The Ultimate HIPAA Guide
Table of Contents:
- What is HIPAA?
- HIPAA History
- Who Must Comply with HIPAA
- HIPAA Privacy Rules
- HIPAA Security Regulations
- HIPAA Compliance
- HIPAA Enforcement
- HIPAA Violation Fines and Penalties
- Examples of HIPAA Violation Cases
- HIPAA Certification Process
- HIPAA Guidelines on Telemedicine
- Texting and HIPAA Compliance
- Electronic Medical Records and HIPAA
- HIPAA Audit Checklist
What is HIPAA?
The United States passed legislation in 1996 in an effort to ensure the privacy and safeguarding of all individuals’ medical data. In August of that year, the Health Insurance Portability and Accountability Act (HIPAA) was signed by President Bill Clinton and contains five main sections (titles):
HIPAA Title I
The first title provides protection for maintaining health insurance coverage for any individual changing or losing their job. It also prohibits group plans from denying persons with preexisting conditions and diseases access to coverage and bars them from setting lifetime coverage limits.(1)
HIPAA Title II
Title II states that the US Department of Health and Human Services must establish a national standard for electronic healthcare transaction processing. All healthcare organizations must also implement security measures for health data access and comply with privacy laws.(1)
HIPAA Title III
Title III of the HIPAA act provides guidelines for tax provisions and medical care.(1)
HIPAA Title IV
The fourth title defines the health insurance reform in greater detail and states the provisions for those who seek continued coverage under the act and the laws regarding pre-existing conditions.(1)
HIPAA Title V
Under the last title, provisions are laid out for individuals who choose to give up their US citizenship (expatriate) and how this affects their income tax. It also states rules for company-owned life insurance policies.(1)
For anyone working in healthcare information technology, HIPAA compliance means adhering to the requirements of Title II, known as the provisions of Administrative Simplification.
Compliance Requirements of Title II:
- Every healthcare entity (providers, plans, employers and individuals) must have a 10 digit national provider identifier number (NPI).
- Organizations must submit and process claims following a standardized electronic data interchange (EDI) protocol.
- The Standards for Privacy of Individually Identifiable Health Information, or Privacy Rule, establishes nationwide standards for the protection of patient health information.
- The Security Standards for the Protection of Electronic Protected Health Information, or Security Rule, sets the standard for data security of patient records.
- The HIPAA Enforcement Rule states guidelines for investigating compliance violations of HIPAA.
The HIPAA Omnibus Rule, established in 2013, implements modifications to HIPAA concerning any associate of a covered entity. It further increases compliance violation penalties to a maximum of $1.5 million per incident.
As you can see, a HIPAA violation can be a severe financial burden for a healthcare organization. Under Omnibus, the HIPAA Breach Notification Rules states all business associates must notify all patients of the breach and bear the cost of such notifications. The entity is then audited and faces fines. Lastly, providers could face criminal prosecution for their violations.
HIPAA compliance training programs reduce an organization’s risk of regulatory action. There is no official compliance certification for HIPAA, but many companies offer credentials to show that compliance training has been completed. The US Office for Civil Rights (OCR) offers six programs teaching compliance rules, and there are numerous private groups and consultants that can be hired as well.
Regulations such as HIPAA require transparency first and foremost. Any activity revolving around regulated data systems may be audited. Therefore, there must be checks and balances and policies in place within the organizational structure to guarantee that electronic protected health information (EPHI) is:
- Not accessible to anyone except those who have a verified business need for it
- Carefully monitored during such access
- Encrypted while in storage and during transfer on any unprotected network, and only move to authorized locations
The above requirements reflect four primary practices central to HIPAA compliance as outlined below. Within these are many other facets imperative to data security, such as data loss protection, secure backup of data, process and technical controls, network configuration and the human element necessary for everything to work efficiently.
- Identity Management and Access Controls
Access controls are an excellent example of the need for technology within the flow of data. Custodians, supervisors and owners must be involved in who can access secure EPHI. There is no standard for technology in this, however employing identity and access management tools is wise for any entity wishing to comply with HIPAA. Without such technology, it would be nearly impossible to maintain control of access and related records of requests, approvals, and denials. Technological systems can further help by automating the requisite account privilege recertification.
- System and Environment Configuration Controls
Any system that stores protected data must be configured under stringent guidelines. It is imperative to know the state of critical systems at any given time within the regulated environment; simple monitoring is not sufficient when protecting data of this magnitude.
Each individual system should be separate, configured solely for their unique purpose, monitored for vulnerability and ensure that all software versions are up-to-date, and they are being administered securely.
It is essential while controlling sensitive data to know who has access at all times. Under HIPAA, it is not just the data that is monitored but the access to said data. Any application or technology that allows access to information must have in place a means of logging access, which should also be stringently monitored.
- Information Flow Control and Encryption
Obviously, data must be protected where it is stored. But in this age of technology, information never sits long at one place. Therefore, the fourth and final compliance element must secure data at all times. It must always be encrypted during transfer and may only be moved to secure, previously approved locations.
HIPAA compliance is not an easy task to achieve. As a whole, it can seem quite confusing and almost undecipherable. But when broken down into fundamental elements, HIPAA compliance is quite doable for any organization choosing to be proactive in their efforts. Decide who will be in charge of compliance within the organization, and set the policies necessary to comply. Get the technology required to maintain access controls and data security. Have those responsible trained through a compliance class. You can smooth out the rough patches and adjust policies as necessary as you go, but the first steps must be in identifying what needs to be protected, who will do so and how they will do it!
The Healthcare Insurance Portability and Accountability Act, commonly known as HIPAA, became law on August 21, 1996. The law was intended to enhance manageability and accountability of medical insurance for people who are looking for another job. It was also meant to minimize abuse, waste and scams in the medical insurance and healthcare industries. HIPAA also featured language to encourage medical savings accounts by creating tax incentives, offering insurance coverage for workers with pre-existing health issues and streamlining the way medical insurance is administrated.
The process of streamlining medical insurance administration became a way to spur the medical industry to convert medical records into an electronic format. In 2009, this portion of HIPAA gave rise to the Health Information Technology for Economic and Clinical Health Act, known as HITECH. HITECH then prompted the creation of the Meaningful Use program, which is widely regarded by medical workers as one of the most critical pieces of healthcare law to be enacted in several decades.
HIPAA Privacy and Security Rules
After HIPAA officially became law, the United States Department of Health and Human Services began working on the Act’s Privacy and Security Rules. The rules regarding privacy became effective on April 14, 2003. These rules explicitly considered Protected Health Information (PIH) to be any information in the possession of a covered entity that relates to medical care provision, health status or payment that may be connected to a specific person.
Instructions were also created on how this information should be divulged and that the individual’s permission must be obtained before their PHI is used for research, marketing, or fundraising. Furthermore, patients were given the right to conceal their healthcare-related information from insurance companies if their care is funded privately.
HIPAA’s Security Rules became effective two years later on April 21, 2005. These governed the use of PHI that is stored electronically (ePHI) and created three layers of security: Technical, physical and administrative. Adherence to these rules is required under HIPAA. They each have the following intent:
- Technical: To safeguard media that contains PHI when being electronically sent across open networks
- Physical: To restrict access to information storage areas and prevent unauthorized access
- Administrative: To put procedures and policies in place to delineate how an entity must comply with HIPAA
Introducing the Enforcement Rule
When it was first introduced, many entities failed to comply fully with the rules laid out under HIPAA, which lead to the March 2006 creation of the Enforcement Rule. This rule provided the Department of Health and Human Services with the authority to look into any violation claims against a covered entity for failure to adhere to the Privacy Rule. The department also gained the authority to fine these entities for preventable ePHI breaches that resulted from failure to comply with the safeguards set forth by the Security Rule.
The Department of Health and Human Services’ Office for Civil Rights also obtained the authority to press criminal charges against repeat offenders who neglect to take corrective action within 30 days. In addition, affected patients were given the right to bring civil suits against the offender if their PHI was divulged without their authorization and if it resulted in serious harm.
HITECH and the Breach Notification Rule
The 2009 establishment of the Health Information Technology for Economic and Clinical Health Act (HITECH) was meant to urge medical authorities to adopt Electronic Health Records (EHR) and lead to the development of the Meaningful Use incentive program. The first part of Meaningful Use, which was introduced a year later, gave healthcare companies and organizations incentives to store their patients’ PHI electronically instead of on paper.
This lead to an expansion of HIPAA Rules to Business Associates and third-party medical industry suppliers. It also resulted in the creation of the Breach Notification Rule, which stated that ePHI breaches that affected more than 500 patients are required to be reported to the Department of Health and Human Services’ Office for Civil Rights. The rules for ePHI breach reports were expanded in March 2013 under the Final Omnibus Rule.
The Final Omnibus Rule
The newest law impacting HIPAA is the Final Omnibus Rule. This rule created little new legislation, but it addressed some flaws in the HITECH and HIPAA regulations. For instance, it set forth the standards for encryption in order to make ePHI unreadable, unusable and non-decryptable should a security breach occur.
Numerous definitions were added or changed to address gray areas, such as altering the meaning of “workforce” to mean “trainees, volunteers, employees or any other individual whose conduct, while performing work under a Business Associate or covered entity, is under the Business Associate’s or entity’s direct control.”
Amendments were also made to the Privacy and Security Rules to allow individuals’ health information to be kept permanently (the old law required it to be kept for 50 years), and updated procedures were applied to the Breach Notification Rule. Furthermore, additional penalties were also created, as decreed under HITECH, for covered entities that violated the Enforcement Rule.
Updates were also made to account for changes in work practices due to advancements in technology. This particularly addressed the use of mobile devices. Large numbers of medical professionals now use personal mobile devices to communicate and access ePHI, and the Final Omnibus Rule imposed new administrative policies and procedures to address this, as well as to address other issues that were unforeseeable in 1996. You can find the complete Final Omnibus Rule text here.
Impact of the Final Omnibus Rule
One of the biggest achievements of the Final Omnibus Rule was raising covered entities’ awareness of the HIPAA safeguards that they are required to comply with. Many medical organizations, which had been violating HIPAA rules for nearly 20 years, put in place a variety of measures to ensure compliance, like encrypting data on computer networks and mobile devices, introducing solutions for secure messaging among internal care teams and implementing more secure networks and firewalls.
