RECENT CHANGES TO HIPAA
The Office of Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM) on December 10, 2020, that proposed a slew of changes to the HIPAA Privacy Rule, and a Final Rule is expected to be issued in 2022; however, no date has yet been provided on when the 2022 HIPAA changes will take effect and become enforceable.
Over the past few years, new HIPAA regulations under consideration include changes to how substance abuse and mental health information records are protected. As part of efforts to tackle the opioid crisis, the HHS is considering changes to HIPAA and 42 CFR Part 2 regulations that protect the privacy of substance abuse disorder patients who seek treatment at federally assisted programs to improve the level of care that can be provided.
There have been calls from many healthcare stakeholder groups to align Part 2 regulations more closely with HIPAA to allow clinicians to view patients’ entire medical records, including Substance Use Disorder (SUD) records, to get a complete view of a patient’s health history to inform treatment decisions. If details of treatment for SUD are withheld from doctors, there is a risk that a patient may be prescribed opioids when they are in recovery. There was progress on this front in 2020, not through HHS or OCR rulemaking, but instead as part of the Coronavirus Aid, Relief, and Economic Security (CARES) Act.
In June of 2022, OCR issued guidance on how the HIPAA rules permit covered healthcare providers and health plans to use remote communication technologies for audio-only telehealth. The full guidelines can be found here.
The guidelines help covered entities to understand how they can use remote communication technologies for audio-only telehealth in compliance with the HIPAA Rules, including when OCR’s Notification of Enforcement Discretion for Telehealth Remote Communications (Telehealth Notification) is no longer in effect. Even though this announcement promotes audio-only telehealth for people who struggle with accessing audio-video calls, it is expected to impact the overall telehealth industry.
All healthcare service providers who are covered entities must comply with all HIPAA rules if they conduct audio-only services involving the transfer of e-PHI.
The new HIPAA guidance does not apply to telehealth providers that conduct voice-only services over standard telephone lines. The new security rules apply only to information that is transmitted electronically, for example calls made on HIPAA-compliant phones. But, considering the adoption of electronic media and the extensive use of electronic devices and technologies, such as Wi-Fi, extranets, cellular, and the Internet, it goes without saying that all types of audio-based telehealth services are now covered by the new guidance. Note that the covered healthcare provider won’t be responsible for the privacy of the data they share with the patients through electronic media.
A few examples of entities that use electronic media for remote communication and are required to comply with the HIPAA rules are:
- Communication applications
- Apps that record a telehealth session
- Messaging apps that store audio texts
The new security rule has made it mandatory for all HIPAA-covered entities to identify and address all possible threats and risks. For instance, the authorities analyze whether the covered entities use encrypted transmission technology to ensure that all the information exchanged is secured. Most importantly, there is a chance that a telehealth session recorded on provider devices might be leaked to a third party, or that an unauthorized user could access this private information, leading to a cybersecurity breach. HIPAA phone compliance also suggests that the app be closed automatically after a brief period of inactivity.
It is recommended that all healthcare sectors follow these new OCR guidelines and prefer HIPAA-compliant phones to avoid hefty fines for security breaches.
The 2022 proposed new HIPAA regulations announced by OCR in December 2020 are as follows:
- Allowing patients to inspect their PHI in person and take notes or photographs of their PHI.
- Changing the maximum time to provide access to PHI from 30 days to 15 days.
- Requests by individuals to transfer ePHI to a third party will be limited to the ePHI maintained in an EHR.
- Individuals will be permitted to request their PHI be transferred to a personal health application.
- States when individuals should be provided with ePHI at no cost.
- Covered entities will be required to inform individuals that they have the right to obtain or direct copies of their PHI to a third party when a summary of PHI is offered instead of a copy.
- HIPAA-covered entities will be required to post estimated fee schedules on their websites for PHI access and disclosures.
- HIPAA-covered entities will be required to provide individualized estimates of the fees for providing an individual with a copy of their own PHI.
- Pathway created for individuals to direct the sharing of PHI maintained in an EHR among covered entities.
- Healthcare providers and health plans will be required to respond to certain records requests from other covered healthcare providers and health plans in cases when an individual directs those entities to do so under the HIPAA Right of Access.
- The requirement for HIPAA-covered entities to obtain written confirmation that a Notice of Privacy Practices has been provided has been dropped.
- Covered entities will be allowed to disclose PHI to avert a threat to health or safety when harm is “seriously and reasonably foreseeable.” The current definition is when harm is “serious and imminent.”
- Covered entities will be permitted to make certain uses and disclosures of PHI based on their good faith belief that it is in the individual’s best interest.
