HIPAA: five simple letters that are responsible for a great deal of confusion, even after all these years. The first step to avoiding violations is to understand exactly what you are responsible to do under the provisions of HIPAA.
There are currently three main rules in HIPAA that "covered entities" and "business associates" need to be concerned with: the HIPAA Privacy Rule, the HIPAA Security Rule and (if a breach occurs) the HIPAA Breach Notification Rule.
You are a "covered entity" if you "transmit any health information in electronic form in connection with a transaction for which Health and Human Services has adopted a standard." A "business associate" "is a person or organization, other than an employee of a covered entity, that performs certain functions on behalf of, or provides certain services to, a covered entity that involve access to PHI." [1] Let's review each of these rules and discuss how you can avoid violations.
One thing I should mention before I get into the details is that I am often asked about chiropractic-specific HIPAA requirements.
HIPAA Privacy Rule
The HIPAA privacy rule establishes standards for the protection, use and disclosure of Protected Health Information (PHI); anyone who provides you with a service that may require you to share PHI is considered a business associate. You must have a written Business Associate Agreement with each of your business associates that covers how they will handle the PHI.
All of your HIPAA privacy policies need to be written and placed in a manual that you have available in your office. You need to train all new staff on the rules, policies, and procedures within a short time of hiring them; and retrain your existing staff on the privacy rules, policies, and procedures at least annually. You also need to have documentation of when the training was conducted, who attended and what was discussed.
Important Ways to Avoid HIPAA Privacy Rule Violations
- Develop written policies and procedures for protecting and using PHI.
- Ensure office design / layout safeguards patient privacy.
- Develop a written notice of privacy practices and present a copy to each new patient; get a signed acknowledgment from that patient.
- Post your notice of privacy practices in your reception area.
- Ensure all business associates with access to PHI have signed a business associate agreement.
- Conduct annual staff training on HIPAA privacy policies and procedures.
HIPAA Security Rule
"The Security Rule specifies safeguards that covered entities and their business associates must implement to protect the confidentiality, integrity, and availability of Electronic Protected Health Information (ePHI)." [1] The start of this process is conducting a Security Risk Assessment (SRA).
The SRA will help you identify the risks you face and classify those risks by probability and importance. (You can find a Security Risk Assessment tool at www.healthit.gov/providers-professionals/security-risk-assessment that will greatly assist you in this effort.)
Once the risks have been identified, you have three methods to safeguard electronic PHI: administrative safeguards, physical safeguards, and technical safeguards. Administrative safeguards include security management processes, sanction policies, workforce security, security awareness and training, contingency plans, and business associate contracts and other arrangements. Physical safeguards include facility access controls, maintenance records, and device and media control. Technical safeguards include access control, automatic log-off, person or entity authentication, and transmission security.
Your written policies and procedures should include all safeguards necessary to mitigate the risks identified in your SRA. These policies and procedures should be taught to your staff and the training should be documented.
The Security Risk Assessment should be repeated annually to ensure no new risks have emerged, and the policies and procedures in place are still effective. Staff training should be repeated annually.
Important Ways to Avoid HIPAA Security Rule Violations
- Conduct a Security Risk Assessment for your office annually.
- Develop written policies and procedures for protecting and using ePHI utilizing the information obtained from the SRA.
- Ensure all business associates with access to ePHI have signed a business associate agreement.
- Conduct annual staff training on HIPAA security policies and procedures.
HIPAA Breach Notification
"Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information." [2]
If a breach occurs, you are required to notify the individuals involved, the Department of Health and Human Services, and, in some cases, the media.
If the breach involves fewer than 500 individuals, you are required to notify the affected individuals within 60 days. You can notify the Department of Health and Human Services annually by way of a log of the breaches, and you are not required to notify the media.
If more than 500 individuals are involved in the breach, you are required to notify the affected individuals, the Department of Health and Human Services, and the media within 60 days of the discovery of the breach.
Important Ways to Avoid HIPAA Breach Notification Rule Violations
- Maintain a written log of any HIPAA privacy or security breaches that occur.
- Document in writing when and how you notified any involved individuals of a HIPAA privacy or security breach.
- Document in writing how you corrected the situation leading to the breach.
- Submit the log to HHS annually (if a breach occurs within that year).
The HHS Office for Civil Rights enforces the HIPAA privacy, security, and breach notification rules. It does this by investigating complaints filed with the office, conducting compliance reviews to determine if covered entities are in compliance, and performing education and outreach to foster compliance with the rules' requirements. The HHS Office for Civil Rights also works in conjunction with the Department of Justice (DOJ) to refer possible criminal violations of HIPAA.
Major HIPAA Errors
There are four major ways doctors mess up on HIPAA. The first is that they do not take it seriously and take no action at all. The second is that they borrow a privacy policy from a colleague and implement it as their own without doing anything else.
The third way is that they purchase a HIPAA manual, put it on their shelf without even reading it, and think they are protected. The fourth is that they purchase a manual and only do part of the necessary work. There are many good HIPAA manuals on the market today that will make HIPAA compliance easier, but they must be read and all sections completed for them to be effective. Otherwise, they are as useless as doing nothing.
References
- HIPAA Basics for Providers: Privacy, Security, and Breach Notification Rules. Medicare Learning Network, May 2015. You can receive a free copy of this publication by signing up to my mailing list at www.chiromedicare.net/mailing-list-signup/. The link will be in the final welcome e-mail.
- Code of Federal Regulations, Title 45: Public Welfare. Part 164.402: Security and Privacy - Notification in the Case of Breach of Unsecured Protected Health Information.
Dr. Ronald Short is a certified medical compliance specialist and a certified professional coder. He has authored numerous books on Medicare including The Medicare Documentation System. He also teaches seminars on Medicare, coding, billing, documentation and compliance. You can contact him at . More information about this and other Medicare topics is available at www.chiromedicare.net.