The financial consequences of information security breaches, as well as the enormous costs of notifying affected patients, monitoring credit and mitigating damage makes adopting new data protection technologies comparatively affordable.
Who Must Comply with HIPAA?
HIPAA rules apply to all business associates and covered entities. This includes, organizations, individuals and also agencies as they are considered covered entities. The requirements put forth by HIPAA must be followed by these entities to provide respect and rights to protect their private health information.
If a covered entity partners with another company or entity to establish or maintain healthcare needs for their business, this other business associate must have a written contract stating that all business conducted with the business associate will follow HIPAA guidelines and rules as indicated in the contract. This must mention rules pertaining to protecting the privacy of protected health information, Although the business associate has the contract in place, they are still directly liable for compliance of certain provisions of the HIPAA rules.
Examples of covered entities are as follows:
Providers, Such As:
- Nursing Homes
Health Plans, Such As:
- Company Health Plans
- Government Health Plans that Pay for Health Care
- Health Ins Companies
Healthcare Clearinghouses (electronic or data format)
The Privacy Rule provides federal protection for an individual’s health information that is held within an entity. It also gives the patient specific rights to that information. This private information is only disclosed for patient care needs or other important reasons in which it is necessary for this information to be disclosed.
Because the Privacy Rules does not require a signed consent in order for information to be shared, healthcare provides can share information for treatment purposes at their discretion.
It is not required that you eliminate all incidental disclosures as the Privacy Rules recognizes that this would not be practical. Special modifications were made to the rule that clarify that incidental disclosures cannot violate the Privacy Rule when there are policies in place that safely guard the patient’s protected health information and appropriately limit the distribution of this information. These modifications were put forth in August of 2002.
The Privacy Rule does not stop you from sharing your information with those that you grant permission to. As long as the patient gives consent, their information can be shared with whomever they desire. Information can also be disclosed when the person indicated needs to be notified about the patient. The information will be shared on a need to know basis and will have the patient’s needs as the main interest.
Unless the patient objects, the Privacy Rule doesn’t stop calls or visits to hospitals by family, friends or others. The Privacy Rule doesn’t stop basic information from being posted, unless the patient objects.
This information includes:
- Room Number
- Phone Number
- General Condition
This information can be given out in the following ways:
- Hospital Directory
- Clergy – if provided by the patient
Child abuse is no exception to the Privacy Rule. Follow standard policies put in place for reporting neglect and abuse.
The Privacy Rule applies to electronic transactions as well. Communication between providers and patients is appropriate through email, fax, or phone as long as certain safe measures are followed to protect patient privacy.
HIPAA Privacy Rules
The Health Insurance Portability and Accountability Act (HIPAA) applies to health care providers, health plans, and health care clearinghouses (“covered entities”) and their business associates.
As a HIPAA covered entity, you should be knowledgeable about HIPAA regulations. Any potential and even harmless disclosure of a patient’s protected health information can leave a physician, hospital, or health care provider susceptible to several severe criminal and civil penalties. A breach or violation of HIPAA occurs when a health care provider impermissibly uses or discloses information that compromises the security or privacy of the “protected health information.” To compete in the market without being liable for sanctions, a health care provider must have a thorough understanding of how to properly run a business without violating HIPAA.(2)
Below is a summary of the important aspects of HIPAA privacy rules.
2. Medical information uses and disclosures: Basics
The HIPAA Privacy Rule provides individuals with control over if, how, and when their protected health information is used or disclosed for marketing purposes. Pursuant to HIPAA, a covered entity shall not use or disclose a patient’s protected health information for marketing purposes unless HIPAA permits it or the patient authorizes it in writing. However, this rule is not as simple as it appears to be. There are several prohibitions, limitations, allowances, exceptions, and nuances to the HIPAA regulation.
It is important that a covered entity understand the differences between marketing communications and communications about goods, treatment, and other health care services.
So what is marketing? HIPAA defines marketing as making “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” Typically, if the communication is a marketing communication, the covered entity must obtain an individual’s authorization.(2)
3. When may a covered entity use or disclose protected health information without obtaining consent?
A covered entity is not legally required to obtain an individual’s authorization for face-to-face communications (even if the communication would otherwise be considered marketing.) For example, an insurance agent can sell a health insurance policy in person to a customer, and proceed to also market a casualty and life insurance policy. However, a healthcare provider cannot provide personal health information to the insurance agent for him to call the individual on the phone to sell the insurance.
Also, if the covered entity offers a promotional gift of nominal value, it does not have to obtain an authorization. For example, if a health care provider offers free baby items to new parents. However, a covered entity cannot disclose the patient’s address to an authorized third party to send new baby items to the new parents.
Additionally, refill reminders regarding a patient’s current prescription does not require an authorization as it is not considered marketing. However, any payment that the covered entity receives to send the communication to the patient must be reasonably related to the cost to send the communication.(2)
Furthermore, a covered entity can make a communication to a patient without an authorization to recommend treatment alternatives. However, if they receive payment, whether direct or indirect, from a third party marketer, it has to obtain an authorization from the patient. For example, if a patient has been diagnosed with Parkinson’s, a pharmaceutical sales representative wants the physician to recommend a new drug, the physician must obtain an authorization. Nonetheless, be cautious when dealing with third party marketers. The legality of the ways in which marketers influence providers to use their products and services is still a gray area.
Finally, covered entities do not have to obtain patient authorizations, as long as they do not receive payment, in the following situations:
- communication with a patient regarding treatment, including but not limited to case management, care coordination, recommendations on alternative treatment, therapy, or setting of care
- communication with a patient to describe a product or service that it provides or includes in a benefits plan
- communication on regarding a treatment alternatives for case management or care coordination activities
For more information about HIPAA compliance and marketing, read 45 CFR § 164.501 and 164.508(a)(3).
4. When must a covered entity obtain patient authorization?
A health care provider or a covered entity must obtain a written authorization from a patient to use or disclose protected health information unless the Privacy rule permits disclosure. The Privacy Rule permits the use or disclosure for treatment, payment, and health care operations.
What is protected health information? Protected health information is a patient’s private information; this includes, but is not limited to: names, birth date, age, social security number, email address, telephone or fax numbers, medical record numbers, biometric identifiers, geographic information and full-face photographic images (or any comparable images). Essentially, it is any information used to could allow any unauthorized third party to ascertain a patient’s identity, medical condition, or injury.
Nonetheless, there are three extremely specific situations where a covered entity absolutely must obtain written authorization:
- for the use and disclosure of psychotherapy notes;
- for the use and disclosure of PHI for marketing; and
- for any disclosure of PHI which is a sale.
Additionally, substance abuse treatment programs are subject to the HIPAA authorization requirement if the program operates as a covered entity. A treatment program is a covered entity if it handles health plans, coordinates benefits, or inquires about a patient’s eligibility, coverage, or benefits. It is important to note that HIPAA does not address whether authorizations are required to disclose a patient’s identifiable information about sexually transmitted diseases or HIV. Please review your state’s authorization requirements to get up-to-date laws on authorization requirements.(2)
What must be included in an authorization? An authorization must include the following:
- a description of the information that the covered entity wishes to use or disclose;
- the person who is authorized or permitted to use or disclosure the information;
- the person to whom the covered entity may disclose the information;
- a description of each purpose of the requested use or disclosure;
- an expiration date;
- the patient’s signature (or a personal representative who has shown his/her authority to act on behalf of the individual) and date. 45 CFR § 164.508(c)(1)(i)-(vi);
- a statement which states the individual’s right to revoke the authorization in writing; and,
- a statement that the provider cannot condition treatment on a patient signing an authorization
4. When does a covered entity need to provide individuals with an opportunity to consent?
Under the Privacy Rules, if a hospital or any covered entity wants to publish a patient’s protected information in a directory, it must provide that individual with an opportunity to consent.
A directory allows loved ones, including family members, friends, coworkers, clergy members, attorneys, or anyone else who asks for the individual by name to find that patient in the hospital. If the patient does not permit the hospital to disclose this information, then the hospital would not be able to tell the visitor that he or she is there, route calls, or deliver flowers. The directory contains the patient’s protected health information, including the patient’s name, location, and sometimes general information about the patient’s condition and religion (which is only accessible by the patient’s clergy).(2)
A patient can choose whether to disclose information on the directory when he or she is admitted to the hospital. At that time, the patient may agree, disagree, or specify what information can be shared. A health care provider can also obtain verbal consent from a patient; however, if the patient wants to prohibit certain people from having access to the directory information, for example, a reporter, it is best if the patient puts the request in writing.
If there is an emergency and the patient is unable to give verbal consent, the health care provider or physician must use his or her best judgment.
For more information, see 45 CFR § 164.510(a) and HHS’ information about hospital directories.
A covered entity might also share personal health care information with a patient’s family, friends, or anyone else the patient approves. They might use or disclose personal health care information to notify a family member, personal representative, or someone responsible for the patient’s care, location, death, and/or general condition.
Obviously, if the patient is awake, cognizant, and has the mental capacity to determine who the covered entity should disclose the personal health care information, the health care provider should obtain the patient’s agreement. However, if the patient is not awake, cognizant or lacks mental capacity, the covered entity should use professional judgement to determine whether it is in the patient’s best interest to disclose a patient’s personal health care information.
If the patient died, the provider can disclose the protected health care information to the people who provided care to the patient or paid the patient’s hospital bills. HIPAA permits an entity to disclose only the information relevant to a patient’s health.
The U.S. Department of Health and Human Services (HHS) provides the following examples:
- A doctor may give information about a patient’s mobility limitations to a friend driving the patient home from the hospital.
- A hospital may discuss a patient’s payment options with an adult child.
- A doctor may instruct a patient’s roommate about proper medicine dosage when she comes to pick up her friend from the hospital.
- A physician may discuss a patient’s treatment with the patient in the presence of a friend when the patient brings the friend to a medical appointment and asks if the friend can come into the treatment room.
