10 August 2020
The Health Insurance Portability and Accountability Act (HIPAA) is designed to protect the privacy and security of individually identifiable health information—such as medical records—while ensuring patients and providers of care can access that information when they need to. Originally passed in 1996, the Privacy and Security final rules were implemented in 2003 and 2004 and have since undergone two major, and several smaller modifications, as the healthcare field was basically mandated to embrace electronic medical records and digital communications.
HIPAA is considered a minimum set of rules to be followed for privacy or security, state or other federal rules may supersede HIPAA if they represent stronger protections for patient information. These different rule sets, of which there are more rising every day, interact with HIPAA in complex ways that increase confusion for all parties that must comply.
Three main rules comprise the HIPAA legislation: The Privacy Rule, Security Rule and Breach Notification Rule, which has a combination of privacy and security attributes. The following sections take a closer look at these rules as well as some other key elements of the HIPAA laws.
The HIPAA Privacy Rule establishes national standards for safeguarding protected health information (PHI), which is patient identifiable information. PHI comes in all forms, including paper and electronic medical records as well as oral, electronic and written communications about a patient’s health. The rule requires healthcare organizations to implement specific policies and protections to preserve patient privacy and provide for patient’s rights, including limits on how PHI can be used or disclosed without patient authorization.
The patients’ rights include the right to examine originals and obtain copies of their health records and request amendments or corrections to their records. Although there have been significant changes in the HIPAA Privacy Rule since its inception in 2003, one thing that has not changed is the fact that all organizations with patient information in the U.S. are required to have policies in place that meet the rule’s requirements.
The HIPAA Security Rule governs electronic PHI specifically, whether it is at rest or in transit. It requires any organization that interacts with the data to establish administrative, physical and technical safeguards, such as encryption and firewalls, to preserve information confidentiality, integrity and security.
Like the HIPAA Privacy Rule, healthcare entities have found the Security Rule to be quite challenging. As technology continues to advance, organizations are constantly having to revisit their risks to the security of the information, the controls used to protect the information and the policies governing the practices to ensure the confidentiality, accuracy and integrity of the patient data.
The HIPAA Breach Notification Rule requires covered entities and their business associates to report a PHI breach to the patient and Office for Civil Rights (OCR). A breach occurs when PHI is accessed, used or disclosed without permission, and the lapse compromises the information’s privacy and security. Since the nature of a breach can vary widely, covered entities and business associates should conduct a breach risk assessment if they suspect or have been notified of a possible HIPAA breach to evaluate the scope of the incident and determine appropriate notification and documentation steps. It is of note that all suspected or possible breaches must be assumed to be a breach unless determined that the incident meets one of the three HIPAA breach exceptions or to have a low probability of compromise.
If a covered entity determines a reportable breach has occurred, it must notify affected individuals along with the Secretary of the Department of Health and Human Services (HHS) via their online portal. When the breach affects more than 500 people, the organization must also notify the media.
According to HIPAA rules, covered entities or business associates (although typically it’s the covered entities) have up to 60 days to notify individuals affected by a breach, providing written notice by first-class mail or e-mail if the affected individual has agreed to receive such notices electronically. To the extent possible, a notification should include a brief description of the breach, types of information involved, steps affected individuals should take to protect themselves from potential harm and what the organization is doing to investigate, mitigate harm and prevent further breaches. The notification should also include the organization’s contact information.
OCR is to be notified of the breach either within 60 days or by the end of February the following year for breaches affecting less than 500 individuals. For breaches over 500 individuals the reporting timeframe to OCR is 60 days. When alerting the media as is required by the rules for breaches involving more than 500 individuals, covered entities should consider sending a press release. To notify HHS, they should fill out and electronically submit a breach report form.
HIPAA compliance applies to covered entities and their business associates. Covered entities are healthcare providers, health plans and healthcare clearinghouses. Note that healthcare providers include hospitals, health systems, health clinics, doctors, nursing homes, pharmacies, dentists, psychologists, chiropractors and more. Business associates refers to any companies that work directly with a covered entity and have access to PHI.
The Office of Civil Rights (OCR) is in charge of enforcing HIPAA compliance. As part of this work, the agency may choose to conduct a proactive audit or investigate a complaint. If the OCR determines that a complaint investigation is warranted, it will ask for information from the covered entity and/or business associate, including copies of all privacy and security risk analysis and policies addressing the three HIPAA rule sets. Organizations are required to respond to any requests for information from OCR under penalty of fine and criminal penalties.
After investigating, the OCR may issue a corrective action plan if the covered entity agrees. If the covered entity or business associate commits acts, that may be willful or not, including not taking appropriate actions that satisfactorily respond to the issue and mitigate future risk, the OCR may assess a monetary fine. In addition to the negative impacts of possible penalties, an organization’s reputation can be damaged by a HIPAA breach, if it affects many people. If the violations include malicious, criminal acts, they can be prosecuted by the Department of Justice and criminal penalties, including jail time, could be levied.
Conducting risk analyses, or gap analyses, are a foundational and ongoing part of a HIPAA-compliant privacy and security program, and is the first step in identifying gaps in an organizations’ HIPAA policies and safeguards. Risk analyses are typically comprised of a series of questions that determine the level of compliance an organization has with the different specifications of the Privacy and Security Rules. They may be assessed using one form, or multiple forms, but they should be performed together to ensure all concepts are considered across the entire organization. The results of each assessment should yield a set of action items that should be taken by the organization to mitigate risk. These action items should be prioritized based on the level of risk.
