HIPAA and Personal Devices

Categories: Tags:

Incidental Disclosures – Train Your Staff

Categories: Tags:

In a recent court case in of the state of Kentucky, Hereford v. Norton Healthcare, Inc. d/b/a Norton Audubon Hospital and Phyllis Vissman, (Ky. Ct. App. July 21, 2017) a nurse sued her employer after being fired for a HIPAA violation. A patient filed a complaint against the nurse because she was speaking too loudly and other patients could hear what she was saying.  This case is about incidental disclosures and only using the minimum necessary to accomplish a job.

In this scenario, the nurse was helping other technicians prepare for a medical procedure.  She told them to wear gloves because the patient had Hepatitis C.  A patient filed a complaint because they felt she was too loud and other patients could hear her.  This is considered a privacy violation.  However, if she had kept her voice down so no one could hear her except the technicians, she would have been working within the rule.

To be clear, the HIPAA rule does allow for incidental disclosures that occur when you are doing your job correctly. For example, a couple of patients can be checking in at a front desk with partitions or dividers, and conversations may be heard.  If the clerks are taking reasonable safeguards to speak quietly, then anything a patient hears would be considered an incidental disclosure and not a violation.  In addition, when conducting business, only disclose the minimum amount of medical information you need to get the job done.

In contrast, if reasonable safeguards or the minimum necessary standard is not used, a violation of the privacy rule will occur. The courts ruled that the nurse did not take reasonable safeguards of speaking quietly to warn her colleagues to wear the gloves.  Additionally, the courts found she did not use the minimum amount of protected health information to accomplish the necessary purpose.  In other words, she could have simply reminded the colleagues to wear gloves without using the term Hepatitis C.

The best way to prevent these situations from occurring is to train your staff. A well-trained staff will be able to maneuver through different situations including what this nurse encountered without compromising a patient’s privacy.  Therefore, ensure all staff are provided initial HIPAA training when they begin employment. You can also conduct periodic training and send out privacy reminders. While patient privacy is important, protecting the organization from litigation is important also.  We at HIPAAtrek believe training is paramount to a robust HIPAA compliance program and have created a compliance software program to provide you all the tools you need, including HIPAA training. I invite you to look at how we can help your organization by contacting our Senior Account Representative, Theresa Zemcuznikov at theresa@hipaatrek.com and let her know you want to see our training platform. Until then, happy HIPAA trekking.

The Three Exceptions to A Breach

Categories:

Soon after implementation of the HIPAA privacy rule, some staff members would conclude that a violation had occurred because a doctor and a nurse were overheard speaking about a patient’s PHI, or a technician called out a patient by their actual name in the waiting room, or a white board at a nursing station contained PHI of patients on the Intensive Care Unit.  Staff had yet to learn about the “Incidental Disclosure” rule that allows for incidental uses and disclosures that occur as a by-product of a use or disclosure permitted by the privacy rule, as long as reasonable safeguards are in place.

The same can be said today about breaches.  There are still some staff members and some privacy officers that conclude that a breach has occurred when in fact the incident itself falls under an exception to the breach rule.  With the implementation of the Omnibus rule on January 25, 2013, significant modifications to the breach notification rule were made to include three distinct exceptions to a breach.  The definition of a breach remains the same and reads as follows: “a breach is defined as the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted under the privacy rule which compromises the security or privacy of the protected health information”.  However, if the incident falls under one of these three exceptions, no breach has occurred.  Let’s take a closer look at each of these exceptions as described by the breach notification rule.

The first exception to a breach involves any unintentional acquisition, access, or use of PHI by a workforce member or other person acting under the authority of the CE or BA, if the acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted by the privacy rule.  For this exception to apply, the access must be unintentional and in good faith which can occur when a workforce member accessess the wrong patient’s chart.  This exception would not apply if a technician is purposely “snooping” through electronic health records as this is not unintentional and certainly not in good faith. Additionally, the unintentional access would have to occur while the technician is conducting her duties for which she is authorized to do.  Finally, after the unintentional access, the PHI cannot be further disclosed in a manner not allowed by the privacy rule.  For instance, if the information is further disclosed for a treatment activity, this exception would apply.  However, if the information garnered through the unintentional access is shared for “gossip” purposes, this first exception to a breach would not apply.   In summary, the unintentional acquisition, access, or use must have been done in good faith, as part of the workforce member’s official duties, and not further disclosed in a manner not allowed by the privacy rule.

The second exception to a breach involves any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE or BA, or organized healthcare arrangement in which the CE participates, and information received as a result of such a disclosure is not further used or disclosed in a manner not permitted by the privacy rule.  For this exception to apply, the disclosure must be inadvertent.  For example, a nurse on the B Ward inadvertently e-mails Dr. Serrano the wrong lab results.  Dr. Serrano views the results noting that they belong to another patient and notifies the nurse who then sends him the correct lab results.  Dr. Serrano deletes the e-mail and does not further disclose the lab results to anyone else in a manner not allowed by the privacy rule.  Both the nurse and the doctor are authorized to access PHI, they both work at the same CE, and Dr. Serrano did not further disclose the PHI in a manner not allowed by the rule, thus this exception applies.

