Changes Are Coming to the HIPAA Privacy Rule: Are You Prepared?

By Laura M. Cascella, MA, CPHRM

2022 Alliance sponsor article provided courtesy of MedPro Group

With a turn of the calendar year, 2022 will likely usher in the most significant changes to the HIPAA Privacy Rule in almost a decade. These changes will come on the heels of several years of information-gathering, proposals, and public comments, which kicked off December 2018 when the U.S. Department of Health and Human Services (HHS) Office for Civil Rights issued a request for information on HIPAA rules. HHS subsequently released and published the Notice of Proposed Rulemaking (NPRM) in December 2020 and January 2021, respectively. A public comment period on the NPRM followed, which concluded May 6, 2021.¹

The proposed changes to the HIPAA Privacy Rule are targeted at helping fulfill HHS’ Regulatory Sprint to Coordinated Care by breaking down barriers to care coordination, information-sharing, and interoperability (in alignment with the 21st Cures Act and the HITECH Act); supporting value-based care; enhancing patient engagement and right of access; and reducing unnecessary administrative and regulatory burdens.²

Some of the significant provisions of the Proposed Rule include introducing and modifying key definitions, strengthening patients’ rights to access their information, supporting information sharing and care coordination, allowing broader disclosures, and modifying policies and information associated with the Notice of Privacy Practices (NPP).

Key Definitions

As part of the Proposed Rule, HHS seeks to add definitions for two key terms — electronic health record (EHR) and personal health application (PHA). Neither of these terms currently is defined in the HIPAA Privacy Rule, although the HITECH Act does include a definition of EHR.

The Proposed Rule seeks to expand on and clarify the HITECH definition, defining EHR as “an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.”³

Likewise, the Proposed Rule aims to build on HITECH’s definition of personal health record by defining PHA as “an electronic application used by an individual to access health information about that individual in electronic form, which can be drawn from multiple sources, provided that such information is managed, shared, and controlled by or primarily for the individual . . .”⁴

The addition of both of these definitions — EHR and PHA — to the Privacy Rule are intended to address the gap in current regulatory definitions as well as clarify and support individuals’ right of access related to electronic protected health information (ePHI).⁵

The Proposed Rule also addresses confusion regarding the term “healthcare operations.” The current Privacy Rule permits uses and disclosures of PHI for treatment, payment, and healthcare operations without patient authorization. The definitions of treatment and healthcare operations overlap to some extent in terms of the type of activity and who is performing it — for example, case management activities performed by a healthcare provider (treatment) vs. a health plan (healthcare operations). However, the definition of healthcare operations specifically mentions population-based activities but not individual-level care. Thus, HHS proposes to clarify that healthcare operations includes both individual-level and population-based care coordination and case management activities.⁶

Right of Access

A predominant focus in healthcare legislation and reform is giving patients more access to and control over their health information. The proposed changes to the HIPAA Privacy Rule reflect this goal and aim to enhance patients’ right of access through various provisions, including:

• Strengthening patients’ right to inspect their PHI in person. The Proposed Rule would allow patients to take notes and use personal resources (e.g., smartphones) to capture images of their PHI, as long as it does not pose unacceptable security risks. However, providers are not required to let patients connect personal devices to their information systems.
• Condensing the current timeline to respond to requests for PHI. Providers currently have 30 days to response to patients’ requests for PHI, with an optional 30-day extension. The Proposed Rule seeks to shorten the timeframe to 15 days with an optional 15-day extension.
• Clarifying patients’ right to receive their PHI in the form and format requested, if it is readily producible. Under the Proposed Rule, “readily producible” copies of PHI would include ePHI requested through secure, standards-based application programming interfaces (APIs), using applications chosen by individuals. Providers also would be required to provide copies of PHI in any form and format required by applicable state and other laws.
• Easing identity verification requirements. Although verifying individuals’ identities is a crucial step when responding to requests for PHI, unreasonable or onerous identity verification requirements can create barriers to patients’ right of access. The Proposed Rule would prohibit covered entities from imposing unreasonable verification measures, such as requiring a notarized signature or showing proof of identification in person (when another credible, more convenient method is available).
• Providing more information about fees associated with obtaining PHI. The Proposed Rule specifies when PHI must be provided free of charge (e.g., during in-person viewing) and amends fees related to responding to requests to send PHI to third-parties. Providers also would be required to (a) post estimated fee schedules on their websites, (b) offer individualized fee estimates, and (c) provide itemized bills for completed requests.⁷

Information Sharing and Care Coordination

Certain aspects of the current HIPAA Privacy Rule can be construed as restrictive or limiting the ability of providers to share information in the pursuit of comprehensive, coordinated care for patients. The Proposed Rule seeks to address this issue and break down some of the barriers to information sharing.

As noted earlier, the more detailed definition of healthcare operations facilitates the sharing of individual patient data to support individual-level care coordination and case management. The Proposed Rule also establishes a pathway for patients to direct sharing of ePHI among providers and health plans by allowing patients to request that a provider or health plan submit an access request for PHI in an EHR to another healthcare provider.⁸ The provider or health plan (the “requester-recipient”) would facilitate requesting the information from the other provider (the “discloser”) and receive an electronic copy of the PHI.

