Getting Started

HIPAA is the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191). To improve the efficiency and effectiveness of the health care system, HIPAA included Administrative Simplification provisions that required HHS to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.

http://www.hhs.gov/hipaa/for-professionals/index.html

The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

http://www.hhs.gov/hipaa/for-professionals/security/index.html

Read the actual rule here – http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

http://www.hhs.gov/hipaa/for-professionals/privacy/index.html

Read the actual rule here – http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/privacyrule/privruletxt.txt

Omnibus is an amendment to the HITECH Act that was introduced in order, “To strengthen the privacy and security protection for individuals’ health information.” Omnibus also modified the Breach Notification Rule for Unsecured Protected Health Information under the HITECH Act to address public comments received on the interim final rule. It changed the HIPAA Privacy Rule to strengthen privacy protections as required by GINA (the Genetic Information Nondiscrimination Act of 2008). The intent was to improve these provisions’ workability and effectiveness, as well as to increase flexibility for, and decrease the burden on, the regulated entities. The final rule went into effect on 3/26/2013.

Read the actual rule here – https://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf

HITECH is the Health Information Technology for Economic and Clinical Health Act. The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, is designed to promote the widespread adoption and standardization of health information technology, and requires HHS to modify the HIPAA Privacy, Security, and Enforcement Rules to strengthen the privacy and security protections for health information and to improve the workability and effectiveness of the HIPAA Rules.

http://www.hhs.gov/hipaa/for-professionals/security/guidance/proposed-rulemaking-to-implement-HITECH-act-modifications/index.html

Read the actual rule here – http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf

The HIPAA Enforcement Rule contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings.

http://www.hhs.gov/hipaa/for-professionals/special-topics/enforcement-rule/index.html

Read the actual rule here – https://www.gpo.gov/fdsys/pkg/FR-2006-02-16/html/06-1376.htm

Can we allow a patient to access their health record from another, completely different medical facility on one of our facilities computers as long as we are present and monitoring what they access? The other Entity is a Hospital and we do have privileges but not access to their EHR.

No, you cannot do that. This would be considered a breach via sharing the information. The way to mitigate this would be to sign off on a Business Associate Agreement between your facility and the Hospital.

Business Associate and Vendor Management

By law, the HIPAA Privacy Rule applies only to covered entities – health plans, health care clearinghouses, and certain health care providers. However, most health care providers and health plans do not carry out all of their health care activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses. The Privacy Rule allows covered providers and health plans to disclose protected health information to these “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.

http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html

What is the ‘Review Date’ for Business Associate Agreements?

Business Associate Agreements require review annually. Upon first entering a Business Associate Agreement into The Guard, the ‘Review Date’ will be one year following the date it was initially signed.

When that year comes up, you would want to read over the agreement to ensure that the relationship / contract has not changed. From there, please enter these exact words in the ‘Notes’ tab for this particular Vendor – “Reviewed by YOUR NAME on DATE. No changes to BA found. Current BA is still active on TODAY’S DATE”

Who do I contact and how do I go about getting a Business Associate Agreement in place when we bill Medicare directly?

If you bill directly to Medicare no BAA is required. Only if they were billing to a clearinghouse would a BAA be necessary.

We have a lot of people that come in to observe therapy to get observation hours required by their school. Do I need to put them in the Guard also or can I just have the confidentiality agreement signed?

It depends on how many times these people come in. It also depends on whether they were trained on HIPAA by the school. Confidentiality Agreements are a must, and depending on your answer in regards to training, you may want them to go through and attest to HIPAA 101 training as well.

We recommend utilizing only the BAA which we provide, since it has been heavily vetted and covers everything required by the law. Please consult with an Attorney prior to signing any BA agreement which is not coming from Compliancy Group.

I’ve hired a web designer to maintain my practice’s website. The designer installs the new electronic version of the Notice of Privacy Practices (NPP) and improves the look and feel of the general site. However, the designer has no access to PHI. Are they a Business Associate?

No, the web designer is not a Business Associate due to their inability to access PHI. However, you may want to consider having them sign a Confidentiality Agreement if the potential for accidental exposure to PHI is present at all.

I’ve hired a web designer to maintain my practice’s website and improve its online access for patients seeking to view/download or transmit their health information. The designer must have regular access to patient records to ensure the site is working correctly. Are they a Business Associate?

Yes, the web designer is a Business Associate due to the regularity with which they must access patient records.

I’ve hired a company to turn my accounting records from visits into coded claims for submission to an insurance company for payment. Are they a Business Associate?

Yes, the Company is your Business Associate for payment purposes.

I’ve hired a case management service to identify my diabetic and pre-diabetic patients at high risk of non-compliance and recommend optimal interventions to me for those patients. Are they a Business Associate?

Yes, the case management service is a Business Associate, acting on your behalf, by providing case management services to you.

I’ve hired a janitorial company to clean my office nightly, including vacuuming the file room. Are they a Business Associate?

If the janitors do not have access to PHI, then the janitors are not a Business Associate. However, since they clean the file room, make sure that each individual who enters the facility signs off on a Confidentiality Agreement stating they will not disclose or misuse any PHI stumbled upon by chance. The staff themselves would sign individually, as opposed to the company for which they work.

Incident Management

Where do I go on the web to report HIPAA violations?

http://www.hhs.gov/hipaa/

May physician’s offices use patient sign-in sheets or call out the names of their patients in their waiting rooms?

Yes. Covered entities, such as physician’s offices, may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited. The HIPAA Privacy Rule explicitly permits the incidental disclosures that may result from this practice, for example, when other patients in a waiting room hear the identity of the person whose name is called, or see other patient names on a sign-in sheet. However, these incidental disclosures are permitted only when the covered entity has implemented reasonable safeguards and the minimum necessary standard, where appropriate. For example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in.

http://www.hhs.gov/hipaa/for-professionals/faq/199/may-health-care-providers-use-sign-in-sheets/index.html

I am a Doctor/Nurse. Would it be a violation if a patient begins discussing health information while family or friends are present in the examining room while I am there?

No. This is a “circumstance that clearly gave the individual the opportunity to agree, acquiesce, or object.” You do not need a written authorization to continue the discussion.

A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.

http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.

http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

We are a Covered Entity and have experienced a breach which affected less than 500 Individuals. What would my next steps be in regards to reporting this?

A Covered Entity must notify the affected Individuals and the Secretary of HHS of the breach no later than 60 days after the end of the calendar year in which the breach occurred.

We are a Covered Entity and have experienced a breach which affected more than 500 Individuals. What would my next steps be in regards to reporting this?

Health care providers must promptly notify those affected and the Secretary of HHS, and they must also notify the media if the breach affects more than 500 residents of a state or jurisdiction.

Are health care providers restricted from consulting with other providers about a patient’s condition without the patient’s written authorization?

No. Consulting with another health care provider about a patient is within the HIPAA Privacy Rule’s definition of “treatment” and, therefore, is permissible. In addition, a health care provider (or other covered entity) is expressly permitted to disclose protected health information about an individual to a health care provider for that provider’s treatment of the individual.

http://www.hhs.gov/hipaa/for-professionals/faq/261/are-health-care-providers-restricted-from-consulting-other-providers/index.html

What is the difference between ‘consent’ and ‘authorization’ under the HIPAA Privacy Rule?

The Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. Covered entities that do so have complete discretion to design a process that best suits their needs. An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual.

Document, Employee and Training Management

I have been in practice a very long time and have patient records for deceased individuals who passed away over 50 years ago. Is this considered protected information?

Health information of an individual that has been deceased for more than 50 years is not PHI and therefore not subject to the Privacy Rule use and disclosure standards. You may use and disclose the information without patient authorization.

Auditing, Assessments and Remediation

Risk analysis is the assessment of the risks and vulnerabilities that could negatively impact the confidentiality, integrity, and availability of the electronic protected health information (e-PHI) held by a covered entity, and the likelihood of occurrence. The risk analysis may include taking inventory of all systems and applications that are used to access and house data, and classifying them by level of risk. A thorough and accurate risk analysis would consider all relevant losses that would be expected if the security measures were not in place, including loss or damage of data, corrupted data systems, and anticipated ramifications of such losses or damage. Risk management is the actual implementation of security measures to sufficiently reduce an organization’s risk of losing or compromising its e-PHI and to meet the general security standards.

http://www.hhs.gov/hipaa/for-professionals/faq/2013/what-is-the-difference-between-risk-analysis-and%20risk-management-in-the-security-rule/index.html
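The paragraph above describes risk analysis as inventorying the systems that access or house e-PHI, estimating likelihood and expected loss, and classifying each by level of risk, with risk management being the safeguards that bring that risk down. The following is an added example of a minimal e-PHI risk register that does exactly that; it is not code from Compliancy Group, The Guard or HHS. The 1–3 ordinal scale, the sample inventory, the threat descriptions and the control-effectiveness values are all constructed assumptions to be replaced by your own assessment.

```python
"""Minimal e-PHI risk register (added example, not vendor or HHS code).

Each system in the inventory is flagged by whether it holds e-PHI, and each
threat against it gets a likelihood, an impact and a control-effectiveness
value. Inherent risk is the loss expected "if the security measures were not
in place"; residual risk is what remains after the safeguards that risk
management has actually implemented. All sample values are assumptions.
"""
from dataclasses import dataclass
from typing import List

# Ordinal scale for likelihood and impact (assumed scale; use your own).
LOW, MEDIUM, HIGH = 1, 2, 3


@dataclass
class Threat:
    description: str
    likelihood: int            # 1..3, probability of occurrence
    impact: int                # 1..3, loss or damage of data, corrupted systems, ramifications
    control_effectiveness: float  # 0.0 = no safeguard in place, 1.0 = fully mitigated


@dataclass
class System:
    name: str
    holds_ephi: bool           # only systems that access or house e-PHI are in scope
    threats: List[Threat]


def inherent_risk(t: Threat) -> int:
    """Risk score with no security measures in place (likelihood x impact, 1..9)."""
    return t.likelihood * t.impact


def residual_risk(t: Threat) -> float:
    """Risk remaining after the implemented safeguards are taken into account."""
    return inherent_risk(t) * (1.0 - t.control_effectiveness)


def risk_level(score: float) -> str:
    """Classify a 1..9 score into a level (thresholds are an assumption)."""
    if score >= 6:
        return "HIGH"
    if score >= 3:
        return "MEDIUM"
    return "LOW"


def assess(inventory: List[System]) -> List[dict]:
    """Build the register for in-scope systems, highest residual risk first."""
    rows = []
    for system in inventory:
        if not system.holds_ephi:
            continue  # out of scope for the Security Rule risk analysis
        for t in system.threats:
            residual = residual_risk(t)
            rows.append({
                "system": system.name,
                "threat": t.description,
                "inherent": inherent_risk(t),
                "residual": residual,
                "level": risk_level(residual),
            })
    rows.sort(key=lambda r: (-r["residual"], r["system"]))
    return rows


# Constructed sample inventory; every value below is an assumption.
INVENTORY = [
    System("EHR database server", True, [
        Threat("Ransomware encrypts patient records", HIGH, HIGH, 0.5),
        Threat("Former employee account still active", MEDIUM, HIGH, 0.0),
    ]),
    System("Billing workstation", True, [
        Threat("Unencrypted laptop lost or stolen", MEDIUM, MEDIUM, 0.75),
    ]),
    System("Public practice website (no PHI)", False, [
        Threat("Website defacement", MEDIUM, LOW, 0.0),
    ]),
]


if __name__ == "__main__":
    for row in assess(INVENTORY):
        print(f'{row["level"]:6} residual={row["residual"]:.1f} '
              f'inherent={row["inherent"]} {row["system"]}: {row["threat"]}')
```

Running the block ranks the threat with no safeguard at all (the stale account, residual 6.0, HIGH) above the ransomware scenario whose inherent score is higher but is partly mitigated (residual 4.5, MEDIUM), and leaves the website out entirely because it holds no e-PHI. That ordering is the point of separating inherent from residual risk: it shows where the next remediation effort belongs.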

Miscellaneous FAQs

The Privacy Rule relates to uses and disclosures of protected health information, not to whether a patient consents to the health care itself. As such, the Privacy Rule does not affect informed consent for treatment, which is addressed by State law.

http://www.hhs.gov/hipaa/for-professionals/faq/258/how-does-privacy-rule-change-laws/index.html