
P is for Penalties

Our HIPAA ABC is “P is for Penalties.”

On April 30 the Department of Health and Human Services published a notice that it is exercising enforcement discretion in how it applies the HIPAA regulations on the assessment of Civil Monetary Penalties (CMPs). Until now HHS has applied the same cumulative annual limit of $1.5 million to all four categories of violations.

Pending further rulemaking, HHS will apply a different cumulative annual CMP limit to each tier instead of the $1.5 million maximum for every level of violation. For the lower tiers this is a reduction in the annual cap, scaled to the level of culpability. HHS will use the new penalty structure until further notice.

The Four Categories

The penalty tiers are based on four categories of culpability:

  1. No knowledge: the minimum penalty per violation is $100, and the annual limit drops from $1.5 million to $25,000.
  2. Reasonable cause: $1,000 minimum per violation, with the annual limit reduced from $1.5 million to $100,000.
  3. Willful neglect that is corrected: $10,000 minimum per violation and a $250,000 annual limit.
  4. Willful neglect that is not corrected: $50,000 minimum per violation, with the annual limit unchanged at $1,500,000.

To read this important notice, visit the Federal Register using the link below.

R is for Reasonable Safeguards


Reasonable safeguards are the precautions a prudent person would take to prevent a disclosure of PHI. They must be applied to every form of PHI: verbal, paper, and electronic. Their purpose is to prevent unauthorized uses or disclosures of PHI.

Verbal PHI

Reasonable safeguards must be applied to all of your verbal disclosures of PHI. When working with a patient, first determine who is in the room before discussing PHI. Do not assume the patient permits disclosure just because a family member or friend is present. Ask who is with the patient and whether the patient permits disclosure in front of them, or ask the visitors to step out, giving the patient an opportunity to object.

Prevent Violations

The use of reasonable safeguards may be the difference between an Office for Civil Rights finding of a privacy violation and a finding that an incidental disclosure occurred, which is secondary to a permissible disclosure and is not a violation. Reasonable safeguards protect PHI and help keep you from violating patient privacy.

E is for Encryption


HIPAA Security Rule

The HIPAA Security Rule allows the transmission of electronic PHI (ePHI) as long as it is safeguarded. It is up to the health care provider to decide on the use of encryption based on the results of its risk assessment.

The encryption standard confuses people because it is an addressable implementation specification: it must be implemented if doing so is a reasonable and appropriate safeguard for the protection of ePHI, and if it is not, the decision must be documented and an equivalent alternative measure implemented where reasonable and appropriate.

No Specific Requirements

When the Security Rule was enacted, it was recognized that rapid advances in technology would make it very difficult to maintain guidelines that would need to change regularly. For this reason, HHS chose not to require specific safeguards that could soon be outdated.

Alternative to Encryption

Based on its security risk assessment, a health care provider may determine that encryption is not reasonable and appropriate and implement an equivalent alternative measure to protect ePHI, or it may decide to do neither because the standard is otherwise met. Whichever path is taken, the provider must document its reasons. Bear in mind that the choice also affects breach notification: ePHI encrypted in accordance with HHS guidance is "secured", so the loss of an encrypted device is not a reportable breach, whereas the loss of an unencrypted one is.

D is for Disclosures


Disclosures to Law Enforcement

It is sometimes hard to determine under what circumstances a disclosure of PHI to law enforcement is permissible.

HIPAA permits disclosures to law enforcement in certain situations. A disclosure is always permitted when there is a signed authorization from the patient or their legal representative.

When to Respond

Disclosures are permitted when required by law, for example in response to subpoenas and court orders when specific requirements are met. They are also permitted for the investigation of a crime, to locate a missing person, and to prevent a serious threat to public health and safety. State law may require reports of child and adult abuse and neglect, and certain injury and disease reporting.

State Law

Besides considering the federal HIPAA Rules, review state law: it may be more protective than HIPAA, and where it is, state law is followed.

This is your HIPAA ABCs brought to you by HIPAA Associates.  Contact us for more information on this important topic and HIPAA training for you and your company.  Follow us on Facebook and Twitter.


C is for Complaints

HIPAA ABCs
Mary Lopez presents HIPAA ABCs

Today’s letter is C, “C is for Complaints.”

Procedures

A covered entity must have a procedure for individuals to file a complaint regarding its privacy practices or an alleged violation of the Privacy Rule. The Notice of Privacy Practices must contain contact information for the covered entity's privacy officer and information on how to submit a complaint to the Office for Civil Rights.

Privacy Officer

The privacy officer or a designee investigates every complaint involving the privacy of protected health information and should keep records of the complaints and their resolution. The privacy officer determines whether a violation, or a breach of unsecured PHI, has occurred.

On behalf of the covered entity, the privacy officer responds to inquiries from the Office for Civil Rights as it investigates complaints.

No Retaliation

Under the HIPAA Rules a covered entity may not retaliate against anyone for filing a privacy complaint.


B is for Breaches

Today’s letter is B

B is for Breaches. A breach is an impermissible use or disclosure of protected health information (PHI) that compromises its privacy or security. Any impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate can demonstrate, through a risk assessment, that there is a low probability the PHI has been compromised, considering:

  1. Nature and extent of the PHI involved, including the types of identifiers and the likelihood of identification
  2. The unauthorized person to whom the disclosure was made.
  3. Whether the PHI was acquired or viewed.
  4. The extent to which the risk to the patient was mitigated.

Paper Breaches

Examples of breaches of paper PHI are lost paper files, insecure disposal, and paperwork handed to the wrong person.

Electronic Breaches

Examples of electronic PHI breaches include loss of an unencrypted mobile device and sharing PHI on an unsecured document sharing internet site.

All of these have been the subject of Office for Civil Rights penalties.

Verbal Breaches

Verbal breaches of PHI occur when PHI is disclosed to the wrong individual or is overheard because safeguards were not used.

S is for Social Media


Benefits of Social Media

Social media offers many benefits for health care organizations: it allows interaction with patients and others, and it is a channel for education and services. It is an essential communication and marketing tool and part of most strategic marketing plans. In their role as employer, organizations also turn to social media to communicate with their employees.

Authorization to use PHI

However, it is possible to violate the HIPAA Rules and patient privacy through social media if it is not managed correctly. Health care organizations must disclose protected health information (PHI) in interviews, photographs and marketing communications only with the patient's authorization.

The Risk of Social Media

An employee's post containing PHI violates the HIPAA Rules and results in a reportable breach of PHI; social media posts are not a permissible use or disclosure. The ability to post to several platforms at once increases the risk for an organization. Remember that to de-identify PHI, all 18 identifiers must be removed and the organization must have no actual knowledge that what remains could be used to identify the patient. This includes removing facial images and other identifying features such as tattoos.
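The de-identification rule mentioned above (strip the 18 Safe Harbor identifier categories of 45 CFR 164.514(b)(2) and have no actual knowledge that what remains could identify the patient) is mechanical enough to automate for structured records. The following Python is an added example, not code from HIPAA Associates: it drops direct identifiers, keeps only the year of dates, truncates ZIP codes to three digits (or 000 for sparsely populated prefixes), aggregates ages over 89 into "90+", and then scans the remaining free text for identifiers that slipped through. The field names, the small-ZIP3 set and the sample record are assumptions constructed for this example; it does not process images, so facial photos and tattoos still need manual review.

```python
"""Safe Harbor de-identification pass over a flat patient record.

Added example; not code from HIPAA Associates. It follows the Safe Harbor
method of 45 CFR 164.514(b)(2): remove the 18 identifier categories, keep only
the year of dates, generalize ZIP codes to three digits, aggregate ages over 89.
The field names, the SMALL_ZIP3 set and SAMPLE are assumptions constructed here.
"""
import re
from datetime import date

# Fields holding direct identifiers that are dropped outright. Each corresponds
# to a Safe Harbor category (names, geographic units smaller than a state,
# phone, fax, email, SSN, MRN, health-plan and account numbers, licenses,
# vehicle and device IDs, URLs, IPs, biometrics, full-face photos, other
# unique identifying numbers or characteristics such as tattoos).
DROP_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "fingerprint",
    "face_photo", "tattoo_description",
}

# Date fields other than date of birth: only the year may remain.
DATE_FIELDS = {"admission_date", "discharge_date", "death_date"}

# ZIP3 prefixes covering 20,000 people or fewer must become "000". The real list
# comes from Census data; this small set is a constructed stand-in (assumption).
SMALL_ZIP3 = {"036", "059", "102"}

# Patterns that catch identifiers leaking through free-text fields.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def generalize_zip(zip5):
    """Keep the first three digits, or 000 for a sparsely populated prefix."""
    zip3 = zip5[:3]
    return "000" if zip3 in SMALL_ZIP3 else zip3


def age_on(dob, as_of):
    """Whole years between an ISO date of birth and the as_of date."""
    d = date.fromisoformat(dob)
    return as_of.year - d.year - ((as_of.month, as_of.day) < (d.month, d.day))


def deidentify(record, as_of):
    """Return a new dict with Safe Harbor identifiers removed or generalized."""
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "dob":
            age = age_on(value, as_of)
            if age >= 90:
                out["age"] = "90+"  # no birth year: it would reveal an age over 89
            else:
                out["age"] = age
                out["birth_year"] = date.fromisoformat(value).year
        elif field in DATE_FIELDS:
            out[field[:-5] + "_year"] = date.fromisoformat(value).year
        else:
            out[field] = value
    return out


def residual_identifiers(record):
    """List (field, pattern) pairs where free text still contains an identifier."""
    hits = []
    for field, value in record.items():
        if isinstance(value, str):
            for label, pat in FREE_TEXT_PATTERNS.items():
                if pat.search(value):
                    hits.append((field, label))
    return hits


SAMPLE = {  # constructed record, not a real patient
    "name": "Jane Doe",
    "mrn": "MRN-0042",
    "dob": "1927-03-15",
    "zip": "03601",
    "admission_date": "2019-04-02",
    "diagnosis": "J18.9",
    "notes": "Patient called back at 555-867-5309 about results.",
}

if __name__ == "__main__":
    clean = deidentify(SAMPLE, as_of=date(2019, 5, 1))
    print(clean)
    print(residual_identifiers(clean))
```

The free-text scan is a last check, not a guarantee: a clinician's note can identify a patient without matching any pattern, which is why the rule also requires that the organization have no actual knowledge that the remaining information could identify the individual.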

Preventing Risk

To reduce this risk, employees should be trained on the dangers of inappropriate social media use from the very start of their employment. Many organizations address the issue by developing a social media use policy and monitoring social media activity.

P is for Permitted Uses and Disclosures


Key Disclosures

A covered entity may use and disclose PHI for a number of purposes and remain in compliance with the HIPAA permitted uses and disclosures. Use and disclosure of PHI for treatment, payment and health care operations is always permitted.

Sharing with Health Care Providers

Keep in mind that HIPAA was written not only to protect PHI but to help treating providers care for the patient without requiring a patient authorization to share PHI. For example, it is permissible to share PHI with the health care providers who will treat the patient in their office or after hospital discharge. The sharing may be electronic and must be done in a manner that complies with the Security Rule.

Sharing for Care Coordination

We now see a need to share data with other health care providers for care coordination. This activity did not exist when HIPAA was written; it is now required by CMS and forms part of the treatment plan. A health care provider may disclose PHI to another provider for this treatment purpose without patient authorization.

A is for Authorization

Today’s letter is A, “A is for Authorization”

An authorization signed by the individual whose PHI is to be used or disclosed is frequently required. No authorization is needed when PHI is used for treatment, payment or health care operations, or when another law requires the use or disclosure.

Examples of when an authorization is needed are disclosure to an attorney's office and disclosure to a life or disability insurance company.

An authorization must also be obtained to disclose medical records when a patient consents to participate in a research project, and when the patient asks for medical records to be transferred to another provider's office (a transfer between treating providers may also be made under the treatment exception).

Examples of when an authorization is not required are a court order signed by a judge of a court with jurisdiction, and a report of an infectious disease required by state law. No authorization is required to disclose PHI for research if an Institutional Review Board (IRB) grants a waiver of authorization.

The HIPAA compliant authorization must contain certain elements, but don’t forget to look at state law requirements.  There are many states with laws that are more protective of PHI than the Federal HIPAA Rules and they will require additional elements added to the authorization.


A is for Access


A is for access to Protected Health Information (PHI). An individual has the right to access their PHI, in electronic form if they ask for it, for a reasonable cost-based fee, as soon as possible and no later than 30 days from the date of the request.

When a covered entity can readily produce the records in the requested electronic format, it must do so. If it cannot, it must deliver them in a format mutually agreed upon by the parties within the 30-day timeframe. A one-time 30-day extension is permitted, for example when paper records must be retrieved from storage, provided the individual is told in writing why the delay is needed and when the records will be provided.

The covered entity may require the access request to be in writing and signed by the patient; a signed HIPAA authorization is not required. A third party may, at the individual's request, send the access request on the individual's behalf, and it must be fulfilled in the same manner as if the individual had made it personally.

The permissible fee for an access request is limited to the cost of: labor for copying the requested PHI, whether in paper or electronic form; supplies for creating the paper or electronic copy; and postage. State fee schedules that exceed this amount cannot be charged for access requests.

When a third party requests records on its own behalf under an authorization and cites the HITECH access fee limits as the most that may be charged, it is mistaken. Those limits apply only to requests made by the individual or at the individual's direction, not to disclosures made under an authorization.