The proposed changes also modify the rules related to “minimum necessary standard.” Under the current Privacy Rule, covered entities must use, disclose, or request only the minimum PHI that is required to accomplish the task at hand. The Proposed Rule makes an exception to the minimum necessary standard for use by, disclosure to, or requests from a covered entity for care coordination and case management.

The Proposed Rule also permits covered entities to disclose PHI to third-party organizations that provide health-related services for the purposes of individual-level care coordination and case management (for treatment or healthcare operations). Examples of such third parties include social service agencies, community-based organizations, home-based and community-based service providers, and other similar organizations. HHS notes that, in some cases, these organizations might not be subject to HIPAA.

Expanded Disclosures

In addition to supporting measures that facilitate sharing information and coordinating care, the Proposed Rule also aims to increase flexibility around the disclosure of PHI to an individual’s family members or other caregivers who are trying to assist the individual with a serious condition or emergency situation. Examples of such conditions and situations include substance use disorders, serious mental illnesses, incapacitation, and health-related emergencies.

To do this, HHS proposes replacing the “exercise of professional judgment” standard with a “good faith belief” standard, which would permit certain uses and disclosures of PHI if they are in the best interests of individuals. HHS also notes that the exercise of professional judgment standard implies disclosure by a licensed healthcare provider, while the good faith belief standard “may be exercised by other workforce members who are trained on the covered entity’s HIPAA policies and procedures and who are acting within the scope of their authority.”⁹

Five areas of the Privacy Rule would be amended based on this proposal. Those areas relate to disclosing information (1) to parents, guardians, or others acting in loco parentis; (2) for facility directories; (3) when the individual is present; (4) when the individual is not present due to incapacitation or an emergency; and (5) in relation to verification requirements.¹⁰

HHS also proposes to increase flexibility in relation to disclosing PHI to family, friends, and caregivers for the purposes of avoiding harm. The current Privacy Rule allows a covered entity to disclose PHI when a threat to health and safety is “serious and imminent.” HHS acknowledges that determining with certainty whether a threat is imminent may be impossible; thus, the Proposed Rule would permit disclosure of PHI when the threat to health and safety is “serious and reasonably foreseeable.” The proposed change would include a definition of “reasonably foreseeable” to help guide decision-making about disclosure.

Notice of Privacy Practices

To help eliminate an administrative burden of the current HIPAA Privacy Rule, the Proposed Rule eliminates the requirement for direct healthcare providers to obtain — or to document their good faith efforts to obtain — patients’ written acknowledgment of receipt of the providers’ NPP. However, to ensure that patients are able to understand and act on information in the NPP, they would have the right to discuss the NPP with a person whom the healthcare provider designates.

Further, HHS proposes modifying the header of the NPP to specify that the notice provides individuals with information about how to access their information, how to file a HIPAA complaint, and their right to receive a copy of the notice. The NPP header also would need to include a phone number and email address for the designated contact person.¹¹

Next Steps

Although the changes detailed in this article are still proposed and not final, healthcare providers (and other covered entities) should be aware of them and their potential implications. These changes will require providers to update their policies, procedures, NPP, authorization and disclosure materials, and contracts.¹² Further, the significance and breadth of these modifications will necessitate retraining staff on the HIPAA Privacy Rule.

The proposed changes will become effective 60 days after the Final Rule is published, and providers will have 180 days following the effective date to comply. With less than a year to implement these modifications, taking a proactive approach before the Proposed Rule is finalized can help providers prepare for the changes and identify any issues with current or future processes that could hinder implementation or compliance.

The following strategies may prove helpful:

• Make sure your current policies and procedures for the HIPAA Privacy, Security, and Breach Notification Rules are complete and up to date. Doing so will make implementing the proposed changes more straightforward and help avoid confusion.
• Review your current processes related to patients’ requests to inspect and obtain copies of their PHI to determine how well they work and what will need to change based on the Proposed Rule.
• Be aware of any state laws related to the release or disclosure of PHI. HHS notes that the Privacy Rule does not preempt other law that is more protective of individuals’ privacy.
• Make sure your identity verification process to access PHI does not impose unreasonable measures on patients, such as requiring a notarized authorization or other burdensome requirements.
• Consider how the shortened timeframe to respond to patients’ requests for PHI (from 30 days to 15 days) will affect workflow processes. Review your current process and ability to comply with 30-day timeframe to identify potential obstacles for future compliance.
• Review your current forms, materials, and contracts affected by the Privacy Rule to consider what changes will need to be made and the best way to approach those changes. Consider also what updates you will need to make to your website information.
• Begin to educate staff members about the changes in the Proposed Rule, and include them in planning efforts and discussions about new processes and workflows.¹³

More Information

For more complete information and details about all of the proposed changes to the HIPAA Privacy Rule, see the Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement published in the Federal Register on January 21, 2021.