5. When may a covered entity use or disclose PHI for fundraising purposes?
A covered entity is permitted to use or disclose a patient’s protected health information to a business associate or an institutionally related foundation to raise funds for its own benefit. A business associate provides specialized services to a covered entity. This includes legal, actuarial, debt collection, and financial services. However, the business associate may not use or disclose PHI in any way that would violate its contract or HIPAA.
Under HIPAA, a covered entity are permitted to use or disclose only the following information:
- demographic information including name, address, other contact information, age, gender, and date of birth;
- dates of health care provided to the individual;
- department of service information (e.g. cardiology);
- treating physician;
- outcome information; and
- health insurance status.
However, an individual may opt out of receiving fundraising communication. In fact, when a health care provider or covered provider sends a fundraising communication to an individual, it must provide a “clear and conspicuous” opportunity to opt out of receiving further communications.(2)
But be forewarned, any individuals who receive these communications should pay attention to the scope of the opt out every, single time they receive one. Why? Because a covered entity exercises sole discretion when crafting the opt out. It decides whether to apply an opt out to a specific campaign or to all fundraising in general.
Also, the covered entity’s notice of privacy must specifically state its’ right to contact the individual to raise funds for the covered entity; but, that the individual has a right to opt out of receiving the communications. 45 CFR § 164.514(f)
6. How does the HIPAA Privacy Rule apply to uses and disclosures of genetic information?
The Privacy Rule prevents most health insurers from disclosing genetic information for underwriting purposes, such as determining eligibility or setting the cost of premiums. Genetic information includes a patient’s genetic test results, the patient’s family member’s genetic test results, evidence or documents concerning the manifestation of a disease or disorder in the individual’s family members, and, any and all requests for or receipt of genetic services, or participation in a clinical research (that includes genetic research) by a family member or the individual.
This prohibition also applies to group health plans (employers), health insurance issues (PPOs and HMOs), and issues of Medicare supplemental policies. However, it does not apply to long-term insurers.
For more information and the precise definition of genetic information, see 45 CFR §160.103.
HIPAA Security Rules
The transformation from a paper-based record system to an electronic one is undoubtedly going to result in some hiccups. The more we begin to rely on electronic records, the more our data is susceptible to inappropriate access. For this reason, it is essential for health care workers to notify patients immediately if their data is lost or stolen. You have probably heard of the Health Insurance Portability and Accountability Act, also known as HIPAA. Vital steps must be taken to ensure HIPAA is upheld in today’s tech-based society. The importance of holding responsible parties accountable cannot be emphasized enough.(3)
Electronic Health Records
Electronic health records, sometimes called EHRs, are medical records that have been stored digitally. Whereas it was once commonplace to store records in paper charts, the government has begun to encourage medical professionals to transition to electronic databases. The goal is to improve the quality and efficiency of the health care system. Still, privacy is a big concern among patients who want to ensure that authorized users are the only ones with access to records.
The information included in an EHR is private, generally consisting of in-patient and electronic communications. A patient’s entire medical history, notes written by medical professionals, and list of allergies will be included. So will medications, results from lab tests, images, and billing information. Records may even contain immunization and diagnosis history.
While there is no centralized database of EHRs, there could possibly be one in the future. A Nationwide Health Information Network would make it easy to exchange information about one’s health over a secure Internet connection. According to the Health Information Technology for Economic and Clinical Health Act, this system would share data between EHR software by 2014.(3)
While this did not happen, that may very well be a good thing. There are still quite a few security issues to work out. For starters, some of the data formats just aren’t compatible at this time. Additionally, the network will need to work with policies adapted by different health institutions.
The best thing about electronic health records is that they allow information to be easily shared between physicians, specialists, emergency rooms, and other healthcare professionals. Fortunately, this allows every healthcare professional to have complete records. Not only does this improve the level of care you receive, but it also improves efficiency and lowers costs associated with staying healthy.
There is also a community benefit to the availability of EHRs. Using this information, mandatory health reporting is simple. So is medical research.(3)
Of course, there are still some security risks to consider. HIPAA does apply to any of the information found in EHRs. Simply because you can find the data electronically does negate any HIPAA obligation. This is where the HIPAA Security Rule comes in.
You don’t want your health information everywhere for good reason, but it is much more accessible now than ever before thanks to the Internet. Getting rid of records is no longer as easy as shredding a document. It is easier now than ever to send and access records, so it makes sense that you are concerned. After all, one need only to read the news to see how often security breaches occur.
Unauthorized data breaches and access happen all the time. Occasionally, hackers are responsible, but not always. Computers are stolen or lost, as are flash drives. There is no telling where your data could end up.(3)
HIPAA Security Rule
The HIPAA Security Rule lays out guidelines that instruct different organizations on how to deal with personal health information (PHI) that is electronic. Patients need to understand how their healthcare professionals deal with information on a national level. Every organization that collects or transmits PHI electronically must use safeguards to keep it inaccessible to those who should not have access.
The HIPAA Security Rule is meant to protect protected health information stored or transmitted electronically. These guidelines do not necessarily apply to paper documents you might find in a cabinet or folder.
Of course, there are still some rules that apply to paper documents. They are still covered by HIPAA Privacy Rules, as are any forms of protected health information. If paper documents were disclosed to an unauthorized party, it still applies as a Breach of Notification.
In cases during which the records of more than 500 people are compromised or affected, the HHS website will post about the incident. Generally, these incidents are a result of careless employees or security practices with the papers. For instance, somebody could have forgotten to remove records from a cabinet or documents could have been stolen from a car. Typically, the United States Department of Health & Human services oversees the Security Rule and determines what action needs to be taken.(3)
Additionally, the Security Rule requires every business or organization to have a security plan for its data provided in writing. These plans must contain administrative, physical, and technical safeguards.
Administrative safeguards are those you can implement in the office. For instance, you can train employees on proper procedures as well as implement a system to identify potential security risks. Much of this type of safeguard relies on training and maintaining staff member vigilance.
Physical safeguards are just that: physical barriers. These are the steps you put in place to prevent unauthorized access to files, devices, and work areas. These could include locked doors and cabinets.
Technical safeguards are those that use technology to control access to records. For instance, you may put into place computer passwords or barriers that do not allow electronic transmission outside of the office network.
Generally, there are no specific laws as to how healthcare providers can get rid of documents. There are penalties that can result from improperly disposing of certain items, like medication bottles with prescription information attached.
When a patient is given a Notice of Privacy from their healthcare provider, they may not see any sign of the organization or business’s privacy practices. According to HIPAA, an organization is not required to give out specifics on their plans for secure data. They are only obligated to notify a patient if their protected health information might have been compromised.(3)
All of this is good, considering the modern types of security breaches. Risks come from the familiarity of mobile devices, including smartphones, tablets, desktops, and laptops. Healthcare professionals and patients both use them. In fact, PHI breaches tend to involve theft or loss of these devices. Taking steps to add security to these items is essential.
Medical identity theft is also increasingly common. When somebody commits this crime, they use another person’s information, obtained from personal health files, in order to seek insured treatment. If you think your health history is the only information available, you are wrong. These files list your social security number and even financial accounts. Even your insurance information could be available to somebody looking to commit fraud.
Breach Notification Rule
Any compromise involving one’s protect health information must result in notification according to HIPAA. In addition to notifying the individuals affected, the businesses and organizations must also get in contact with the United States Department of Health & Human Services, specifically the Office of Civil Rights. All breaches of security must be reported. In rare cases, the organization or business must also get in touch with local media.(4)
This begs one question: what is a breach or compromise of data? According to HIPAA, a breach is defined as the unauthorized access, use, or disclosure of health information deemed protected. A breach ultimately leads to lack of privacy and security.
It is important to note that not every data breach requires notification. Protected health information must have been unencrypted or otherwise unsecured at the time of the breach.
There are several other cases in which the HIPAA breach Notification Rule does not apply. For instance, if a member of the organization’s staff accesses the information without disclosing it to anybody else, no notification is necessary. Two people who are both authorized to access personal health information may also inadvertently discuss it without sending a notification. HIPAA also makes an adjustment for times in which the unauthorized individual would be unable to retain the information. For instance, this may apply to a young child or infant.(4)
Ultimately, a business or organization was once not obligated to disclose a breach of information unless it has been determined that physical, financial, or emotional harm may result because of it. As of 2013, the guidelines are more strict.
In most cases, an organization or business is at liberty to determine when data has been compromised. These organizations go through risk analysis, determining the type of breach and the extent of the information divulged.
For instance, a name being leaked is much different from breach of names, home addresses, and social security numbers. The organization will also take into account the person who had unauthorized access, whether information was actually viewed or simple accessed, and which actions the organization can take for the future.(4)
Overall, risk management can suggest that there is no need to alert patients, as personal health information was not compromised. This could be the result if the wrong physician picks up a fax about a patient, for example.
While the HIPAA guidelines reach organizations on a national level, each state has its own guidelines. Typically, organizations notify individuals via email or first-class postal mail, depending on the patient’s notification preferences. If the company is unable to reach at least 10 of the individuals compromised, posting the information on a website is acceptable. If unable to reach fewer than 10 people, the business can make phone calls instead.
This communication must be sent within 60 days of the breach or discovery of said breach. An exception is made for cases in which law enforcement delays notification due to an investigation.
In this notification, the organization must include a description of the breach that occurred, as well as the date it occurred and date the organization discovered it. The patient must know what type of information was included in the breach, as well as how the disclosure was found out. The patient must also have a way to contact the business following the breach (toll-free number, website, business address, email address) and steps to take to provide protection from identity theft.(4)
Of course, HIPAA requires notification for media and the government as well, at least in some cases. If the breach has affected 500 or more residents in one particular state, media outlets need to be made aware so that individuals can be alerted of the breach on a public network.
Notification of the Department of Human & Health Services is essential in some cases as well. If the breach influenced 500 people or fewer, the notification must occur within one year of the incident. In cases in which 500 or more people have been compromised, immediate notification is mandatory. Those incidents need to be posted on the entity’s website too.
The Department of HHS does list some incidents, specifically those in which insiders were involved and that affected 500 or more patients. You would find these listed under the heading “Unauthorized Access.”
The Federal Trade Commission, also known as the FTC, also has some involvement in the way personal health information is cared for. In cases in which data is stored by a web-based vendor that specializes in personal health records and was breached, the FTC may issue its own guidelines. Still, these companies are not necessarily subjected to HIPAA, so rules may be much different.
