Managing HIPAA day-to-day in a busy practice raises practical questions. Today, we’ll answer some of those common questions.
Breach Notification
Question: We are a mid-sized dental practice in California. A server located at our Electronic Health Records (EHR) company was hacked, compromising some of our patients’ protected health information (PHI). The breach did not affect our network, but our patients’ records were breached. Who is responsible for handling the breach notifications?
Answer: As a covered entity, your practice is responsible for notifying the affected patients, the Secretary of HHS and, where required, the media. A breach affecting 500 or more individuals must be reported to HHS at the same time the individual notices go out (smaller breaches are logged and reported to HHS annually), and a breach affecting more than 500 residents of a single state or jurisdiction must also be reported to prominent media outlets serving that area.
HIPAA places this responsibility on the covered entity. Your EHR vendor, as your business associate, must notify you of the breach without unreasonable delay and no later than 60 days after discovering it, and must give you the information you need to notify patients. Beyond that, the business associate agreement (BAA) may delegate the work of preparing and sending the notifications to the business associate, so check what yours says. Delegation does not transfer ultimate accountability: OCR will still look to the covered entity to make sure the notifications went out correctly and on time.
California’s rules are stricter than HIPAA’s. California Health and Safety Code section 1280.15 requires licensed clinics, health facilities, home health agencies and hospices to report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the California Department of Public Health and to the affected patients no later than 15 business days after the incident is detected. The only permitted delay is one requested by law enforcement. Confirm whether your practice falls under this section or under another California breach statute. HIPAA, by contrast, requires notification to individuals “without unreasonable delay” and no later than 60 calendar days after discovery of the breach.
HIPAA is a federal floor: it preempts contrary state law except where the state law is more stringent, in which case the stricter rule applies. Always check your state’s breach notification law and follow it wherever it is stricter than HIPAA.
Risk Analysis and Security Risk Assessment
Question: I’m setting priorities for HIPAA compliance in my new job as a Compliance Officer at a midsize practice. What do you think I should do first?
Answer: Your first priority should be a Risk Analysis. OCR’s Risk Analysis enforcement initiative, announced in February 2024 at the HIPAA Summit, focuses on whether covered entities and business associates have performed an accurate and thorough Risk Analysis. See page 17 of the linked presentation.
OCR has found that most of its large breach investigations reveal the absence of a compliant Risk Analysis, particularly for electronic protected health information (ePHI). The Security Rule (45 CFR 164.308(a)(1)(ii)(A)) requires an accurate and thorough assessment of the risks to all ePHI your practice creates, receives, maintains or transmits. In practice that means inventorying every system and location that holds ePHI, identifying the threats and vulnerabilities that apply to each, rating likelihood and impact, documenting the results, and feeding them into a risk management plan that you revisit whenever systems or circumstances change.
HIPAA Training and Certifications
Question: Should I require our staff to obtain HIPAA certifications from training? What kind of training is needed?
Answer: HIPAA requires training for all members of your workforce, with content appropriate to each person’s role; anyone who comes into contact with protected health information (PHI) certainly needs it. However, the Office for Civil Rights (OCR), which enforces HIPAA, does not recognize any “certification” or “certified” level of training. Don’t select training simply because it is marketed as a “HIPAA certification.” Good-quality training that meets OCR’s requirements is available from many sources.
Train staff when they are hired, whenever your policies or procedures materially change, and at least once a year thereafter (annual refreshers are a widely used benchmark, and the Security Rule also calls for periodic security reminders). All members of the workforce who handle PHI or see patients need two kinds of training:
- General HIPAA training about privacy, security, and patients’ rights; and
- Cybersecurity awareness training.
Beyond that, training should be tailored to each staff member’s responsibilities, so not everyone will receive identical training. For example, IT staff may receive more specialized training in cybersecurity practices, while a physician assistant may receive more training on communicating with patients. Make it relevant and valuable to their jobs.
Security Cameras in the Waiting Room
Question: I’m the new compliance officer for a busy orthopedic practice. There are several security cameras here, both in the lobby of our building and two in the waiting room. Is this a HIPAA violation? How do I handle this?
Answer: No. Security cameras that capture images of patients are not, by themselves, a HIPAA violation, provided the footage is kept private and secure. Because the footage identifies patients receiving care, treat it as protected health information (PHI) and give it the same protection as any other patient information you maintain. Add the camera system to your inventory of PHI locations and to your Risk Analysis, store the footage on a secure server with access limited to the staff who need it, set a retention period, and make sure staff understand that it is confidential and may be disclosed only as HIPAA permits. You do not need advance authorization from patients because you collect and use the footage for your own health care operations.
The HIPAA E-Tool® is Complete
We have answers to all of your HIPAA questions.
Solutions are in the E-Tool’s policies, forms, templates, and training. Everything is up to date, from the self-guided comprehensive Risk Analysis chapter to the Security Rule Checklist and the Breach Risk Assessment guidance.
It’s practical and easy to use. If you’d like to learn more, feel free to give us a call.