Endnotes

1 Linna, A., & Ishee, J. (2021, October 14). Preparing for major HIPAA changes in 2022 [Webinar]. McGuireWoods. Retrieved from http://www.mcguirewoods.com/events/firm-events/2021/10/preparing-for-major-hipaa-changes-in-2022; Sheppard Mullin Richter & Hampton LLP. (2021, May 24). HIPAA Privacy Rule modification – removing barriers and promoting coordinated care at what cost? SheppardMullin Healthcare Law Blog. Retrieved from
http://www.jdsupra.com/legalnews/hipaa-privacy-rule-modification-7104453/
2 Ibid; Hales, M. (2021, June 1). HIPAA changes ahead. The HIPAA E-Tool. Retrieved from
https://thehipaaetool.com/hipaa-changes-ahead/; Allen, A. L. (2021, August 16). HIPAA at 25 remains a work in progress. The Regulatory Review. Retrieved from http://www.theregreview.org/2021/08/16/allen-hipaa-at-25-remains-a-work-in-progress/
3 Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446 (Jan. 21, 2021) (to be codified at 45 CFR pts. 160 & 164).
4 Ibid.
5 Ibid; Sheppard Mullin Richter & Hampton LLP, HIPAA Privacy Rule modification; Linna, et al., Preparing for major HIPAA changes in 2022.
6 Linna, et al., Preparing for major HIPAA changes in 2022. Hales, HIPAA changes ahead; Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446.
7 Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446; Linna, et al., Preparing for major HIPAA changes in 2022; Sheppard Mullin Richter & Hampton LLP, HIPAA Privacy Rule modification; Hales, HIPAA changes ahead; Compliancy Group. (n.d.). Proposed changes to HIPAA Privacy Rule for 2021 announced by HHS. Retrieved from
https://compliancy-group.com/proposed-changes-to-hipaa-privacy-rule/
8 Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446; Linna, et al., Preparing for major HIPAA changes in 2022; Compliancy Group, Proposed changes to HIPAA Privacy Rule for 2021 announced by HHS.
9 Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446.
10 Ibid; Linna, et al., Preparing for major HIPAA changes in 2022.
11 Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446; Sheppard Mullin Richter & Hampton LLP, HIPAA Privacy Rule modification; Linna, et al., Preparing for major HIPAA changes in 2022.
12 Sheppard Mullin Richter & Hampton LLP, HIPAA Privacy Rule modification; Linna, et al., Preparing for major HIPAA changes in 2022.
13 Hales, HIPAA changes ahead; Linna, et al., Preparing for major HIPAA changes in 2022.

The OCR’s Notorious Wall of Shame

Originally published by HealthMark Group on January 13, 2022
2022 Alliance sponsor feature article courtesy of HealthMark Group

Avoiding HIPAA Breaches and the “Wall of Shame”

Ever-evolving developments in healthcare technology, aimed at increasing efficiency and access, are growing at an exponential rate. That may offer more effective processes and support better care coordination, but it also leaves many practitioners finding it exceedingly difficult to remain compliant amid all of the security measures guided by the Health Insurance and Patient Accountability Act (“HIPAA”). Whether dealing with staffing shortages, clinic expansion, or a lack of training, avoiding breaches of personal health information (“PHI”) is both a top priority and an ongoing challenge.

When breaches do occur, HIPAA requires they be reported to the U.S. Department of Health & Services Office for Civil Rights (“OCR”). Violations affecting 500 individuals or more must be reported within 30 days of discovery to impacted individuals and within 60 days to the OCR and local media. OCR also publishes information identifying these breaches on what has become known as the OCR “Wall of Shame”. Established under the HIPAA Breach Notification Rule and HITECH Act, the Wall of Shame lists the names and other details of organizations under investigation due to a violation that has occurred within the last 24 months. To state the obvious, you do not want to be placed on this list.

Recent Statistics

• In 2021, 607 violations affecting nearly 45 million individuals were submitted to the OCR and are now visible on the Wall of Shame (a 20% increase in breaches compared to 2019, only two years prior) ¹
• Breaches have increased 84% in the last five years, with 329 reported in 2016²
• The average cost per record breached hit $499 in 2020 on an upward trend, totaling $13.2 billion for the year³
• Unauthorized access/disclosure accounts for 34% of violations every year, up 162% over the past three years⁴
• Hospitals typically account for 30% of all large data breaches⁴

Potential Financial Consequences

Most often, the OCR resolves cases through voluntary compliance or by accepting a covered entity’s plan to address the breach and adjust policies and procedures to avoid future violations. For severe cases, the Enforcement Final Rule of 2006 allows the OCR to issue financial penalties to covered entities that fail to comply with HIPAA Rules. There are currently four main tiers of such violations⁵:

• Tier 1, $100 – $50,000 per breach: A violation that the covered entity was unaware of and could not have reasonably avoided.
• Tier 2, $1,000 – $50,000 per breach: A violation that the covered entity should have been aware of but could not have avoided.
• Tier 3, $10,000 – $50,000 per breach: This violation is considered to be the result of willful neglect in instances where corrective measures were taken within a reasonable timeframe.
• Tier 4, $50,000 per breach: This violation is considered to be the result of willful neglect in instances where no corrective measures were taken to resolve the breach.

While less common, criminal penalties do exist in addition to fines for various violations, including malicious intent (i.e., selling data for harm or commercial gain).