A HIPAA Privacy Gap Analysis, while not required by law, is an important part of remaining in compliance with the Privacy Rule. Privacy gap analyses should include questions about the organization’s compliance program, privacy and breach policies, patients’ rights, employee privacy training, recordkeeping, and incident management and breach notification to name a few. Privacy gap analysis may be conducted as a risk analysis if desired, there is no mandate to have to use that format.
Unlike a HIPAA Privacy Gap Analysis, conducting a HIPAA Security Risk Analysis is required by law. Security risk analyses should include a thorough review of all current policies, procedures and any other documentation of security controls that support the organization’s Security Compliance Plan. As the analysis is being conducted, all action items that are identified for remediation should be assigned a “risk”, meaning that vulnerabilities and potential impacts are considered in determining which action to take first. A Security Risk Analysis should cover, but not be limited to the following: policies and procedures to detect and prevent security violations, assigned security responsibility, policies around access (and de-provisioning of access) to PHI, security awareness training for staff, physical security evaluation and examination of the technical security controls mandated by the HIPAA Security Rule.
The top area of HIPAA-related confusion pertains to what PHI (protected health information) can be released, to whom, and whether an authorization form is necessary. Organizations should have distinct policies and procedures for patient requests versus those that come from an outside third-party entity, such as an attorney, insurance company or other healthcare provider. Third-party entities require the use of a properly executed authorization form, which can be either paper or electronic. For patients, the process must facilitate ready access to information, allowing individuals to easily share their PHI with whom they’d need or like. The 21st Century Cures Act has mandated interoperability and data blocking rules with enforcement and penalties from the Office of the National Coordinator of Healthcare IT. These will impact automation of the patients’ right to access and get copies of their health information and to eventually upload information from their devices into their online records. These new rules will work in conjunction with HIPAA.
It is also important for additional guardrails surrounding outside, non-patient, third-party PHI requests for copies of patient records to be in place. Since healthcare organizations are not required to automatically grant these requests, they should have processes to determine when sharing patient PHI with an outside entity other than the patient is appropriate. Moreover, staff must be able to promptly access comprehensive authorization forms and methods used to authenticate requestors and to process requests according to HIPAA and State medical and billing record laws.
Periodically new laws are introduced that stretch the boundaries of how to comply with HIPAA and the changing legal record environment. In these times, there is typically guidance issued by OCR about HIPAA. For example, new laws that have been implemented to help address the nation’s growing opioid epidemic, along with other pressures, today’s pharmacies are often tasked with requesting more information before filling certain prescriptions. Organizations should weigh the importance of strict disclosure procedures with the need to efficiently get the right information to the right provider or party to ultimately support better and safer patient care.
The pharmacy is a perfect example of where achieving a good balance is necessary. When a pharmacy requests information from hospitals and physician offices, such as to verify a patient medication record, it is important to have processes in place to ensure the required information is delivered to the correct place efficiently and effectively. If there are too many hurdles and roadblocks, it can delay patient care, which in turn can create patient safety concerns. If staff members still have questions about their organization’s pharmacy disclosure policies during a pharmacy request, the best advice is to call the pharmacist.
Telehealth is the use of technology, such as videoconferencing and secure messaging, to enable remote healthcare delivery. It has become popular during the COVID-19 public health crisis. HIPAA regulations have strict requirements designed to safeguard the privacy and security of PHI within the context of telehealth.
However, in March 2020, the Centers for Medicare & Medicaid Services (CMS) relaxed HIPAA obligations for the duration of the pandemic. This allowed providers to rapidly scale telehealth programs without worrying about using HIPAA-compliant solutions. Note that as the crisis resolves, the government’s exceptions will expire, and providers will be required to adhere to HIPAA’s strict set of security controls that apply to telemedicine once again.
The HIPAA training requirements, although mandatory, are not overly specific. Because the regulations are so vast, it can be difficult to fully understand what training is required and how frequently it should occur. However, since lack of staff awareness around HIPAA standards is often a cause for HIPAA violations, having a robust training program is important. Plus, training is a moving target in relation to cybersecurity, training must be changed to counter emerging threats such as ransomware, phishing and other malware.
Best practice dictates that organizations should offer comprehensive HIPAA training to new staff during orientation and annual refresher courses for current staff. Quarterly reminders, tips and cybersecurity protections should be offered during staff meetings, and articles in company newsletters can also be helpful to ensure staff retain information and apply it to their daily work. Online trainings that staff can access at their convenience can be especially beneficial as these offerings often document training and highlight areas where further instruction is needed.
Proper document disposal of PHI is a critical part of HIPAA compliance. To ensure full security, organizations may want to institute a policy where all paper documents are shredded. This eliminates any staff confusion and keeps patient information secure. Any mobile devices with PHI must be wiped of PHI prior to taking out of service. Mobile devices can be a very complex area to manage, with many providers and business associates using personal devices with PHI, which is not a recommended practice. When organizations are retiring electronic equipment of any kind from mobile devices to copiers, they should also have defined processes for destroying all information housed on the equipment to prevent it from being used inappropriately.
To learn about how Stericycle can help your organization develop policies, create templates for privacy and security risk analyses and provide comprehensive training modules for staff, visit our HIPAA Compliance Solutions hub.
Interested in Our Solutions? We Can Help
Sign up to receive Stericycle’s latest news, tips and offers to help your business remain compliant
Which solution interests you?