- The addition of a minimum necessary standard exception for individual-level care coordination and case management uses and disclosures, regardless of whether the activities constitute treatment or health care operations.
- The definition of healthcare operations has been broadened to cover care coordination and case management.
- The Armed Forces’ permission to use or disclose PHI to all uniformed services has been expanded.
- A definition has been added for electronic health records.
OVERVIEW OF HIPAA
HIPAA, the Health Insurance Portability and Accountability Act, was enacted in 1996.
HIPAA legislation addresses:
- Insurance portability
- Fraud enforcement
- Administrative simplification
Portability is primarily concerned with controlling the continuity of health coverage when an individual changes jobs. It also addresses under what situations pre-existing medical conditions will be covered.
Fraud enforcement addresses the federal government’s fraud enforcement authority in various situations.
This course will focus most intently on Administrative Simplification. A significant challenge for most healthcare providers is to determine the most efficient and cost-effective method to protect patients’ privacy and the confidentiality of protected health information.
HIPAA privacy and security regulations include provisions for the punishment of individuals and/or organizations that fail to protect the confidentiality of patient information. Before HIPAA, no federal law protected patient information; consequently, it was sometimes exploited for personal gain. The Office for Civil Rights in the Department of Health and Human Services is now responsible for enforcing the HIPAA privacy rule.
PRIVACY AND CONFIDENTIALITY CONSIDERATIONS
Everyone has a right to expect their identifying information to be handled properly; consequently, privacy and confidentiality are important aspects for staff to be trained on. Our objective is to give you the necessary information, so you are knowledgeable regarding HIPAA requirements and that you will consistently work toward the precise implementation of the requirements. In essence, through a well-informed and dedicated workforce and educated patients, the patients will be able to trust the facility with sensitive and confidential information. Patients will be confident the information will be handled properly.
The guiding principle for communication with or about patient information should be based on the concept of the need to know or who needs the information for treatment and/or health care operations.
Activities such as medical record review, training, and evaluation of staff performance are essential functions and must be supported. However, only those who need to know will have access to the protected information. Hospitals, facilities, private practices, and healthcare organizations generally enforced strict privacy and confidentiality policies before HIPAA, so most HIPAA requirements will fit into standard operations in most cases. It should be noted, however, that the U.S. government has increased the focus on, and the legal requirements for, protecting the privacy and confidentiality of data. This law was implemented to protect this type of information from being wrongfully released and utilized.
Why should an employer be concerned with protecting or guarding against the misuse of health information? The most obvious answer is that it’s the right thing to do. Also, protecting a patient’s right to have protected health care information goes beyond ethical considerations, as it is now mandated by law.
Each provider has policies and methodologies for protecting health information. Please discuss the policies with your supervisor that are unique to your organization.
PRIVACY AND SECURITY REGULATIONS
HIPAA requires covered entities to implement comprehensive policies and procedures to protect the privacy and security of health information.
These requirements are contained in regulations published by the U.S. Department of Health and Human Services.
Hospitals, academic medical centers, physicians, and other health care providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. Covered entities can be institutions, organizations, or persons.
HIPAA considers health plans to be organizations, such as employer-sponsored group health insurance plans and Medicare, that provide or pay for medical care. A healthcare provider should not be considered a health plan unless it also pays for the care. Healthcare provider organizations and individuals that furnish, bill for, and are paid for healthcare services or supplies are providers in the context of HIPAA.
Healthcare clearinghouses are organizations that translate information from nonstandard into standard formats and vice versa. Providers and health plans use clearinghouses to translate and repackage their internal, nonstandard data elements into standard transactions. A rule requires all electronic transactions for which federal standards have been adopted to be conducted in accordance with those federal standards. This applies to standard transactions that take place entirely within a single covered entity as well as those that take place between different covered entities.
The privacy regulation protects all individually identifiable health information, in whatever form it exists, including electronic health information. This regulation became effective in April 2003. The security regulation deals specifically with electronic health information and became effective in April 2005.
WHAT INFORMATION IS PROTECTED?
The privacy rule protects individually identifiable health information in the hands of covered entities and their contractors.
This information is also called protected health information, or PHI. The privacy rule protects individually identifiable health information, whatever the form of the information (written, electronic, or spoken).
Examples of protected health information include:
- A provider’s patient medical records
- A health plan’s claims information
- A provider’s billing information
- A provider’s quality assurance files, if they contain information about identifiable individuals
- A conversation between a doctor’s receptionist and a patient about the patient’s insurance coverage
Another purpose of the privacy rule is to enable individuals who receive medical treatment to control how sensitive personal information is used and to whom it is disclosed. The following types of questions are addressed in the privacy rule:
- What information can an organization use without receiving an individual’s permission?