How HealthMark Can Help

With management of PHI at the core of HealthMark’s business, it remains the highest priority to keep data secure and compliant. Our team responsible for the handling of medical records is required to undergo Certified Release of Information Specialist (“CRIS”) training and certification to demonstrate understanding of patient privacy rights and HIPAA requirements. Guidelines around HIPAA, the Privacy Rule, Information Blocking, etc. are constantly evolving, making regulatory education one more thing for practices to manage. Our goal as a partner is not only to offer services that ease administrative loads, but to also do the work for clients by combing through often convoluted details and staying abreast of the most important changes that are occurring. By doing so, we can share with clients what they need to know and when, which allows our clients to focus more of their limited resources on their primary goal of patient care.

1. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
2. https://www.hipaajournal.com/largest-healthcare-data-breaches-of-2016-8631/
3. https://www.beckershospitalreview.com/cybersecurity/healthcare-data-breaches-up-55-1-in-2020-report-finds.html
4. https://techjury.net/blog/healthcare-data-breaches-statistics/#gref
5. https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/

Tips for Responding to Online Reviews

2020 Alliance sponsor feature article courtesy of MagMutual

Top Five Recommendations:

Acknowledge feedback quickly – Consumers turn to social media for information and expect healthcare organizations to monitor online feedback, especially on their own social media pages and high-traffic sites. It’s important for organizations to perceive online reviews as valuable patient feedback. Acknowledging those activities validate patient feelings and show an organization’s commitment to providing quality care. Consider having individuals closely monitoring accounts and providing feedback within 24 hours.

Keep responses anonymous – It is extremely important to maintain HIPAA compliance when responding to online reviews. By providing generic responses, without PHI or individual patient care details, an organization can safeguard itself against fines and other penalties.

Adhere to standard protocols – Create and follow standard protocols for responding to online reviews. Determine the appropriate individual(s) to monitor online feedback. Establish time frames for online feedback reviews and responses. Use pre-approved, HIPAA-compliant responses for positive and negative feedback. If possible, remove feedback that contains offensive language or hate speech and use a templated statement about removing that type of language.

Use templated responses – Developing a few responses for positive and negative reviews can ensure that they are generic, HIPAA-compliant, timely and remove any bias or anger that might present itself in individual responses. These templates can be reviewed by your insurance risk management team and providers for approval and quickly used when a new review is submitted.

Address direct issues offline – If an organization receives an online review with allegations of negligence or non-factual information, use a generic response online and don’t address any specifics. If appropriate, ask the reviewer to contact the organization to address any concerns. Communication over the phone or in person will increase the likelihood of understanding and compromise.

Top Five Cautions:

Don’t respond in anger – Unfortunately, there are times when consumers will post incorrect, rude or defamatory reviews. Responding in anger could lead to HIPAA privacy violations or online back and forth fighting for the world to see. It’s better to use a templated response and try to address the issue offline.

Don’t private message – Online messaging and email is not private, and HIPAA violations may occur if PHI is included in any online activities on behalf of an organization.

Don’t give medical advice – Medical advice, appointment scheduling, medication prescriptions/refills, lab results, billing issues, etc. should never be provided or discussed online. Those actions should only be conducted with established patients in person, over the phone or through a secure healthcare portal after patients have consented to participate and understand emergency issues shouldn’t wait for online portal responses.

Don’t delete reviews – Consumers understand that even the best organizations and providers receive negative online reviews. Unless the review contains profane language or hate speech, organizations should leave the review and ensure they have responded, showing other consumers that they review feedback and are committed to communication and improving their quality/service.

Don’t alter content – Loss of confidence in an organization will occur if responses are altered. In today’s world, online consumers routinely take screen shots of online reviews and reply messages. If a message is altered, the evidence might still remain available and could be used against an organization. Also, it’s important to remember that patients can disclose their own PHI, but the organization cannot repeat or verify/deny without authorization.

Sample Online Compliment/Complaint Responses:

Compliment – Our practice aims to deliver the highest quality patient care. We love to hear about positive experiences. Thank you for your comments.

Compliment – Thank you so much. We really appreciate your kind words and will be sure to pass your feedback on to the staff.

Compliment – Thanks for sharing this feedback with us!

Complaint – Thank you for sharing your feedback with us. We apologize for your recent experience. Please call us at [phone number] so we can improve next time.

Complaint – We are sorry to hear about your experience. We are committed to providing the best patient care. Please contact us at [phone number] so that we may speak with you and address any concerns.

Complaint with profanity – Your message was removed because it did not meet our site standards. If you have any questions or concerns, please contact our office at [phone number].

A Step-by-Step Guide for Responding to Medical Record Subpoenas

By Raj Shah, Esq., Senior Regulatory Attorney, MagMutual

2020 Alliance sponsor feature article courtesy of MagMutual

Healthcare providers are aware that HIPAA and state privacy laws place restrictions on the disclosure of protected health information (PHI) to third parties. If a request for records comes via subpoena, discovery request or any other court order, the provider must not ignore it because a response is usually required. However, while you shouldn’t ignore the subpoena or discovery request, the consequences of responding incorrectly to a request can be even more severe than those of ignoring it altogether. Once a subpoena is received, DO NOT ignore it, but also DO NOT immediately disclose the records, as you could be in violation of HIPAA or state privacy laws and face severe penalties. This article offers guidance about what to do and what not to do after being served with a subpoena or request for documents including PHI.

