4 Ways That HIPAA Encourages the Disclosure of Health Information

What’s the first word that comes to mind when you see the term “HIPAA”?

For many individuals in the healthcare market, the word is “NO.”

“Just say no” is a common answer for covered entities and business associates when they are faced with a decision about whether to disclose health information.

But what if I told you that HIPAA actually permits (and even requires) you to say “yes” to many disclosures of health information?

One of the most overlooked aspects of HIPAA is that there are sections that encourage the free-flow of information.  Examples include: (1) disclosures for treatment purposes, (2) disclosures for patient access, (3) disclosures to minimize an imminent danger, and (4) disclosures that are required by state laws.

Disclosures for Treatment Purposes

Let’s get one thing clear: HIPAA allows the disclosure of health information for treatment purposes.

A common misconception among providers is that HIPAA prevents or limits health care providers from sharing health information between each other to provide care for a patient.

This is not true.

I also commonly hear the idea that HIPAA requires a Business Associate Agreement in order for a provider to share health information for the purpose of treating a patient.

This is not true.

In fact, the HIPAA treatment disclosure exception is so broad that it applies to disclosures between health care providers AND the “coordination or management of health care” by a provider and a third party.

The third party does not even have to be a health care provider!

For example, an eye doctor can disclose health information to a contact lens distributor in order to confirm a prescription.  The distributor is not a health care provider, but the disclosure is for the purpose of treatment of the patient.

Patient Access

One common idea is that patients do not have an unfettered right to access their entire medical record.

Many providers feel that they, not the patient, have ownership of the patient’s health information and have no obligation to give the patient unrestricted access.

This opinion has lead to more than one Office of Civil Rights investigation.

In reality, HIPAA gives patients broad rights to access their health information and health care providers are required to honor patient requests. Patients are also not required to fill out an Authorization for Release of Records when requesting their own health care information.

With that said, there are some important exceptions to the patient’s access rights under HIPAA, including the limitation on accessing psychotherapy notes, information compiled in anticipation of a lawsuit, or if the access is prohibited under some other law.

But in general, patients have the right to access all of their health information that a provider uses to make treatment decisions about a patient. This includes any health information that a provider received from other providers.

Denial of such access could constitute a HIPAA violation.

Disclosures to minimize an imminent danger or assist law enforcement

Another way that HIPAA encourages the disclosure of health information is seen in the allowable disclosure to minimize an imminent threat to health or safety of an individual or of the public.

HIPAA permits covered entities to disclose health information to persons reasonably able to prevent or lessen the threat.

In addition, HIPAA permits covered entities to disclose health information to law enforcement authorities to identify or apprehend an individual in the following circumstances:

  • An individual makes a statement admitting participation in a violent crime that the covered entity reasonably believes may have resulted in serious physical harm to the victim.
  • Where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody.

There are some key exceptions to this permissive disclosure for mental health counselors. State laws may further restrict the extent of the disclosure exceptions.

However, these are important exceptions that can prevent danger to members of the community.

Disclosures Required By Law State

Another permissive type of disclosure under HIPAA is any disclosure required by state law. A few common disclosure obligations under state law are:

  • Reporting cases of child abuse
  • Reporting cases of vulnerable adult abuse
  • Reporting to law enforcement if an individual has certain types of wounds (e.g. bullet wound).

The HIPAA “required by law” disclosure exception makes it essential for covered entities and business associates to review their state mandatory reporting laws.

Focusing only on the federal HIPAA regulations to inform your disclosure obligations is a mistake.

Conclusion

HIPAA does not always mean “no.”

Of course, it is easy for healthcare market participants to believe this stereotype.  The horror stories of large fines levied on covered entities and business associates who improperly disclose health information are so common.

However, there are many permissive (and some required) disclosures under HIPAA that covered entities and business associates must understand and implement in their business operations.

Learning the types of health information disclosures that HIPAA prohibits and encourages will facilitate the proper flow of information, improve patient experience, and help avoid costly government investigations and fines.

For more information about HIPAA, please contact Casey Moriarty.

The Myth of a HIPAA Compliant Product

Purchasing a “HIPAA compliant” technology product does not guarantee HIPAA compliance.

There. I said it.

In today’s healthcare marketplace, a vendor’s representation that its product is “100% HIPAA Compliant” is an important assurance for covered entities and business associates. Due to the complex and confusing HIPAA regulations, the idea of “purchasing” compliance can be very attractive.

Unfortunately, you cannot buy HIPAA compliance. To explain, allow me to use the example of encryption technology.

HIPAA Compliant Encryption

Nearly every vendor of an encryption product that targets the healthcare market will claim that the product is HIPAA compliant. This representation is critical because health information that is properly encrypted is exempt from the HIPAA breach notification rules.

But when a vendor states that its encryption product is “HIPAA compliant,” the vendor is merely stating that the product meets the HIPAA encryption guidelines for data at rest (stored data) and data in motion (data that is transmitted over networks).

In reality, the HIPAA Security Rule requires more than merely using technology that meets the encryption guidelines.

The HIPAA Security Rule – What Product is “Reasonable and Appropriate”?

The HIPAA Security Rule standard related to encryption states that covered entities and business associate must: “Implement a mechanism to encrypt and decrypt electronic protected health information.”

Because this standard is “addressable,” an entity must carefully analyze its operations to determine what type of encryption product is reasonable and appropriate for its business.