- Under what circumstances can information be shared or used without an individual’s permission?
- What types of information can be shared without authorization?
- What types of agreements does a provider or other entity have to share information? Who must participate in these agreements?
The privacy component of HIPAA also protects individually identifiable health information that is transmitted or maintained in any form by a covered entity. Individually identifiable information is any information, including demographic information, that identifies an individual and meets any of the following criteria:
- Records that are generated or processed by a health care provider, health plan, employer, or health care clearinghouse
- Medical notes that relate to the past, present, or future physical or mental health or condition
- Medical payment history
Quiz yourself: are the following situations HIPAA compliant?
- Medical records were left in the waiting room
- Public medical review (i.e., others may hear a discussion of medical status)
- E-mails that contain information regarding a patient’s condition
None of the aforementioned situations are HIPAA compliant. Patient records should be protected at all times.
Any information that could potentially identify the patient is considered individually identifiable information under HIPAA.
Releasing any of this information without establishing that the recipient needs to know and/or a signed authorization to release is a violation of the HIPAA privacy regulation.
A female patient is in the waiting room and is the only female present. Her physician is briefing a nurse on her condition in a manner that others could overhear in the waiting room.
Question: Is this HIPAA compliant?
Answer: The doctor is non-compliant. The doctor should have used a private room or area to brief the nurse. The details about her condition could be identifying factors in certain circumstances.
Ms. Smith, who is under Dr. Brown’s care, is undergoing an adverse reaction to a medication. The hospital staff attempted (unsuccessfully) to reach Dr. Brown. A nurse determined Dr. Brown was at a social function. The nurse contacted the receptionist and requested that she inform Dr. Brown that Ms. Smith is experiencing an adverse reaction to medication and that Dr. Brown should contact the hospital immediately.
Question: Was the nurse’s action justified?
Answer: Leaving a message with anyone who is not authorized to receive it is a breach of confidentiality. The principle to follow in this type of situation is to never leave a message containing identifying factors with a third party without prior approval. The nurse should simply have requested that Dr. Brown call the hospital immediately.
A nurse in the pediatrics ward found out by looking at a fellow nurse’s medical records that she is going to have a baby. Staff members would like to surprise her with a baby shower, but they do not know when the baby is due or if it is a boy or girl. The nurse could again go into the medical records and get this information.
Question: Is this nurse in violation of HIPAA?
Answer: The nurse’s action violates HIPAA. Access and use of all medical records are based on a medically necessary need to know. Never look at the records of patients that are not under your care.
Authorization for the release of records is required for disclosure of health information except for treatment, payment, and/or health care operations. The authorization may be revoked at any time, or the patient may restrict how such information is used in support of treatment, payment, and healthcare operations.
Health information is sometimes disclosed to people who do not need it. For example:
- A receptionist calls out a patient’s name in a waiting room, disclosing their identity to others in the room
- A patient in a semi-private room overhears a discussion between another patient and a physician
HIPAA does not prohibit incidental disclosures such as these that are necessary uses of health information for treatment; however, providers are expected to use care and discretion to avoid unnecessary or careless exposures. For example, screens or dividers should be installed in areas where several patients may be counseled at once, and healthcare providers should not discuss patient information in public.
A significant departure from the standard practice is the handling of psychotherapy notes. These notes have more stringent protection as they generally contain the personal notes of the treating psychotherapist, which may be damaging to the individual should the information become available to the general public.
HIPAA requires specific authorization for the release of psychotherapy notes.
METHODS OF PROTECTING CONFIDENTIALITY
The minimum necessary standard for the protection of confidentiality is that healthcare workers make a reasonable effort to use or disclose only the protected health information needed to do their job. Experienced healthcare workers can make these reasonable-effort decisions more professionally, as they are more aware of good business practices and HIPAA regulations. Maintaining the proper balance between patient privacy and comprehensive, timely patient treatment is an ongoing challenge. One should always ask, “Is this needed to do my job?” and, if the answer is no, act accordingly.
The clinical staff can review the patient record and share information with other attending clinicians. This broad approach to record availability for treatment may occasionally expose a clinician to confidential information that is not needed for treatment. An example would be learning why a patient in isolation is there. This information is confidential and should not be communicated to others. It is also possible to view patient information at other locations in the hospital. This information is generally posted in areas that are not readily accessible to the public. Again, this information is confidential and should not be disclosed to anyone, including co-workers, other patients, visitors, or anyone else who may ask.