Step 1: Check if the Request is Signed by a Judge

Court Orders, Court-Issued Subpoenas and Grand Jury Subpoenas. If you receive a court order or a subpoena that is signed by a judge, magistrate, administrative tribunal or a grand jury subpoena, you must disclose the requested information. Still, remember to disclose only the information expressly requested, and nothing more. For example, if the subpoena asks for records relating to a specific date of service, only send records from that day and not the patient’s whole record. (If the document you received meets these criteria, there is no need to go on to the other steps, but additional information is available at the end of this document.)

Practical Advice: Look specifically for a checkbox or judge’s signature on the subpoena form to confirm the subpoena is signed by a judge and not the court clerk or attorney. The judge’s name should also be listed in print next to the signature.

Step 2: Responding to Lawyer or Clerk Signed Requests

Attorney-Issued Subpoenas or Discovery Requests. A subpoena or discovery request signed by someone other than a judge, magistrate or administrative tribunal – most likely a court clerk or an attorney – is NOT a court order. A subpoena signed by an attorney or a court clerk requires additional assurances under HIPAA. If you receive a subpoena or discovery request that is signed by an attorney or court clerk, you can not disclose information unless one of the following conditions are satisfied:

1. Provider must receive a written statement and accompanying documentation from the attorney issuing the subpoena demonstrating that:
   1. A good faith attempt was made to provide written notice of the subpoena to the patient or his or her attorney (this can be satisfied by a cover letter accompanying the request that that patient’s attorney was notified via a carbon copy);
   2. The written notice included sufficient information to allow the patient to raise an objection to the subpoena;
   3. The time for objecting to the subpoena has passed; and
   4. The patient did not object to the subpoena or that any objections by the patient were adequately resolved by the court.
2. Provider makes reasonable efforts to provide notice of the subpoena to the patient and the patient does not make any objections to the release of their PHI.
   1. Examples of reasonable efforts to notify the patient include calling the patient or sending the patient a letter via mail or email explaining that you’ve received a subpoena requesting disclosure of their protected health information, and you are required to respond unless the patient has the subpoena set aside before the time for responding has expired and notifies you that the subpoena has been set aside.
3. Provider may obtain a valid authorization form signed by the patient for the release of their records. This is the provider’s HIPAA authorization that patients in the office routinely sign to obtain their PHI. To be valid, the authorization form must contain the elements and statements required by the HIPAA Privacy Rule. The form also must be signed by the appropriate person, which may be the patient or may be the patient’s personal representative (if, for example, the patient is a child or an incapacitated adult).
   Practical Advice: If a subpoena is accompanied by an authorization or other document labeled “release” or “waiver” or something similar DO NOT USE IT. Some of the elements of an authorization that make it HIPAA-compliant are not intuitive and may be left out of a form prepared by a person (even an attorney) who is unaccustomed to working with HIPAA. If you receive a subpoena with an attached authorization for the patient to sign, do not use it and use your practice’s HIPAA authorization form instead.
4. Provider must receive a written statement and supporting documentation demonstrating:
   1. that the parties have agreed on a qualified protective order or
   2. that the party seeking the information has filed for a qualified protective order. A qualified protective order limits the use of the requested PHI to the lawsuit.
5. Provider makes reasonable efforts to obtain a qualified protective order.

If for some reason the provider cannot satisfy one of these five conditions, they may not disclose the requested PHI, but neither may they ignore the subpoena without subjecting themselves to possible contempt sanctions. Staff members should notify their supervisors if one of these conditions are not met. The supervisors will be able to contact the organization’s attorney or a risk consultant at MagMutual who can provide guidance.

Step 3: See What Information is Being Requested

After determining the attorney-signed subpoena is valid, look at what information is being requested and be sure to provide only what was requested. In most states, for example, a subpoena must specifically ask for specially protected records such as those related to mental health and substance abuse. A subpoena asking for all of a patient’s medical records would not be sufficient to obtain those documents. See the examples below.

1. General Request for Entire Record. If the subpoena is for a patient’s entire medical record, release the record except for specially protected records. Specially protected records include mental health records; drug/alcohol treatment records; psychotherapy notes; testing for or treatment of HIV, AIDS and STDs; and mental health, behavioral health or treatment records of substance abuse programs. If you are unsure if a part of the record is specially protected, ask a supervisor.Practical Advice: Remember when communicating with the party seeking the record, even mentioning the existence of this highly sensitive PHI could be a HIPAA violation. For example, do not say, “We can send over the record except for the HIV treatment information.”
2. Requests for Specially Protected Records. If the request specifically asks for specially protected records, they can only be released under one of the following conditions:
   1. A court order signed by a judge specifically ordering the records related to these specially protected areas; or
   2. A valid authorization signed by the patient specifically authorizing the practice to release that portion of the record.

Step 4: Watch and Diary the Calendar

Once you know which records to send, pay attention to the calendar. Note the date by which the records are required, which sometimes can be too soon for the provider to comply. A short deadline also doesn’t allow enough time if the patient must be contacted for authorization or for the patient to object to the subpoena. It is not unusual for a subpoena to request records be delivered within a week. If the time to respond seems too short, contact your supervisor. If no time to respond to the subpoena is listed, you should respond after 21 days (ideally between 21 and 25 days). Remember, do not immediately respond even if it is a valid subpoena. This gives the patient time to sign an authorization or file an objection.