Companies that fit into these guidelines might include programs for tracking weight or fitness goals. Apps that fulfill these goals are commonly found on smartphones and tablets, and they are not ruled by HIPAA guidelines.
Organizations that are required to report to the United States government may also be required to report breaches to the FTC. Incidents will be posted on the agency’s website as well.
HIPAA takes security seriously, and even a single breach can be devastating for individuals and businesses alike.(4)
In the mid-90s, the internet and various advancing technologies were an inescapable part of everyday life. The World Wide Web, computers, and software became commonplace fixtures in any business or health care related profession. While these advances increased workplace efficiency and increased the ease in which one could access company and patient information, it opened organizations and individuals up to security breaches and unsecured information.(5)
Overall, these developments brought to light the need for enhanced security and patient control over medical records and treatment. In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress and is now a legal standard in health care and an accepted method of ensuring patient and business privacy. In 2003, the privacy aspect of HIPAA was expanded upon with the Privacy Rule, which is a Federal law and entitles patients to certain rights and authority over health information, allowing the individual to set limits on how their health records are distributed and viewed.
This applies to all written, electronic, or oral communications. Furthermore, the Security Rule is another Federal law that solidifies the requirement for all covered entities to take specific security measures to ensure the protection of electronically based health information.(5)
A covered entity is a term that covers a broad range of professionals and businesses involved in administering and regulating health care. This includes health plans, such as Medicare, Medicaid, all health insurance companies, business health plans, and HMOs. In addition, a majority of health care providers are included, such as doctors, hospitals, mental health professionals, dentists, pharmacies, and alternative medicine providers, such as chiropractors.
Health Care Clearinghouses fall under the covered entities heading and refer to those businesses that deal with nonstandard health information. Businesses that have any involvement with one of the listed covered entities, such as billing companies, lawyers, information technology specialist, or accounting firm are also legally bound by HIPAA and the subsequent Privacy and Security Acts. There are certain groups of people and companies that are not required to adhere to these acts, and they include worker compensation companies, life insurers, law enforcement and state agencies, schools, and employers.(5)
It is important for the both the patient and health care provider to understand what information is being protected, as to avoid any security breaches. Protected information includes any information in various medical records, patient conversations with all health care professionals about care and treatment, billing data, and a majority of other information regarding patient health. Any patient has the right to see and receive a copy of all health records, request correction be made to health-related documents, control over who the medical records are shared with, receive a report of who and why health care information was shared with, and the ability to file a complaint if the patient feels any of his or her rights have been violated.
HIPAA and its subsequent acts are not only in place to protect patient information and the transmission of that information, they are designed to improve individual health care practices. The Health Information Technology for Economic and Clinical Health Act, more commonly known as the HITECH Act is one such measure enacted to improve quality of patient care.
This act was passed in 2009 and aims to integrate various electronic health care systems, such as the doctor’s office with a patient’s chosen pharmacy, to create instances of meaningful use of electronic health records (EHR). Meaningful use denotes that information will only be shared, in accordance with HIPAA laws, to make noticeable improvements in patient care. The goal of the HITECH Act is to make improvements in health care efficiency, safety, and quality standards.(5)
Example of meaningful use covers a broad range of practices and include e-prescribing, drug-allergy checks, records of appropriate demographics, maintenance of a current list of patient’s diagnoses, lists of medications used, sending electronic reminders to patients about follow-up care and appointment, and a plethora of other examples.
The government is investing enough in the act that they offer incentive payments to professionals, businesses, and programs that successfully institute the HITECH Act. In addition, those doctors who do not institute the HITECH Act will be penalized a percentage of their business’ earnings.
Due to the fact that the HITECH Act deals with electronic information, it stands to reason that there is a sizable software and IT component. The Obama Administration created an IT program that would be funded with investments on a federal level to stimulate measures such as the implementation of the HITECH Act. With the advent of the IT component, businesses are being scrutinized for proper HIPAA compliance more than in the past.(5)
This pushes companies to conduct an assessment of security risks and employment of measures of control to offset any risks. These measures are known as the Security Rule, mentioned above, and apply to all covered entities and their associates.
Risk analysis must operate in accordance with professional standards such as the repeatability of testing methods that analyze the sensitivity of the information, volume that is being handled, content, any possible threats, quality and accessibility of protected health information (PHI), and the strength of in-place security measures. The goal is not to automatically push through a report that indicates the company is secure, but to thoroughly assess risk.
If weak areas of security are found, it is the health care provider’s responsibility to increase or update security measures in that area. Risk assessment should be carried out often, under the supervision of administration, as breaches of security can be grounds for civil or criminal charges.(5)
The HIPAA Security Rule and subsequent risk analysis have contributed to a rise of high-quality software and applications that ensure security while providing vital functions within the health care realm. A crucial aspect of HIPAA requirements and the Security Rule is that information is accessible, but only to those who have approved clearance.
This requires software and programs that aid in user login security. These programs are known as systems of Identity and Access Management (IAM) and ensure that a company’s access-control mechanisms are secure and up-to-date.
While this advanced technology may be considered too costly for smaller companies, it is a key feature that can secure PHI. Other methods to ensure compliance with the Security Rule include proper encryption of data, entering into contractual agreements that specify partners who will be handling PHI are abiding by Security Rule standards, and strong wireless internet protection and internet monitoring.
The HITECH Act and Security Rule have created both a streamlined system for the meaningful sharing of EHR and the need for improved security features and assessments within an organization.
Understanding HIPAA and HITECH is different that a practical implementation of a plan for compliance with each act. Putting together all the above information with the requirements of the Security and Privacy act, risk assessment, security measures etc. requires a business to have a HIPAA compliance plan. Following are eight key steps to ensure that your company does not become liable for a breach in security.(5)
Outline and Solidify Privacy Practices
The first step to HIPAA compliance is to develop a clear understanding of what privacy practices and policies your company is responsible for. The development, adoption, and implementation of all such policies is the goal, but creating a physical document that outlines what regulations are at play is crucial to avoid any ambiguity or misunderstanding between parties at a later date.
2. Allocating a Position for Security and Privacy Officers
While the Security and Privacy Officer position may be held by the same person in a small practice setting, it is generally more efficient to have a different person for each role in larger practices. These officers are in charge of implementing and assessing the HIPAA compliance plan. Furthermore, these two positions are required to exist within any organization that handles PHI or EHR in order to be considered HIPAA compliant.
3. Risk Analysis/Assessment
This is the process that has been thoroughly described above. Remember to assess both the security, integrity, and accessibility of PHI of both your practice and all associated covered entities, such as associates, billing companies, legal teams, PHI document disposal companies, etc. This includes security measures such as the IAM and encryption services, but risks posed by extenuating circumstances such natural disasters, fire, or outside hackers should be taken into account. Something to take into consideration is that it is possible to hire an outside contractor to conduct the risk assessment, which can be an excellent option for a large and busy practice. Due to the frequency that risk assessment needs to be performed, every few years or when major system changes or practice policies have been changed, the cost may be a burden to smaller businesses who can perform the in-house analysis.
4. E-mail and Mobile Phone Policies
While HIPAA does not restrict the use of e-mail or mobile phone for transmission of PHI, it is important to have clear documentation of what safety policies are in place to secure this type of transmission. The e-mails are not required to be encrypted, but this step is preferable to ensure the integrity of transmission. Perhaps the most important step a practice can take to safeguard against breaches or complaints is to have a clear documentation that a patient understands the risk associated with e-mail and mobile phone communication.
5. Covered Entities Associate Contracts
The companies that help you run your organization or practice are known as “Business Associates” and undoubtedly will be handling a great deal of PHI. While these business associates are separately run companies, it is your responsibility to assess their risk of HIPAA breaches and enter into a contract with them that clearly states their responsibilities to your practice and the PHI you handle. If a business associate violates HIPAA guidelines with PHI from your patients, your practice could be held, at least partially, legally responsible.
6. Employee Training
7. Patient Privacy Practice Notices
Every patient should receive a Notice of Privacy Policies upon becoming a client of your practice. This can be given with initial paperwork packets, either mailed to the patient or handed to them at their first doctor’s visit. The patient’s signature, or the signature of the patient’s legal guardian, should be displayed on a document stating that the Notice of Privacy Policies were received and understood. In addition, a copy of the document must be available on the practice’s website and all physical and electronic copies must be updated as policies change.
8.Protocol for Potential Breaches
All breaches must be secured and investigated in a timely manner. Having a protocol for doing so is a must, as it ensures the breach can be rectified swiftly and efficiently. Frequent risk assessment is one tool that can be used to check for any potential breaches. If a breach has been found, it is the responsibility of the practice to notify the authorities and document as much information as they have on the infraction. Breaches may be unavoidable over a long span of time, but knowing how to deal with the problem quickly can save the practice from potential litigation and lawsuits.
Fully adhering to HIPAA guidelines, the HITECH Act, the Security Act, and the Privacy Act demands a full understanding of what each act requires, is used for, and how it needs to be implemented. Allocation of a practice’s time and finances are unavoidable but necessary. If a company takes the time to put quality effort into creating a HIPAA compliance plan while training employees on these procedures, the time and money spent now will surely save vital resources in the future.
The HIPAA Privacy Rule protects patients’ privacy regarding their medical records and other sensitive health information, which may be in the hands of certain entities covered by the federal HIPAA regulations. Typically, these covered entities include, health plans (both private and some government health plans),doctors, hospitals, health care providers, and health care clearinghouses. Not only do HIPAA regulations ensure that patients have access to their own records and personal health information, they also set requirements for how these records can be distributed or disclosed.(6)
As of April 14, 2003 many of the HIPAA regulations took effect and compliance was required by the covered health care entities as of April 20, 2005. Since 2009, the Office for Civil Rights (OCR) has been responsible for monitoring compliance with HIPAA regulations for covered health care providers. Specifically, the HIPAA Enforcement Rule, codified at 45 CFR Part 160, Subparts C, D, and E, provides for the enforcement process and investigation procedures for an entity covered under HIPAA that is not in compliance with the HIPAA Privacy Rule. The enforcement process and typical outcomes of investigations by OCR of covered entities are discussed below.
