People who work in healthcare every day have the best questions.
HIPAA is a big sprawling law that has been updated and changed multiple times since it began in 1996. It can be technical, confusing, and hard to follow, especially for busy practice managers who are experts in their own field, but not necessarily HIPAA compliance experts.
We believe that HIPAA is easy to follow step-by-step, once you know the steps. And if you have questions, ask them to clear up what you don’t understand.
Some questions we have heard from practice managers, business owners and IT staff include the following:
Right of Access to Medical Records
Question: We are a nursing home and many of our residents have family members involved in their care who we speak to on a regular basis. If a resident of our facility passes away, and a family member later asks for the deceased’s medical records, are we supposed to provide them?
Answer: The HIPAA right of privacy survives death, for fifty years. A family member who is the deceased's personal representative (for example, the executor or administrator of the estate, or someone with authority under state law to act for the decedent or the estate) has the same right of access the resident had, and is entitled to receive the records. A family member who holds a valid HIPAA authorization signed by the resident while living may receive the records described in that authorization, within its stated scope and expiration. Separately, the Privacy Rule permits (but does not require) a covered entity to disclose a decedent's PHI to family members or others who were involved in the resident's care or payment for care before death, limited to the PHI relevant to that involvement, unless doing so would be inconsistent with a preference the resident expressed while living. Document which of these bases you are relying on before you release anything.
Question: Our fire district operates EMS services for a large metropolitan area. We know we are a covered entity and we follow HIPAA. We get lots of requests for medical information (accident reports, case files) from lawyers representing people injured in accidents. Is that permitted, or should the patient make the request?
Answer: Anyone who presents a valid HIPAA authorization signed by the patient, or by the patient's personal representative, may receive the medical records described in it. The HIPAA Privacy Rule sets forth six core elements (a description of the information to be disclosed, who may disclose it, who may receive it, the purpose, an expiration date or event, and the patient's signature and date; if a personal representative signs, a description of that person's authority) and three required statements (the right to revoke, whether treatment or payment is conditioned on signing, and that the information may be redisclosed by the recipient and no longer be protected). If any one of the elements or statements is missing, the authorization is not valid and the request should be declined. Check the expiration and scope as well: an authorization that has expired, or that covers only certain dates or record types, does not support a broader release. To learn more about providing access to third parties read A Current Simple Guide to Right of Access.
Risk Analysis
Question: I’m not sure where to start on a HIPAA Risk Analysis. Wouldn’t it be safer to hire an outside contractor to do it for us?
Answer: The place to start is to take an inventory of all the locations of protected health information (PHI), both electronic and non-electronic. Make a list, and then evaluate whether the PHI is secure. If there are improvements to make in preserving its security, make a plan to accomplish those – are better door locks needed for paper files? Is the software you use to manage your office updated and patched? Is your operating system current?
There are more steps beyond this for a full and complete Risk Analysis. You can either hire an outside contractor or do it yourself. Two big advantages of doing it yourself are that it is much less expensive, and you will have more knowledge about your own gaps and clear ideas about how to close them.
The HIPAA E-Tool® makes it easy, with step-by-step guidance through Risk Analysis and Risk Management. The E-Tool documents and archives all your work in case you are ever audited, and next year’s risk analysis builds on the one you did this year, so you don’t start from scratch each year. Review, update and refine your work each year.
Question: How often should we do our Risk Analysis? I just joined our surgery practice and am reviewing our HIPAA policies and procedures, and it looks like the last one was completed in 2019.
Answer: The HIPAA Security Rule requires a risk analysis but does not set a fixed interval for repeating it; most HIPAA advisors agree that a full Risk Analysis should be done once a year. OCR guidance also expects it to be updated whenever something significant changes in your environment, such as a new practice management or EHR system, a new location, a new business associate, or a security incident. A five-year gap like the one you describe means the current analysis no longer reflects the systems you actually use, so a fresh one is in order. HIPAA awareness and risk management are year-round responsibilities: apply software updates and patches as they are released, train staff about cybersecurity risks (especially phishing), provide all staff with periodic security reminders, and make sure staff know whom to call with questions and how to report security incidents.
Medical Devices and HIPAA
Question: We are a medium-sized healthcare system offering a full array of services with fifteen locations. We use lots of medical devices, as do all healthcare practices today, from diagnostics to treatment, life support, and including durable medical equipment. Is a medical device subject to HIPAA?
Answer: Yes, provided the medical device creates, receives, maintains or transmits PHI (including electronic PHI). For HIPAA purposes it does not matter whether the device meets the FDA definition of a medical device (an instrument used in the diagnosis, cure, mitigation, treatment, or prevention of disease in humans); what matters is that it handles PHI on behalf of a covered entity or business associate. Treat it like any other electronic device you are responsible for: inventory it for the Risk Analysis (on a list, with its location, the vendor, and what PHI it stores or sends), and evaluate and update its security. In practice that means confirming the vendor still supplies security patches and that they are applied, changing any default or shared passwords, limiting who can log in and what the device can reach on the network, and knowing whether PHI stored on the device is encrypted and how it is wiped before the device is returned or disposed of. Medical devices are also regulated by the Food and Drug Administration (FDA), which has issued warnings about cybersecurity concerns for these essential devices and publishes guidance on device cybersecurity that your vendors should be able to speak to.