Compliance with the Health Insurance Portability and Accountability Act (HIPAA) is an important responsibility with which many health care organizations struggle due to the law’s vast complexity. To demystify a few of HIPAA’s more confusing aspects, we recently sat down with Kelly McLendon, RHIA, CHPS, a well-known industry expert in patient privacy and HIPAA security who serves as technical advisor and subject matter expert for Stericycle’s HIPAA Compliance Program. Here are a few frequently asked questions that Kelly addressed.
How Should Protected Health Information (PHI) Requests from Patients be Handled Versus Other Entities?
A top area of HIPAA-related confusion pertains to what can be released, to whom, and whether an authorization form is necessary. Organizations should have distinct processes for patient requests versus those that come from an outside entity, such as an attorney, insurance company or other health care provider. For patients, the process should facilitate ready access to information, allowing individuals to easily share their PHI with whom they’d need or like.
It is also important for additional guardrails surrounding outside, non-patient PHI requests for copies of patient records to be in place. Since health care organizations are not required to automatically grant these requests, they should have processes to determine when sharing patient PHI with an outside entity other than the patient is appropriate. Moreover, staff must be able to promptly access comprehensive authorization forms used to obtain patient permission to share information.
What About When Pharmacies Ask for Patient Information to Fill Prescriptions?
With new laws in place to help address the nation’s growing opioid epidemic, along with other pressures, today’s pharmacies are often tasked with requesting more information before filling certain prescriptions. Organizations should weigh the importance of strict disclosure procedures with the need to efficiently get the right information to the right provider or party to ultimately support better and safer patient care.
The pharmacy is a perfect example of where achieving a good balance is necessary. When a pharmacy requests information from hospitals and physician offices, such as to verify a patient medication record, it is important to have processes in place to ensure the required information is delivered to the correct place efficiently and effectively. If there are too many hurdles and roadblocks, it can delay patient care, which in turn can create patient safety concerns. If staff members still have questions about their organization’s pharmacy disclosure policies during a pharmacy request, the best advice is to call the pharmacist.
What Vulnerabilities are Most Often Overlooked by Health Care Organizations?
Data security is a hot topic across nearly all industries and business sectors today, and many companies are struggling to stay ahead. Not only must organizations have strict internal protocols and security measures to mitigate the risk of data breaches and other security-related threats, they also must be diligent about their business associates—any outside partner or vendor which works with the organization’s PHI —maintaining high-levels of data privacy and security.
According to the Shred-it 2019 Data Protection Report, nearly a quarter of consumers would stop doing business with an organization if their own data were stolen from it. With threats constantly evolving, it is critical to have regular and pointed conversations with all business associates to make sure they can demonstrate a robust commitment to keeping your patients’ information safe and secure.
What Electronic Communications are HIPAA Compliant?
HIPAA covers all communications with patients that include their protected health information. As a rule, electronic communications via email and secure patient portals are permitted, while text and social media are strongly discouraged. When an organization communicates with patients via email, it is recommended to encrypt those exchanges, however it is not required. At a minimum, the patient’s permission to communicate via a specified e-mail addresses should be documented.
Going forward, organizations will need to remain vigilant about how new and emerging health care applications that capture patient wellness information communicate with electronic health records and other technology. Also, keep an eye on the evolving patient record copy automations that promise to make patient information exchange more efficient. These technologies may potentially require careful monitoring. As more smart apps enter the market, organizations will have to determine the best methods for keeping protected information private.
Complying with HIPAA is a complex endeavor. Stericycle stands ready to help organizations navigate the nuances of the legislation and realize a consistent and comprehensive program you can count on. Learn how Stericycle’s compliance solutions can help take your organization’s efforts to the next level.