state law also does not require authorization.  No authorization is required if PHI is disclosed for research when an IRB (Institutional Review Board) grants a waiver of authorization.

Requirements Permitting Use of Protected Health Information

A HIPAA-compliant authorization permitting use of protected health information must contain certain elements.  Do not forget to look at state law requirements: many states have laws that are more protective of PHI than the federal HIPAA Rules, and in those states organizations will need to add elements to the authorization.  The covered entity and/or business associate must determine which law is most restrictive.

Authorization and the HIPAA Rule

Specific Authorizations

To use the PHI of an individual, one must often obtain an authorization, and the HIPAA Rule is very specific about authorization. The use of PHI for treatment, payment or healthcare operations purposes does not require authorization. In addition, if specific laws require the use or disclosure, an authorization is not required.

Disclosure to an attorney’s office, or to a life or disability insurance company, is another example where an authorization is required.

Research Projects

An entity must obtain authorization to disclose medical records when a patient consents to participate in a research project and when a patient requests a transfer of medical records to another medical provider’s office.

Court Orders

A request accompanied by a court order signed by a judge from a court with jurisdiction does not require authorization.  Reporting an infectious disease as required by state law does not require authorization. Disclosing PHI for research does not require authorization if an IRB (Institutional Review Board) grants a waiver of authorization.

State Law is Important

A HIPAA-compliant authorization must contain certain elements, but don’t forget to look at state law requirements.  Many states have laws that are more protective of PHI than the federal HIPAA Rules, and they will require additional elements added to the authorization.