What does everyone who works in healthcare need to know about HIPAA to help maintain a culture of compliance and safeguard the privacy of individuals’ health information?
This blog contains highlights of three big topics under HIPAA: What is PHI; Risk Analysis – Risk Management; and HIPAA breach notification. Links to more detailed information are included.
HIPAA is a federal law – the Health Insurance Portability and Accountability Act, originally passed in 1996. It has been amended and updated numerous times since then, and may be amended again in the near future. There are also state laws governing health privacy that may be stricter than HIPAA (more protective for patients). HIPAA governs unless the state law is more strict.
There are three overarching HIPAA Rules: the Privacy, Security and Breach Notification Rules. Many refer to the 2009 HITECH Act as a separate rule, but in fact, it amended the 1996 HIPAA law and is included in the current body of laws and regulations known as HIPAA.
Enforcement comes from the U.S. Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR). HIPAA is not political and has been enforced throughout its history regardless of which party is in office. OCR enforces HIPAA through audits and investigations, and violations can result in civil monetary penalties and criminal penalties.
Who Needs to Comply with HIPAA
- Covered Entities and Business Associates (organizations that help covered entities and handle Protected Health Information) are required to comply with HIPAA.
- Patients and family members of patients are not required to follow HIPAA; schools and, in most cases, law enforcement and employers are not required to follow HIPAA either.
- Everyone throughout the organization who comes in contact with PHI, from the Board of Directors, to executive management to new hires, should receive HIPAA training and commit to the organization’s HIPAA policies.
- Every covered entity and business associate must appoint privacy and security officials.
What is PHI and How to Protect It
- Protected Health Information (PHI) is any individually identifying piece of information that is connected to the provision of past, present or future health care. A single identifier is enough; a full medical record is not required.
- PHI may not be used or disclosed without the patient’s authorization. Exceptions to this general rule are that PHI may be used or disclosed for purposes of treatment, payment or health care operations without authorization.
- PHI can be on paper, in electronic format (sometimes called ePHI), on film, or spoken.
- PHI does not necessarily contain a diagnosis or specific medical information; a patient’s name or address tied to a visit or a bill is already PHI.
The Minimum Necessary Standard
- When using or disclosing PHI, only use or disclose the minimum amount necessary to accomplish the task.
- Minimum necessary does not apply to covered entities disclosing PHI to other covered entities for the purpose of treatment.
The Right of Access Rule
- HIPAA protects the right of patients to obtain their own medical records. The minimum necessary standard does not apply to patients requesting their own records.
- Covered entities should make sure that if patients request their records, the request is filled promptly and at little or no cost.
- The patient Right of Access rule is a high enforcement priority of OCR.
- Do not confuse “authorization” with “right of access”; in other words, don’t require an authorization form if a patient is asking for their own records.
Risk Analysis – Risk Management
- The single most important task that covered entities and business associates can do is a HIPAA Risk Analysis. Not only is it required by HIPAA, but it is the best defense against PHI breaches of all kinds, whether accidental (a mistake) or intentional (theft and cyber crime).
- A full HIPAA Risk Analysis is broader than a “security risk assessment” because it includes requirements from the Privacy and Breach Notification Rules, not just the Security Rule.
- A separate Risk Analysis should be conducted at each site.
- Managing business associates is a central part of HIPAA compliance, and the Risk Analysis helps accomplish this.
How to Prevent Breaches and What to do if a Breach Happens
- The Security Rule Checklist includes all the steps needed to prevent breaches.
- Encourage staff to report cybersecurity incidents and breaches without fear of reprisal. Create a “culture of compliance” to encourage communication and reports. Even if something turns out not to be an official breach, it should be investigated immediately to understand what happened.
- Practice good password control: strong passwords, no password sharing, periodic changes of passwords.
- Levels of access to information should be tailored to the role of each staff person.
- The Breach Notification Rule requires specific steps to be followed if a breach occurs.
- Provide workforce training on general HIPAA compliance and cybersecurity defense strategies.
- A ransomware attack is presumed by OCR to be a breach – if it happens, treat it as such until you can prove there is a low probability of compromise of the health information. Consult with a lawyer, and report ransomware to the local FBI field office.
The HIPAA E-Tool® is Your Best Guide
For detailed guidance you cannot do better than The HIPAA E-Tool®. Let us know if you have questions about HIPAA enforcement, policies or training.