OCR investigates compliance issues with HIPAA through investigating complaints filed with OCR and undertaking compliance reviews of covered entities. Additionally, OCR provides various education, training and outreach opportunities to inform covered health care providers of their obligations under HIPAA and encourage necessary compliance before a complaint is filed.
Once OCR accepts a complaint or begins an investigation, it notifies both the party who filed the complaint and the entity involved in writing. OCR may request additional information from the covered entity to complete its investigation. OCR will communicate directly with the health care provider. If OCR concludes that a violation of HIPAA has occurred, OCR can work with the entity to encourage compliance, require a corrective action, and/or enter into a resolution agreement.(6)
Once the OCR and the covered entity have reached a resolution, all parties to the complaint and investigation will be notified of the result in writing.
The vast majority of cases investigated by OCR arise from complaints received rather than OCR’s own fact finding investigations. Since compliance with the HIPAA Privacy Rule has been required, OCR has received over 125,445 HIPAA complaints. In addition to the complaints received by OCR, OCR has initiated at least 854 HIPAA compliance reviews on its own accord. OCR boasts a high resolution rate for all compliance cases, now at 96%, or 119,964 resolved cases.
Rather than simply imposing sanctions on entities that OCR finds have violated HIPAA Privacy Rules, OCR takes an active role in working with the entities investigated to reform practices that do not comply with HIPAA regulations. In more than 24,047 cases, OCR resolved the matters by identifying and assisting with implementing corrective practices to ensure that the same violations do not repeat themselves.(6)
Just because OCR responds to a complaint or initiates an investigation on its own accord does not mean the entity being investigated is assumed to be in noncompliance with HIPAA. In fact, in 10,928 cases investigated by OCR, it was determined that no HIPAA violation occurred and no corrective action was taken. In addition, OCR can respond to a complaint without necessarily undertaking an investigation of the entity. Indeed, in 11,701 cases, OCR responded to a complaint by providing compliance advice to the entity without formally investigating the entity.
OCR is not always able to intervene, even if there is a perceived HIPAA violation. In 73,288 cases, OCR determined that no investigation or action could be taken because OCR did not have the jurisdiction to investigate the entity subjected to the complaint or the perceived privacy violation was simply not covered under HIPAA. For example, OCR will not have the jurisdiction to investigate if a complaint was not timely filed or the entity named in the complaint is not one of the entities covered by HIPAA.
In 2014, OCR reported that four percent of cases investigated resulted in a finding of no violation, and only seven percent of cases investigated resulted in a corrective action. This shows that the vast majority of cases reported to OCR or investigated on its own behalf, result in some sort of resolution or technical assistance on the part of OCR to the covered entity rather than corrective action or some sort of penalty. 2014 saw the lowest total number and percentage of cases investigated by OCR resulting in a corrective action since the start of enforcement of HIPAA Privacy Rules.
In some cases, OCR will refer a case to the Department of Justice (DOJ) if it suspects that criminal activity is involved in the HIPAA violation. So far, this has occurred in only 566 cases.
As of 2014, the most common issues subject of investigated cases which resulted in some form of corrective action by OCR include impermissible use and disclosures, safeguards, administrative issues, access and technical safeguards.(6)
OCR may elect to enter into a resolution agreement with an entity it has found to be in noncompliance of HIPAA regulations. The U.S. Department of Health and Human Services (HHS) signs off on the agreement along with the noncomplying entity. The resolution agreement will typically consist of obligations and reporting requirements that the covered entity will have to meet in order to avoid any penalties levied by OCR for its HIPAA violation(s). The monitoring period under the resolution agreement usually lasts for three years. Monitoring responsibilities are undertaken by HHS, with whom the covered entity will be communicating.(7)
Although resolution agreements can be an option offered by OCR in lieu of imposing a monetary fine against the covered entity, resolution agreements may also require the payment of a certain amount by the covered entity. After entering into the resolution agreement, if the covered entity fails to comply with the obligations imposed by HHS, a civil monetary penalty can result.
HIPAA Violation Fines and Penalties
In today’s world, the personal health information of patients is in some ways harder to protect than ever before. Whether it is a computer hacker attempting to hijack a hospital’s records or an employee stealing the information for identity theft purposes, keeping a patient’s personal information confidential is a top priority for any healthcare organization. With the introduction of the Health Insurance Portability and Accountability Act in 1996, it has become easier to safeguard information as well as who is given access to the information. But despite this, numerous healthcare providers still violate HIPAA on a regular basis, prompting many different types of fines and other penalties to be enforced.(8)
Application of HIPAA Fines and Penalties
Applying to healthcare providers, health plans, healthcare clearinghouses, and other Covered Entities as well as Business Associates of Covered Entities, the Office for Civil Rights of the U.S. Department of Health and Human Services enforces various levels of fines and violations on those who fail to comply with HIPAA rules. Based on changes made to the Health Information Technology for Economic and Clinical Health Act, the fines and penalties have been updated to reflect the seriousness of certain violations. The purpose of the penalties is to not only act as a deterrent, but also hold violators accountable for their actions. While some violators claim ignorance of HIPAA rules, that defense is by no means a way to avoid fines and penalties. However, in some cases it may affect the level of fines and penalties imposed, depending upon the circumstances of the individual case.(8)
HIPAA Penalty Structure
In order to make the penalties as fair as possible, the Office for Civil Rights has established a tiered structure for penalties. Based on the knowledge a covered entity had of the violation, the OCR will determine the penalty to be assessed from the seriousness of the violation as well as other factors that were in play at the time of the violation. The penalty structure, divided into four categories, varies in seriousness. For example, a Category 1 violation is one in which a covered entity was unaware of and could not have avoided even by using a reasonable amount of care. Category 2 violations are one in which the CE should have been aware of, yet still could not have avoided despite using reasonable care. However, Category 3 violations are deemed to be the direct result of willful neglect on part of the CE, while Category 4 violations are the most serious. In these instances, HIPAA rules are willfully violated, and there were no attempts made to correct the situation.(8)
Once violations are deemed to have occurred, the Office for Civil Rights will use its discretion to assess financial penalties. Some of the factors taken into consideration include:
- Length of time the violation persisted
- How many people were affected
- Type of data that was compromised
- Willingness of the organization to cooperate with investigation
In addition to these factors, the prior history of the accused organization, along with its current financial condition and level of harm caused by the violation, are assessed by the OCR prior to implementing fines and penalties. Category 1 violations are fined at the rate of $100 per violation, up to a maximum of $50,000. Category 2 violations are fined $1,000 each, also up to $50,000. More serious violations, such as those in Category 3, carry fines of $10,000 each up to $50,000. For those organizations whose violations fall into Category 4, the minimum fine is $50,000 per violation. Maximum limits are in effect for all fines, while the maximum fine per category annually cannot exceed $1.5 million.
In certain situations where HIPAA violations are present, separate fines and penalties may be imposed. For example, if a data breach or other incident involving a security breach occurs, separate fines could be brought against the violators. Using multiple security and privacy standards, the Office for Civil Rights may decide to levy a fine of $50,000 for any violation in which they see fit to do so, no matter how minor it may be. However, in most cases this rarely happens. In other situations, fines can be applied daily. This happens most often when patients have been denied access to their medical records for a long period of time, such as one year. In these cases, the certified entity would be fined a certain amount per day until compliance is met. Otherwise, additional penalties may be brought by the OCR.(8)
The Role of Attorney Generals
In addition to fines and penalties imposed at the federal level, state Attorney Generals also have the power to penalize violators if necessary. Possessing this authority since February 2009, state Attorney Generals can impose minimum fines of $100 per violation as well as file civil lawsuits with federal district courts.
Along with monetary penalties, some HIPAA violators may also face criminal charges for their actions. Much like financial penalties, criminal penalties are grouped into tiers. Decided by a judge per each individual case, violators who had no knowledge of the violation could face up to one year in jail, while those who obtained Protected Health Information under false pretenses may face up to five years in jail. However, the harshest penalties are reserved for those who obtain PHI with malicious intent or for personal gain. In these instances, violators could face up to 10 years in jail.
While penalties can vary due to different states having different laws, it has become clear that state and federal officials are intent on cracking down on these incidents. As the value of Protected Health Information increases on the black market, the number of employees convicted of stealing PHI has greatly increased. Therefore, it’s recommended that all staff who deal with PHI be trained to understand the seriousness of HIPAA violations. By doing so, healthcare providers and patients can all have peace of mind, knowing their records will remain safe and secure.(8)
Examples of HIPAA Violation Cases
1. Hospital Implements New Minimum Necessary Policies for Telephone Messages
Due to a hospital employee not following proper procedure, private medical information was disclosed to the daughter of a man. Upon performing an OCR investigation, it was confirmed that confidential communication requirements were not met. Originally, the hospital worker was suppose to contact the woman through her work phone number. In response, the hospital created a new set of guidelines, educating the workers about what information can and cannot be shared, especially when leaving messages. These guidelines have to be visited by the workers every year to ensure proper training.
2. HMO Revises Process to Obtain Valid Authorizations
HMO sent a patient’s entire medical record, including PHI, to her disability insurance company. Understandably, this patient made a big issue and complaint. An OCR investigation determined that the information on the transferred form violated certain privacy guidelines. To compensate for the mistake, HMO created a new set of rules. Not only were the new privacy rules stricter, but they must obtain a patient signature before sending any type of information whatsoever, even if the patient requests it.
3. Mental Health Center Corrects Process for Providing Notice of Privacy Practices
A man’s daughter was not given a written notice of privacy policies before undergoing her mental health evaluation. After a thorough OCR investigation, the mental health center admitted to not giving the patient a written privacy notice before performing the evaluation. To correct the error, the center began implementing new guidelines that changed the way in which patients get booked. From that point on, staff must obtain the patient’s signature, confirming that the patient received a receipt of the privacy disclosure statement. Some of the company’s policies were changed as well.
4. Entity Rescinds Improper Charges for Medical Record Copies to Reflect Reasonable, Cost-Based Fees
An anonymous entity failed to give a patient access to their medical records and history. To add insult to injury, the entity billed the patient 100 dollars for both administrative and record costs after getting a warning from the OCR. However, the Privacy Rule only includes services that involve copying, postage or preparation services. The patient’s request did not involve any of these services. As a result, the entity had to refund the patient’s 100 dollars.
