Kansas City, MO—At the 12th annual National Organization of Rheumatology Managers conference, held September 14-16, 2017, practice managers, physician managers, and other healthcare administrators gathered to network with their peers and attend educational sessions on the future of rheumatology management in the age of value-driven healthcare.
In a breakout session, Jennifer Cosey, Principal and Senior Consultant, Eagle Associates, Ann Arbor, MI, discussed issues related to the HIPAA Privacy, Security, and Breach Notification Rules, including how to assess a potential breach of protected health information (PHI) and determine whether the breach is reportable.
Under HIPAA, a breach of PHI is the unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of such information. The HIPAA Breach Notification Rule requires HIPAA-covered entities and their business associates to provide notification to affected individuals following a breach of unsecured PHI. Business associates must also notify covered entities if a breach occurs and the business associate was responsible.
Training staff annually on breach handling and patient identity verification, and documenting that training, are key administrative HIPAA requirements.
“Training records have to be kept for 6 years,” Ms Cosey told attendees.
As part of its auditing process, the US Department of Health & Human Services now sends automated e-mails to verify the proper compliance contact for the entity, followed by a screening questionnaire that requires completion within 30 days. An e-mail from the Office for Civil Rights will provide a secure portal through which any requested documentation can be uploaded. Notification will be on a rolling basis, and practices have 10 days to respond with the documentation that is requested.
“The first area that is going to be required for every single audit is business associate information. A business associate is any person or entity that your practice gives access to patient information, or actually sends patient information to in order for them to perform a service,” Ms Cosey noted.
Business associates can include contracted transcriptionists, shredding companies, an answering service, a billing clearinghouse, an information technology vendor, and the company that provides your electronic medical records. Business associates must agree to hold their subcontractors responsible for complying with HIPAA.
The Office for Civil Rights asks for multiple details about business associates, including names, points of contact, addresses, phone numbers, fax numbers, and e-mail addresses. No PHI should be sent to a business associate until a signed business associate agreement is in place. Once signed, the agreement remains in effect until terminated by either party.
Agreements can originate from the covered entity or the business associate. Ms Cosey recommends reviewing agreements originating from the business associate for language that indemnifies the associate.
Notice of Privacy Practices
A notice of privacy practices is required. This is an abbreviated form of the written privacy policies of the practice. It provides patients with an explanation about how their information will be used and disclosed by your practice; their rights as specified under the privacy rule; and how to file a privacy complaint with your practice, the US Department of Health & Human Services, or the Office for Civil Rights.
“You have to have a copy of your notice posted prominently in your practice, usually in the waiting area. It also has to be posted on the first page of your practice’s website if you have one,” Ms Cosey said. A notice of privacy practices should be given to patients at the first encounter, and a good-faith acknowledgment obtained; the notice can also be provided electronically if the patient prefers.
Right to Information
With limited exceptions, patients have the right to any information that you have collected or maintained in their records, including test results and additional information from other providers. Access should be provided within 30 days of being requested, although an extension can be granted with notification to the patient.
A covered entity must inform patients in advance of the approximate fee that may be charged for the requested copy of their records. No fee can be charged when patients retrieve their records themselves through the practice’s electronic medical record patient portal. A covered entity may charge patients a flat fee for electronic copies of the PHI, provided that the fee does not exceed $6.50.
Breach Notification Rule
Under the Breach Notification Rule, if your practice gets audited, the Office for Civil Rights will ask you to provide a copy of a breach notification that your practice has submitted.
“If you have no breaches, you would tell them that. Then, they might ask you some follow-up questions, because [although] a lot of practices think they haven’t had any breaches, if you think about it further, maybe you have,” Ms Cosey said.
If a breach has occurred, a breach notification letter must be sent to affected patients without unreasonable delay and no later than 60 days after the breach is discovered, and the breach must be reported to the Office for Civil Rights. A breach affecting 500 or more individuals must be reported to the Office for Civil Rights within the same 60-day window; smaller breaches are logged and submitted annually, within 60 days of the end of the calendar year in which they were discovered. Language added by the 2013 Omnibus Rule states that the business associate must report to you any breaches of your patients’ information for which they are responsible.
“The business associate should pay for credit monitoring, if it’s appropriate, based on what information was improperly disclosed,” Ms Cosey stated.
Which Types of Breaches Require Notification?
An impermissible use or disclosure of unsecured PHI is presumed to be a reportable breach unless the covered entity can demonstrate, through a documented risk assessment, that there is a low probability that the PHI has been compromised. That assessment must consider at least the following 4 factors:
- The nature and extent of the PHI involved, including the type of identifiers and the likelihood of reidentification; sensitive information ripe for identity theft would require notification
- The unauthorized person who used the PHI, or to whom the disclosure was made
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated—covered entities should attempt to mitigate the risks to the PHI following an impermissible use or disclosure, such as by obtaining the recipient’s satisfactory assurances that the information will not be further used or disclosed, or will be destroyed.
Notification to a patient must be made by first-class mail to his or her last known address, or, if the patient agrees to receiving electronic notice, by e-mail.
Source: Centers for Medicare & Medicaid Services. HIPAA basics for providers: privacy, security, and breach notification rules. August 2016. www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/HIPAAPrivacyandSecurityTextOnly.pdf. Accessed September 29, 2017.