Don’t Get Caught Without a Business Associate Agreement


The need for Business Associate Agreements (BAAs) is not new; they have been required since the inception of HIPAA. As the HHS Office for Civil Rights (OCR) has stepped up its HIPAA enforcement, every organization subject to HIPAA should review its list of business associates and verify that a BAA is in place with each one.

Yesterday (April 20, 2017), the OCR announced a $31,000 settlement with a non-profit in Illinois. The non-profit had failed to enter into a BAA with one of its vendors, a company that stores records containing PHI.

A settlement costs far more than the amount paid to the OCR for the compliance deficiency. When an organization settles a HIPAA violation with the OCR, it is also placed on a Corrective Action Plan (CAP), and CAPs can be extensive, particularly for small organizations.

In the case of the Illinois non-profit, it must create policies and procedures within 60 days and train its staff within 30 days of finalizing those policies, a costly and time-consuming undertaking. In addition to writing the policies and training staff, the organization is required to report annually to the OCR on its compliance status.

So, beyond paying the OCR $31,000 and paying to develop policies and train staff, the organization also faces a potential hit to its reputation that could cost it further.

Some organizations struggle to identify their business associates. Examples of potential business associates include (but are not limited to):

  • EMR/Practice management (billing) software companies
  • Consultants that have access to PHI
  • Accountants
  • Attorneys
  • Outside IT vendors
  • Outside billing companies
  • Leased copiers/printers/scanners (if the device has a hard drive)
  • Record storage companies
  • Any other software, consultant, or vendor that accesses, stores, or transmits PHI

For more information on BAAs, visit:

Happy HIPAA trekking!

Fees For Medical Records


Medical record requests from attorneys, insurance companies, and everyone in between can be challenging to keep up with. You are trying to balance patient care with operations and getting paid for treatment. At HIPAAtrek, we frequently get asked how clinics and hospitals can charge for certain records requests.

HHS issued clarification for permissible fees in May of last year:

There is no federal maximum charge for copies of medical records. The flat-rate option of not more than $6.50 was meant for organizations that did not wish to calculate the actual or average cost of producing the copies. There are three options for charging patients for copies of their health records:

  1. Calculate the actual allowable cost of fulfilling each request
  2. Use a schedule of costs based on the average allowable labor cost of fulfilling standard requests
  3. If the patient requests electronic records and the entity does not wish to calculate the actual or average cost, charge a flat rate of $6.50

Link to the guidance from HHS:

See the link below for everything that can be included in the charge to a patient who has requested access to their PHI.

In addition to the federal rules, most states regulate what can be charged for medical records, and those state rules can get complicated. The federal guidance contains provisions that supersede state law:

“The fee may not include costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs not listed above even if such costs are authorized by State law.”

Here are some useful websites that detail the permissible charges by state:

As with all online resources, it is good practice to double check the guidance with the individual state’s website.

Happy HIPAA trekking!

Accepting Patient Information on Your Website


Patients are looking for easy ways to communicate with their providers that don't require a phone call. Hold times and restrictive office hours for making an appointment, requesting records, paying a bill, and other routine contacts are frustrations patients often cite. To resolve this, you turn to technology to streamline patient communications.

Technology is a perfect solution to solve many of these more tedious communications. Technology can make your patients and your staff a lot happier. Patients can send communication requests at their convenience and your staff isn’t tied up on the phone to respond to them.

How we use technology to make our patients' lives, and our own, easier is where things get sticky. The temptation is to put a communication page on our websites. That is perfectly acceptable, as long as we keep HIPAA in mind when doing so: the page through which patients make these requests must be secure. Concretely, the connection carrying the request must be encrypted so that the transmission reaches us without being read by an unauthorized party.

There are several ways we can handle this problem. The first method is through our Electronic Health Record’s patient portal. Patient portals were designed to allow patients to communicate with their providers in a number of ways. By creating a link to your patient portal on your website, your patients now have the option to communicate with your staff at their convenience.

The patient portal option only works if you have a patient portal and your patients are registered for it. Many practices solve this by putting a communication form directly on their website to take requests from prospective patients and from patients not yet registered for the portal. Securing such a form is a bit trickier, but still doable.

To secure your website's communication forms you have a few options. The most straightforward is to obtain a TLS certificate (still commonly sold as an "SSL certificate") for your website and serve the whole site over HTTPS; your visitors' browsers will then show the page as secure, and the form contents are encrypted between the browser and your web server. If encrypting your entire site is not an option, you can instead embed a secure web communication tool from a vendor; a quick Google search for HIPAA compliant web communication forms will give you several to choose from. Remember that a vendor whose form receives PHI on your behalf is a business associate and needs a BAA.

Apart from the website itself, we also have to make sure the submission reaches us securely. The most common way web form contents are delivered is by email, so the delivery of those submissions to your mailbox, and the mailbox itself, must be protected by encryption rather than handled as ordinary plaintext email. You will also need to limit access to that mailbox to only the staff who need it, and the account must follow your practice's security policies on backup as well.

If you use your website as a communication tool for your patients, make sure the website and its supporting systems (including the content management system and hosting) are included in your risk analysis, information system activity review, and the other security evaluations you have in place to meet the Security Rule requirements.
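The checks above (HTTPS on the page, HTTPS on the form's submission target, no PHI in URLs, and knowing which vendor receives the submission) can be applied mechanically to a contact page. The following is an added example written for this post, not code from HIPAAtrek or from any form vendor. The clinic URLs, the vendor domain and the HTML are constructed so that it runs offline; against a live site you would fetch the page and its response headers first.

```python
"""Audit a clinic web page for patient-communication forms that would expose
submissions. Added example, not from the original post or any vendor. Runs
offline against constructed HTML and headers; real use would fetch the page."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect the attributes of every <form> element on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.forms.append({k.lower(): (v or "") for k, v in attrs})


def header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def audit_forms(page_url, html, headers):
    """Return a set of (where, issue) findings. 'where' is 'page' or the form's
    id (falling back to its index) so a fix can be tied to a specific form."""
    findings = set()
    page = urlsplit(page_url)
    if page.scheme != "https":
        findings.add(("page", "not-https"))       # page and form fields readable on the wire
    if header(headers, "Strict-Transport-Security") is None:
        findings.add(("page", "no-hsts"))         # a typed http:// URL is not upgraded by the browser
    collector = FormCollector()
    collector.feed(html)
    for i, form in enumerate(collector.forms):
        where = form.get("id") or str(i)
        # The action is resolved against the page URL, as the browser would do it.
        target = urlsplit(urljoin(page_url, form.get("action", "")))
        if target.scheme != "https":
            findings.add((where, "action-not-https"))   # the submission itself is unencrypted
        if form.get("method", "get").lower() != "post":
            findings.add((where, "method-get"))         # values end up in URL, logs, history, Referer
        if target.netloc and target.netloc.lower() != page.netloc.lower():
            findings.add((where, "third-party-endpoint"))  # a vendor receives PHI: needs a BAA
    return findings


# Constructed sample (hypothetical domains): a contact page as too often deployed.
WEAK_URL = "http://www.example-clinic.test/contact"
WEAK_HEADERS = {"Content-Type": "text/html"}
WEAK_HTML = """<html><body>
<form id="appt" action="/request-appointment">
  <input name="patient_name"><input name="dob"><input name="reason">
</form>
<form id="refill" method="post" action="https://forms.example-vendor.test/f/abc">
  <input name="medication">
</form>
</body></html>"""

# The same page after the fixes recommended above: site served over HTTPS with
# HSTS, and the appointment form changed to POST.
FIXED_URL = "https://www.example-clinic.test/contact"
FIXED_HEADERS = {"Content-Type": "text/html",
                 "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
FIXED_HTML = WEAK_HTML.replace('<form id="appt" action=', '<form id="appt" method="post" action=')

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_URL, WEAK_HTML, WEAK_HEADERS)),
                        ("fixed", (FIXED_URL, FIXED_HTML, FIXED_HEADERS))):
        for where, issue in sorted(audit_forms(*args)):
            print(f"{label}: {where}: {issue}")
```

On the weak page every check fires: the page and the appointment form's target are plain HTTP, the appointment form defaults to GET (so the patient's name, date of birth and reason for the visit would be written into web server logs and browser history), and the refill form hands its contents to a third-party domain. The fixed page leaves only the third-party finding, which is not a defect in itself but a reminder that the vendor must be under a BAA.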

Taking these few steps will help your practice avoid a costly breach due to insecure web communication.

For more information, contact us! Happy HIPAA Trekking!

My EMR Makes Me HIPAA Compliant, Right?


No, having an EMR/EHR does not make your organization HIPAA compliant. This is a compliance mistake many organizations make unknowingly. When I visit facilities and ask the privacy officer how the HIPAA compliance program is working, the answer is often that all is well because the EMR/EHR keeps them compliant. The truth is that the EMR/EHR itself may be HIPAA compliant, but that says nothing about the compliance of the organization as a whole. Let's dig into why.

When a vendor implements an EMR/EHR, its compliance activities cover the EMR/EHR only. For instance, the vendor will configure the system so that each staff member has an individual login, must change the initial password at first login, and must authenticate with it at every login thereafter; this helps the organization implement unique user identification as required by the Access Control standard of the Security Rule. Another example is automatic logoff: the EMR/EHR session is set to end after a predetermined period of inactivity, another requirement under the Access Control standard. Finally, most EMR/EHRs let the security officer partition the system by role (nurses, technicians, doctors), so that each staff member sees only the PHI needed for the job, which supports the Privacy Rule's minimum necessary principle. In short, the vendor builds privacy and security safeguards into the EMR/EHR that allow it to be used in a compliant manner.

However, even with a HIPAA-compliant EMR/EHR, the rest of your organization must meet the Security and Privacy Rules as well. Unique user identification and automatic logoff need to be implemented on every information system that processes or maintains ePHI, not just the EMR/EHR. Privacy obligations such as accounting of disclosures, requests for restrictions, business associate management, providing a notice of privacy practices, and answering HIPAA complaints, and security obligations such as conducting a risk analysis, developing contingency plans, a facility security plan, and security awareness training, all happen outside the EMR/EHR and must be implemented independently of it. So, to summarize, it is incorrect to say you are HIPAA compliant because your EMR/EHR does it all for you. A compliant EMR/EHR is only a fraction of the organization's total effort to meet the HIPAA Security and Privacy Rules.



Whether you back up your data with a cloud service provider, on a local server, or to a physical hard drive, the question of whether to protect it with encryption has to be answered. Start from the basic premise that the HIPAA Security Rule requires you, as a Covered Entity or Business Associate, to protect the confidentiality, integrity, and availability of the Protected Health Information in your possession. That responsibility extends to your backed-up data.

Under the Technical Safeguards, the Access Control standard asks you to determine whether encryption and decryption should be implemented so that only authorized persons can view the PHI. This is an addressable implementation specification, but addressable does not mean optional: you must still determine whether encryption is reasonable and appropriate and, if it is not, implement an equivalent alternative measure and document the reasoning. It would be hard to conclude that some method of securing backed-up PHI is not reasonable and appropriate. The question should be answered during your risk analysis, and the following event shows why this standard deserves serious consideration and why backup data should ultimately be secured.

On January 11, 2017, a Covered Entity in Texas learned that an unencrypted external hard drive had been stolen from its clinic on or about December 29, 2016. The clinic used the drive to back up or store patient information from its electronic health records, and it was taken from a locked closet inside the clinic. The theft was reported to law enforcement and an investigation is ongoing. The stolen data included the following sensitive information:

  • Patient names
  • Dates of birth
  • Addresses
  • Phone numbers
  • Driver's license numbers
  • Social Security numbers
  • Medical record numbers
  • Account numbers
  • Physician names
  • Diagnoses and conditions
  • Lab test results
  • Medications

The patient data spanned 2009 to 2016. Notifications are going out to the affected individuals along with an offer of credit monitoring.

One can argue the organization could not reasonably have anticipated this theft as a threat to the security and integrity of the PHI; after all, the drive was in a locked closet inside the clinic. One can also argue, though, that because the drive was not encrypted, the PHI was not protected from insiders who had no need-to-know access to it, and a lock on a closet protects nothing once the drive is outside it. Since the investigation is ongoing, we don't know whether a risk analysis was conducted or whether this piece of equipment was on the inventory and known to the security team or IT department. What we do know is that backup data should be treated like all other data, and securing it should be part of your effort to protect the confidentiality, integrity, and availability of the PHI in your possession.
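What "securing the backup" looks like in practice is worth spelling out, because the lesson of the Texas incident is that the protection has to travel with the drive while the key does not. The following is an added example written for this post, not code from HIPAAtrek or from the clinic involved. It uses the third-party Python package `cryptography` (AES-256-GCM); the `BKP1` format marker, the backup identifier, and the sample record are constructed for illustration and are not real patient data.

```python
"""Encrypt a backup before it is written to removable media. Added example,
not from the original post or any vendor; requires the third-party
'cryptography' package. The key never goes onto the drive, so a stolen drive
yields only ciphertext, and any modification of the blob fails to decrypt."""
import hashlib
import os
import tempfile

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"BKP1"   # hypothetical format marker for this example only
NONCE_LEN = 12    # 96-bit nonce, the recommended size for AES-GCM


def new_backup_key() -> bytes:
    """256-bit data key. Keep it apart from the backups (server key store,
    password manager, HSM), never in the same closet as the drive."""
    return AESGCM.generate_key(bit_length=256)


def encrypt_backup(plaintext: bytes, key: bytes, backup_id: str) -> bytes:
    """Produce MAGIC || nonce || ciphertext+tag. backup_id is bound as associated
    data, so a blob from one backup set cannot be passed off as another."""
    nonce = os.urandom(NONCE_LEN)  # fresh random nonce per blob; never reuse with one key
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, backup_id.encode())
    return MAGIC + nonce + ciphertext


def decrypt_backup(blob: bytes, key: bytes, backup_id: str) -> bytes:
    """Inverse of encrypt_backup. Raises InvalidTag on a wrong key, a wrong
    backup_id, or any change to the stored bytes."""
    if not blob.startswith(MAGIC):
        raise ValueError("not an encrypted backup blob")
    nonce = blob[len(MAGIC):len(MAGIC) + NONCE_LEN]
    ciphertext = blob[len(MAGIC) + NONCE_LEN:]
    return AESGCM(key).decrypt(nonce, ciphertext, backup_id.encode())


def tamper_detected(blob: bytes, key: bytes, backup_id: str) -> bool:
    """True if the blob does not authenticate under this key and backup_id."""
    try:
        decrypt_backup(blob, key, backup_id)
        return False
    except (InvalidTag, ValueError):
        return True


def leaks_plaintext(blob: bytes, sample: bytes) -> bool:
    """Pre-flight check before the drive leaves the building: a known record
    fragment must not be findable in what was actually written."""
    return sample in blob


def write_backup(dest_dir: str, backup_id: str, plaintext: bytes, key: bytes) -> str:
    """Write only ciphertext plus a hash manifest to the destination (the drive)."""
    blob = encrypt_backup(plaintext, key, backup_id)
    path = os.path.join(dest_dir, backup_id + ".enc")
    with open(path, "wb") as f:
        f.write(blob)
    with open(path + ".sha256", "w") as f:
        f.write(hashlib.sha256(blob).hexdigest() + "\n")  # catches media/copy corruption early
    return path


def restore_backup(path: str, key: bytes, backup_id: str) -> bytes:
    """Verify the manifest hash, then decrypt with the separately stored key."""
    with open(path, "rb") as f:
        blob = f.read()
    with open(path + ".sha256") as f:
        if hashlib.sha256(blob).hexdigest() != f.read().strip():
            raise ValueError("ciphertext hash mismatch: media or copy corruption")
    return decrypt_backup(blob, key, backup_id)


# Constructed sample record; not real patient data.
SAMPLE_RECORD = b"MRN 000123|Jane Q. Sample|DOB 1970-01-01|SSN 000-00-0000|Dx example|Rx example\n"


def round_trip_via_drive() -> bool:
    """Simulate the external drive with a temp directory: write, verify, restore."""
    key = new_backup_key()
    with tempfile.TemporaryDirectory() as drive:
        path = write_backup(drive, "ehr-2016-12-28", SAMPLE_RECORD, key)
        with open(path, "rb") as f:
            on_disk = f.read()
        if leaks_plaintext(on_disk, b"Jane Q. Sample"):
            return False
        return restore_backup(path, key, "ehr-2016-12-28") == SAMPLE_RECORD


if __name__ == "__main__":
    print("round trip ok:", round_trip_via_drive())
```

Two design points matter for the incident described above. First, everything that lands on the removable drive is ciphertext plus a hash of that ciphertext; whoever walks off with the drive, insider or burglar, gets nothing usable without the key kept elsewhere. Second, an authenticated mode (GCM) means a restore from a drive that has been altered, or from the wrong backup set, fails loudly instead of silently restoring bad records, which serves the integrity and availability requirements as well as confidentiality.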