The third and final exception involves a disclosure of PHI where a CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information.  The preamble to the HIPAA rule uses the example of a CE, due to lack of reasonable safeguards, sends a number explanations of benefits (EOBs) to the wrong individuals and a few of the EOBs are returned by the post office, unopened, as undeliverable, therefore the CE can conclude that the improper addressees could not reasonably have retained the information.  However, the EOBs that were not returned as undeliverable, and that the CE knows were sent to the wrong individuals, should be treated as potential breaches.  The key for this exception to apply is whether the unauthorized person is able to retain the information.  For example, sometimes pharmacies handout a wrong prescription bag to a patient.  If the patient walks to the exit, discovers it is the wrong medication, and quickly returns it to the pharmacy, the pharmacy can make an on the spot assessment as to whether the patient (unauthorized person) was able to retain any of the demographic information belonging to the wrong prescription, i.e., name, DOB, etc.  If the patient has not retained any of the information, this exception to a breach will apply.

In conclusion, the framers of the HIPAA privacy rule were aware of instances where unintentional or inadvertent uses or disclosures within a CE or BA, or disclosures to unauthorized individuals that could not reasonably retain the PHI, would pose little to no threat of compromise to a patient’s PHI.  As a result, these three exceptions were created.  When your next potential breach surfaces at your organization, don’t jump to conclusions.  First gather all the facts and then determine if an exception applies. If so, document the incident and the exception you applied, and retain in your appropriate log or files.  If none of the exceptions apply, proceed with the four-factor breach assessment to determine if there is a low risk of compromise to the PHI.  The steps for the assessment are provided here:  https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

Don’t Get Caught Without a Business Associate Agreement

Categories:

The need for Business Associate Agreements (BAAs) is not a new one. They have been required since the inception of HIPAA. As the HHS Office for Civil Rights (OCR) has increased its enforcement efforts of HIPAA compliance, organizations that are required to be compliant with HIPAA, should review their business associate lists to verify that every business associate has a BAA in place.

Yesterday (April 20, 2017), the OCR announced a settlement of $31,000 with a non-profit located in Illinois. The non-profit had failed to enter into a BAA with one of its vendors that stores records containing PHI.

Settlement cases cost far greater than the amount owed to the OCR as a result of the compliance deficiency. When an organization settles with the OCR for a HIPAA violation, the organization is placed on a Corrective Action Plan (CAP). CAPs can be extensive, particularly for small organizations.

In the case of the Illinois non-profit, they have to create policies and procedures within 60 days and train their staff within 30 days of finalizing the policies. This will be a costly and time consuming endeavor for the organization. In addition to creating policies and training their staff, the organization also is required to make annual reports to the OCR on their compliance status.

Not only does this organization have to pay the OCR $31,000 and pay to create policies and train their staff, the organization also faces potential a reputation impact which could cost the organization further.

Some organizations struggle with identifying their business associates. Examples of potential business associates include (but is not limited to):

  • EMR/Practice Management (billing) software companies
  • Consultants that have access to PHI
  • Accountant
  • Attorneys
  • Outside IT vendors
  • Outside Billing Company
  • Leased Copier/Printer/Scanner (if the device has a hard drive)
  • Record Storage companies
  • Any other software, consultant, or vendor that accesses, stores, or transmits PHI

For more information on BAAs, visit: https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html

Happy HIPAA trekking!

Fees For Medical Records

Categories:

Medical record requests from attorneys, insurance companies, and everyone in between can be challenging to keep up with. You are trying to balance patient care with operations and getting paid for treatment. At HIPAAtrek, we frequently get asked how clinics and hospitals can charge for certain records requests.

HHS issued clarification for permissible fees in May of last year: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/clarification-flat-rate-copy-fee/index.html

There is no maximum charge for copied medical records. The flat rate not to exceed $6.50 option was meant for organizations who did not wish to calculate the actual or average cost for the copies. There are three options for charging patients for copies to their health records:

  1. By calculating actual allowable costs to fulfill each request
  2. By using a schedule of costs based on average allowable labor costs to fulfill standard requests
  3. If patients are requesting electronic records, and the entity wishes not to calculate the actual or average cost, the organization can charge a flat rate of $6.50 Link to the guidance from HHS: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html#maximumflatfee

See link below for everything that can be included in the charge to patient who has requested access to their PHI.

https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html#newlyreleasedfaqs

In addition to federal regulations, most states have regulations regarding charging for medical records. These state regulations can become quite sticky. Theres are provisions in the federal law that supersedes the state laws:

“The fee may not include costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs not listed above even if such costs are authorized by State law.”

https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/

Here are some great websites that details the state permissible charges:

https://medicopy.net/who-we-are/blog/guide-of-state-statutes-for-copies-of-medical-records

https://nosscr.org/state-medical-records-payment-rates

As with all online resources, it is good practice to double check the guidance with the individual state’s website.

Happy HIPAA trekking!