General Checklist for Responding to a Subpoena Requesting Protected Health Information

These are steps to be taken to comply with a subpoena while at the same time protecting patient privacy and confidentiality. A provider should do the following:

1. Confirm that the subpoena is valid (if it’s from an out-of-state court, it’s probably invalid)
2. Identify who signed the subpoena (e.g., judge, administrative agency, attorney, court clerk)
3. If the subpoena is signed by an attorney, contact the party issuing the subpoena to obtain satisfactory written assurances or a qualified protective order.
4. When the subpoena is requesting records relating to a limited number of patients, notify the patients whose records are being sought as already outlined and/or determine whether the patients will provide a valid HIPAA authorization that complies with HIPAA. (Remember you can use either a MagMutual authorization form or your practice’s existing authorization form.)
5. If there are any questions about whether or which documents can be produced, ask your supervisor.
6. Consider whether other laws in addition to HIPAA limit disclosures (e.g., state law limits on disclosures for mental health records and drug/alcohol treatment records).

Considerations for Deceased Patients

If a subpoena is requesting the medical records of a deceased patient, the same rules listed above apply, except that any authorization must be given by a “personal representative” of the deceased patient. The executor of the patient’s estate is a “personal representative” and may sign the authorization as well as be substituted for the deceased patient for the purpose of notice or qualified protective orders. The patient may also sign a HIPAA release prior to death that designates an individual to have access to their PHI. Even if not an executor or specifically designated by a HIPAA authorization form, family members or individuals involved in the patient’s care may also be “personal representatives” if the request is relevant to their involvement in the patient’s care, unless releasing the records is against the preference of the deceased patient.

HIPAA Privacy and Coronavirus

2020 Alliance sponsor feature article courtesy of Total Medical Compliance

While preparing and treating patients that have or might have novel coronavirus (2019 nCoV), it is important to remember your patient’s privacy rights. HIPAA permits the sharing of patient’s protected health information (PHI) for public health activities such as this without a patient authorization.

With whom and when can you share PHI for public health activities? Generally, PHI can be shared with:

• entities that are permitted by law to collect and receive health information for the purpose of preventing or controlling disease such as the CDC or a state or local health department,
• organizations such as the American Red Cross,
• others at risk of contracting or spreading a disease or condition if state law authorizes the covered entity to notify others as necessary to prevent or control the spread of the disease, and
• others involved in the patient’s care such as family and friends. Providers should use their professional judgement here and obtain verbal consent from the patient, if possible.

PHI should not be shared with the media or others not involved in a patient’s care without the patient’s authorization.

The HIPAA minimum necessary standard still applies to the use and disclosure of PHI. The U.S. Department of Health and Human Services says that entities may rely on representations from the CDC or other public health department that the PHI requested by them about all patients exposed to or suspected or confirmed to have novel coronavirus (2019-nCoV) is the minimum necessary. In addition, a covered entity should continue to limit access to PHI to only those workforce members who need it to carry out their duties.

HIPAA Compliance and Information Technology

2018 Alliance sponsor article courtesy of HitsTech

The HIPAA Security Rule, in force since April 21, 2005, established three safeguards:

• Administrative policies and procedures designed to clearly show how the entity will comply with the act.
• Physical measures that control access to data storage areas.
• Technical methods securing “protected health Information” (PHI) that, when transmitted electronically over open networks, is known as ePHI.

The first two safeguards take time and effort but most healthcare providers have staff who can read the manuals, apply the guidelines and develop a compliant infrastructure.

The technical safeguard provision is entirely different!

HIPAA IT skills are not easily mastered. It requires the ability to understand the rules and regulations, envision a network (along with the ePHI flowing through it), and spot vulnerabilities. This must usually be done with a limited budget and with a minimum disruption of provider efficiency.

Deciding how to protect your information is a critical decision. The financial penalties resulting from data breaches along with the colossal costs of issuing breach notifications, providing credit monitoring services, and conducting damage mitigation makes investment in the protection of PHI extraordinarily cost-effective .

If you decide to handle HIPAA technical issues by hiring an in-house IT professional or contract with a Managed Services Provider (MSP) who specializes in healthcare, how do you make the right decision?

Most importantly, your applicant must present a plan that addresses four issues:

1. 1. The protection of the entire volume of PHI and ePHI you process. This includes:
      • Patient names, pictures, biometric data, addresses, contact numbers, insurance information, and any identifying numbers or data.
      • Health insurance plan beneficiary numbers.
      • Vehicle identifiers and serial numbers including license plates.
      • Device identifiers and serial numbers.
      • Web URLs and Internet protocol (IP) addresses.
   2. The ability to defend against known and anticipated threats. Failure to use current generation OS software and protection and tardiness in the implementation of published fixes and patches makes you 40 times more likely to be hacked.
   3. Compliance by other “Covered entities,” “business associates” and third-party service providers who might access your PHI. This includes items sometimes overlooked such as x-rays, physician appointment schedules, dictated notes, conversations, and information placed in patient portals.
   4. Security network components that are affordable and operationally feasible. The following diagrams identifies these components.²

 

²Prevention Data Breaches Diagram used with permission of the HIPAA Journal 2017

There are specific HIPAA standards for servers, hosted environments, cloud utilization VPN architecture, workstations and network components. Your staff or MSP must provide evidence that the components they intend to deploy meet these specifications.