PROTECTION OF PATIENT PRIVACY
Every patient has a right to privacy; consequently, it is essential to the success of this hospital to adhere to the privacy rules and encourage co-workers to follow the rules.
Safeguarding patient information is everyone’s responsibility. Do not leave a patient file in an area where others can see it. A good practice is returning the file to its appropriate place after you finish with it. Generally, patient files should be returned to the medical records department or to a protected file at a nursing station. If you are using electronic patient information, log off the system upon completion of the transaction.
When paper information is no longer needed, it should be shredded or locked in a secure area until it can be destroyed. All data must be removed from a computer storage device before discarding the device.
Suggestions for the protection of electronic data include:
- Block patient information when not in use: use screen savers, or log off.
- Place screens in locations and positions that minimize exposure to others.
- Do not make passwords obvious, such as your name. Commit the password to memory; do not write it down and place it on or near the computer.
- Never share your password with anyone.
Situation: It may be a common practice to leave the computer on during a shift change.
Question: Is this practice compliant?
Answer: This practice is inconsistent with HIPAA rules as it is, in effect, sharing a password.
Situation: The computer technician needs access to the system for an upgrade. He requests your password to get in to do his work.
Question: Is this allowed under HIPAA rules?
Answer: The general rule is to not share your password; however, in this situation, you should verify that the individual is who he claims to be and then obtain permission from your supervisor. Upon completion of the upgrade, you should change your password.
The transmission of health information by fax is not covered by security standards. However, good business practices mandate that an entity should only fax to a secure location and coordinate with the recipient to ensure their awareness that you are sending a fax and that it contains sensitive information. If you are to receive a fax, the process is reversed. Never send a fax to an unattended machine.
If information is obtained appropriately from an entity by an authorized person and subsequently transmitted by fax to an entity that is not authorized to receive that information, this could constitute a violation of both privacy and security standards.
Providers sometimes are required to release patient information even if the patient does not agree with the transaction. In most cases, the courts authorize the release. Examples of circumstances that may arise are:
- Communicable diseases that the law requires to be reported to health agencies
- Certain information regarding the failure of medical devices that is required to be reported to the Food and Drug Administration
- Suspected child abuse or domestic violence, which is required to be reported to the police in some states
- The court has a right to certain information about patients when conducting a criminal investigation
- Providers are required to report suspicious deaths or certain injuries
- Providers are required to report a death to the coroner
This hospital complies with the law and makes reports when necessary. Patients are generally informed when their health information is reported; however, they do not have the authority to block the release. Individuals should not report this information unless reporting is part of their job. Consult with your supervisor if you have any questions about whether a report is necessary.
Situation: A child is brought to E.R. with suspicious bruises and other injuries. You suspect the child has been physically abused. The parent denies any abuse and requests that you do not report the incident.
Question: What is the appropriate course of action?
Answer: If your state requires reporting of suspected child abuse, you should report the incident to the police. You should ensure that the information goes only to the proper authority.
Public Law 104-191 (Aug. 21, 1996) stipulates that the general penalty for non-compliance is:
The Secretary shall impose on any person who violates a provision of this part a penalty of not more than $100 for each such violation, except the total amount imposed on the person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
In general, a penalty may not be imposed if the failure to comply was due to reasonable cause and not to willful neglect; and the failure to comply is corrected during the 30 days beginning on the first date the person liable for the penalty knew, or by exercising reasonable diligence would have known, that the failure to comply occurred.
A person commits “wrongful disclosure of individually identifiable health information” if they knowingly do any or all of the following:
- Use or cause to be used a unique health identifier;
- Obtain individually identifiable health information relating to an individual; or
- Disclose individually identifiable health information to another person.
Such a person:
- Shall be fined not more than $50,000, imprisoned not more than 1 year, or both;
- If the offense is committed under false pretenses, shall be fined not more than $100,000, imprisoned not more than 5 years, or both; and
- If the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, shall be fined not more than $250,000, imprisoned not more than 10 years, or both.
To meet HIPAA requirements, organizations need to have detailed policies and procedures in place that mandate how employees can use patient information, when they can disclose it, and how they should dispose of it. All staff should read these procedures carefully. Contact your supervisor regarding these policies.
REPORTING HIPAA ABUSES
Anyone (patient, public individual, employee) who suspects the hospital or a provider is not complying with HIPAA may file a complaint with the Office for Civil Rights (OCR) in the U.S. Department of Health and Human Services.
A complaint must be filed within 180 days of the violation of privacy. The OCR has the authority to audit an organization’s privacy practices for HIPAA compliance. All organizations must designate an individual who handles complaints.