Read to learn the basics of the HIPAA Privacy Rule and how to train your staff about HIPAA compliance.
This post contains the text from the White Paper: HIPAA Privacy Rule 101.
When it comes to the HIPAA Privacy Rule, healthcare organizations often think they have everything covered. For the most part, this is true. You likely have your privacy practices posted throughout your workplace, and there are usually limited instances where employees leak PHI to the public (such as in football star Jason Pierre-Paul’s case).
However, if covered entities (and other individuals) intentionally obtain or disclose PHI in violation of the HIPAA Privacy Rule, they may be fined up to $50,000 and receive up to one year in prison. But if the HIPAA Privacy Rule is violated under false pretenses, the penalties can be increased to a $100,000 fine and up to 10 years in prison.
For example, here are several common HIPAA Privacy Rule violations:
Given the financial consequences and the prevalence of HIPAA violations, you need to take HIPAA compliance seriously and make sure you have adequate HIPAA Privacy Rule policies and procedures in place.
In this white paper, you will learn the basics about the HIPAA Privacy Rule, how you should handle PHI, what policies you need to have in place, and how to train your staff about HIPAA compliance.
The Privacy Rule addresses appropriate PHI use and disclosure practices for healthcare organizations, as well as defines the right for individuals to understand, access, and regulate how their medical information is used.
The HIPAA Privacy Rule:
To start your compliance efforts, you need to know where you fit in with HIPAA requirements, since the Privacy Rule applies to all healthcare providers, including those who do not use an EHR, and covers all mediums: electronic, paper, and oral. It guarantees patients the right to their own protected health information, access to their records, and disclosure of how that information is used or shared.
A covered entity (CE) is a health plan, healthcare clearinghouse, or healthcare provider that electronically transmits health information (e.g., doctors, dentists, pharmacies, health insurance companies, company health plans, etc.). While a member of the covered entity’s workforce is not a business associate, a healthcare provider, health plan, or healthcare clearinghouse can be a business associate of another covered entity.
On the other hand, a business associate (BA) is a person or entity that performs certain functions that involve the use or disclosure of PHI (e.g., CPA, IT provider, billing services, coding services, laboratories, etc.). Business associates can be from legal, actuarial, consulting, data aggregation, management, administrative, accreditation, and/or financial organizations. Some possible business associate functions include:
For example, a business associate can be a third-party administrator that assists a healthcare organization with claims processing. They can also be a consultant performing utilization reviews for a hospital.
In healthcare, there are two basic types of patient records: designated and legal health records. While these two record sets are fairly similar and often contain identical information, there are slight differences in what you will need to gather from and for patients.
Designated records are medical and/or billing records that are maintained by or for a covered entity. These records are often used in part or whole to make care decisions for patients.
Designated record sets are:
Designated record sets should also include information about amendments, restrictions, and authorized access to patient data.
Legal health records are the official business and legal record for an organization, and they contain information about services provided by a healthcare provider to a patient.
Legal health records can and often do include similar PHI as the designated record set, though they are used for different purposes. Specifically, legal health records are used to document and defend an organization’s care decisions.
Legal health records are often used for the following additional purposes:
Before sharing patient data, make sure you have thorough policies and procedures established on how you are allowed to use and disclose patient data. For example, you are required to disclose PHI in the following instances: individuals (or their representatives) request this information or the Department of Health and Human Services (HHS) undertakes a compliance investigation or review.
You are allowed (though not required) to use and disclose PHI without an individual’s authorization under the following situations:
However, there are some exceptions to this rule. For example, most uses and disclosures of psychotherapy notes require authorization from patients (i.e., written permission from individuals to use and disclose PHI). Also, you typically must receive patient authorization to use and disclose PHI for marketing purposes, unless the use fits within HIPAA exceptions.
A large portion of the Privacy Rule is based on the minimum necessary requirement, which states that only those who need to see PHI to do their jobs should get to see it; unless you have a specific need for the information, access must be restricted. For example, a receptionist (or anyone else who doesn’t provide direct patient care) probably doesn’t need to see a patient’s X-rays to do their job.
The HHS states “if a hospital employee is allowed to have routine, unimpeded access to patients’ medical records, where such access is not necessary for the hospital employee to do his job, the hospital is not applying the minimum necessary standard.”
It’s a covered entity’s responsibility to limit who within an organization has access to each specific part or component of PHI. The easiest way to take charge of the data is by creating individual user accounts on a network. In the ideal scenario, each user account in a network, EHR/EMR, or computer system, would be given certain privileges based on the job title or role of the user.
For example, a doctor’s account would be given access to all PHI in their patient database because they need it to do their job, while an IT admin’s account would have restricted access to PHI because they’re not involved with patient care.
The minimum necessary also applies to the information shared externally with third parties and subcontractors. Organizations are required to limit how much PHI is disclosed based on job responsibilities and nature of the third party’s business. Remember, passing too much PHI to a business associate or third party could get your organization slapped with a fine. Be careful about how much data you send and receive.
Both covered entities and business associates have a minimum necessary responsibility under HIPAA. That means either party can be fined by the HHS for misapplying (or completely disregarding) the minimum necessary rule.
To avoid these issues, covered entities and business associates should assess their responsibilities concerning minimum necessary data accordingly:
By limiting PHI access to the smallest number of people possible, the likelihood of a breach or HIPAA violation decreases significantly.
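The role-based approach described above, written out as code. This is an added example, not code from the original white paper or from SecurityMetrics: the roles, record components, business associate types and sample accounts are constructed for illustration, and the policy tables are assumptions a real organization would fill in from its own job descriptions.

```python
"""Minimum necessary as code: a deny-by-default role policy, an audit trail for every
decision, and a check for accounts granted more than their role needs."""
from datetime import datetime, timezone

# Components of a patient record that can be granted separately (constructed for the example).
# Each workforce role gets only what its job requires; anything unlisted is denied.
ROLE_POLICY = {
    "physician":     {"demographics", "clinical_notes", "imaging", "lab_results",
                      "billing", "psychotherapy_notes"},
    "nurse":         {"demographics", "clinical_notes", "imaging", "lab_results"},
    "receptionist":  {"demographics", "scheduling"},   # no X-rays needed for the job
    "billing_clerk": {"demographics", "billing"},
    "it_admin":      set(),                             # administers systems, not patient care
}

# Components that need written patient authorization even for a permitted role.
AUTHORIZATION_REQUIRED = {"psychotherapy_notes"}

# External disclosures: what each kind of business associate may receive for its function.
BA_POLICY = {
    "billing_service": {"demographics", "billing"},
    "it_provider":     set(),
}

AUDIT_LOG = []   # every decision is recorded, allowed or denied


def decide(user, role, component, patient_id, authorized=False):
    """Deny-by-default access decision for an internal user; logged either way."""
    allowed = component in ROLE_POLICY.get(role, set())
    if component in AUTHORIZATION_REQUIRED:
        allowed = allowed and authorized
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "patient": patient_id,
        "component": component, "allowed": allowed,
    })
    return allowed


def disclose_to(ba_type, requested):
    """Trim a business associate's request down to what its function needs.
    Returns (components to send, components refused), both sorted."""
    permitted = BA_POLICY.get(ba_type, set())
    requested = set(requested)
    return sorted(requested & permitted), sorted(requested - permitted)


def overbroad_accounts(accounts):
    """Find accounts whose actual grants exceed their role's policy: the 'routine,
    unimpeded access' that HHS says fails the minimum necessary standard.
    accounts: {username: (role, set of granted components)}"""
    findings = []
    for username, (role, grants) in accounts.items():
        excess = set(grants) - ROLE_POLICY.get(role, set())
        if excess:
            findings.append((username, role, sorted(excess)))
    return findings


# Constructed sample of what an EHR's user table might export (not real accounts).
SAMPLE_ACCOUNTS = {
    "dr_lee":   ("physician",    {"demographics", "clinical_notes", "imaging",
                                  "lab_results", "billing", "psychotherapy_notes"}),
    "frontdsk": ("receptionist", {"demographics", "scheduling", "imaging"}),  # X-ray access it doesn't need
    "sysadmin": ("it_admin",     {"demographics", "clinical_notes"}),         # leftover from a migration
}

if __name__ == "__main__":
    print(decide("frontdsk", "receptionist", "imaging", "P-001"))
    print(disclose_to("billing_service", ["demographics", "billing", "imaging"]))
    for finding in overbroad_accounts(SAMPLE_ACCOUNTS):
        print("over-broad grant:", finding)
```

Running `overbroad_accounts` against a periodic export of your EHR's user table is a cheap way to catch the accumulated grants that auditors look for when they compare written policy with what the system actually allows.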
The minimum necessary requirement is a core principle of the Privacy Rule, and it affects a large number of decisions surrounding the privacy and security of PHI. The goal of this requirement is to limit the amount of PHI that an organization uses, discloses, or requests to the minimum necessary to accomplish the intended purpose.
You can extend this philosophy to how much and what types of PHI an organization creates as well. Every time you grant employee access to PHI or receive a request to send PHI to another organization or individual, ask yourself what is the minimum amount of information required to accomplish the requested task.
Yes, it’s difficult, but you need to find balance between maintaining patient health and respecting their individual rights.
There are several exceptions to the minimum necessary: disclosures from one healthcare provider to another for purposes of treatment, patient and any authorized party requests, and uses and disclosures to the HHS Secretary and for any legal purposes.
-RYAN MARSHALL
SecurityMetrics HIPAA Fulfillment Manager | HCISPP
Sometimes healthcare organizations need to use patient data for research, public health, and healthcare operations (e.g., comparative effectiveness studies, policies, assessments); when this happens, make sure you properly de-identify PHI. Specifically, you need to make sure to remove all information that could identify an individual, such as the 18 PHI identifiers, which are:
Once PHI has been adequately de-identified, it is no longer protected by the Privacy Rule. This means that you can disclose this information to anyone without authorization.
However, codes and other data that could be used to re-identify coded or de-identified PHI are themselves considered PHI if disclosed. Such codes are not considered PHI only if they are not related to the patient’s information and cannot be used to identify patients without an appropriate re-identification mechanism, which itself must not be disclosed.
When using or disclosing de-identified PHI (or limited data sets), don’t share codes or other data that can be used to identify a patient.
You can also use a limited data set without patient authorization for the following purposes: healthcare operations, research, or public health. A limited data set is similar to de-identified data, except the limited data set can exclude the following information:
But if you disclose the limited data set outside of your organization, make sure to have a data use agreement in place with the organization receiving this data. Your data use agreement must include:
If this outside organization is one of your business associates, then your business associate agreement (BAA) can be used as a data use agreement.
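The de-identification, limited data set and re-identification code rules above, as an added worked example that is not part of the original white paper. It implements the Safe Harbor method from 45 CFR 164.514(b)(2) on a constructed patient record; the field names, the sample record and the HMAC-based re-identification code are assumptions, and the list of small ZIP3 areas is the one cited in HHS de-identification guidance and should be refreshed against current census data.

```python
"""Safe Harbor de-identification, a limited data set, and a keyed re-identification code."""
import hmac
import hashlib
from datetime import date

# ZIP3 areas HHS lists as having 20,000 or fewer residents; Safe Harbor reports them as "000".
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}

# The 16 direct identifiers that both Safe Harbor and a limited data set must drop
# (assumed field names for this example).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo",
}
# Dates directly related to the individual: Safe Harbor keeps only the year.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}


def generalize_zip(zip_code):
    """Keep the first three digits unless that ZIP3 area is too small to be safe."""
    zip3 = str(zip_code)[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(birth_date, as_of):
    """Whole years of age on the given date."""
    had_birthday = (as_of.month, as_of.day) >= (birth_date.month, birth_date.day)
    return as_of.year - birth_date.year - (0 if had_birthday else 1)


def deidentify(record, as_of):
    """Safe Harbor: strip direct identifiers, reduce dates to years, truncate ZIPs,
    and aggregate everyone aged 90 or older into a single '90+' category."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    over_89 = "birth_date" in record and age_on(record["birth_date"], as_of) > 89
    for field in DATE_FIELDS.intersection(out):
        out[field] = out[field].year            # year only
    if "zip" in out:
        out["zip"] = generalize_zip(out["zip"])
    if "birth_date" in record:
        out["age"] = "90+" if over_89 else age_on(record["birth_date"], as_of)
        if over_89:
            out["birth_date"] = None            # the birth year alone would reveal an age over 89
    return out


def limited_data_set(record):
    """Limited data set: drop the 16 direct identifiers but keep dates, city, state and ZIP.
    Usable only for research, public health or healthcare operations under a data use agreement."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def reidentification_code(mrn, secret_key):
    """Keyed hash of the MRN. Without the key, which stays with the covered entity and is
    never released with the data set, the code cannot be translated back to the patient."""
    return hmac.new(secret_key, str(mrn).encode(), hashlib.sha256).hexdigest()


# Constructed sample record (not real patient data). ZIP 059xx is a restricted ZIP3 area.
SAMPLE = {
    "name": "Jane Example", "mrn": "MRN-0001", "ssn": "000-00-0000",
    "street_address": "1 Example St", "city": "Example City", "state": "VT",
    "zip": "05901", "birth_date": date(1930, 5, 20), "admission_date": date(2023, 3, 4),
    "diagnosis": "I10",
}
YOUNG = dict(SAMPLE, birth_date=date(1980, 6, 1), zip="84000")
AS_OF = date(2024, 1, 15)

if __name__ == "__main__":
    print(deidentify(SAMPLE, AS_OF))
    print(limited_data_set(SAMPLE))
    print(reidentification_code(SAMPLE["mrn"], b"example-key-kept-secret"))
```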
In addition to knowing how you can use and disclose data, make sure your organization implements a data retention policy. Start by deciding how long data needs to be kept and when it should be deleted. Specifically, determine how long regulations require the data to be stored and how long your organization itself needs it.
HIPAA retention requirements require you to keep the data for 7 years, though individual states may require longer retention. If you decide to keep data after 7 years (or however long your state requires), you need to protect it for 50 years after the patient has died. Due to these regulations, organizations often choose to destroy and/or delete data after this time period.
Permanently destroying electronic data may require a few different techniques, depending on how you want it done and whether you want to reuse the media where the data is stored. Here are a few techniques to securely delete your data:
Overwriting replaces the data on the media with a sequence of 1’s (some methods use a different set of binary sequences to ensure all the data has been overwritten). There still could be some type of recoverable data on the media, so this method may not be the most secure.
Degaussing is useful if you have magnetic tapes and hard drives. It uses a powerful magnet to erase data on magnetic media. This method is particularly helpful if you want to reuse the media.
Physical destruction is one of the most secure methods to permanently delete data. If you don’t plan to use the media again, it’s highly recommended you physically destroy it. You can go to companies that have industrial-sized shredders to dispose of larger hardware. Some types of media require physical destruction for secure data deletion: solid state drives (SSDs) and optical media like DVDs and CDs generally must be destroyed physically.
Compliance with the Privacy Rule might seem easy for healthcare organizations, but HIPAA Privacy Rule requirements on the various policies and procedures may take up an entire shelf or filing cabinet, if not more.
If you don’t have all policies and procedures properly in place, your organization faces legal and financial consequences. For instance, when organizations undergo an Office for Civil Rights (OCR) audit or investigation, OCR auditors often review documented policies and procedures, interview staff, and observe if procedures are actually taking place. If all three of these factors don’t match requirements exactly, organizations may be issued hefty fines, such as:
If you’re like most healthcare organizations, you already have organizational policies in place. But they probably haven’t been reviewed or updated in years. Or perhaps you do have policies, but they haven’t been properly documented.
To maintain HIPAA compliance, regularly update your policy and procedure documentation, and ensure employees receive proper training.
However, policies aren’t just paperwork. They outline in writing what you promise to do to protect your patients’ medical data. In addition to having written policies, make sure that your policies and procedures are frequently updated and stored in a place from which they can be easily disseminated to your staff.
Though there are numerous HIPAA Privacy Rule policies, make sure to include the following policies:
Most healthcare professionals are familiar with Notices of Privacy Practices (NPPs) as part of HIPAA. Most patients have seen them, and most covered entities have them in place and know what they are for. But the most common errors in NPPs involve failing to update how the organization deals with a patient’s refusal to acknowledge receipt of privacy practices, and failing to keep all foreign language versions (e.g., Spanish NPPs) up to date.
NPPs are legal documents and are commonly created by groups other than the covered entities themselves; they are usually supplied by insurance companies, malpractice attorneys, or sometimes a healthcare association. While there is nothing wrong with having NPPs supplied by external parties, they do need to accurately reflect your privacy practices and need to be updated when changes to the law occur.
An example would be the change to requirements for uses of PHI for marketing purposes that the Omnibus Rule introduced in 2013. Some NPPs created before 2013 had marketing disclosure practices that would now be a violation of the new requirements.
All NPPs need to be displayed in a prominent location at your organization where a patient would encounter them. If you own a website, it must be published there as well. NPPs must be provided to the patient at first encounter and an attempt to have the patient sign an acknowledgement of receipt form must be made.
A patient is not required to sign the acknowledgment form or waive any right under the Privacy Rule. If a patient refuses, they cannot be denied any service or receive any retaliation as a result of refusal to sign. When a patient refuses to sign, documentation should show that an attempt was made and the reason it was not accepted.
NPPs must describe how your organization intends to use and disclose PHI, what the individual’s rights are with respect to their information, and how the individual can exercise them, including how to file a complaint. NPPs should state what your legal duties are with respect to this information, including a statement that you are legally required to protect the privacy of the information. NPPs also must contain contact information (e.g., phone number) for the Privacy Officer.
Patients can request an accounting of your disclosures of their PHI made in the last 6 years. They can receive one free accounting in a 12-month period, but after this request, you can charge patients a fee based on the cost of time and material used to provide this accounting.
You need to provide this information within 60 days of the request, unless you receive a 30-day extension by providing the patient with a written statement explaining your reasons for the delay and when they will receive your disclosure information.
Your accounting of disclosures must include the following information:
If PHI disclosures were made for research purposes (involving data from more than 50 individuals), make sure to include:
However, covered entities do not have to provide an accounting of disclosures that did not require specific notification, authorization, or an opportunity to object (e.g., disclosures for treatment, payment, or healthcare operations).
Though patient records cannot have information removed, patients can request to make amendments to their healthcare records, which offers further explanation, clarification, or revision of health information.
If patients request an amendment, the covered entity should have patients fill out forms that include:
Covered entities have 60 days from receiving a patient’s request to take action, unless they obtain a 30-day extension by providing written notice to the individual explaining the reason for the delay and the date on which action will be taken. At a patient’s request, covered entities might also be contacted by other covered entities to amend patient records.
Whether or not you amend patient records upon request, inform the patient about your decision in a timely manner.
A covered entity can deny a patient’s request to amend health information for several reasons. For instance, covered entities can deny a request if the record is not part of the Designated Record Set, it was not created by the covered entity, is not part of their access rights under HIPAA requirement §164.524, or the record is reviewed and determined to be accurate and complete.
If a covered entity agrees to amend a patient’s record, it needs to add the amendment to the record or reference a link to it. Make sure to notify the patient, anyone the patient asks to be notified, and anyone who needs the corrected information so that the patient does not suffer negative consequences.
If you deny the request to amend a patient’s record, you must inform the patient that their amendment was denied and why you denied their request.
Patients also need to know that they can submit a written statement that they disagree with the denial and have this statement included in their record. If they choose not to submit a statement of disagreement, their request for amendment and subsequent denial will still be included in their record. In addition to this, make sure to also inform patients on how to file a complaint.
Patients (and any person on behalf of someone else) have the right to file a complaint if they believe that their rights and/or information have been violated or breached in any way. They can choose to file a complaint with the covered entity directly and/or with the secretary of the HHS/OCR.
If patients file a complaint with the covered entity, the covered entity must have the following information in place about how to file a complaint:
While the covered entity has no obligation to investigate any complaints, especially within a specific timeframe, it’s in your best interest to do so to avoid a complaint with HHS/OCR and for patient satisfaction and trust. Covered entities must also document all complaints received and their response to complaints.
Covered entities are not allowed to intimidate or retaliate against a patient that files a complaint with either the covered entity or HHS/OCR.
When complaints are filed to the covered entity, patients do not have to file a complaint in any specific timeframe.
If patients file a complaint with HHS/OCR, their complaints must be submitted in writing within 180 days of the violation or of when the patient reasonably should have known about the violation. In this complaint, patients must include the name of the complaint’s subject and a description of the violation. Patients can use the online OCR complaint tool to file it.
HHS/OCR will conduct a preliminary investigation of ALL complaints. Once a complaint is determined as valid, they will conduct a further investigation, which might lead to an audit (e.g., desk audit, onsite audit).
After the 2013 HIPAA Final Omnibus Rule, HIPAA compliance for both covered entities and business associates has become an even more important priority. The HIPAA Final Omnibus Rule requires covered entities to implement or update a business associate agreement (BAA) for all relationships wherein the business associate creates, receives, maintains, and/or transmits electronic patient information.
In these new or revised BAAs, covered entities, business associates, and subcontractors agree to share responsibility for patient data protection and breach notification. Here are a few examples of what should be included in your business associate agreement:
Additionally, the HHS makes it clear that covered entities must obtain satisfactory assurance that each business associate safeguards the patient data it receives or creates on behalf of the covered entity. That means covered entities must ensure their business associate complies with the terms of their BAA.
Whether compromised from within your system or the system of a business associate, your organization can be liable for up to $50,000 per violation per day as a result of any breach of your patient data. And that’s just HHS penalties. That doesn’t include civil action, cost of mitigation, and loss of patient trust that may come as a result of a breach.
With these consequences in mind, remember that you should only share minimal need-to-know data with your business associates, and regularly validate that they are handling your patients’ PHI in a HIPAA compliant manner. That should keep your liability to a minimum. Next, covered entities should do all they can to reduce risk by implementing a business associate compliance program. Such a program should gauge your liability, help you locate business associates, discover what business associates do with your PHI, and help them work towards compliance.
Your business associate plan should evaluate all existing business associate security practices in order to help you address the riskiest vendors first. Then, risk and compliance managers should design, implement, and monitor a mass risk evaluation of business associate networks.
A plan that starts with the highest risk business associates and tracks related progress will help you prove your effort to address business associate compliance if the HHS decides to audit your organization.
After determining which business associate(s) you use, make sure every business associate has an adequate BAA in place. Then you should identify all parties (e.g., business associates, subcontractors) that still need to comply with your BAA. Next, ask your business associates for proof they’ve completed a Risk Analysis and are up to date with their Risk Management Plan. If not, either recommend a trusted source to help or stop using their services. Just remember, patient data is too valuable to deal with business associates that choose to ignore compliance best practices.
Next, classify business associates according to their use of patient data. Determine how much liability each business associate holds by asking a set of risk-evaluating questions, such as:
After this quick risk snapshot, you will be able to clearly categorize individual risk levels and determine which business associates put your patient data at the highest risk. Based on the risk ranking from the preliminary risk analysis, you can then start to customize compliance measures to enable business associate HIPAA compliance.
Remember that HIPAA regulations require you to take action if you know or believe a business associate is not HIPAA compliant.
If a covered entity terminates a business associate contract, the business associate needs to follow the termination clause. Basically, a business associate needs to make sure that any PHI it has received, created, or maintained is:
Every covered entity with business associates is required to obtain assurances that their business associates treat patient data the way you and the HHS want them to. Whether you choose to personally audit each business associate, or require documented data security procedures, take the initiative to secure the future of your organization and safety of patient data.
As your business associates progress towards compliance, track their success to ensure an approved level of compliance. As the riskiest business associates reach compliance, begin to reach out toward medium-risk business associates to start the process with them. Don’t forget to re-evaluate every business associate’s plan and associated vulnerabilities each year. Encourage continual education and training programs, such as regular HIPAA security webinars or even an email newsletter.
-JEN STONE
SecurityMetrics Security Analyst
MCIS | CISSP | CISA | QSA
Most workforce members aren’t malicious, but they often don’t know or forget what is required of them. For example, if you don’t give your workforce members specific rules and train them on those rules, they won’t be able to keep PHI secure. Or if employees are trained only once, they might forget policies.
Workforce member training and education will remind them that both privacy and security are important, and it will show them how to stop any bad security behaviors.
You need to train your staff regularly (e.g., at least quarterly). Training doesn’t have to be lengthy and detailed (e.g., a 20 minute PPT presentation). You can break up training into sections (e.g., monthly small and easy trainings), making it easier to remember and implement procedures. For example, consider having specific training about the following topics:
Specifically, social media use has become even more prevalent. If employees irresponsibly use social media, their actions can easily lead to serious HIPAA violations. Make sure staff understand the consequences of not following your HIPAA policies.
For example, you can share the story of a nurse at Michigan’s Oakwood Hospital who wrote a Facebook post about a patient accused of killing a police officer. Although the nurse didn’t use the patient’s name or social security number, this was still a breach of the HIPAA Privacy Rule.
Workforce members are considered the weakest link in PHI security and HIPAA compliance by most security professionals.
As you set up your training plan, here are some tips to consider:
In addition to your training plan, make sure you have and follow appropriate sanctions (i.e., disciplinary action) for workforce members that do not comply with your policies and procedures.
HIPAA compliance is never completely finished. You will often need to examine how your organization uses and/or discloses patient information and make adjustments to procedures when necessary.
However, compliance to the HIPAA Privacy Rule doesn’t have to be an impossible task. Break your compliance efforts into manageable tasks.
For example, start by reviewing one new HIPAA Privacy Rule policy a week, then you can implement procedures to follow your established policy. Next, train workforce members about this new policy and any procedures they need to follow. Make sure that staff receives specific rules and regular training after your initial training.
We help customers close security and compliance gaps to avoid data breaches. Our forensic, penetration testing, and audit teams identify best security practices and simplify compliance mandates (PCI DSS, HIPAA, HITRUST, GDPR). As an Approved Scanning Vendor, Qualified Security Assessor, Certified Forensic Investigator, we have tested over 1 million systems for security.