The analysis must focus on a number of different factors related to the entity, including:

  • The entity’s size, complexity and capabilities;
  • The entity’s technical infrastructure, hardware and software security capabilities;
  • Costs of encryption measures; and
  • Probability and criticality of potential risks to electronic PHI.

For example, if a small entity simply wants to send a limited number secured e-mails containing patient information, a top-of-the-line encryption product for all IT systems may not be necessary. Rather, a basic e-mail encryption product may suffice.

However, if a large health system regularly transmits a large amount of health information over public networks, a basic e-mail encryption product is probably not appropriate.

The vendor of the e-mail product might claim that its product is “HIPAA compliant,” but under the Security Rule, a deluxe encryption solution for the health system’s various IT systems probably makes more sense.

In all cases, it is important for the entity to document why it believes that a selected encryption product is appropriate for its operations.

Conclusion

The takeaway is that HIPAA compliance takes real work. While the idea of buying compliance might be attractive, HIPAA requires covered entities and business associate to look inward and conduct a thorough analysis of their operations.

Do not be misled by thinking that HIPAA compliance can be achieved by entering credit card information and pushing a button.

If you would like more information about HIPAA compliance, please contact Casey Moriarty.

HHS Releases Security Risk Assessment Tool

Need help performing your HIPAA/Meaningful Use Security Risk Assessment?  Good news, HHS has released a tool to help!  In partnership with the Office of the National Coordinator, HHS created a tool, user guide, software, tutorial, videos and even an iOS App to help HIPAA covered entities and business associates perform the required HIPAA Risk Analysis.

The HIPAA Security Rule specifically requires (this is not an addressable specification) a Security Risk Analysis:

“Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”  45 CFR 164.308(a)(1)

In addition, those hospitals and eligible professionals seeking to meet meaningful use in order to receive the EHR Incentive dollars or avoid the Medicare payment adjustments must fulfill a HIPAA Security Risk Assessment.

Stage 1

Stage 2

Objective. Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process. Objective. Protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical capabilities.Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in Certified EHR Technology in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the EP’s risk management process.

For those hospitals and eligible professionals looking to meet meaningful use, the Security Risk Assessment tool will generate a report that can be provided to auditors.  However, the report alone is likely insufficient because both the auditors and the  meaningful use requirements (above) require the correction of security deficiencies – so merely running a Security Risk Assessment without taking actions to remedy the problem will not suffice.  To read more about meaningful use audits and security risk assessments click here

In addition to releasing the Security Risk Assessment tool, HHS has created a helpful true/false statement with the Top 10 Myths of Security Risk Analysis.  This document highlights the misconceptions regarding the risk assessment requirements, including that all covered entities and business associates (regardless of the size) must conduct a risk assessment pursuant to HIPAA.  Importantly, though only eligible professionals & hospitals are eligible for meaningful use incentives and Medicare payment adjustments, business associates must also comply with the HIPAA Security Rule pursuant to the HITECH Act.  Therefore, business associates must also conduct security risk assessments, and per recent guidance from HHS, business associates are likely part of the next round of HIPAA audits.

For more information about HIPAA, security risk assessments, and meaningful use please contact Elana Zana.

Upcoming HIPAA Audits Will Include Business Associates

On February 24, 2014, the Department of Health and Human Services (“HHS”) published a notice of its proposed collection of information in connection with its HIPAA audit efforts.  Comments on the proposed collection request must be submitted by April 25, 2014.

The notice indicates HHS’s intent to survey up to 1,200 organizations, including both covered entities and business associates, to determine the organizations’ suitability for HIPAA audits by HHS.  The survey will seek information about an organization’s patient visits, use of electronic information, revenue, and business locations, among other things.  The notice hints that some sort of technology will be used to complete the survey, as HHS’s time estimate of 30-60 minutes to complete the survey includes the time needed to “develop, acquire, install and utilize technology and systems for the purpose of collecting, validating and verifying information…”. The notice does not include details on the criteria HHS will use to select an organization for an audit.

One of the notable items of this notice is HHS’s announcement that this round of HIPAA surveys will include business associates as well as covered entites.  This is a clear signal that HHS is getting serious about HIPAA compliance by all organizations who handle protected health information.

For more information about HIPAA audits and HIPAA enforcement, please contact Lee Kuo.

Reducing the Risks of Third-Party Access to EHR Systems

UnityPoint Health, a health system located in Iowa, recently informed 1,800 patients of a breach of their health information.  UnityPoint learned of the breach after an audit discovered that a third party contractor’s employee had improperly gained access to the UnityPoint electronic health record (EHR) system and viewed the records of the 1,800 patients.

The UnityPoint breach shows the risks of allowing a third party contractors, known as “business associates,” to access health information in an EHR system  While such access may be required for certain activities, including billing, claims management, or utilization review, providers must be certain that the business associate agreements with such contractors include strong protections for the provider.

For example, business associate agreements should include requirements for the business associate to indemnify the provider for expenses resulting from HIPAA breaches, pay all notification costs associated with such breaches, and maintain insurance policies that provide coverage for a large breach.

Although strong language in a business associate agreement provides legal protection for a provider, it will do nothing to counteract the public relations fallout that results from notifying patients of a breach.  Therefore, providers should make every effort to contract with legitimate entities that understand HIPAA compliance.

If you would like more information about HIPAA compliance, please contact Casey Moriarty.