Tech Talk: Practice Primer on HIPAA and Related Privacy Regulations
Understanding the Health Insurance Portability and Accountability Act (HIPAA) and related acts is not easy.
Mike Robey, MS, AAO-HNS/F Senior Director, Information Technology
Understanding the Health Insurance Portability and Accountability Act (HIPAA) and related acts is not easy. Complying with the privacy and security regulations promulgated under HIPAA and related legislation can be overwhelming. Unfortunately, ignoring these regulations is not an option. This article provides practical insights for understanding from a practice perspective.
The guiding principle behind HIPAA and other privacy regulations such as the European Union’s General Data Protection Regulation (EU GDPR) is this: An individual’s data belongs to the individual. Your practice is a steward of the patient’s data. At all times, the practice must be respectful of an individual’s rights regarding their own data.
HIPAA created the first national set of standards protecting patients’ health information as well as addressing the flow of health information across systems. Interoperability is a complex topic. This article focuses on the patient data protection component.
The three major components of HIPAA are:
1. the Privacy Rule
2. the Security Rule
3. Breach Notifications
Here is how they relate to one another. The Privacy Rule establishes what information needs to be protected and how it is handled. The Security Rule identifies how electronic data is to be protected (i.e., cybersecurity aspects). And Breach Notification says what needs to be done in case protected information gets exposed to unauthorized parties.
Privacy Rule
The Privacy Rule centers around protecting data that is identifiable back to an individual as well as a patient’s right to access their own information. The 21st Century Cures Act specifics the following eight types of clinical notes among electronic information that must be made available to patients when they ask:
- Consultation notes
- Discharge summary notes
- History and physical
- Imaging narratives
- Laboratory report narratives
- Pathology report narratives
- Procedure notes
- Progress notes
Of major importance to a practice is what is at the center of the 21st Century Cares Act. If a patient asks for their data, the practice has several options, including the following:
- Printing the data from your electronic healthcare records (EHR) system
- Exporting it through a Continuity of Care Document (CCD) in the EHR
- Directing patients to view and download data using a patient portal
Below are the rules governing a patient’s information request:
- The patient or personal representative has the right to medical and billing records. If a person has a healthcare power of attorney, then they are a personal representative.
- Even if they have not yet paid for services, a patient cannot be denied a copy of their records.
- A reasonable fee can be charged for copying and mailing records. A fee cannot be charged for searching or retrieving a patient’s records.
- Clinicians are only required to provide access to protected healthcare information (PHI) that the patient requests.
- Patients only have the rights to access information used in decision making for their care.
- Clinicians have 30 days to provide patient-requested medical records at reasonable cost. Recent penalties paid to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for noncompliance range from $10,000 to $160,000.
Security Rule
The HIPAA Security Rule protects all individually identifiable health information a practice creates, receives, maintains, or transmits in electronic form. The Security Rule calls this information “electronic protected health information” (ePHI). The Security Rule does not apply to PHI transmitted orally or in writing (paper based).
When developing your practice’s HIPAA security policies and procedures covering administrative, physical, and technical safeguards, keep in mind the following principles:
1. Ensure the confidentially, integrity, and availability of all ePHI created, received, maintained, or transmitted as follows:
a. Confidentiality: ePHI is not made available nor disclosed to unauthorized people
b. Integrity: ePHI is not altered, changed, or destroyed in an unauthorized manner, while in transit or at rest
c. Availability: accessible and usable on demand by authorized staff
2. Identify and protect against reasonably anticipated threats to the security and integrity of ePHI
3. Protect against reasonably anticipated, impermissible uses, or disclosures
4. Ensure compliance by the practice’s staff
In a nutshell, ePHI, needs to be encrypted while in transit (between systems or to a secure web portal). Careful consideration should also be given to encrypting PHI while at rest (stored in a database).
Breach Notifications
A breach is generally an impermissible or unauthorized use or disclosure of PHI. Exposure of encrypted data is not considered a breach if the encryption is strong enough to prevent decoding. These are the key points as identified on the U.S. Department of Health and Human Services (HHS) website:
- Unsecured protected health information is unencrypted or easily decipherable data that can then be attributed to an individual.
- If a breach affects 500 or more individuals, the HHS Secretary must be notified within 60 days.
- If a breach affects fewer than 500 individuals, it must be reported within 60 days of the end of the calendar year.
Please visit here for details on reporting a breach.
Recommendations
HIPAA requires practices to conduct a risk assessment to help ensure compliance with HIPAA’s Security Rule safeguards: administrative, physical, and technical. The assessment will help reveal areas where PHI may be at risk. Here is the link to the Security Risk Assessment (SRA) tool developed by the Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the HHS Office for Civil Rights (OCR),
The outcome of the security risk assessment should help drive next steps. The following are additional recommendations pertaining to each of the three main HIPAA components:
Privacy
- Create a secure patient portal giving patients self-service access to their health information.
- Develop policy and procedures for how to address patient requests for their health information, including any associated fees.
Security
- Develop policies and procedures for addressing appropriate administrative, physical, and technical safeguards for electronic protected health information (ePHI).
- Develop a robust cybersecurity plan. Reviewing the article “A Framework for Combating Ransomware” is a good place to start.
Breach
- Review the HIPAA Breach notification requirements and develop your policies and procedures accordingly.
Concluding Remarks
HIPAA and privacy regulation compliance is not easy. Fines can be stiff. Loss of reputation can be even more damaging. Adopting the mindset that your practices are stewards of patient data is as important as developing an in-depth cybersecurity posture. On an annual basis, conduct an in-depth risk assessment and use the results as a guide to develop and review policies and procedures related to Privacy, Security, and Breach Notification.