5. Hospital Issues Guidelines Regarding Disclosures to Avert Threats to Health or Safety
A hospital violated health, safety and privacy guidelines by disclosing a patient’s medical history, including a copy of an x-ray and medical condition description, to local news without the patient’s authorization. This resulted in the patient’s x-ray and medical condition description being posted on the front pages of the newspaper. In fact, the patient’s age, location, gender and other information was disclosed as well. At first, the hospital tried covering up their mistake through an excuse, saying that the disclosure was done in the name of preventing a serious threat to health or safety. However, privacy guidelines showed that hospital had no legitimate reason to disclose such information. In turn, the OCR made the hospital revise all privacy guidelines and retrain all staff members.
6. Private Practice Implements Safeguards for Waiting Rooms
HIV testing procedures were discussed by a staff member to the patient in the middle of a waiting room. This resulted in PHI information being disclosed to several other patients who were also in the room at the time. OCR made the hospital revise PHI discussion procedure, retrain all staff and even install privacy screens on all computers and electronics. Almost all computers in medical buildings today have this screen-privacy technology.
7. Pharmacy Chain Enters into Business Associate Agreement with Law Firm
A law firm working for a pharmacy chain disclosed a patient’s private PHI information. Although an OCR investigation found no evidence confirming the unauthorized disclosure, it was found that both the pharmacy chain and law firm didn’t enter into a business associate agreement, making it illegal to disclose any information whatsoever. Both the law firm and pharmacy chain were forced to enter into a business associate agreement. One can’t help but think about the possibility of the pharmacy chain and law firm destroying evidence.
8. Radiologist Revises Process for Workers Compensation Disclosures
A radio logical summary of a patient’s test results were transferred to the patient’s employer, attempting to make a compensation claim. It turned out that the patient never had worker’s compensation, nor did he recognize the specific compensation plan. Upon investigating, OCR concluded that the staff wrongfully relied on incorrect billing information. Strict corrective measures were immediately put in place, involving a revision of guidelines, sanctioning of staff members responsible, apologizing to the patient and retraining all employees of both the insurance company and radiology practice center. Workers compensation must now be specifically requested before submitting any test results.
9. Pharmacy Chain Institutes New Safeguards for PHI in Pseudoephedrine Log Books
A pharmacy contained within a grocery store kept log books of private patient health information right on the counter area, disclosing private information in plain sight. At first, the pharmacy never admitted to the log books containing private, protected information. In response, OCR demanded them to comply with new privacy standards, requiring them to implement national codes as a way to protect private information in log books. All staff members had to be retrained accordingly to the new set of guidelines and procedures. In the end, the pharmacy chain finally admitted that private information was contained within the log books.
10. Pharmacy Chain Revises Process for Disclosures to Law Enforcement
A pharmacy chain was pressured by municipal law enforcement to disclose a patient’s protected health information as enforced by the Privacy Rule. To correct his, OCR made the entire chain revise their national guidelines regarding the disclosure of private information to law enforcement. Written requests from law enforcement officials no longer warrants a disclosure of private information, unless required by court or state law. Every storefront of the pharmacy chain across the nation had to follow the new set of guidelines and procedures.
11. Large Medicaid Plan Corrects Vulnerability that Resulted in Disclosure to Non-BA Vendors
While processing Medicaid applications, a social service agency wrongfully disclosed a client’s private health information to a non-business associate. Not only did OCR limit the agency to disclose such information to business associates only, but a new set of guidelines made it more difficult to warrant transfers of private information all together. The revised set of rules were implemented in both Medicaid offices and other health care programs, requiring a retraining of all staff members and workers.
12. Health Plan Corrects Computer Flaw that Caused Mailing of EOBs to Wrong Persons
A health maintenance organization sent records of a patient’s medical history, including EOB, to a family member. Not only that, but a coding error in the computer system put the private medical history of over 2,000 people in danger of being disclosed. OCR made the company correct and analyze any corrupted information within a six-month time frame. All computers and other electronics were fixed and thoroughly checked for any other bugs. Even transactions that were completely legal had to be reviewed, as required by the OCR.
13. Health Sciences Center Revises Process to Prevent Unauthorized Disclosures to Employers
A science center made the mistake of disclosing private information of a client to their employer. From that moment on, the center made drastic changes to their policies, requiring a patient’s permission before transferring any private information to an employer. The entire staff had to be retrained as well. It’s not known if whether or not the mistake was intentional.
14. National Pharmacy Chain Extends Protections for PHI on Insurance Cards
Accidentally, a pharmacy employee misplaced a patient’s insurance card inside another patient’s medical bag. Not surprisingly, the pharmacy did not recognize the insurance as being PHI, or protected health insurance. On the contrary, the OCR opposed the pharmacy’s statement, confirming that the patient’s card was indeed PHI, and therefore protected. This resulted in the pharmacy revising their entire PHI policies and guidelines, requiring all employees to be retrained. This not only put that particular pharmacy under the new set of guidelines, but every other store in the pharmacy chain as well. Therefore, the entire chain had to be revised and retrained. Perhaps the OCR would’ve been nicer if the pharmacy chain took a little more responsibility for the mistake.
15. Health Plan Corrects Impermissible Disclosure of PHI through Training, Mitigation, and Sanctions
Without following procedure, an employee of a health insurance company released private medical information of a member. Overall, no error was found in the privacy guidelines and procedures themselves. However, the staff and employees were found responsible for the mistake, probably due to a lack of training. As a result, OCR made the company retrain all their employees. The exact employee who was solely responsible for the mistake was given a written warning, as well as extra training and counseling. Although the patient was compensated for their inconvenience, the exact avenue of compensation is unknown.
16. Private Practice Revises Process to Provide Access to Records
A private practice refused to give a mother the records of her son’s medical history, but regrettably so. The practice was not entirely sure if whether or not such an action would violate company guidelines and procedures. OCR determined this to be true, making it clear to the private practice that such an action is completely legal, as long as they get permission from the patient prior to sending the records. Not only did the patient and her son receive the records, but OCR made the practice revise their guidelines.
17. Private Practice Revises Process to Provide Access to Records Regardless of Payment Source
An insurance company requested a patient to be evaluated through a thorough medical exam. However, the practice completely refused to give the patient a copy of their records. OCR, on the other hand, determined the action to be completely compliant with privacy rules. At that point, the company had to change their entire set of guidelines and procedures, giving any patient the right to a copy of their records, regardless of the payment source.
18. Public Hospital Corrects Impermissible Disclosure of PHI in Response to a Subpoena
Pressured by a subpoena, a public hospital felt the need to disclose the private information of a patient. The hospital ultimately failed to provide a legitimate reason for disclosing the patient’s PHI information. Consequently, the hospital had to revise their privacy guidelines that dealt with subpoena situations, as well as retrain their staff and workers. Basically, the new set of guidelines stated that any subpoena that did not follow privacy guidelines had to be rejected, as well as a thorough explanation of privacy guidelines to the party seeking the subpoena.
19. Outpatient Surgical Facility Corrects Privacy Procedure in Research Recruitment
In the name of research and recruitment, a surgical facility transferred private information of a patient to a research entity without the patient’s consent. The facility claimed that they thought the action was completely compliant with privacy rules. The OCR then made it clear to the facility that such actions require either the patient’s consent, Institutional Review Board or a privacy-board alteration. Not only was the facility forced to revise their guidelines and retrain workers, buy they now have to log all disclosures of private information.
20. Clinic Sanctions Supervisor for Accessing Employee Medical Record
After examining a patient’s medical records and information, the supervisor disclosed the patient’s private information. The OCR found the action to be against privacy guidelines, requiring consent from both the patient and employer. The supervisor responsible for the action received a letter from the OCR, reprimanding them about the disclosure. The supervisor received counseling on proper procedure and guidelines as well.
HIPAA Certification Process
The purpose of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is to ensure the protection of patients and their private health information. It also seeks to reduce paperwork while ensuring total electronic confidentiality.
This rule sets the standard across the nation, establishing that anyone covered must:
- Ensure safeguards against unauthorized access to patient information
- Establish procedure with service providers regarding the functions or activities they may perform. The intention is to ensure that any parties with access to the information will only use it appropriately.
- Ensure all access given to patient information is the minimum required to complete a task
- Limit who can access information
Is HIPAA Certification Required?
While all medical companies much comply with the law, there is no standard specification to adhere to in order to acquire certification as a guarantee.
Put simply, nobody can guarantee you’re always compliant. No standard, national organization exists to ensure that a company keeps HIPAA compliant, nor does the Department of Health and Human Services endorse any such certifications.
This doesn’t mean you don’t have to pay mind to policy. Periodic technical and non-technical evaluations must be performed, but internal inspection is as permitted as external inspection.
The Trouble with Certification
Those who are searching for HIPAA compliance certification may be surprised to know that there isn’t a standard company to go with. A company offering certification is quite similar to any other vendor who can offer periodic evaluations.
This is because while a person can become certified, a healthcare organization cannot. A company compliant on one day could suddenly be in violation of new laws due to changes enforced by HIPAA the next day, or due to mere lack of policy enforcement within the company. Everything could be compliant on Thursday, but the firewall is no longer up-to-date, causing noncompliance the next day if IT fails to patch it.
In this way, the best thing that can be done as far as the HIPAA certification process goes is regularly auditing your company to verify it is still compliant with current laws. Vendors offering certification can provide these audits, but realize that passing the test once does not guarantee future, ongoing compliance.
How to Undergo the HIPAA Certification Process
Before hiring a company for HIPAA evaluation and certification, it’s a good idea to update company policy. Organizations must ensure all of their policies are compliant with HIPAA as this is the first thing an auditor will check. It may happen in five years, or it could happen next month — in all cases, you want to ensure the organization runs as safely as possible.
To start, hire a security officer if one cannot be appointed from within. Certain healthcare organizations require a security officer to ensure compliance. This can either be a physician or an employee in charge of interacting with third-party vendors.