The technical defense you deploy must compensate for common human failings by using:

• Password best practices. Passwords cannot be used by a group, must not be assigned to a position and must be changed every 90 days. Passwords must be sophisticated using letters, symbols, differing case and numbers.
• Screen protectors that limit a third party’s ability to view a protected screen. These are commercially available.
• Automatic controls that close a computer when it is left unattended.
• Auditing techniques that ensure business associate networks are compliant. Remember you remain responsible for ePHI even when it leaves your network for another.
• Restricted use of mobile devices such as flash drives that are not encrypted or are left in unprotected locations.
• Technology that locks misplaced mobile devices.
• Tracking that identifies attempted hacks and determines if data has been compromised.
• An automatic restoration protocol that frequently backs up data so that if you are successfully attacked, it will disable the threat and immediately return your network to its last safe status.
• Disposal procedures that ensure that any device to be disposed of is wiped completely before release from the protected environment.

While I hope this synopsis is helpful, I highly recommend you look at the 2017 edition of the HIPAA Journal’s “HIPAA Compliance Guide”. It provides a detailed analysis of the points made in this paper.

Armed with “Compliance Guide” expertise, explain your goals to your IT staff or MSP and leave the driving to them.

Sandra Loftin
Chief Executive Officer
HitsTech

Can I Text My Patients? FAQs – Emails and Texts

By Carrie Lowe, JD

2018 Alliance sponsor feature article courtesy of MagMutual

Can I text or email my patients?

Yes, healthcare providers can communicate with patients via text messages, but only if:

1. The communication is encrypted or sent via a secure messaging system, or
2. The patient is warned beforehand regarding the risk associated with unencrypted communication and the patient still prefers to communicate via unsecured text or email.

If a provider sends an email or text message that is encrypted or sent over a secure messaging system, such as a secure patient portal, the message may include protected health information (PHI). The Department of Health & Human Services (HHS), in its Guide to Privacy and Security of Electronic Health Information, points out that if a provider uses an EHR system that is certified under ONC’s 2014 Certification Rule, the EHR should have the capability to allow patients to communicate through a secure patient portal. However, patients may want information sent via text to their phone or personal email account, which is not secure or encrypted, rather than going to a portal.

Patients have a right to receive communications (including PHI) from the provider by alternative means, such as email or text.[i] However, it is incumbent upon the healthcare provider to inform the patient, in writing, of the risk of unintentional disclosure to a third party of PHI if sent in an unsecure manner. If the patient, after being informed of the risks, chooses to communicate via unsecured means, the patient has that right. This can be done by discussing these risks with the patient and having the patient sign a consent form acknowledging that he or she understands the risk.

In the Final Omnibus Rule, the HHS Office for Civil Rights (OCR) states that covered entities are not required to educate individuals about encryption and information security, but must notify the patient that there is a risk that the information in the email could be read by a third party. “If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request.” [ii]

What if a patient sends an unsolicited text to me?

When a patient initiates communication with a provider by email or a text message, the provider can assume that email or text is an acceptable form of communication to the patient. A patient may send health information to a healthcare provider using an unsecure email or text. Once this health information is received by the provider, however, it becomes PHI. At that point the PHI must be safeguarded and any texts back to the patient must be sent via a secure messaging system, encrypted, or the patient must have been previously warned in writing of the risk, with supporting documentation that shows that the patient accepted the risk.

Can I send texts regarding patient care to other healthcare providers?

Yes, you can send PHI to other healthcare providers, but only if the information is sent via a secure messaging system or is encrypted.

Can I text orders to members of the healthcare team?

No, CMS and the Joint Commission explicitly prohibit healthcare providers from texting orders. In addition to the privacy and security concerns discussed above, there is concern that the information may be lost or compromised if it has to be manually entered into the medical record from a text message. Other healthcare providers will not have access to the order if it is not in the medical record, which could affect patient care. The medical record must contain all information upon which treatment decisions are based, and patients have the right to access this information pursuant to HIPAA. The recent CMS Memorandum can be found here.
[i] 45 C.F.R. 164.522(b)

[ii] 78 Fed. Reg. 5634

Palmetto GBA E-mail Update: Tuesday, April 04, 2017

eServices Makes Asking a Medicare Question Easier
Palmetto GBA has Secure eChat to make asking Medicare questions easier. This innovative feature allows providers to interact with designated Palmetto GBA staff so they can receive real-time assistance locating information on any topics or specialties they are searching for on the Palmetto GBA website or within the eServices online portal. The Secure eChat feature also allows users to dialogue with an online operator who can assist with patient or provider specific inquires or address questions that require the sharing of PHI information! Using Secure eChat is simple! Please share with appropriate staff.

Applies to:

• JM Home Health and Hospice//General
• JM Part A//General
• JM Part B//General

What Can You Expect to Receive from the CERT Contractor?
You can expect to receive the following from the CERT Contractor: Information on the CERT process; Health Insurance Portability Accountability Act (HIPAA) compliance information; What documentation to submit; Timeframe for responding to the request; and Claim information.

