The First Steps to Becoming HIPAA Compliant

When we schedule an appointment to go over HIPAA compliance with a new client, we are always asked, “Where do I even start?” by the owner or practice manager. Becoming HIPAA compliant is a complex proposition that takes time, knowledge, and persistence. There are many steps involved, but the first steps are always the same: appoint a Compliance Officer and perform a full Security and Privacy Risk Assessment.

Appointing a compliance officer should be the easier of those two steps. Pick a person who has enough time to dedicate to compliance. For a smaller practice, this might be a couple of hours per week. For a larger organization, you may need someone who devotes all of their time to compliance.

Choose a compliance officer who will care about compliance. It is their job to watch for violations throughout the organization. A complacent compliance officer will likely result in violations being overlooked, or in no action being taken when violations are found.

Your compliance officer will need to learn the laws, prioritize compliance tasks, and be able to delegate certain tasks to the proper departments. Do not pick an employee who has trouble delegating these tasks. A compliance officer will generally be unable to complete all compliance tasks on their own.

After choosing a compliance officer, the next step is possibly the most important aspect of compliance: the full security and privacy risk assessment. This assessment will take at least a day or two to complete for a smaller practice and could take many days or weeks for larger organizations.

A risk assessment is basically a full inventory of your technology, your privacy and security policies, and your employee training levels. You will start by documenting every piece of equipment that stores or has access to PHI (protected health information). You will then be tasked with deciding whether PHI is adequately protected (according to the law) against unauthorized access. Unauthorized access includes access by employees who shouldn’t be accessing a particular record and by non-employees who shouldn’t have access to any records.

Next, you will be reviewing company policies regarding patient privacy and data security. If you do not have any policies in place, you will be writing those policies from scratch. If you have some policies but are missing others, you will need to add the missing policies. For instance, if your organization doesn’t have a documented policy for handling suspected breaches, you will need to write one. Or if your organization doesn’t have a policy for employee passwords (how often they should be changed, two-factor authentication for remote access, password sharing, etc.), you will need these policies added to your employee handbook.

Now comes employee training documentation. You will need to find out the last time each employee was trained on HIPAA policies. If it’s been more than 12 months, that employee should be retrained immediately. All employees should be retrained every 12 months whether there have been changes to HIPAA policies or not.

After you finish this initial risk assessment, you begin the task of remediating all of the gaps you found. If few gaps were found, this process can be quick, perhaps a few weeks. If you find that your organization is missing lots of documentation, policies, or proper security measures, remediating these gaps can take months or years depending on the size of your organization.

HIPAA Incident Response and Reporting

Healthcare organizations must take extra special care of protected health information (PHI). And part of the HIPAA security rule is a group of rules regarding how to respond to a security incident and how to go about reporting that incident depending on the severity.

Make sure your organization understands the following policies and has them all in place.

The purpose of these policies is to formalize the response to, and reporting of, security incidents. This includes identification and response to suspected or known security incidents, the mitigation of the harmful effects of known or suspected security incidents to the extent possible, and the documentation of security incidents and their outcomes. It is imperative that a formal reporting and response policy be followed when responding to security incidents.

Your healthcare organization shall employ tools and techniques to monitor events, detect attacks and provide identification of unauthorized use of the systems that contain Electronic Protected Health Information (EPHI).

YOUR IT TEAM’S RESPONSIBILITY

All security incidents, threats or violations that affect or may affect the confidentiality, integrity or availability of EPHI shall be reported and responded to promptly.

Incidents that shall be reported include, but are not limited to:

  • Virus, worm or other malicious code attacks
  • Network or system intrusions
  • Persistent intrusion attempts from a particular entity
  • Unauthorized access to EPHI, an EPHI based system or an EPHI based network
  • EPHI data loss due to disaster, failure, error, theft
  • Loss of any electronic media that contains EPHI
  • Loss of the integrity of EPHI
  • Unauthorized person found in a facility

The organization’s Compliance Officers shall be notified immediately of any suspected or real security incident. If it is unclear as to whether a situation is a security incident, the Compliance Officers shall be contacted to evaluate the situation.

YOUR COMPLIANCE OFFICER’S RESPONSIBILITY

Your Compliance Officers shall track the incident. The Compliance Officers must determine whether a report of the incident shall be forwarded to the Department of Health and Human Services (HHS). The criteria for this vary depending on the particular incident. But err on the side of caution and report to the HHS if you suspect a breach. Reporting to the HHS does not normally result in a fine if you are being proactive.

Compliance Officers are the only employees who can fully resolve an incident. Other employees, the IT department, management, etc., should not be making the final decision about whether to classify an incident as a breach. The Compliance Officers shall evaluate the report to determine if an investigation of the incident is necessary. The Compliance Officers shall determine if your organization’s lawyers, law enforcement, Human Resources, or any other department should be contacted about this incident.

All HIPAA security related incidents and their outcomes need to be logged and documented by the Compliance Officers. This includes all relevant information (who, what, when, where, and why) of the incident. A timeline should be kept from the very beginning of any incident and made available to the HHS and OCR if requested.

All incidents should be reviewed and investigated, and if the breached PHI has been compromised (unauthorized individuals have received and viewed the PHI), the breach will be reported to HHS at this site: http://ocrnotifications.hhs.gov/.

Your organization and its Compliance Officers must record all incidents and retain these incident reports for six years.

TRAINING YOUR EMPLOYEES

Your organization must train personnel on how their particular job or position needs to respond to a security incident. Each employee should know how to report an incident and know to whom to report it.

Your employees must have annual training refreshers.

Also, be sure your employees know how to report an incident anonymously if they might fear retaliation for reporting it. Show employees how to use the HHS website to report an incident during their training.

Business Associate Agreements Between Covered Entities

During our mock HIPAA audit process, we always verify Business Associate Agreements (BAAs) for our clients who are either Covered Entities (CEs) or Business Associates (BAs). In the process of deciding which BAAs are required, we are often asked about what agreement needs to be in place between two CEs who are working together.

For instance, one physician may refer a patient to a specialist physician. The first physician may send over medical records to the specialist. My clients want to know if a BAA is required between these two physicians.

At first glance, it seems as though a BAA might be required. Let’s look at the law itself:

Business associate:

(1) Except as provided in paragraph (4) of this definition, business associate means, with respect to a covered entity, a person who:

  • (i) On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or
  • (ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.

(2) A covered entity may be a business associate of another covered entity.

(3) Business associate includes:

  • (i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.
  • (ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity.
  • (iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.

(4) Business associate does not include:

  • (i) A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual.
  • (ii) A plan sponsor, with respect to disclosures by a group health plan (or by a health insurance issuer or HMO with respect to a group health plan) to the plan sponsor, to the extent that the requirements of § 164.504(f) of this subchapter apply and are met.
  • (iii) A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting protected health information for such purposes, to the extent such activities are authorized by law.
  • (iv) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement by virtue of such activities or services.

The answer, it turns out, is that two CEs both treating the same patient do not need a BAA to share Protected Health Information (PHI).

For example:

  • A hospital is not required to have a business associate contract with the specialist to whom it refers a patient and transmits the patient’s medical chart for treatment purposes.
  • A physician is not required to have a business associate contract with a laboratory as a condition of disclosing PHI for the treatment of an individual.
  • A hospital laboratory is not required to have a business associate contract to disclose PHI to a reference laboratory for treatment of the individual.

Alternatively, there could be a situation where two Covered Entities want to work together and share PHI for patients that aren’t being treated by both CEs. In that case, a Covered Entity can also be classified as a Business Associate requiring a Business Associate Agreement between the two organizations.

It is unusual for a Covered Entity to be a BA of another Covered Entity, but it does happen. For instance, two research hospitals might be working together on a research project. They may share PHI in the course of their research. If both CEs aren’t treating the patient, then depending on other circumstances the two hospitals may need a BAA on file.

If your situation doesn’t involve caring for the same patient, double check the law and see if you need a Business Associate Agreement.

If you fall into the majority by only sharing PHI with other CEs who are also treating your patient, you should not need a formal agreement drawn up and signed.

Discussing PHI With Relatives and Friends of Your Patient

I was recently asked about the following situation:

If a patient’s wife, mother, husband, father, or friend calls in to make an appointment on their behalf, what all can I discuss with them? Do I need a patient’s authorization first before I can discuss PHI with his or her relative or friend?

This is a common situation. And my clients want to be sure they are following the law when it comes to HIPAA compliance. So I set about trying to find a definitive answer to this question.

My search led me to the actual statute itself:

Code of Federal Regulations

Title 45 – Public Welfare
Volume: 1
Date: 2003-10-01
Original Date: 2003-10-01
Title: Section 164.510 – Uses and disclosures requiring an opportunity for the individual to agree or to object.
Context: Title 45 – Public Welfare. SUBTITLE A – DEPARTMENT OF HEALTH AND HUMAN SERVICES. SUBCHAPTER C – ADMINISTRATIVE DATA STANDARDS AND RELATED REQUIREMENTS. PART 164 – SECURITY AND PRIVACY. Subpart E – Privacy of Individually Identifiable Health Information.
(3) Limited uses and disclosures when the individual is not present. If the individual is not present, or the opportunity to agree or object to the use or disclosure cannot practicably be provided because of the individual’s incapacity or an emergency circumstance, the covered entity may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the individual and, if so, disclose only the protected health information that is directly relevant to the person’s involvement with the individual’s health care. A covered entity may use professional judgment and its experience with common practice to make reasonable inferences of the individual’s best interest in allowing a person to act on behalf of the individual to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information.

So according to the statute itself, a covered entity is allowed to speak to a family member or friend on a patient’s behalf and disclose PHI, but only if some qualifications are met:

  • The healthcare provider must be reasonably sure that the information is directly relevant to this person’s involvement with the individual’s health care, using professional judgment on a case-by-case basis.
  • The patient must not have previously requested that PHI not be shared with this specific person or with others.
  • The patient is not a celebrity; in that case prior authorization should be sought before giving out any PHI, as this is a non-routine circumstance.

This brings us to the next question:

If my family or friends call my health care provider to ask about my condition, will they have to give my provider proof of who they are?

I found the answer to this question right on HHS.gov.

The answer is no. Healthcare providers are not required to obtain proof of identity for someone calling on your behalf.

However, the information a healthcare provider hands out should be limited as much as possible. And a healthcare provider should use professional judgment and consider the difference between a routine and a non-routine request for PHI.

Finally, here’s one more similar question we get:

May healthcare providers leave messages for patients at their homes, either on an answering machine or with a family member, to remind them of appointments or to inform them that a prescription is ready? And may providers mail appointment or prescription refill reminders to patients’ homes?

Again, the answer is on HHS.gov:

Yes. The HIPAA Privacy Rule permits health care providers to communicate with patients regarding their health care. This includes communicating with patients at their homes, whether through the mail or by phone or in some other manner. In addition, the Rule does not prohibit covered entities from leaving messages for patients on their answering machines. However, to reasonably safeguard the individual’s privacy, covered entities should take care to limit the amount of information disclosed on the answering machine. For example, a covered entity might want to consider leaving only its name and number and other information necessary to confirm an appointment, or ask the individual to call back.

A covered entity also may leave a message with a family member or other person who answers the phone when the patient is not home. The Privacy Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual’s care, even when the individual is not present. However, covered entities should use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed. See 45 CFR 164.510(b)(3).

In situations where a patient has requested that the covered entity communicate with him in a confidential manner, such as by alternative means or at an alternative location, the covered entity must accommodate that request, if reasonable. For example, the Department considers a request to receive mailings from the covered entity in a closed envelope rather than by postcard to be a reasonable request that should be accommodated. Similarly, a request to receive mail from the covered entity at a post office box rather than at home, or to receive calls at the office rather than at home are also considered to be reasonable requests, absent extenuating circumstances. See 45 CFR 164.522(b).

How to Prepare For HIPAA Breaches

There are many steps you can take to prepare your organization for a HIPAA breach. If you are proactive, you can mitigate the severity of a breach considerably. And if you have the right policies in place, you can save your practice from large fines and other financial costs. Let’s go over the things your practice should do to prepare for a HIPAA breach.

Be Prepared

The first step to handling HIPAA breaches is preparation. Do you have a written policy outlining the steps to follow if you suspect or know there is a breach? Your written policy should touch on everything else I will mention below. It should be fairly comprehensive, including who is in charge of investigating the breach and how each step will be handled.

Train Your Staff

Writing a plan is not enough; your employees must be taught how to find and follow that plan. During your yearly HIPAA trainings you must review the steps an employee should take if they suspect or know about a breach.

Give Employees A Way To Anonymously Report Breaches

It’s the law that employees should not be afraid of retaliation for reporting a breach. To accomplish this, there must be a way for employees to report breaches anonymously if they feel that they would be retaliated against. You must teach them how to report a breach anonymously during their annual HIPAA trainings.

Teach Your Business Associates To Report Breaches Back To You

Make sure each outside company you do business with that has access to your patients’ data is aware that they must report suspected breaches to you. Make sure your Business Associate Agreements are updated to include who is responsible for contacting patients in the case of a breach. Generally you would want this responsibility to fall on the Business Associate if they cause the breach. This moves most of the liability and cost on to the Business Associate who causes a breach.

As Soon As A Breach Is Known About Or Suspected, Perform A Risk Assessment

After finding out about a breach situation, immediately begin an investigation. Perform a risk assessment to find out what was breached and if any Protected Health Information may have been stolen or lost. Find out what caused the breach so you can remediate any gaps you have in security or policies.

Notify All Affected Parties

You have 60 days from finding out about the breach to notify any patients whose data was breached. You will need to send notices by first-class mail (or email if your patients have opted in to receive notices that way) to each patient affected. You will likely be required to provide credit monitoring to the affected patients. You must also notify the Office for Civil Rights (OCR) about any breaches. If a breach affects fewer than 500 patients, you must notify the OCR within 60 days of the end of the calendar year in which the breach was discovered. If a breach affects 500 or more patients, you must notify the OCR within 60 days of discovery of the breach, and you must contact the media and provide them with a press release. Contacting the media allows the affected patients to find out about the potential threat of identity theft more quickly.

Log Everything

If there is a breach, start logging everything from day one: any discussions you have with employees, any information about the breach, whom you contact, what led to the breach, what you are doing to stop future breaches, etc. Log it all and keep it on hand for the OCR. They will want to see that you acted promptly and did what you could to protect your patients.

HIPAA and Minimum Necessary Disclosures

HIPAA regulations state that when using or disclosing PHI (protected health information), or when requesting PHI from another covered entity (a doctor’s office, dental practice, etc.), a covered entity must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

So how do we accomplish the goal of limiting our PHI access and requests to the minimum necessary level? We look at three basic areas: levels of access to PHI, requesting PHI, and sending PHI.

Giving employees specific levels of access to PHI

Each employee should have just enough access to your medical record system to do their job. For instance, an employee who only answers the phone and sets appointments doesn’t generally need access to medical histories, x-rays, and other specific medical information. Therefore, their level of access to your practice software should be limited to seeing the schedule and creating or changing appointments. Alternatively, an employee who only treats patients and never handles billing information should not have access to credit card numbers, health insurance plan ID numbers, or other financial information in your systems.

It may seem easier to just give everyone access to everything. However, consider the consequences of taking that shortcut. If any one of your employees’ software logins were leaked or guessed by an outsider, that person would have access to every single piece of information in your records system. A breach like that could cost hundreds of thousands of dollars in fines, costs to notify patients, and credit monitoring fees for affected patients.
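As an added illustration of the role-based, minimum-necessary access described above (example code written for this page, not J.J. Micro’s or any product’s code): each hypothetical role is granted only the record fields its job requires, a request that names anything outside that grant is refused as a whole, and every request is written to an audit log so the Compliance Officer can spot a login that keeps probing fields it should not see. The role names, field groups and sample record are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List

# Constructed field groups of a patient record, by sensitivity.
SCHEDULING = frozenset({"name", "phone", "appointments"})
CLINICAL = frozenset({"medical_history", "xrays", "medications"})
FINANCIAL = frozenset({"insurance_id", "card_last4"})

# Hypothetical roles: each is granted only the fields its job needs.
ROLE_FIELDS: Dict[str, FrozenSet[str]] = {
    "receptionist": SCHEDULING,
    "clinician": SCHEDULING | CLINICAL,
    "billing": SCHEDULING | FINANCIAL,
}


class AccessDenied(Exception):
    """Raised when a request names any field outside the role's grant."""


@dataclass
class AuditEvent:
    when: str
    user: str
    role: str
    patient_id: str
    requested: List[str]
    denied: List[str]  # empty when the read was permitted


@dataclass
class RecordSystem:
    records: Dict[str, Dict[str, object]]
    audit_log: List[AuditEvent] = field(default_factory=list)

    def read(self, user: str, role: str, patient_id: str,
             fields: List[str]) -> Dict[str, object]:
        """Return exactly the requested fields, and only if all of them are
        within the role's grant. Fails closed: a single disallowed field
        denies the whole request, and every request is logged either way."""
        granted = ROLE_FIELDS.get(role, frozenset())  # unknown role: nothing
        denied = sorted(f for f in fields if f not in granted)
        self.audit_log.append(AuditEvent(
            when=datetime.now(timezone.utc).isoformat(),
            user=user, role=role, patient_id=patient_id,
            requested=sorted(fields), denied=denied))
        if denied:
            raise AccessDenied(f"{user} ({role}) may not read {denied}")
        record = self.records[patient_id]
        return {f: record[f] for f in fields}

    def repeat_offenders(self, threshold: int = 2) -> Dict[str, int]:
        """Users with at least `threshold` denied reads. A login that keeps
        asking for fields outside its role is the kind of unauthorized use
        the incident policy expects to be detected and reported."""
        counts: Dict[str, int] = {}
        for ev in self.audit_log:
            if ev.denied:
                counts[ev.user] = counts.get(ev.user, 0) + 1
        return {u: n for u, n in counts.items() if n >= threshold}


def demo() -> RecordSystem:
    """Constructed sample record and requests; returns the system so the
    audit log can be inspected."""
    system = RecordSystem(records={"P-001": {
        "name": "Jane Example", "phone": "555-0100",
        "appointments": ["2024-03-04 09:00"], "medical_history": "...",
        "xrays": ["xr-1"], "medications": [], "insurance_id": "INS-0001",
        "card_last4": "4242"}})
    # Routine and permitted: the front desk confirms an appointment.
    system.read("pat", "receptionist", "P-001", ["name", "appointments"])
    # Outside the role: the same login asks for clinical data, twice.
    for _ in range(2):
        try:
            system.read("pat", "receptionist", "P-001", ["name", "medical_history"])
        except AccessDenied:
            pass  # refused; the attempt is already in the audit log
    return system
```

After `demo()` runs, `repeat_offenders()` reports the receptionist login with two denied reads, which is the signal the Compliance Officer would follow up on under the incident policy.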

Requesting specific amounts of PHI from others

Many practices depend on patient referrals from outside practices. When taking these referrals, often medical information is sent over either electronically or via mail. When working with an outside practice, you should only ever request the minimum amount of PHI to perform the care you have been tasked with. If a patient is coming to you for a specific procedure like a root canal or a surgical procedure, it may be tempting to ask for the entire history of care from the outside practice. However, you’ll likely only need the recent x-rays and other information pertinent to that patient’s current ailment. Limiting the amount of PHI you ask for limits your liability in a situation where a medical record was breached in transit. If PHI gets lost in the mail, that is considered a breach. Accordingly, the more information contained therein, the higher the possible fine from the Office for Civil Rights in the event of a breach.

Sending specific amounts of PHI to others when requested

Most practices refer patients to specialists when a patient needs a procedure outside of the practice’s area of expertise. When doing so, the outside specialist will likely request information about the patient: x-rays, medical histories, insurance information, etc. Therefore, it is important that you and your employees understand the difference between a routine request for information and a non-routine request for information. A routine request for information is the type of request you see all the time. The request is for the right amount of information for the third-party specialist to perform their procedure, and the request shouldn’t make you question why they are asking for that specific information.

Alternatively, there are non-routine requests for information. These requests may be for entire medical histories or a specific piece of information you’ve never been asked for. Or the request may be because of an unusual referral situation your practice doesn’t see very often. In these situations, your employees should take a moment to ensure that all of the information requested is really necessary to perform the procedure or care for the patient effectively. Furthermore, if your employee doesn’t agree with the magnitude of the request, they should communicate with the third party and ensure that a particular piece of information is really needed. Only if the third party can give you a compelling reason for needing the information should you make the exception and send it to them.

J.J. Micro’s PracticeProtect platform helps your organization understand and follow HIPAA regulations like minimum access to PHI. Give us a call today at 636-556-0009 to schedule a free risk assessment.