Breaches of Protected Health Information


Breaches Are A Serious Matter

Breaches of Protected Health Information (PHI) are a serious matter.  A breach is an impermissible use or disclosure of PHI under the Privacy Rule that compromises the security or privacy of the PHI.  Any impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate can demonstrate that there is a low probability that the PHI has been compromised, based on a risk assessment of at least the following factors:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
  2. The unauthorized person who used the PHI or to whom the disclosure was made.
  3. Whether the PHI was actually acquired or viewed.
  4. The extent to which the risk to the PHI has been mitigated.

Paper Breaches

Breaches of Protected Health Information take many forms.  Examples of breaches of paper PHI include lost paper files, insecure disposal, and paperwork handed to the wrong person.  All entities that handle paper PHI must therefore take care when sharing or disposing of this information.  It is not uncommon for a patient to receive another patient's discharge summary, or for old medical records to be found simply thrown in the trash.

Electronic Breaches

Examples of electronic PHI breaches include the loss of an unencrypted mobile device and sharing PHI on an unsecured document-sharing web site.  Note the word unencrypted: PHI that is encrypted in a manner consistent with HHS guidance is considered secured, and the loss of such a device does not trigger breach notification.  Every organization must also establish a process for protecting the electronic PHI it stores in the cloud.

All of these scenarios have been the subject of Office for Civil Rights (OCR) penalties.

Verbal Breaches

Verbal breaches of PHI occur when PHI is spoken to the wrong individual, or is overheard because reasonable safeguards (such as lowering voices or moving the conversation out of a public area) were not used.

All covered entities and business associates should review their policies so that they can better protect PHI, whether it is on paper, electronic or spoken.


HIPAA and Social Media can be Problematical


Benefits of Social Media

Social media offers health care organizations many benefits: it allows interaction with patients and others, and it is a channel for education and services.  It has become an essential communication and marketing tool and part of strategic marketing plans, and organizations also use it to communicate with their employees.  Unfortunately, HIPAA and social media can be problematic.

Authorization to use PHI

If it is not managed correctly, using social media can violate the HIPAA Rules and patient privacy.  Health care organizations must therefore be careful about disclosing protected health information on these platforms: interviews, photographs and marketing communications that contain PHI may be published only with the patient's written authorization.

Media Posts May Risk Privacy

Posts of PHI by employees violate the HIPAA Rules and result in a reportable breach; a social media post is not a permissible use or disclosure of PHI.  The ability to post to several platforms at once increases the risk for an organization.  Remember that to de-identify PHI under the Safe Harbor method, all 18 identifiers listed in the Privacy Rule must be removed, and the covered entity must have no actual knowledge that the remaining information could be used to identify the patient.  Full-face photographs and comparable images, and other unique identifying characteristics such as tattoos, are among those identifiers and must also be removed.
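As an added illustration (this is not code from the original page or from any HIPAA authority), the Python below applies the Safe Harbor rules to a constructed sample record: it drops direct identifiers, reduces dates to the year and ages over 89 to a "90+" bucket, truncates ZIP codes to three digits (replacing the restricted prefixes with 000), scrubs dates, phone numbers and e-mail addresses from free text, and flags wording such as "tattoo" for human review because a unique physical characteristic cannot be detected by a pattern.  The field names, keyword list, cut-off date and sample record are hypothetical; the transformation rules follow 45 CFR 164.514(b)(2).

```python
import re
from datetime import date

# Constructed sample record for illustration; it is not data from the original page.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "dob": "1931-04-12",
    "admit_date": "2023-08-03",
    "zip": "02138",
    "phone": "617-555-0100",
    "email": "jane.example@example.org",
    "mrn": "MRN-0099123",
    "diagnosis": "Type 2 diabetes mellitus",
    "notes": "Seen 08/03/2023, follow up by phone 617-555-0100. "
             "Anchor tattoo on left forearm noted.",
}
# Hypothetical "today" used for age computation.
AS_OF = date(2024, 1, 1)

# Direct identifiers (names, phone numbers, e-mail addresses, medical record
# numbers) must be removed outright.  Which fields hold them is an assumption
# about this hypothetical record layout.
DIRECT_IDENTIFIER_FIELDS = {"name", "phone", "email", "mrn"}
DATE_FIELDS = {"dob", "admit_date"}

# Three-digit ZIP prefixes that HHS lists as covering 20,000 or fewer people
# (2000 census figures cited in the HHS de-identification guidance).  They must
# be replaced with 000 rather than merely truncated; verify against current guidance.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}

# Identifiers that commonly leak into free text and can be found mechanically.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"), "[DATE]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
]
# The 18th category ("any other unique identifying number, characteristic, or
# code") cannot be matched by a pattern; these words only route the record to
# human review.  The keyword list is a hypothetical starting point.
REVIEW_KEYWORDS = ("tattoo", "scar", "birthmark", "prosthe")


def generalize_dob(iso_date, as_of):
    """Reduce a birth date to its year; ages over 89 collapse into one 90+ bucket,
    because the year of birth alone would reveal such an age."""
    y, m, d = (int(p) for p in iso_date.split("-"))
    age = as_of.year - y - ((as_of.month, as_of.day) < (m, d))
    return "90+" if age > 89 else str(y)


def generalize_zip(zip5):
    """Keep the first three digits of a ZIP code unless that prefix is restricted."""
    zip3 = zip5[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def scrub_free_text(text):
    """Replace pattern-detectable identifiers and report keywords needing manual review."""
    hits = [kw for kw in REVIEW_KEYWORDS if kw in text.lower()]
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text, hits


def safe_harbor(record, as_of):
    """Return (de-identified copy, review flags).  A non-empty flag list means the
    record is NOT yet de-identified and must not be published."""
    out, flags = {}, []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                       # drop the field entirely
        if field == "dob":
            out[field] = generalize_dob(value, as_of)
        elif field in DATE_FIELDS:
            out[field] = value[:4]         # year only
        elif field == "zip":
            out[field] = generalize_zip(value)
        elif isinstance(value, str):
            out[field], hits = scrub_free_text(value)
            flags.extend(f"{field}: {h}" for h in hits)
        else:
            out[field] = value
    return out, flags


def deidentify_sample():
    """Run the Safe Harbor pass over the constructed sample record."""
    return safe_harbor(SAMPLE_RECORD, AS_OF)


if __name__ == "__main__":
    cleaned, flags = deidentify_sample()
    print(cleaned)
    print("needs human review:" if flags else "no review flags", flags)
```

The point of the flag list is that Safe Harbor over free text is never fully automatic: the sample record comes back with a "tattoo" flag, so it stays inside the covered entity until a reviewer removes or generalizes that sentence.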

Preventing HIPAA Privacy Risk

Employees should be trained on the dangers of inappropriate social media use from the very start of their employment.  Many organizations address the issue by developing a social media use policy and by monitoring social media activity.  If it is not addressed, HIPAA and social media can be problematic.

Permitted Uses and Disclosures of PHI

The Privacy, Security and Breach Notification Rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) were intended to allow information sharing while ensuring that sensitive health data is maintained securely and shared only for appropriate purposes or with the authorization of the individual.

There are permitted uses and disclosures of PHI for different purposes within the health care sector, and all employees of an organization that acts as a covered entity or business associate must be aware of them.  Using and disclosing PHI for treatment, payment and health care operations is always permitted without authorization (subject, for payment and operations, to the minimum necessary standard).  If the disclosure is not for one of these purposes and is not otherwise permitted or required by the Privacy Rule, an authorization must be obtained.  By following these guidelines, an organization can stay in compliance with HIPAA's rules while still sharing protected health information.

“Disclosure” means the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.  The definition applies equally to electronic, paper and oral communications.  A disclosure to the individual who is the subject of the PHI needs no authorization; the Privacy Rule requires it on request.

“Use” means the sharing, employment, application, utilization, examination or analysis of individually identifiable health information within the entity that maintains the information.

The major difference between “disclosure” and “use” is that a use of PHI is internal to the covered entity, while a disclosure is an external communication of PHI.

Authorizations

Health care providers, health care clearinghouses and health plans must obtain an authorization before using or disclosing PHI for purposes other than treatment, payment or health care operations, unless another provision of the Privacy Rule permits or requires the use or disclosure.  Psychotherapy notes receive stronger protection: with only limited exceptions, they cannot be disclosed to any other entity, for any purpose, without a specific authorization.

A single authorization form may cover several purposes, but if it does, it must describe each purpose of the use or disclosure.

The authorization must state an expiration date or expiration event.  The signed authorization must be retained for six years from the date of its creation or the date it was last in effect, whichever is later.

Creating Authorizations

Authorizations must be written in plain language, with the needs of the reader in mind.  They must contain the following core elements:

  • A specific and meaningful description of the information to be used or disclosed.
  • The name or other specific identification of the person(s) or class of persons authorized to make the requested use or disclosure.
  • The name or other specific identification of the person(s) or class of persons to whom the covered entity may make the requested use or disclosure.
  • An expiration date or expiration event that relates to the individual or to the purpose of the use or disclosure.
  • A description of each purpose of the requested use or disclosure.
  • The signature of the individual and the date.

In addition to the core elements, the authorization must contain the following statements:

  • That the individual has the right to revoke the authorization in writing, the exceptions to that right, and either a description of how to revoke it or a reference to the notice of privacy practices that describes how.
  • That treatment, payment, enrollment or eligibility for benefits may not be conditioned on signing the authorization (or, where conditioning is permitted, the consequences of refusing to sign).
  • That information disclosed under the authorization may be redisclosed by the recipient and would then no longer be protected by the Privacy Rule.
  • If the authorization is signed by the individual's personal representative, a description of the representative's authority to act for the individual.

Sharing with Health Care Providers

Keep in mind that HIPAA was written not only to protect PHI but also to help treatment providers care for the patient without requiring patient authorization to share PHI.  For example, it is permissible to share protected health information with the health care providers who will treat the patient in their office or after hospital discharge.  The sharing may be done electronically, in which case it must be done in a manner that complies with the Security Rule.

Sharing for Care Coordination

Sharing data with other health care providers for care coordination is now routine, and this has broadened how the permitted uses and disclosures of PHI are applied in practice.  The activity was far less common when HIPAA was written; today CMS expects it, and it is part of a treatment plan.  Because care coordination falls within treatment, a health care provider may disclose PHI to another provider for this purpose without patient authorization.  Staff throughout the organization need to understand this.

By following these guidelines, organizations can stay in compliance with HIPAA as they manage their PHI.  Bear in mind that there are other circumstances in which PHI may be shared without an authorization, for example in response to a court order or for certain law enforcement purposes.

The Right to Access

Health care providers are frequently unsure how to handle a request for access to protected health information (PHI) that cites HITECH and the patient's right to receive an electronic copy of their records for a reasonable, cost-based fee.  Authorizations to disclose copies of the designated record set are routine, but access requests were not received on a regular basis until recently.

Delivering Records

When a covered entity can readily produce the records in the electronic form and format requested, it must do so; otherwise it must deliver them in a readable electronic form and format agreed upon by the parties.  The deadline is 30 days from receipt of the request.  A single extension of up to 30 days is permitted (for example, when paper records must be retrieved from off-site storage), provided the individual is given a written statement of the reason for the delay and the date by which the records will be provided.

Patients have the right to access PHI in electronic format, or to direct that a copy be sent to a third party, provided the request is clear, conspicuous and specific.  A request to send a copy to a third party must be in writing, signed by the patient, and must identify the designated recipient and where to send the copy; no separate authorization is required.  A third party may submit the access request on the patient's behalf at the patient's direction, and the covered entity must fulfil it exactly as if the patient had requested the records in person.

Permissible Fees for Sharing Patient Records

There are limits on the fee that may be charged for access.  A reasonable, cost-based fee may include only the labor for copying the PHI requested, whether in paper or electronic form; the supplies for creating the paper or electronic copy; postage; and, if the individual agrees to it, the preparation of an explanation or summary.  State fee schedules that exceed this amount cannot be applied to access requests.

When a third party submits a request for patient records on its own behalf under an authorization and claims that the HITECH access fee is the most it can be charged, it is mistaken: the access fee limits apply only to requests made by or at the direction of the individual, not to disclosures made under an authorization.

Sharing Mental Health Information

In certain circumstances HIPAA permits mental health providers to share mental health information based on their professional judgment, for example when doing so is in the best interests of the patient or will prevent or lessen a risk of harm.

When a patient presents a risk of harm to themselves or others, or is exhibiting behavior that may threaten their health or safety, providers must be able to use professional judgment to identify the potential or likely risk and determine who can help lessen it.

Ways to Share Mental Health Information

There are several ways the provider may address the situation.  If the patient is unconscious or lacks the capacity to make decisions, the provider can share information with the patient's personal representative (if there is one).

They can also share information with family members or friends involved in the patient's care when, in their professional judgment, doing so is in the patient's best interest.

When a provider believes that a patient presents a serious and imminent threat to the health or safety of themselves or another person, the provider may contact anyone reasonably able to prevent or lessen that threat, including the target of the threat, family members or law enforcement.

OCR Won’t Second Guess

The Office for Civil Rights (OCR) has stated that it will not second-guess a mental health provider's good-faith judgment when a patient is a threat to himself or others.  HIPAA allows mental health providers to share information in these situations.

For more detail see the OCR guidance on this topic.  Remember also to check state law for any additional restrictions on sharing.  It is the responsibility of all providers of mental health treatment to know the rules before handling this information.

Psychotherapy Uses and Disclosures

“Psychotherapy notes” are defined by the rule as notes recorded in any medium by a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint or family counseling session, and kept separate from the rest of the individual's medical record.  Psychotherapy notes do not include medication prescriptions and monitoring; counseling session start and stop times; the modalities and frequencies of treatment; clinical test results; or summaries of diagnosis, functional status, the treatment plan, symptoms, prognosis and progress to date.

A covered entity must obtain the patient's authorization to disclose psychotherapy notes, including disclosures for another covered entity's treatment, payment or health care operations.  The entity may use or disclose the notes without an authorization only in limited cases: use by the originator of the notes for treatment; use or disclosure for the entity's own training programs for its mental health professionals, students and trainees; and use or disclosure to defend itself in a legal action or other proceeding brought by the individual.

An authorization is also required to use or disclose psychotherapy notes for research, including research that involves the treatment of the individuals.

Disclosures to Law Enforcement

It can be hard to determine when a disclosure of PHI to law enforcement is permissible.  HIPAA permits such disclosures in specific situations.  The simplest case is when a signed authorization from the patient or their legal representative exists.

When to Respond

PHI may be disclosed as required by law, including laws that require the reporting of certain types of wounds or other physical injuries.  Reports of child abuse, and of adult abuse, neglect or domestic violence, are handled under separate provisions of the Privacy Rule rather than this one.

PHI may also be disclosed in response to a court order, a court-ordered warrant, a subpoena or summons issued by a judicial officer, or a grand jury subpoena.  It may be disclosed in response to an administrative request (such as an administrative subpoena or civil investigative demand) only if the information sought is relevant and material to a legitimate law enforcement inquiry, the request is specific and limited in scope, and de-identified information could not reasonably be used instead.

Limited disclosures are also permitted to help law enforcement identify or locate a suspect, fugitive, material witness or missing person, and to prevent a serious and imminent threat to health or safety.  State law requires reports of child and adult abuse and neglect, and of certain injuries and diseases.

State Law

Besides the federal HIPAA rule, review state law, which may be more protective than HIPAA; where it is, the entity must follow state law.  Every organization should know which disclosures to law enforcement are permissible.

Disclose Protected Health Information

An authorization to disclose Protected Health Information is required from the patient in many circumstances.  No authorization is needed when PHI is used or disclosed for treatment, payment or health care operations, and none is needed when another law requires the use or disclosure.  All covered entities and business associates need to know these exceptions, and the HIPAA Rule is very specific about them.

Authorization to Disclose PHI Required

When an authorization is required it should be obtained directly from the patient or their personal representative.  Disclosure to an attorney's office, or to a life or disability insurance company, is a typical example of when an authorization is needed.  Authorization is also required to use or disclose medical records for research; a patient's consent to participate in a research study is not itself a HIPAA authorization, although the two may be combined in one document.

Authorization Not Required

A court order signed by a judge of a court with jurisdiction does not require an authorization to disclose Protected Health Information.  A report of an infectious disease required by state law does not require authorization.  Disclosure of PHI for research does not require authorization if an Institutional Review Board (IRB) or Privacy Board grants a waiver of authorization.  Transferring a patient's records to another provider's office for treatment is also permitted without an authorization, although offices commonly document the patient's request in writing.

State Law is Important

A HIPAA-compliant authorization must contain certain elements, but do not forget to look at state law requirements.  Many states have laws that are more protective of PHI than the federal HIPAA Rules, and they will require additional elements in the authorization.  The covered entity and/or business associate must determine which requirement is most restrictive and follow it.

HIPAA Privacy in Emergency Situations

The Office for Civil Rights (OCR) issued a bulletin on November 10, 2014, on “HIPAA Privacy in Emergency Situations.”  Its purpose was to make sure that covered entities and their business associates know how protected health information may be shared during an emergency, and that the Privacy Rule's protections continue to apply during emergencies.  OCR issued the bulletin partly in response to the Ebola outbreak at that time.  See the OCR bulletin for the full text.

The outbreak led many health care organizations to voice concern about how best to keep their staff members safe, and there was much discussion about how to remain HIPAA compliant and avoid inappropriate disclosure of patients' protected health information (PHI).  Since then other public catastrophes, such as hurricanes and extensive flooding, have raised the same concern: organizations want to know how to serve their communities' health care needs while staying in compliance with the HIPAA rule.

The Department of Health and Human Services (HHS) Office for Civil Rights has previously outlined how health care organizations can follow HIPAA while treating patients in the midst of a public crisis, and how to ensure that appropriate uses and disclosures of health information are made.  This allows them to treat patients, protect the nation's public health and perform other critical functions.

The OCR stated, “The HIPAA Privacy Rule recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information that is necessary to carry out their public health mission.”

The Privacy Rule allows covered entities to disclose the necessary PHI, without the individual's authorization, to a public health authority for the purpose of preventing or controlling disease, injury or disability.

Disclosing to Family

Covered entities may also disclose information to family members, friends and others involved in an individual's care, and for notification purposes: information may be disclosed as needed to identify, locate and notify family members, guardians or anyone else responsible for the care of the patient.

HIPAA and Imminent Danger

The Privacy Rule permits disclosure of PHI when a covered entity believes in good faith that it is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient, another person or the public, provided the disclosure is made to someone reasonably able to prevent or lessen that threat.

In any emergency covered entities must continue to use reasonable safeguards to protect PHI against intentional or unintentional impermissible uses and disclosures.  In summary, every covered entity should review and follow the guidance on HIPAA privacy in emergency situations so that it can continue to protect PHI even in a catastrophe.

HIPAA and Same-sex Marriage

The HIPAA Privacy Rule recognizes the important role that family members, such as spouses, often play in a patient's health care, and HIPAA and same-sex marriage has become an important topic to understand.  The Privacy Rule requires covered entities to treat an individual's personal representative, who may be a spouse, as the individual for purposes of the Rule, including the right to access the individual's health information.  In addition, the Privacy Rule protects against the use of genetic information about an individual, which includes certain information about the individual's family members, for underwriting purposes.

A Major Court Decision

On June 26, 2013, the Supreme Court held section 3 of the Defense of Marriage Act (DOMA) to be unconstitutional in United States v. Windsor.  Section 3 of DOMA had provided that federal law would recognize only opposite-sex marriages.  As a result of the decision, the federal government recognizes the rights of individuals in same-sex marriages; the decision did not resolve the status of those rights under state law.  Two years later, on June 26, 2015, in Obergefell v. Hodges, the Court held that the Fourteenth Amendment requires a state to license a marriage between two people of the same sex and to recognize same-sex marriages lawfully performed in other States.

Effects of the Decisions

In light of the Windsor and Obergefell decisions, OCR's guidance makes clear that the terms marriage, spouse, and family member include, respectively, all lawful marriages, lawfully married spouses, and both the lawful spouses and the dependents of all lawful marriages, and it clarifies certain rights of individuals under the Privacy Rule.  This guidance also updates and expands on related guidance issued in September 2014.

Marriage, Spouse & Family Member

The definition of family member in the Privacy Rule at 45 CFR 160.103 includes the terms spouse and marriage.  The term marriage includes all lawful marriages.  A lawful marriage is any marriage sanctioned by a state, territory, or a foreign jurisdiction, provided that a U.S. jurisdiction would also recognize the marriage performed in the foreign jurisdiction.  The term spouse includes all individuals who are in lawful marriages without regard to the sex of the individuals.  The term family member includes lawful spouses and dependents of all lawful marriages.  In addition, the terms marriage, spouse, and family member apply to all individuals who are legally married, regardless of where they live or receive health care services.

The term family member is relevant to the application of 45 CFR 164.510(b), which governs permitted uses and disclosures of PHI related to another person's involvement in an individual's care and notifications about the individual's location, general condition or death.  Under that provision, in certain circumstances, HIPAA permits a covered entity to share an individual's protected health information with a family member of the individual, and legally married spouses are family members for this purpose.


PHI Can Be Disclosed For Treatment

PHI can be disclosed for treatment.  A covered entity may use and disclose PHI for a number of different purposes while staying within HIPAA's permitted uses and disclosures.  In particular, covered entities are permitted to use and disclose PHI for treatment, payment and health care operations.

Sharing PHI for Treatment

Keep in mind that the purpose of HIPAA is to protect PHI, but also to help treatment providers care for the patient without requiring patient authorization to share PHI.  For example, it is permissible to share PHI with the health care providers who will treat the patient in their office or after hospital discharge.  PHI shared for treatment may be sent electronically, and when it is, the transmission must comply with the Security Rule.  PHI may also be disclosed for payment purposes, for example to a billing company, and for health care operations.  These rules may also vary from state to state; Ohio, for example, has its own requirements.

New Disclosures of PHI

Sharing data with other health care providers for care coordination is now routine.  It was far less common when HIPAA was first written; today CMS expects it, and it is part of a treatment plan.  Because care coordination is a treatment activity, a health care provider may disclose PHI to another provider for this purpose without patient authorization.

HIPAA has been around for some time but continues to change.  Providers should continuously monitor the HIPAA rule and offer HIPAA training throughout the organization.