Applies to:

• JM Home Health and Hospice//General
• JM Part A//General
• JM Part B//General
• Railroad Medicare (RRB)//General – Railroad Medicare

Inquiries for Unprocessable/Rejected Claims
Did you know the top two reasons for Palmetto GBA Provider Contact Center inquiries in February all had to do with claims that were unprocessable or rejected? When a claim is rejected (also referred to as unprocessable) the claim is not afforded appeal rights. You must correct and refile the claim correcting the missing, invalid or incomplete information. Reason code MA-130 will appear on your remittance advice (RA) along with one or more remark codes that outline the error causing a claim to be considered unprocessable. If your clearinghouse is not providing you with associated remarks code to explain why a claim was rejected, speak with your clearinghouse to receive that information. Please share with appropriate staff.

Applies to:

• JM Part B//General

Unprocessable/Rejected Claims Webcast: April 13
Jurisdiction M will hold a Part B Unprocessable/Rejected Claims Webcast on April 13, 2017, at 10 am, ET. This webcast will include identifying, correcting, and reviewing examples and resources to resolve and prevent rejected claims. Please plan to attend.

Applies to:

• JM Part B//General

E/M Weekly Tip: History Component – Status of Three Chronic/Inactive Conditions
An extended History of Present Illness (HPI) ma y consist of the status of three chronic/inactive conditions for either set of guidelines (1995 or 1997) for services performed on or after on or after September 10, 2013. Please share with appropriate staff.

Applies to:

• JM Part B//General
• Railroad Medicare (RRB)//General – Railroad Medicare

New Waived Tests
Change Request (CR) 9956 informs MACs of new Clinical Laboratory Improvement Amendments of 1988 (CLIA) waived tests approved by the Food and Drug Administration (FDA). Since these tests are marketed immediately after approval, the Centers for Medicare & Medicaid Services (CMS) must notify MACs of the new tests so that they can accurately process claims. Make sure that your billing staffs are aware of these CLIA-related changes.

Applies to:

• JM Part B//General
• Railroad Medicare (RRB)//General – Railroad Medicare

Does your Practice Fall Short on HIPAA Compliance?

2016 Alliance feature article by IT Practice, Inc.

In the medical and dental fields, protected health information (PHI) is a concern not only for the patient, but also for the employees. Protected health information is any information about the health status, provision of health care, payment information or other medical terms that can be used to identify a patient. The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 in order to protect this sensitive information. HIPAA ensures that no PHI is released without the patient’s consent. It is vital that medical professionals ensure that no violations happen and that they are working to avoid releasing PHI in any capacity.

There are several areas where healthcare practitioners need to be especially careful to ensure that no violations of HIPAA are occurring. By recognizing these areas, medical practices and staff can pay special attention and care to follow the law.

Social Media

Today it seems everyone uses social media. Whether it is Facebook, Twitter, Instagram or the many other social media networks, we are surrounded by it. It has made the ability to “share” information easy and done with the click of a button. One issue that arises from this is HIPAA law violation. Many times healthcare professionals share information before thinking or even realizing they are violating HIPAA law. It could be something shared in a positive and harmless spirit, but it could have huge consequences if it is found to be in violation.

Photographs are a large issue in HIPAA and social media. A healthcare worker may think sharing a photo is innocent and not harming anyone, but without consent from the patient it is a violation. For example, a photo could be shared with a patient only visible in the background of the photo. This is still a violation as the patient is able to be seen and identified. While the healthcare worker did not mean for it to happen, they unknowingly violated HIPAA law.

Wireless and Mobile Devices

In healthcare fields, patient information often times needs to be shared between healthcare professionals. This information could be vital signs, PHI information on the patient, or even just discussing the progress of the patient. It is simple to send a quick email or text to relay this information quickly. It’s very easy to violate HIPAA doing this as the software and wireless networks being used may not have enough security measures to prevent a breach.

Using encryption programs allows this information to remain secure, but only if all parties involved on the information sharing have the encryption installed on their wireless devices. It is often difficult to encrypt all employee devices and as such polices should be put into place to prevent any violations. Discouraging employees from sharing PHI through wireless devices or only allowing encrypted software to be used will safeguard against violations.

Employee Training

In order to follow HIPAA and avoid violations, it is vital to understand and be educated in HIPAA law. Knowledge in the law will prevent employees from breaking the law. In many healthcare practices and industries, the only employees fully trained in HIPAA are those who are higher up in the field such as management and administrators. However, it is actually required for all staff to know the ins and outs of HIPAA.

To prevent most violations, HIPAA regulations should be integrated into practice policies and procedures. This will allow there to be more employee training and keep the staff informed and knowledgeable in HIPAA law. Employee training in HIPAA must become a priority in order to avoid HIPAA violations before they occur.

IT Practice, Inc. with headquarters based in Raleigh, NC is a HIPAA Certified IT Provider. The staff knows how vital HIPAA regulations are and ensure that when medical information comes through to them from clients it is protected and kept confidential.

IT Practice based in Raleigh, NC provides a wide range of IT solutions for Dental, Medical and Small Business Professionals across North Carolina and Virginia. Call 919.301.1000 for a consultation to determine your exact IT needs.