In either case, a security officer needs to know what their job is and how to do it, but don’t delay in appointing someone for the role; it’s better to have someone training on the job than to have nobody in charge of security at all.
Finally, ensure all employees are fully educated on the measures necessary to keep patient information safe. One critical part of ensuring ongoing HIPAA compliance is ensuring all staff members are trained in this matter. Especially in as busy an environment as an ambulatory surgery center, staff members need to ensure patient privacy where thousands may be present.
One example is to ensure you always know how often information for a patient has been viewed by staff members when the individual goes from the operating room and into recovery. Other employees may also wish to obtain additional credentials through certification in areas like security, transactions, medical coding, electronic data, HIPAA encrypted files and more.
HIPAA Certification Process
Once all of your policies have been updated and your employees have been trained on identifying and stopping breaches, select a reputable HIPAA training company that can offer evaluations, training and certification as necessary. Receiving a certification for your compliance, at the very least, shows that the organization is aware of the necessity of security and privacy.
Some companies may also offer additional training depending on your needs and their services. Some of these training courses may include online courses or offline courses that require travel to specific facilities. However, there are plenty of companies that will also travel to you to complete the training, especially for larger companies employing thousands.
Finally, once training is complete, you must take the certification test. Some of the most basic training organizations may not require a test, providing a certificate merely for completing the training. Regardless of this step, it’s important to continually monitor the Department of Health and Human Services website for any changes.
HIPAA Certification Companies
Several companies provide certification services, though their value certainly ranges in all aspects. Still, it’s a good idea to consider evaluation, even if the certification doesn’t carry official weight. Websites like the following all provide training and evaluation:
Keep in mind that even if you do receive your certification, security violations can be found. It’s important to ensure that you fully understand compliance and your legal obligations under the act.
Once you obtain certification, it’s important to stay compliant. It might seem like a difficult path, especially for a larger organization, but third parties can help in this regard. For example, a consulting firm can help ensure all employees remain in check according to policy.
Regardless of how you strive to maintain compliance, be sure to evaluate the program yourself on a regular basis. No regulation may exist, but regularly evaluating your company to ensure compliance will leave you in the best possible spot in the event of an audit.
HIPAA Guidelines on Telemedicine
When it comes to the HIPAA guidelines related to telemedicine, it affects every aspect of the medical profession and healthcare organization that decide to provide a remote service to patients in their community centers. A lot of people believe that ePHI communication from a distance is acceptable when you communicate directly between the patient and the physician. That is what the HIPAA Privacy Rule seems to imply, but the communication channel used for communicating ePHI at distance will also have importance to medical professionals. It has to comply with the guidelines from HIPAA that concern telemedicine. That element related to HIPAA guidelines has been written in the HIPAA Security Rule.
The rule says that only authorized users will be allowed access to ePHI. They will also have to have a security communication channel that protects the ePHI’s integrity. The monitoring with this system will contain ongoing monitoring because that prevents accidental or breaches from cyber criminals. The ultimate goal of these guidelines boils down to keeping unauthorized parties from accessing data that could do damage in the wrong hands. An unsecured channel includes communication methods such as:
All three of these methods should be avoided at all costs when physicians want to communicate ePHI from a distance. When it comes to the telemedicine HIPAA guidelines, all systems that communicate ePHI from a distance should have security in place that will monitor and delete information if needed.
Why Avoid Using Skype, SMS and Email?
You should avoid these methods of communication for ePHI because when medical professionals create it, they will usually store it with a neutral third party. The covered entity or medical organization must have a Business Associate Agreement with that third party for storing sensitive information. The Business Associate Agreement will cover the methods that the third party uses for protecting data and what they will do to audit the security of medical data. The problem with Skype, email and SMS is that that information will remain on the servers of the service providers, and it could contain identifiable information related to healthcare. In order for the healthcare company to use Skype, Verizon or Google, they would have to have a BAA if they wanted to stay compliant to the guidelines from HIPAA related to telemedicine.
Both Skype and Google avoid entering into BAAs because they can be held liable for civil action and fines if an ePHI data breach occurs. They also do not have security that is compliant with HIPAA measures. Another problem is that these companies have a high change of failing an audit from HIPAA, which could have an impact on the receipt of payments.
What is the Solution for Communicating ePHI?
Many of the healthcare organizations use a secure messaging solution that stays compliant with the HIPAA standards related to telemedicine. With a secured messaging solution, people still receive the same convenience and speed that they might find with a respectable method such as Skype, SMS or email, but it remains compliant with the Security Rule that can be found in the HIPAA guidelines.
Solutions for Communicating ePHI
Most physicians will be familiar with ePHI at distance work through easy-to-use apps because it will give them an interface that looks similar to what can be found with commercially available messaging apps. An authorized user will log into their app using a username and password that had been previously issued. With that app, they can communicate with other people within their private network.
About All Communication with Telemedicine
All the communications with telemedicine that use videos, documents and images should have encrpytion that makes them unreadable and unusable. Even if cyber criminals manage to intercept a message over a public Wi-Fi network, there will still be safeguards put in place that prevent the ePHI from leaving the private network of the entity. Whether it happens accidentally or maliciously, all activity on the network receive rigorous monitoring with a cloud-based platform that secures the message. The cloud-based system used for storing the data will also remain compliant with the HIPAA standards for the healthcare industry.
Secure Messaging for Patient Communication
Communicating with medical professionals, patients and throughout healthcare companies will involve either authorizing temporary access for the patient with a secured messaging app, or it will involve a secure and temporary browser session that is used with identical platforms. With a lot of healthcare companies, what we have seen is that they integrate their secured messaging system with an EHR. What that does is it eliminates the time-consuming updates given for patients.
In some cases, patients have visited a community medical center, or a community nurse visited them at home. No matter what the situation, they will often use the secured messaging apps because it lets them relay essential patient information, and if there are concerns, they can securely communicate them while remaining compliant with the HIPAA Privacy Rule.
What advantages does a secured messaging system have?
- Send and receive ePHI while Mobile
- Attach images to accelerate the diagnosis and plan for treatment
- Speeds up the Patient Emergency Discharge and admission, ultimately lowering the wait time
Securing the messaging solution for telemedicine is so important because it prevents massive data breaches. Healthcare organizations should stay compliant with HIPAA because it prevents data breaches that can lead to multi-million dollar fines. To give an idea, in a 2009 data breach, Blue Cross was fined $18.5 million because they violated the HIPAA guidelines that led to sensitive information falling into the hands of cyber criminals.
In addition to being more secure, many of the secured messaging features have led to benefits, such as greater productivity and better workflow. It has also reduced the costs of the medical field, and it has upped the healthcare standards that many patients receive. Many healthcare industries have also been surprised by the low cost and ease that they can implement the practices and guidelines for the HIPAA rules related to telemedicine. You do not have to invest in costly hardware or needlessly difficult-to-understand software.
Texting and HIPAA Compliance
For healthcare professionals, texting can be a convenient and expedient way to communicate with clients, patients, and other involved parties. However, texting can be a problem when it comes to HIPAA standards. The importance of HIPAA compliance in text messaging has become more and more important with the inclusion of text messaging under the HIPAA umbrella. Fortunately, in order to keep your texts secure new Health Insurance Portability and Accountability Act (HIPAA) compliant texting applications can be downloaded to your phone or desktop computer. These apps maintain the security of protected health information (PHI) exchanged between authorized users to better to conform to HIPAA standards.
Risks to Texting Protective Health Information
Texting includes use of any service or application to transmit electronic messages between two or more parties. Today, text messages can also include images, sound, and video. There are a number of risks associated with texting protected health information. When a text message is sent to a recipient, there is no definitive way to know that the correct person read the message. Without being able to authenticate the recipient of the message, that individual’s protected health information is put at risk, therefore putting the sender in danger of violating HIPAA. This is where HIPAA Compliant Texting Applications have a lot to offer to the professional healthcare community.
Understanding HIPAA Compliant Texting Apps
A HIPAA Compliant Texting App is a multi-platform software application that places protections on all messages. With the app, messages are encrypted and sent via a completely separate channel, (instead of the standard servers), that can be accessed via a unique username and password. The message is not stored on regular routing servers, and therefore cannot be picked up by third parties through public Wi-Fi. After a user has entered his or her username and password, a timeout feature requires that the information be re-entered before giving access to further use if the phone or computer is left unattended. There are also options for remote wipe and the use of PIN controls to lock the app, ensuring that if the device is lost or stolen, all protected information is eliminated.
After the message is read securely by the correct recipient, measures are in place to prevent the message from being saved to external hard drives, copied and pasted, or forwarded to locations that are deemed to be outside of the secure network. Email and SMS messaging services store messages indefinitely, which is a problem when it comes to PHI. To combat this issue, secure messages sent through the app are removed after a certain period of time that is pre-determined by the app. A HIPAA compliant texting app contains administrative authority to pull up and remotely delete any communications that are a concern for a breach of protective health information. In order to ensure security, a good app will monitor compliance with HIPAA for all messaging activity that goes through the application.
Productivity and Texting in the Professional Realm
A study at the Salt Lake County Adult Detention Center determined that a secure texting app for healthcare workers could streamline workflow, reduce missed communication, “phone tag,” improve productivity, and improve the quality of the healthcare provided to patients.
Prior to using the app at this facility, mobile devices were not permitted for use, and doctors communicated via landline telephones. This meant it could take up to 15 minutes to obtain administrative approval to dispense medication to patients and x-rays and other health images had to be hand delivered. Because of these issues, nurses waited for phone calls for a number of hours every day before being able to do their jobs.
With the application in place, nurses and doctors were able to communicate PHI securely between computers and mobile devices. The sender would be informed when the recipient had received and read the information. Images of wounds and x-rays could be sent and received immediately, allowing doctors to give instructions to be completed by the nurse instantaneously.
Overall, TigerText, a HIPAA compliant texting application provider who administered the study, reported that nurses saved hours a day, freeing up time to increase their patient care by up to fifteen patients per shift. TigerText also reported that all messages were found to be HIPAA compliant.
Other Benefits of HIPAA Compliance in Texting
Besides the benefits of a HIPAA compliant app in a healthcare facility, on-call physicians, community-based nurses, and first responders are able to communicate PHI while working in off-site locations. By improving the speed and accuracy of communication (by allowing quick question and answer clarifications,) these applications have the ability to improve efficiency and care of patients. Patient wait times can be reduced by streamlining hospital admissions and discharges and an open flow of communication regarding different aspects of a patient’s care can be viewed by all parties. Further benefits include quick delivery of lab results and improved accuracy in scheduling of appointments.
Choosing a HIPAA-Compliant Application
Over the past, few years there have been a multitude of apps created for HIPAA compliance. However, not all are equally effective. Besides wanting to find an app that will meet your specific needs, there are some critical keys to ensuring that the app will actually assist with HIPAA compliance. Besides the necessary details listed earlier, including encryption and use of a PIN, there are more details to consider when choosing a HIPAA compliant application. First, make sure that messages will be, at a minimum, 256-bit encrypted. These messages should also be encrypted when the digital device is not in use. Data and communications should also be encrypted on the server itself. The messages should be erased within 24 hours but should have the ability to be archived for as long as the user requests and the archive should be secured in accordance with HIPAA. Many technological professionals also recommend an app with a two-factor authentication. This requires the user to sign in with a personal access code as well as a PIN in the app itself.
Electronic Medical Records and HIPAA
The use of electronic medical records in the healthcare industry continues to evolve. Stage 1, which rolled out in 2010, formed a stable foundation for healthcare providers by encouraging the use of electronic medical records. Stage 2, which rolled out in 2012, addresses how providers and patients access, share, store and update electronic medical records.
In this process, healthcare practitioners are challenged to incorporate and abide by a series of regulations and requirements governing patient health records data reporting and HIPAA (Healthcare Insurance Portability and Accountability Act) compliance.
Stage 1 Requirements Overview
Stage 1 focused heavily on which and how patient data must be stored and maintained in electronic records form. Basic required information continues to include patient medical history, medication (historical and current), allergy information, diagnoses.
Stage 1 also addressed situations where a patient may have originally been treated at one facility but is then treated at a different facility. In this case, all details regarding each treatment, including lab work, diagnoses, images, et al, must be stored in a secure manner in that patient’s e-file. This requirement applies to both new and existing patients.
Because Stage 2 builds on the progress generated during Stage 1, it is important for providers in particular to understand their compliance and reporting requirements for use with electronic medical records.
Major Changes with Stage 2 Meaningful Use
“Meaningful Use” is a term that describes the purpose for instituting an electronic records system and the benefits to all participants – providers, partners, insurers and patients.
As such, there are a number of requirements, some a carry-over from Stage 1 and others brand new, that govern how these records are handled.
Here is an overview of extended and introduced requirements for Stage 2:
- Increased recording requirements, from 50 percent to 80 percent of patients, for gathering more detailed demographic data and reporting it to the Department of Health and Human Services.
- The addition of new required criteria for practitioners providing Medicare and Medicaid who wish to qualify for the incentives to convert over from paper records to the new electronic medical records. The criteria includes meeting nine specific security criteria and meeting the criteria for patient records privacy and security.
- A solid foundation of technical support must be in place for practitioners using the new systems of electronic medical records storage and access.
- Practitioners must include a minimum of 3 required Clinical Quality Measures in each patient file. The measures include these: care coordination, patient safety, clinical processes and effectiveness, patient/family engagement, population and public health, efficient use of healthcare resources.
- Patients must be granted access to their electronic medical records within a 36-hour period from the request date and time.
- Secure texting is now incorporated into the record keeping process.
- The health behavior of patients must be monitored electronically.
- Related images must also be stored in the patient’s e-records file.
- Stricter controls must be implemented to ensure patients do not gain access to unauthorized prescription medications through a hand-off system from practitioner to administrator to pharmacist to patient.
Compliance Aided With the Introduction of Secure Texting
Secure texting is a newer component of electronic medical records keeping. Texting eases challenges related to team-based care and distance care.
Secure texting and reporting of Clinical Quality Measures is designed to work best when all practitioners are working from one central secure database containing electronic medical records.
The use of secure texting for Stage 2 HIPAA compliance can achieve all of the following:
- Make storing and sharing patient data easier and faster.
- Patient medical images and lab work results can be effortlessly added to an existing electronic medical record.
- Patient check-in and check-out wait times can be significantly reduced since paper data is no longer required.
- Patient prescription fulfillment and pickup can be automated to reduce wait times and provide an extra level of security for electronic protected health information (ePHI).
- Private health data can be transmitted, reviewed and discussed without risk of being overhead or mis-relayed. As well, critical cases can be expedited without issues due to phone tag/voice mail or misrouting of documents.
- Data privacy and security can be ensured across all devices and platforms when taking a team-based treatment approach, ensuring patients can be swiftly diagnosed, treated and made well.
- Practitioners who are serving in “on call” roles, such as emergency room staff, telemedicine practitioners and home healthcare workers, can receive and transmit patient records updates securely from any place, enabling faster response and treatment times (especially critical for urgent needs patients).
- Enhanced communications can be achieved by integrated secure texting, secure e-portals, practitioner answering services and electronic medical records so all relevant parties can remain updated on the patient’s progress.
Why Secure Texting is More Secure
One of the key facets that makes secure texting such a unique asset to the Stage 2 rollout is inbuilt use of security controls, including read notifications, app time-outs and message timelines/lifespans to keep confidential data and information out of the wrong hands.
As well, secure texting includes the ability to remotely delete any text-based data that has been sent to a device reported stolen, missing or lost.
A 2012 survey reported that a full 92 percent of mobile users for business find texting to be the most efficient and expedient way to transmit and receive information. Texting carries with it an urgency that cannot be captured via phone or email-based communications.
As the Stage 2 rollout continues, the healthcare industry now has the opportunity to realize the same benefits from the addition of secure texting to other methods of communication and data relay. There is also now additional guidance and specifics available to clarify practitioner and patient questions about how electronic medical records are updated, stored, accessed and shared. Finally, useful guidance and criteria is available for electronic medical records updates in real time and on the go.
HIPAA Audit Checklist
Companies are gearing up for an audit ever since the Health Insurance Portability and Accountability Act (HIPAA) got enacted back in March of 2013. Part of the process involves compiling detailed documentation. Additionally, the audit will investigate how security incidents got handled. Businesses have to prove that they had provided adequate training to their staffs and that they had adhered to all safety measures.
Such changes got put in place as a result of the electronically-stored protected health information (ePHI) breach. Use of mobile devices attributed to the breakdown in security.
Companies should know the timeline for the audit, and they should know what occurs following the audit. Additionally, the audit determines how consumers get affected.
Part of the process involves companies providing documentation of their privacy and security efforts. If anything is lacking, businesses have to prove what actions they would implement to improve their security system.
They would have to disclose data on patient visits and how ePHI gets shared electronically. Companies would also have to disclose their location as well as income. This gets done to determine the size of the company and if an audit is warranted.
Additional inquiries could mean a request for user access lists, system configurations, and the training materials used.
How Security Incidents Got Handled
HIPAA auditors will investigate whether the company had undergone any security breaches. If the firm has had incidents, the auditors will want to know how those problems got handled.
Additional information involves questions regarding how the organization shared their data with other companies. In turn, how are those companies with whom information was shared protecting patients data.
HIPAA Training Proof
Businesses have to disclose whether their staff had adequate training. If a training manual exists, the company has to prove whether employees got trained. Whenever a new security issue comes up, companies need to update their training manual.
The vulnerability exists if a company has had five incidents and their training does not show how to handle such mishaps.
The training manual should make it clear that if anyone violates privacy and security policies, he or she will get penalized to the fullest extent of the security system.
For the compliance program to be effective, employees need to know that there will be repercussions if they do not adhere to safety policies.
Adherence to Security Measures
Companies have to prove that the security they have in place is working. An example will be if the auditor asks to show proof of how a firm handles access control. The organization has to present detailed answers to the question.
Part of adhering to security measures involves a company having confidence that the security they have in place is airtight and that they understand what it entails.
Further adherence requires a preparedness to explain to the auditors the company’s organizational structure. The auditor has to know the environment unique to the company and how the company handles risks.
Sharing Company Data
Part of the security breach involves electronically-stored protected health information (ePHI). Companies with the shared information have to make sure that their messaging system is capable of restricting unauthorized access to their servers.
They have to use a combination of SSL protocols and secure messaging solutions. They have to get fully encrypted for ePHI communication.
Companies have to make sure that they conduct risk assessments on a regular basis. All assessments have to get documented and diagrammed.
The secure messaging system should have capabilities to authenticate user identities. Additionally, the system should also be able to prevent individuals using ePHI from copying and pasting and saving information to an external hard drive.
The security system should come equipped with a Business Continuity Plan and a Disaster Recovery Procedure that is capable of restoring data.
The OCR (Office for Civil Rights) notifies companies between 30 and 90 days before the onsite inspection. The onsite review will take from three to ten business days. It depends on the complexity of the organization and the need to communicate with staff and gain access to written materials.
The company gets notified in writing by the OCR. The letter entails who will be handling the audit. The process gets explained in detail. Moreover, the notice will describe the document and information requests.
Following the onsite visit, the auditor will provide the business with a draft final report. The organization will have about ten days to review the materials and provide any written comments for the auditor.
The auditor will then provide a final draft 30 business days after the company responds to the draft final report. Afterward, the information gets submitted to the OCR.
What Occurs Following the Audit?
The final report gets a review from the OCR. They examine the findings of the auditor’s results and any actions that get taken.
The audit results enable OCR to understand the efforts of the company to comply with HIPAA rules. Typically, OCR would use the audit report to determine any technical assistance that would require the company to get into compliance. If corrective measures are needed, the OCR will make suggestions.
If the audit report shows any significant findings, OCR will put in place a compliance review to deal with the crisis.
Affect Audit Has on Consumers
Consumers get benefited from the OCR audit. The review can determine why there are security breaches in a company’s system. The OCR would put together tools for businesses to use to help protect consumer’s identity and their health care information.
The technical assistance the OCR gives businesses would also help the companies with whom they share data to handle sensitive information more securely.
The OCR acts as a go-between and collects complaints from individuals to assist in determining better ways to secure data. Companies covered should also accept complaints from consumers and share those complaints with the OCR.