HIPAA Advice

What is a HIPAA Compliant Home Office?

A HIPAA compliant home office is a working environment set up to support HIPAA compliance when a covered entity, business associate, or a member of either’s workforce works from home. Because of the different functions that can be performed from – and services that can be provided by – a home office, the requirements for HIPAA compliance can vary considerably.

What is a Home Office in Healthcare?

Although a home office is most often considered to be a remote working environment “in a location other than an employer’s central workplace”, a home office in healthcare could be the main working environment for a solo healthcare practitioner, a part-time employee of a covered entity, or a home business that provides medical transcription services as a business associate.

Regardless of whether a home office is a remote or a main working environment, is used full-time or part-time, or by an individual or a team, a home office has to be set up to comply with HIPAA whenever the function being performed in – or service being provided by – a home office involves the creation, receipt, maintenance, or transmission of Protected Health Information (PHI).

What Might a Home Office be Used For?

Working from home has become increasingly viable for a range of professions, including many in healthcare. A home office in healthcare can be used to perform many different functions for patients or to provide a range of services to covered entities and business associates. Examples of how a home office might be used for a healthcare function or service include:

  • Telemedicine Provider
  • Medical Transcriptionist
  • Medical Coder/Biller
  • Healthcare IT Specialist
  • Behavioral Health Professional
  • Epidemiologist
  • Health Coach
  • Patient Navigator
  • Biostatistician
  • Clinical Research Coordinator
  • Medical Educator or E-Learning Specialist
  • Medical Customer Service Representative

Some of these home-based functions and services can be subject to state or local employment regulations, while others may require an employee to work from home some of the time and at the employer’s central workplace at other times. Nonetheless, whatever the working arrangement, whenever a home office is used to create, receive, maintain, or transmit PHI – in any media or format – it is necessary that the home office is a HIPAA compliant home office.

The Requirements for a HIPAA Compliant Home Office

The requirements for a HIPAA compliant home office consist of much more than some people think. This is because the aim of the Administrative Simplification Regulations is to protect the privacy of individually identifiable health information and ensure the confidentiality, integrity, and availability of electronic PHI regardless of where the information is created, received, stored, or transmitted.

Therefore, it does not matter whether the functions being performed and the services being provided take place in a home office, a healthcare facility, or a secure data center. The requirements for HIPAA compliance are the same. This means the same policies, procedures, and safeguards have to be implemented, and the same penalties can be applied for violations of HIPAA.

The requirements for a HIPAA compliant home office will mean different things to different types of home workers. For example:

  • A solo healthcare practitioner will have to comply with all applicable provisions, standards, and implementation specifications of the Administrative Simplification Regulations.
  • A home business operating as a business associate may only have to comply with the applicable standards of the Privacy Rule and the Security and Breach Notification Rules.
  • An employee of a covered entity or business associate will have to comply with their employer’s policies and procedures – which may be different from in the central workplace because of the unique threats of home working.

Consequently, for some home workers, the requirements for a HIPAA compliant home office may include conducting an audit to determine where and how PHI is created, received, stored, or transmitted, conducting a risk assessment to identify potential impermissible uses and disclosures of PHI and security vulnerabilities, and developing procedures for notifying individuals and HHS’ Office for Civil Rights in the event of a data breach.

For homeworkers that maintain PHI in the home office – in any media or format – the requirements for a HIPAA compliant home office may include installing a safe or lockable file cabinet to keep paper records and data backups, developing a continuity of operations plan, and ensuring all devices used to store electronic PHI – including mobile devices – are PIN-locked and have automatic logoff activated to prevent unauthorized access to PHI.

What are the Unique Threats of Home Working?

Home working expands the cyberattack surface, and while cyberattacks are not unique to home working, home offices can be more vulnerable to an attack due to a lack of advanced security defenses and – when a home office is a remote office – less oversight by corporate security teams. In addition to the increased level of vulnerability, there will likely be less support to help home workers respond to and recover from a successful attack.

Other than the cybersecurity threats, home workers may be subject to distractions (children, pets, visitors, etc.) which can result in paper records or electronic devices being left unattended. There may also be times when they forget to lock away paper records and data backups, forget to keep device screens directed away from people who might see what is on them, or carelessly make a comment that constitutes an impermissible disclosure of PHI.

In many cases, one of the most important unique threats of home working is the ease with which it is possible to develop non-compliant practices “to get the job done”. The non-compliant practices can range from failing to provide a patient with a Notice of Privacy Practices, to installing software without the capabilities to support HIPAA compliance, to failing to enter into a Business Associate Agreement before storing PHI in a cloud storage service.

Conclusion: Ensure Your Home Office is HIPAA Compliant

No matter how you use your home office, if the function you perform or the service you provide involves the creation, receipt, storage, or transmission of PHI, you have to have a HIPAA compliant home office. If you fail to ensure your home office is HIPAA compliant, it is more likely you will be the victim of a cyberattack or other HIPAA violation for which the financial penalties can be substantial.

If you are unsure of the home office compliance requirements – either as an individual or an employer with a remote working team – it is recommended you review our HIPAA compliance checklist to better understand which provisions of HIPAA may be applicable. Alternatively, it is advisable to seek professional compliance advice about which standards of HIPAA you are required to comply with and how best to comply with them.

The post What is a HIPAA Compliant Home Office? appeared first on HIPAA Journal.

How to Secure Healthcare Data

HIPAA-regulated entities must ensure that protected health information (PHI) is safeguarded against unauthorized access, but many covered entities and business associates do not know how to secure healthcare data properly and leave sensitive information exposed.

The HIPAA Security Rule

The HIPAA Security Rule established national standards to protect individuals’ electronic personal health information (ePHI) that is created, received, used, or maintained by HIPAA-covered entities and their business associates. The Security Rule requires appropriate administrative, physical, and technical safeguards to be implemented to ensure the confidentiality, integrity, and availability of ePHI. All regulated entities must assess security risks throughout their organization and implement a range of different safeguards to protect against unauthorized ePHI access, and ensure all risks are reduced to a low and acceptable level.

How to Protect Healthcare Data and Comply with HIPAA

The HIPAA Security Rule was developed to be flexible to ensure that it applies to covered entities of all types and sizes and includes required implementation specifications that must be implemented by all regulated entities, and addressable implementation specifications, which require an assessment to determine if the specification is reasonable and appropriate. If not, the Security Rule permits an alternative mechanism to be implemented to meet the standard addressed by that specification.

Administrative Safeguards

Administrative safeguards under HIPAA are defined as “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s or business associate’s workforce in relation to the protection of that information.”

Administrative safeguards include security management processes to prevent, detect, contain, and correct security violations. These include a comprehensive, organization-wide risk analysis to identify all risks and vulnerabilities to ePHI, risk management processes to reduce risks and vulnerabilities to a low and acceptable level, a sanctions policy, and information system activity reviews.

Staff members must be assigned responsibility for security, policies and procedures must be implemented to ensure workforce security, and a security awareness and training program is required for all members of the workforce. Administrative safeguards also include authorization, supervision, information access management, and contingency planning.

Physical Safeguards

HIPAA defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s or business associate’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”

Physical safeguards include facility access controls to restrict access to physical PHI and electronic systems where ePHI is stored, contingency operations, facility security plans, access controls and validation procedures, and maintenance records.

Physical safeguards are required for workstation use and workstation security, with policies and procedures implemented to ensure that job functions can be performed in a secure way, prevent inappropriate use of computers, and restrict access to authorized users. Device and media controls should be implemented that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of the devices within the facility.

Technical Safeguards

HIPAA defines technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” Technical safeguards include hardware, software, and other technology that protects and limits access to ePHI through access controls, audit controls, integrity controls, authentication, and transmission security.

Access controls are required to restrict access to ePHI to authorized individuals only, audit controls are necessary for monitoring activity on systems containing ePHI, integrity controls prevent the improper alteration or destruction of ePHI, and transmission security ensures that ePHI is protected when it is transmitted over an electronic network.

The HIPAA Security Rule does not specify the specific technologies that should be used to secure healthcare data and restrict access. HIPAA-regulated entities have the flexibility to implement security measures to comply with each standard and achieve its objectives. The HHS Security Series provides guidance on the administrative safeguards, physical safeguards, and the technical safeguards of the HIPAA Security Rule.

The Insider Threat Problem in Healthcare

Security Rule compliance requires ePHI to be safeguarded to ensure the confidentiality, integrity, and availability of ePHI, and many of the implementation specifications are concerned with preventing access to ePHI by unauthorized third parties; however, threats can originate from within an organization. Employees, contractors, interns, and other staff members can be just as dangerous as outside actors; in fact, some of the most damaging incidents have been caused by insiders.

According to Verizon’s Data Breach Investigations Report (DBIR), insider incidents are on the rise. For several years, healthcare was the only industry where insiders caused more breaches than external actors. While the situation is improving, the 2023 DBIR indicates 35% of healthcare data breaches were caused by insiders.

Insider threats take many forms and include careless and negligent workers, where there is no conscious decision to act inappropriately. Disgruntled employees pose a significant threat and perform deliberate actions to cause harm to their organization. Malicious insiders abuse their privileges for personal or financial gain, and threat actors often recruit or coerce individuals into stealing data or performing other actions such as installing malware. Insider threats are one of the biggest security challenges to address in healthcare. Insiders usually have legitimate access to ePHI and knowledge of internal systems and data locations, and their actions can be difficult to identify as cybersecurity solutions such as intrusion detection systems are primarily focused on detecting and blocking external threats.

Securing healthcare data against insider threats and detecting insider threats promptly requires a combination of measures including security policies, screening of new hires, user activity monitoring, logging, auditing, incident detection and response, user and entity behavior analytics, and employee education. Malicious insider threats are far less common than negligent and careless employees, which often cause the most harm. Accidental data leaks and employee errors are by far the largest risk and cause the most data breaches. Oftentimes, these incidents are the result of unclear security policies, employees’ lack of awareness of policies, and a failure to provide security awareness training. Improving education is vital in combating these incidents. Security policies should be easy to understand, security awareness training should be provided regularly, and employees must be made aware of the HIPAA Rules and the sanctions policy for violations.

Risk can be reduced through administrative safeguards, such as ensuring employees have appropriate access rights to ePHI and systems containing ePHI. Audits should be performed of access rights to check who has access to data and systems, and to ensure that the rights are appropriate. Detecting incidents quickly is vital. One of the reasons why insider breaches are so harmful is they often go undetected for long periods. Having the right software in place is critical in this regard.

For instance, Safetica offers a software solution for healthcare organizations that can help with the discovery of ePHI, restrict whether data can be shared with third parties, control and monitor employee access to ePHI, and rapidly detect unauthorized access and employee errors that may expose ePHI, providing insider threat and data leak protection. Safetica can limit file operations with personal information and ePHI, such as uploading, copying, printing, and even taking screenshots, all of which feature in the list of common HIPAA violations. Without systems in place to manage ePHI, unauthorised access to medical records can persist for years without detection. According to Safetica CTO Zbyněk Sopuch, “One of the key use cases of utilising data loss prevention tools like Safetica in healthcare settings is to ensure that access to sensitive ePHI is given only to the right personnel by monitoring and controlling the flow of data, preventing unauthorised access while safeguarding sensitive information and staying in compliance with HIPAA regulations.” Systems like Safetica provide immediate alerts for data security incidents. Real-time alerts have been found to reduce repeat offences by staff by 95%.

Securing healthcare data is complex and involves implementing robust encryption protocols, strict access controls, regular security audits, up-to-date software patching, comprehensive staff training in data handling and privacy regulations, utilizing strong authentication methods, employing intrusion detection systems, and maintaining physical security measures to prevent unauthorized access or breaches and ensure the confidentiality, integrity, and availability of sensitive patient information.


The post How to Secure Healthcare Data appeared first on HIPAA Journal.

What Information Can Hospitals Give Over the Phone?

What information hospitals can give over the phone depends on the purpose of the phone call, the recipient of the information, and any restrictions or authorizations in force at the time. The phone system being used can also impact what information hospitals can give over the phone.

The most common reasons for asking the question what information can hospitals give over the phone are:

  • Healthcare providers want to make sure they comply with HIPAA,
  • Patients want to know if their privacy rights have been violated, or
  • Families want the maximum information possible about a loved one.

Unfortunately, there is no A, B, and C answer to the question what information can hospitals give over the phone because patients have the right to restrict some or all disclosures and restrict who information is shared with. Additionally, patients have the right to authorize disclosures beyond those permitted by the Privacy Rule to individuals who enquire about the patient’s health.

Therefore, although §164.510 of the Privacy Rule permits hospitals to disclose directory information to individuals who enquire about a patient by name, there are many scenarios in which a request for information could be denied (including because a healthcare provider believes the disclosure is not in the patient’s best interest) or in which it is possible to disclose more than directory information.

What is Directory Information?

Directory information – in the context of what information can hospitals give over the phone – consists of the name of the patient, the location of the patient in the healthcare facility, the patient’s religious affiliation, and the patient’s condition described in general terms that do not communicate specific medical information about the individual.

Hospitals cannot provide any information over the phone about a patient’s past medical history if it is unrelated to the current medical condition, but can discuss treatment plans, drugs, and therapies with a caregiver over the phone provided the identity of the caregiver is verified. Note: some hospitals may require identity verification for any individual enquiring about a patient’s condition even though this is not required by HIPAA.

The Right to Restrict or Authorize Information

The right to restrict what information hospitals can give over the phone not only appears in §164.510 of the Privacy Rule. §164.522 gives patients the right to request privacy protections for PHI; and, although hospitals do not have to agree to most requests, the failure to agree to justifiable requests for privacy protections could result in a complaint to HHS’ Office for Civil Rights.

With regards to patient authorizations, in most cases authorizations are initiated by a covered entity to facilitate a use or disclosure of PHI not permitted by the Privacy Rule. However, there is nothing in the Privacy Rule that prevents a patient authorizing the disclosure of PHI to friends or family members over the phone – although hospitals need to be conscious of the fact that a patient also has the right to revoke an authorization at any time.

What Information Can Hospitals Give Over the Phone for TPO Purposes?

Hospitals can make disclosures of PHI over the phone for treatment, payment, and healthcare operations (TPO). However, how much PHI can be disclosed in a phone call depends on the purpose of the phone call. For example, there are no limitations on what information can be provided to a healthcare provider for the treatment of a patient; but, if the phone call is to a health plan to request authorization for the treatment, the minimum necessary standard applies.

It is also the case that restrictions and authorizations can apply to what information hospitals can give over the phone for TPO purposes. For example, a healthcare provider cannot refuse a request from a patient to restrict PHI disclosures to a health plan if the disclosures relate to a healthcare service the patient (or somebody on behalf of the patient) has paid for privately.

Why the Phone System being Used Might also Matter

Phone calls made by hospitals are either made over a Public Switched Telephone Network (PSTN) or over a Voice over Internet Protocol (VoIP) system. If using a VoIP system, it is necessary for a Business Associate Agreement to be in place with the software vendor before PHI is disclosed in a phone call. The same requirement does not apply to PSTN phone services.

If a hospital has deployed a VoIP system, and a Business Associate Agreement is not in place with the vendor of a VoIP system, the hospital is not allowed to disclose PHI over the phone. Note: some healthcare telephone communications are possible with patients under the FCC’s TCPA Omnibus Declaratory Ruling and Order unless a patient has rescinded their consent to be contacted by phone.

Conclusion: Why it is Important to Know What Information Hospitals Can Give over the Phone

The reasons it is important to know what information hospitals can give over the phone are the same as the reasons for asking the question what information can hospitals give over the phone:

  • Healthcare providers want to make sure they comply with HIPAA,
  • Patients want to know if their privacy rights have been violated, and
  • Families want the maximum information possible about a loved one.

The failure to comply with HIPAA, a violation of a patient’s privacy rights, or refusing to give families information that a patient has authorized can result in complaints to HHS’ Office for Civil Rights and a potential compliance investigation. To mitigate the risk of an investigation and the disruption this will cause, hospitals should develop policies and procedures for giving information over the phone.

The post What Information Can Hospitals Give Over the Phone? appeared first on HIPAA Journal.

Is Telling a Story about a Patient a HIPAA Violation?

When determining if telling a story about a patient is a HIPAA violation, it is necessary to take into account who is telling the story, why the story is being told, and what information about the patient is revealed in the story.

One of the objectives of the Privacy Rule is to protect patient privacy. The Privacy Rule tries to achieve this objective by stipulating which uses and disclosures of Protected Health Information (PHI) are permissible, which a patient should be given an opportunity to object to, and which require an authorization from the patient or their personal representative.

However, the Privacy Rule does not apply to everybody. If a healthcare provider is not a covered entity, a member of a covered entity’s workforce, or a member of a business associate’s workforce, telling a story about a patient is not a HIPAA violation – even if health information about the patient is disclosed because HIPAA does not apply to the healthcare provider.

Additionally, if an employee of a contractor for whom no Business Associate Agreement is necessary (i.e., a member of an agency’s environmental services team) reveals that they saw a famous person entering a healthcare facility for treatment, telling the story about the patient is not a HIPAA violation because the employee is not required to comply with the Privacy Rule.

Even when a healthcare provider or workforce member is required to comply with the Privacy Rule, there are still many circumstances when telling a story about a patient is not a HIPAA violation. This article explains some of the circumstances in which telling a story about a patient is not a HIPAA violation, but other circumstances may apply depending on the nature of the healthcare provider’s activities.

Why the Story is Being Told Matters

If a story about a patient is being told for a permissible use of PHI, the telling of the story is not a HIPAA violation. However, for some permissible uses of PHI, the minimum necessary standard applies; whereas, in other permissible uses, there is no limit on the amount of PHI that can be disclosed. For example:

  • If a story about how a patient sustained their injuries is being told by a healthcare provider to a health plan in order to obtain an authorization for treatment, the minimum necessary standard applies even if both the healthcare provider and the health plan are covered entities under HIPAA.
  • If a story about how a patient sustained their injuries is being told by a healthcare provider to another healthcare provider in order to provide treatment to the patient, the minimum necessary standard does not apply even if the two healthcare providers work for different covered entities.

Even for the same permissible use there can be times when telling a story about a patient is a HIPAA violation and times when it is not. For example, if a healthcare facility runs a training course for nursing students, trainees, or practitioners, PHI can be disclosed permissibly as the training course is covered under “health care operations”.

If more than the minimum necessary PHI is disclosed in the training course it is a violation of HIPAA, unless the patient has authorized the healthcare facility to disclose more than the minimum necessary to add context to the training – in which case it is not. Consequently, it is often difficult to determine whether telling a story about a patient is a HIPAA violation without knowing the full facts.

Why What Information is Revealed Matters

In answer to the question, is telling a story about a patient a HIPAA violation if no PHI is revealed, most people would say “no”. However, if the events of the story could be used to identify the patient, and the story is not being told for a permissible use of PHI, this answer is incorrect. To find out why, you have to review the definition of “individually identifiable health information” in §160.103 of the HIPAA General Rules. The [abridged] definition states:

Individually Identifiable Health Information is health information created or received by a health care provider, health plan, employer, or health care clearinghouse [that] relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual

(i) That identifies the individual; or

(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Therefore, if a healthcare provider told a story about a patient which contained no specific individually identifiable health information, the telling of the story could still be a HIPAA violation if the events related in the story could be used to identify a patient. Even if the story is embellished to make it an untruthful anecdote, the disclosure of PHI could be considered an impermissible use and a notifiable breach if the subject of the story can still be identified as a patient.

Conclusion: Is Telling a Story about a Patient a HIPAA Violation or Not?

There is no straightforward answer to the question, is telling a story about a patient a HIPAA violation or not because of the number of circumstances in which telling a story is not a HIPAA violation, and because of the issue of whether any information revealed in a story might be used to identify the individual. Additionally, as has been shown above, it can be difficult to ascertain whether a violation has occurred without knowing the full facts.

One scenario that has not yet been discussed is when a patient requests restrictions on the uses and disclosures of their PHI as they are allowed to do under §164.522 of the Privacy Rule. If a patient has exercised their right to request privacy protections, the only time it is possible to talk about the patient without violating HIPAA is when the nature of the discussion is an exempted use such as when PHI is required for emergency treatment or a disclosure is required by law.

Although the distinction between what constitutes a HIPAA violation and what doesn’t may be clear to a trained workforce of compliant healthcare professionals with knowledge of restrictions and authorizations, the distinction may not be clear to the subject of the story or to anybody else who hears it and knows the identity of the patient – potentially resulting in complaints to HHS’ Office for Civil Rights for alleged impermissible disclosures of PHI and violations of HIPAA.

Although in some circumstances the complaints will be unjustified, if HHS’ Office for Civil Rights decides to investigate a complaint, the investigation can be disruptive. Therefore, it is often best to prohibit the telling of stories about patients for any unnecessary reasons. This prohibition should be notified to members of the workforce during HIPAA training, along with the reasons why any storytelling about a patient could be – or could be perceived to be – a HIPAA violation.

Is Telling a Story about a Patient a HIPAA Violation FAQs

Does talking about a patient violate HIPAA?

Talking about a patient violates HIPAA if there is no permissible reason for the patient to be discussed and, during the discussion, information about the patient is disclosed that could be used to identify the individual. When there is a permissible reason for talking about a patient, the amount of PHI disclosed must be kept to the minimum necessary unless the reason for talking about the patient is exempted from the minimum necessary standard or the patient has authorized the disclosure.

Can you talk about a patient without saying their name?

You can talk about a patient without saying their name unless any information disclosed in the conversation could be used to identify the individual. This would be a violation of HIPAA unless the reason for talking about a patient is a permissible disclosure – in which case it would not matter whether the patient’s name was mentioned or not.

Is it a HIPAA violation to talk about a patient without identifiers?

It can be a HIPAA violation to talk about a patient without identifiers if the nature of the discussion would be impermissible under the Privacy Rule and the information disclosed in the discussion could be used to identify the individual. With regards to this question, it is important to be aware that the so-called “18 HIPAA identifiers” are not what constitute PHI. Any information that could be used to identify an individual that is maintained in the same designated record set as their health information assumes Protected Health Information status.

How can you talk about a patient without violating HIPAA?

You can talk about a patient without violating HIPAA if you talk about the patient for a permissible reason. However, when you talk about a patient for a permissible reason, you also have to be aware of whether the minimum necessary standard applies and whether a patient has requested the disclosure of their health information is restricted.

Can doctors talk about patients without using names?

Theoretically, doctors can talk about patients without using names. However, if the doctor is a covered entity or a member of a covered entity’s workforce, and the information disclosed in the conversation could be used to identify the patient, talking about patients without using their names is still a violation of HIPAA.

Can a doctor discuss a patient with a family member?

A doctor can discuss a patient with a family member provided that – wherever possible – the patient has been given the opportunity to object and the identity of the family member is verified. In most circumstances, the doctor is only allowed to disclose the minimum necessary PHI to the family member unless the patient has given their authorization for a more comprehensive disclosure.

Is saying a patient name a HIPAA violation?

Saying a patient name can be a HIPAA violation depending on who is saying the patient name, who the patient name is being said to, and the reason for saying the patient name. In most circumstances, saying a patient’s name by itself is not a HIPAA violation when the name does not relate to the patient’s health condition, treatment for the condition, or payment for the treatment. However, there are some circumstances in which saying a patient name is a HIPAA violation. For example:

Nurse 1: “Who is that in bed 4 with the broken leg?”

Nurse 2: “That is Mr. Jones”.

The post Is Telling a Story about a Patient a HIPAA Violation? appeared first on HIPAA Journal.

What is the HHS OIG Exclusions List?

The HHS OIG Exclusions List is a database of individuals and organizations that are prohibited from participating in federal health care programs. Healthcare providers participating in federal health care programs are advised to regularly check the HHS OIG Exclusions List to avoid penalties for non-compliance with §1128 of the Social Security Act. This article answers the following:

  • What is the HHS Office of Inspector General?
  • What is the HHS OIG Exclusions List?
  • How is the OIG Exclusions List populated?
  • Why check the OIG list for exclusions?
  • What are the penalties for engaging excluded entities?
  • How can providers mitigate the risk of a penalty?
  • What other lists should be checked for exclusions?
  • Conclusion: The importance of regularly checking for exclusions

What is the HHS Office of Inspector General?

The HHS Office of Inspector General (OIG) is a team of investigators, auditors, analysts, attorneys and cybersecurity specialists within the Department of Health and Human Services (HHS). The team’s roles are to investigate and audit the Department’s operations to prevent fraud, waste, and abuse within the Department, and also to audit and investigate potential crimes against the Department.

HHS was one of the first Departments to have an Office of Inspector General in 1976 due to billions of dollars being lost each year to Medicaid fraud. At the time there was a ten-year backlog of uninvestigated cases, so Congress passed Public Law 94-505 to create an independent unit with adequate resources to clear the backlog and implement measures to detect future fraud and abuse.

Subsequent Acts of Congress increased the OIG’s regulatory authority to prevent crimes against the Department. The False Claims Amendment Act in 1986 lowered the bar for proof of fraud and increased the fines the OIG could impose, while the Health Insurance Portability and Accountability Act (HIPAA) in 1996 established the Health Care Fraud and Abuse Control (HCFAC) Program.

HCFAC gave HHS’ OIG the resources to enforce §1128 of the Social Security Act. This section relates to the “Exclusion of Certain Individuals and Entities from Participation in Medicare and State Health Care Programs”, which – although effective since the passage of the Medicare-Medicaid Anti-Fraud and Abuse Amendments in 1977 – had never been properly enforced due to a lack of resources.

What is the HHS OIG Exclusions List?

The HHS OIG Exclusions List is the name given to the list of individuals and organizations excluded from participating in federal health care programs under section 1128 (and subsequently section 1156) of the Social Security Act. The list now covers more than just Medicare and State Health Care Programs, and includes programs such as CHIP, TRICARE, and Veterans Affairs.

Also known as the OIG’s List of Excluded Individuals and Entities (LEIE), the HHS OIG Exclusions List contains details such as the excluded individual’s or organization’s address, National Provider Number, Unique Physician Identification Number, date of birth, job description, the date of exclusion, and the reason for exclusion – referring to the relevant clause of §1182 of the Social Security Act.

There are a number of reasons why an individual or organization may be included on the HHS OIG Exclusions List. Some of these reasons attract a mandatory exclusion (i.e., required by law). Others are known as “permissive exclusions”, which are discretionary and which – in most cases – give individuals or organizations 30 days’ advance notice to appeal against inclusion on the list.

Examples of Mandatory OIG Exclusions (Exclusion Period)

  • Medicare or Medicaid fraud – Minimum 5 years
  • Patient abuse or neglect – Minimum 5 years
  • Other healthcare-related theft, fraud, or financial misconduct – Minimum 5 years
  • Unlawfully manufacturing, distributing, prescribing, or dispensing a controlled substance – Minimum 5 years
  • Second mandatory exclusion offense – Minimum 10 years
  • Third mandatory exclusion offense – Permanent exclusion

Examples of Permissive OIG Exclusions (Exclusion Period)

  • Fraud in non-health care programs – Baseline 3 years
  • Obstruction of an investigation or audit – Baseline 3 years
  • License revocation or suspension – Same as state licensing authority
  • Kickbacks and other prohibited activities – No minimum
  • Default on health education loan or scholarship obligations – Until default or obligation has been resolved
  • Failure to provide medically necessary services meeting professionally recognized standards – Minimum 1 year

What the LEIE list does not show is the length of exclusion (most exclusions are not permanent). If an individual or organization does not request that their name be removed from the list once the period of exclusion is finished, it will remain on the HHS OIG Exclusions List indefinitely – potentially complicating searches when multiple entries exist for individuals with identical names.

How is the HHS OIG Exclusions List Populated?

The OIG Exclusions List is populated from several sources. Most mandatory exclusions on the LEIE list originate from enforcement actions taken by the HHS OIG or DOJ which result in a felony conviction. Enforcement actions taken by the HHS OIG and other federal agencies which result in misdemeanor convictions usually appear as permissive exclusions. These do not have a right of appeal.

In addition to HHS OIG enforcement actions, Medicare Fraud Control Units (MFCUs) operate in every state and territory. MFCUs have the authority to investigate and prosecute Medicaid provider fraud and patient abuse or neglect; and, when MFCU prosecutions result in a conviction, the individuals or organizations responsible for the fraud, abuse, or neglect are added to the HHS OIG Exclusions List.

Additionally, every state and territory has its own Office of Inspector General (or equivalent), its own laws regarding exclusions, and its own exclusion database. In some states, an exclusion at the federal level automatically triggers a state-level exclusion, but this does not always work in reverse because an event that constitutes a state violation may not constitute a federal violation.

Other excludable events can be reported to HHS OIG by healthcare providers, licensing authorities, and law enforcement agencies. However, these events can take some time to be added to the LEIE list because of factors such as the right of appeal. In some cases, exclusions reported to HHS OIG from these sources can take up to two years to appear on the HHS OIG Exclusions List.

Why Check the OIG List for Exclusions?

The reason healthcare providers are advised to check the OIG list for exclusions is that §1128A of the Social Security Act prohibits individuals and organizations that appear on the OIG Exclusions List from providing goods or services to providers that participate in federal health care programs. Excluded individuals are also prohibited from working for a participating healthcare provider in any capacity.

Healthcare providers that acquire goods or services from an excluded supplier – including prescribed medical items – will not only have their claims rejected by the federal health care program (which means they will have to absorb the cost themselves), but may also be subject to a civil monetary penalty, damages (described in the next section), and inclusion on the OIG LEIE list themselves!

With regards to excluded individuals, the prohibitions do not only apply to individuals working in a medical capacity (including volunteers). If a participating healthcare provider employs an excluded individual in an administrative or environmental role – or subcontracts an excluded individual via an agency – this also qualifies as a violation of §1128 of the Social Security Act.

Importantly, pleading ignorance of an organization’s or an individual’s exclusion is no defense against a penalty for engaging – or engaging with – an excluded entity. The HHS OIG Exclusions List has been online and well-publicized since 1999, and the penalty clauses of §1128A of the Social Security Act apply to persons “who knew or who should have known” they were engaging an excluded entity.

What are the Penalties for Engaging an Excluded Entity?

The penalties for engaging an excluded entity or engaging with an excluded entity (for example, acquiring goods or services from an excluded supplier) are listed in §1128A of the Social Security Act. Last updated by the Bipartisan Budget Act of 2018 (and therefore likely to change in the near future), the current penalties for engaging – or engaging with – an excluded individual are:

  • A civil monetary penalty of up to $20,000 for each item or service claimed, per violation occasion.
  • Assessed damages of up to three times the amount claimed for each item or service (no limit).
  • Potential addition to state and HHS OIG Exclusion Lists depending on the nature of the violation(s).

The penalties for engaging – or engaging with – an excluded entity can be significant if a relationship with an excluded entity continues for many years. For example, in 2022, a Connecticut psychiatric practice entered into a settlement agreement of $310,874 for employing an excluded individual as its clinical director for five years and using federal reimbursement to pay the individual’s salary.

More recently, in June 2023, the Chinese American Planning Council Home Attendant Program in New York entered into a settlement agreement of $866,339 with HHS OIG for employing a personal assistant who was excluded from participation in the New York Medicaid program. HHS OIG alleged that the organization had billed New York Medicaid for services furnished by the personal assistant.

How can Providers Mitigate the Risk of a Penalty?

Providers can mitigate the risk of a penalty by frequently checking exclusion lists for individuals and organizations prohibited from providing goods and services to healthcare providers. HHS OIG recommends “providers should check the LEIE prior to employing or contracting with persons and periodically check the LEIE to determine the exclusion status of current employees and contractors”.

As well as checking the exclusion status of prospective and existing employees and contractors, it is important healthcare providers develop policies relating to the frequency of screening existing employees and contractors, the responsibility for screening, and which databases to check. These policies must be documented along with the results of database checks and positive identifications.

Any excluded individuals or organizations identified in a database check that are already employed by, or providing goods and services to, the healthcare provider should be reported to HHS OIG via the Health Care Fraud Self-Disclosure Protocol in order to mitigate the risk of a penalty. Naturally, if a prospective employee or contractor (or a member of a contractor’s workforce) matches an entry on an exclusion database, the prospective employee or contractor should not be engaged.

The challenge with mitigating the risk of a penalty is that the HHS OIG Exclusions List is not the only database healthcare providers should be checking. Depending on a provider’s location and the nature of their operations, it may be necessary to check multiple state and federal databases to identify individuals and organizations excluded from providing goods and services.
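A screening routine of the kind this section describes, added here as an illustration and not HHS OIG’s own tool: it checks a roster of staff and vendors against an LEIE-style extract, uses the NPI or date of birth to separate people who share a name (the problem noted above with stale entries), flags name-only and business-name matches for manual review rather than deciding them automatically, and produces the documented record the policy calls for. The column names, the extract and the roster are all constructed for the example; the real LEIE download defines its own layout.

```python
"""Exclusion screening against an LEIE-style extract (illustrative example).

Not HHS OIG's tool: the column names and every record below are constructed
for this example; the real LEIE download defines its own layout.
"""
import csv
import io
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed extract. Two excluded individuals share a name, which is why
# name-only matching is not enough and stale entries complicate searches.
SAMPLE_LEIE_CSV = """LASTNAME,FIRSTNAME,BUSNAME,NPI,UPIN,DOB,EXCLTYPE,EXCLDATE
JONES,MARY,,1234567893,,19700101,1128a1,20190315
JONES,MARY,,,,19820630,1128b4,20140201
SMITH,ROBERT,,,A12345,19650912,1128a2,20200710
,,ACME HOME CARE LLC,,,,1128b7,20210505
"""

# Constructed roster of prospective and current staff and vendors to screen.
SAMPLE_ROSTER = [
    {"first": "Mary", "last": "Jones", "npi": "1234567893", "dob": "1970-01-01"},
    {"first": "Mary", "last": "Jones", "dob": "1975-05-05"},   # namesake, different DOB
    {"first": "Mary", "last": "Jones"},                        # namesake, no DOB on file
    {"first": "Robert", "last": "Smith", "dob": "1965-09-12"},
    {"business": "Acme Home Care, LLC"},
    {"first": "Jane", "last": "Doe", "dob": "1990-02-02"},
]

def normalize(value: str) -> str:
    """Upper-case, drop punctuation, collapse spaces: 'Acme Home Care, LLC' -> 'ACME HOME CARE LLC'."""
    return " ".join(re.sub(r"[^A-Z0-9 ]", "", (value or "").upper()).split())

def normalize_dob(value: str) -> str:
    """Keep digits only, so '1970-01-01' compares equal to the extract's '19700101'."""
    return re.sub(r"\D", "", value or "")

def load_leie(text: str) -> list:
    """Parse the CSV extract into dicts with whitespace-trimmed fields."""
    return [{k: (v or "").strip() for k, v in row.items()} for row in csv.DictReader(io.StringIO(text))]

@dataclass
class ScreeningResult:
    subject: str
    status: str      # "clear", "possible" (manual review needed) or "confirmed"
    basis: str       # which fields produced the match
    matches: list = field(default_factory=list)

def screen_one(subject: dict, leie: list) -> ScreeningResult:
    """Screen one person or business. NPI or name+DOB confirms a match; a shared
    name with a different DOB is a different person; a shared name with no DOB
    to compare (or a business-name match) is only 'possible' and needs a human."""
    business = subject.get("business", "")
    label = business or f"{subject.get('first', '')} {subject.get('last', '')}".strip()
    npi, dob = (subject.get("npi") or "").strip(), normalize_dob(subject.get("dob", ""))
    confirmed, possible = [], []
    for row in leie:
        if npi and row["NPI"] == npi:                 # strongest identifier available
            confirmed.append((row, "NPI"))
            continue
        if business:
            if normalize(row["BUSNAME"]) == normalize(business):
                possible.append((row, "business name"))   # verify address etc. by hand
            continue
        same_name = (normalize(row["LASTNAME"]) == normalize(subject.get("last", ""))
                     and normalize(row["FIRSTNAME"]) == normalize(subject.get("first", "")))
        if not same_name:
            continue
        if dob and row["DOB"]:
            if row["DOB"] == dob:
                confirmed.append((row, "name + DOB"))
            # else: same name, different DOB, so not this person
        else:
            possible.append((row, "name only"))
    for status, hits in (("confirmed", confirmed), ("possible", possible)):
        if hits:
            return ScreeningResult(label, status, ", ".join(sorted({b for _, b in hits})), [r for r, _ in hits])
    return ScreeningResult(label, "clear", "no match")

def screen_roster(roster: list, leie: list) -> list:
    return [screen_one(subject, leie) for subject in roster]

def audit_record(results: list, list_source: str, checked_at: str = None) -> dict:
    """The documentation the policy calls for: when, against which list, and each outcome."""
    counts = {"clear": 0, "possible": 0, "confirmed": 0}
    for r in results:
        counts[r.status] += 1
    return {
        "checked_at": checked_at or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "list_source": list_source,
        "counts": counts,
        "needs_action": [f"{r.subject} ({r.status})" for r in results if r.status != "clear"],
        "results": [{"subject": r.subject, "status": r.status, "basis": r.basis,
                     "exclusion_types": [m["EXCLTYPE"] for m in r.matches]} for r in results],
    }
```

Running `audit_record(screen_roster(SAMPLE_ROSTER, load_leie(SAMPLE_LEIE_CSV)), "LEIE extract")` yields two confirmed matches, two possible matches for a human to resolve, and two clear results, with the exclusion type codes of each matching entry preserved for the record.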

What Other Lists should be Checked for Exclusions?

Other federal lists healthcare providers may need to check for exclusions – depending on the nature of their operations – include (but are not limited to) the Medicare Exclusion Database, the GSA’s System for Award Management database, and the National Practitioner Data Bank. It is also advisable to check local state exclusion lists for location-specific exclusions.

The Medicare Exclusion Database (MED)

The Medicare Exclusion Database includes data about individuals and entities that have been precluded from billing Medicare due to being assessed a penalty, owing an outstanding debt, or being subject to a Medicare payment suspension for (for example) fraudulent billing, overcharging, providing substandard care, or non-compliance with CMS rules and regulations.

An entity that appears on CMS’ Medicare Exclusion Database might not appear on the HHS OIG Exclusions List depending on the reason for being excluded. Therefore, although engaging – or engaging with – an entity that only appears on the Medicare Exclusion Database will not attract a penalty, it could mean a healthcare provider will not get paid for services billed to Medicare.

The System for Award Management (SAM) Database

The General Services Administration’s (GSA) System for Award Management (SAM) database is a procurement repository that healthcare providers can use to determine the eligibility of individuals and entities to participate in federal programs. The database not only includes contractors approved to do business with the federal government, but also contractors excluded from federal programs.

Excluded contractors that appear on the SAM database would have previously appeared in the Excluded Parties List System (EPLS). However, this system was integrated into the SAM database – effectively making it easier to search a single database. Like the MED database, inclusion on the SAM database does not guarantee an excluded entity will appear on the HHS OIG Exclusions List.

The National Practitioner Data Bank (NPDB)

The National Practitioner Data Bank is an information clearinghouse that lists adverse actions taken by licensing agencies against health care practitioners and health care entities, adverse privileging actions, and any negative actions or findings taken against health care practitioners or entities by Quality Improvement Organizations and Private Accreditation Organizations.

In 2013, the NPDB was merged with the Healthcare Integrity and Protection Data Bank (HIPDB), which was created by HIPAA to provide information on adverse licensing and certification actions, healthcare-related criminal convictions, civil judgments, exclusions from Federal or State health care programs, and other decisions. This information is now available via the NPDB.

Conclusion: The Importance of Regularly Checking for Exclusions

While most healthcare providers will be aware of the HHS OIG Exclusions List, and likely check it before employing new hires or entering into contracts with new vendors, it is important to continue regularly checking the database because exclusions that originate from outside the Office of Inspector General or an MFCU can take up to two years to appear on the HHS OIG Exclusions List.

Furthermore, as well as checking the LEIE list and any other lists relevant to their activities, healthcare providers should develop policies for the frequency of screening, and procedures for when a database check results in a positive match. The policies, checks, and any self-disclosure reports should be documented to mitigate the risk of a penalty for non-compliance.

Indeed, the penalties for engaging – or engaging with – an excluded individual or organization can be significant if checks are not performed and a relationship with an excluded individual is allowed to continue. Six-figure civil monetary penalties are not uncommon and healthcare providers also run the risk of themselves being added to the HHS OIG Exclusions List.

Therefore, the importance of frequently checking for exclusions cannot be overstated. Although not mandatory (except for State Medicaid agencies), the “should have known” clause in §1128A of the Social Security Act means there is no justifiable defense for healthcare providers that fail to check all applicable databases. If any healthcare provider is unsure of its exclusion responsibilities under §1128 of the Social Security Act, it is recommended to seek professional compliance advice.


What is HIPAA Enforcement Discretion?

HIPAA enforcement discretion occurs when the Secretary for Health and Human Services (HHS) announces the Department will exercise discretion in the enforcement of HIPAA Rules. The discretion can be temporary or permanent, region-specific or nationwide, or apply to some Rules but not others. Recent examples of when HIPAA enforcement discretion has been announced include:

  • 2023 – Typhoon Mawar in Guam
  • 2022 – Hurricane Ian in Florida and South Carolina
  • 2022 – Kentucky Flooding Public Emergency
  • 2021 – Texas Winter Storms Emergency
  • 2021 – The HIPAA “Safe Harbor” Law
  • 2020 – Wildfires in California and Oregon
  • 2020 to 2023 – The COVID-19 Pandemic
  • 2020 – Puerto Rico Earthquakes
  • 2019 – Hurricane Dorian (Multiple States)
  • 2018 – Hurricane Michael in Florida and Georgia

Most HIPAA Enforcement Discretion is Temporary and Region Specific

Under §1135 of the Social Security Act, the HHS Secretary has the authority to issue a Notice of Enforcement Discretion if the President declares an emergency or disaster and the Secretary declares the event a public health emergency. Typically, Notices of Enforcement Discretion last between 72 hours and 60 days, are state or region-specific and apply to specific provisions of the HIPAA Rules.

The Secretary can waive requirements or announce enforcement discretion in many different areas of healthcare. For example, the Secretary can waive the requirements for out-of-state healthcare professionals to be licensed before being allowed to practice, or exercise discretion when investigating violations of the physician self-referral law (§1877 of the Social Security Act).

In the context of HIPAA enforcement discretion, the Secretary can waive sanctions and penalties that result from non-compliance with the following standards of the Privacy Rule:

  • 164.510 – Uses and disclosures of Protected Health Information requiring an opportunity for the individual to agree or object.
  • 164.520 – The requirement to distribute a HIPAA Notice of Privacy Practices and obtain acknowledgment of receipt.
  • 164.522 – The rights to request privacy protections for Protected Health Information and request confidential communications.

When the Secretary issues a Notice of HIPAA Enforcement Discretion, it only applies to the emergency area for the emergency period specified in the public health emergency declaration, and only to hospitals that have initiated a disaster protocol. A Notice of HIPAA Enforcement Discretion issued in these circumstances does not apply to health plans or business associates.

Nationwide Discretion Announced during the COVID-19 Pandemic

During the COVID-19 pandemic, healthcare providers had to deal with a nationwide public health crisis, the likes of which had never been seen before. The 2019 Novel Coronavirus (SARS-CoV-2) that caused COVID-19 forced healthcare providers to change normal operating procedures and workflows, reconfigure hospitals to segregate patients, open testing centers outside their usual facilities, work with new providers and vendors, and rapidly expand telehealth services.

To ensure the flow of essential healthcare information was not impeded by the HIPAA regulations during the public health emergency, the HHS’ Office for Civil Rights (OCR) issued multiple nationwide Notices of HIPAA Enforcement Discretion and announced that penalties and sanctions for noncompliance with certain provisions of the HIPAA Rules would not be imposed on healthcare providers for the good faith provision of healthcare services during the COVID-19 public health emergency.

Notice of Enforcement Discretion Covering Telehealth Remote Communications

With hospitals having limited capacity, and social distancing and self-isolation measures in place, healthcare providers rapidly expanded their telehealth and virtual care capabilities. The Centers for Medicare and Medicaid Services (CMS) also temporarily expanded telehealth options for all Medicare and Medicaid recipients.

To support healthcare providers, OCR announced a Notice of Enforcement Discretion covering telehealth remote communications for the duration of the public health emergency. Although some of the platforms used for providing these services were not fully compliant with HIPAA, OCR said it would not be imposing penalties for the use of these platforms during the public health emergency provided those platforms were non-public-facing.

Notice of Enforcement Discretion Covering Uses and Disclosures of PHI by Business Associates for Public Health and Health Oversight Activities

The HIPAA Privacy Rule only permits business associates of HIPAA-covered entities to use and disclose PHI for public health and health oversight activities if it is specifically stated that they can do so in a business associate agreement (BAA) with a HIPAA-covered entity. Even in such cases, disclosures of PHI should be restricted to the minimum necessary amount to achieve the objective of the disclosure.

On April 2, 2020, OCR issued a Notice of HIPAA Enforcement Discretion stating penalties would not be imposed on business associates for good faith disclosures of PHI for public health purposes to agencies such as the Centers for Disease Control and Prevention (CDC), CMS, state and local health authorities, and state emergency operations centers. In all cases, any use or disclosure of PHI must be reported to the covered entity within 10 days of the use or disclosure occurring.

Notice of HIPAA Enforcement Discretion for Community-Based Testing Sites

Additionally, enforcement discretion was exercised by OCR in connection with good faith participation in the operation of COVID-19 testing sites such as walk-up, drive-through, and mobile sites. The Notice of Enforcement Discretion covered all activities in testing centers that support the collection of specimens and testing of individuals for COVID-19.

Reasonable safeguards had to be implemented to protect patient privacy and the security of any PHI used or collected at these sites. The Notice did not apply to health plans or healthcare clearinghouses when they were performing health plan and clearinghouse functions, nor to healthcare providers or business associates that were not performing COVID-19 Community-Based Testing Site activities, even if those activities were performed at the testing sites.

Notice of Enforcement Discretion Covering Online or Web-Based Scheduling Applications for Scheduling of COVID-19 Vaccination Appointments

On January 19, 2021, OCR announced it would be exercising enforcement discretion and would not impose penalties or sanctions on HIPAA-covered entities or their business associates for violations of the HIPAA Rules in connection with the good faith use of online or web-based scheduling applications (WBSAs) for scheduling COVID-19 vaccination appointments.

While HIPAA penalties would not be imposed, OCR encouraged HIPAA-covered entities and business associates to ensure that reasonable safeguards were implemented to ensure the privacy and security of healthcare data, such as the use of encryption, limiting data input into systems to the minimum necessary information, and activating all available privacy settings.

Sharing PHI About COVID-19 Patients with First Responders

As well as publishing several Notices of HIPAA Enforcement Discretion at the start of the COVID-19 public health emergency, OCR confirmed that the Privacy Rule permitted the sharing of PHI with first responders such as law enforcement, paramedics, public safety agencies, and others under certain circumstances, without first obtaining a HIPAA authorization from a patient.

OCR also confirmed that the HIPAA Privacy Rule permits disclosures of PHI for the provision of treatment (e.g., by a skilled nursing facility to medical transport personnel), when required to do so by law (such as to comply with state infectious disease reporting requirements), and to prevent or control disease, injury, or disability. The latter included disclosures for public health surveillance, and to public health authorities to help prevent or control the spread of disease.

PHI could – and still can – be disclosed to first responders who may be at risk of infection and to help prevent or lessen a serious and imminent threat to the health and safety of a person or the public. OCR explained that it is permissible to “disclose PHI about individuals who have tested positive for COVID-19 to fire department personnel, child welfare workers, mental health crisis services personnel, or others charged with protecting the health or safety of the public if the covered entity believes in good faith that the disclosure of the information is necessary to prevent or minimize the threat of imminent exposure to such personnel in the discharge of their duties.”

Enforcement Discretion to be Applied when Calculating Violation Penalties

In January 2021, an amendment to the HITECH Act instructed the HHS Secretary to exercise HIPAA enforcement discretion and take into consideration certain recognized security practices when determining potential fines and/or the length and extent of a corrective action plan or an audit in the event of a data breach.

To qualify for HIPAA enforcement discretion, an investigated covered entity or business associate must be able to demonstrate at least twelve months prior compliance with a recognized security framework. Although covered entities and business associates can implement a security framework that best meets the needs of the organization, OCR has recommended:

  • The National Institute of Standards and Technology (NIST) Cybersecurity Framework,
  • Section 405(d) of the Cybersecurity Act of 2015, or
  • Other programs that address cybersecurity which are explicitly recognized by statute or regulation.

Despite the amendment coming into force more than two years ago, OCR has not yet published details of how discretion will be applied in the context of the HIPAA Enforcement Rule. In June 2022, the agency issued a Request for Information asking for comments from stakeholders on how HIPAA enforcement discretion should best be applied in such circumstances and has published a video detailing how HIPAA-regulated entities can demonstrate they have implemented recognized security practices, but has yet to publish a Notice of Proposed Rulemaking – the next step before any Rule is finalized.

Conclusion:

HIPAA compliance can be challenging at the best of times; but, during a public health emergency, compliance becomes more difficult – no matter how well prepared a healthcare provider is. The Department of Health and Human Services recognizes the issues that can occur when healthcare providers are prevented from delivering the best possible healthcare because of regulatory barriers and will exercise HIPAA enforcement discretion as and when necessary.

Nonetheless, it is important for covered entities – and business associates where applicable – to understand which Privacy Rule standards are subject to enforcement discretion, and which are not. It is also important for both covered entities and business associates to review their current Security Rule compliance in order to ensure they protect PHI from unauthorized and impermissible disclosures using a recognized security framework.

Healthcare providers who require further information about HIPAA compliance, which standards may be subject to HIPAA enforcement discretion, and what constitutes a recognized security framework should seek professional compliance advice.


Is Paubox HIPAA Compliant?

Paubox is HIPAA compliant inasmuch as the email encryption solution supports HIPAA compliance and can be used by Covered Entities and Business Associates to communicate Protected Health Information in emails without violating the standards of the HIPAA Privacy or Security Rules.

  • What is Paubox?
  • What are the HIPAA Email Requirements?
  • Privacy Rule Challenges to HIPAA Email Compliance
  • Security Rule Challenges to HIPAA Email Compliance
  • How Paubox Can Help Overcome the Challenges
  • Making Paubox HIPAA Compliant
  • Conclusion: Paubox is HIPAA Compliant

What is Paubox?

Paubox Inc. is a Californian provider of email encryption products with varying capabilities. At the entry level, Paubox works in the background to encrypt outbound emails to prevent Protected Health Information (PHI) from being impermissibly disclosed during the transit of emails.

Further up the product suite, Paubox offers an effective email filter for inbound emails, a HIPAA-compliant email archiving service, and an email marketing solution. The suite also includes an email API for automating HIPAA-compliant emails at scale.

To substantiate the company’s commitment to security, Paubox is HITRUST CSF Certified. HITRUST is an acronym for the Health Information Trust Alliance, and being certified demonstrates that Paubox complies with the HITRUST Common Security Framework.

What are the HIPAA Email Requirements?

When HIPAA was passed in 1996, email was not the force it is today. Web clients (i.e., Hotmail, Yahoo, etc.) had only just been launched and the first mobile device with email capabilities (the Blackberry 5810) was still six years away. Gmail was not launched until 2004.

Consequently, Congress’ instructions to the Secretary of the U.S. Department of Health and Human Services – to develop privacy and security standards for the protection of individually identifiable health information – did not factor in specific HIPAA email requirements.

Nonetheless, some standards are relevant to HIPAA compliance for email. These include a patient’s right to request how they receive communications containing PHI, the requirement to implement audit controls, and the implementation specifications relating to transmission security.

Privacy Rule Challenges to HIPAA Email Compliance

The first challenge to HIPAA email compliance is when a patient requests communications containing PHI are sent by email. Unencrypted emails are not HIPAA compliant because they can be intercepted in transit and tampered with, or read by unauthorized individuals in a “man-in-the-middle” attack, in a similar way to email filters reading the content of emails to identify spam.

Therefore, if a patient exercises their right to request communications by email – or initiates a conversation via email – Covered Entities should warn the patient that unencrypted email is an unsecured channel of communication; and, if the patient still wants to receive emails containing PHI, document the request and the warning that was provided.

A further Privacy Rule challenge to HIPAA email compliance is human error. There are numerous examples of Covered Entities inadvertently disclosing PHI via email; and while the HHS Breach Portal lists examples in which the PHI of more than 500 individuals has been disclosed via email, there are likely many thousands of smaller data breaches that do not make the list.

Security Rule Challenges to HIPAA Email Compliance

The Security Rule challenges to HIPAA email compliance can be summed up in two words – Technical Safeguards. Most standard email services lack the capabilities to (for example) record when PHI is included in an email, ensure the content of the email is not modified without authorization, and prevent PHI from being disclosed in man-in-the-middle attacks or by legitimate software such as spam filters.

Measures proposed by HHS could – if adopted – ultimately remove the technical burden of recording when PHI is included in an email (provided that the inclusion of PHI is permissible) and ensure the validity of attachments by confirming there has been no tampering. The challenge of preventing PHI from being disclosed in a man-in-the-middle interception can be overcome with encryption.

It is important to be aware that encryption does not stop man-in-the-middle interceptions. It ensures that the content of an email and any attachments are not disclosed, because encryption renders them unreadable, indecipherable, and unusable to anyone without the key. Therefore, if an encrypted email is intercepted, there is no breach of unsecured PHI. Note also that encryption by itself protects confidentiality, not integrity: detecting that an intercepted message has been altered additionally requires message authentication (for example, the authenticated encryption or digital signatures used by TLS and S/MIME).
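The integrity caveat above is easy to see in code. The following added example is not Paubox code and not from the original article; it uses a toy stream cipher built from SHA-256 in counter mode (an illustration only, not a production cipher) and constructed keys, nonce, and message. It shows that an attacker who intercepts an encrypted-only message can flip a dosage from 10 mg to 90 mg without the key and without the recipient noticing, whereas the same tampering is rejected when the ciphertext is authenticated with an HMAC (encrypt-then-MAC). The function and key names are assumptions for the demo.

```python
import hashlib
import hmac

# Constructed fixed keys, nonce and message so the demo is reproducible (assumptions).
ENC_KEY = b"e" * 32
MAC_KEY = b"m" * 32
NONCE = b"\x01" * 16
PLAINTEXT = b"Patient 4471: dose 10 mg"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256. Illustration only, not a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_only(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: XOR the plaintext with the keystream."""
    ks = _keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt_only = encrypt_only  # XOR with the same keystream undoes the encryption


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256(nonce || ciphertext)."""
    ct = encrypt_only(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject anything modified."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message tampered with or wrong key")
    return decrypt_only(enc_key, nonce, ct)


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker-side bit flip. The attacker does not know the key; it only needs to
    know (or guess) that the bytes at `offset` decrypt to `old`, which is realistic
    for a fixed-format message such as a prescription or lab result."""
    buf = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[offset + i] ^= o ^ n
    return bytes(buf)


def demo_unauthenticated() -> bytes:
    """Encryption alone: the altered dose is decrypted silently by the recipient."""
    ct = encrypt_only(ENC_KEY, NONCE, PLAINTEXT)
    offset = PLAINTEXT.index(b"10 mg")
    ct_mod = tamper(ct, offset, b"10", b"90")
    return decrypt_only(ENC_KEY, NONCE, ct_mod)


def demo_authenticated() -> str:
    """Encrypt-then-MAC: the same modification fails verification."""
    blob = seal(ENC_KEY, MAC_KEY, NONCE, PLAINTEXT)
    offset = PLAINTEXT.index(b"10 mg")
    ct_mod = tamper(blob[16:-32], offset, b"10", b"90")
    try:
        open_sealed(ENC_KEY, MAC_KEY, blob[:16] + ct_mod + blob[-32:])
    except ValueError:
        return "tamper detected"
    return "tamper NOT detected"


if __name__ == "__main__":
    print("encrypt-only, after tampering:", demo_unauthenticated())
    print("encrypt-then-MAC, after tampering:", demo_authenticated())
```

In practice you would not build this yourself: TLS between mail servers and S/MIME or PGP for end-to-end protection already combine encryption with authentication. The point the demo makes is that a transmission security control which only encrypts satisfies the confidentiality half of the Security Rule's technical safeguards, and a separate integrity control is still needed.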

How Paubox Can Help Overcome the Challenges

Paubox can help overcome the challenge of HIPAA email compliance in various ways depending on which products are used. For example:

  • The entry-level email suite can be configured to automatically encrypt emails without the necessity for members of the workforce to go through extra procedures or for recipients to enter a password or visit a secure portal to read the email.
  • The suite can be integrated with major business email platforms and the Salesforce CRM for a seamless user experience, while administrators and compliance officers can take advantage of a library of analytic and email reports.
  • The email suite “Plus” includes advanced email filtering capabilities to reduce the risk of malware and ransomware. It also includes two further capabilities to mitigate the threat of phishing – DomainAge and ExecProtect.
  • At the top level of the Paubox email suite, Covered Entities can take advantage of a HIPAA-compliant email archiving service and a Data Loss Prevention feature that prevents PHI from being sent outside the corporate network by unauthorized members of the workforce.

Two further products in the Paubox portfolio may also be of interest to Covered Entities and Business Associates – Paubox Marketing and the Paubox Email API.

  • Paubox Marketing is a simple-to-use email builder that enables marketing departments to personalize marketing emails according to patients’ medical conditions, prescribed medications, and more.
  • The Paubox Email API is a tool that can be used to automate email communications at scale while ensuring HIPAA compliance. When used with Paubox Marketing, Paubox can be configured to automatically respond to specified triggers.

Making Paubox HIPAA Compliant

Software is not usually HIPAA compliant “out of the box”. In most cases, the software has to be configured to operate compliantly – especially when integrated with other technologies. Fortunately, making Paubox HIPAA compliant is not complicated due to the simple-to-follow instructions for integrating the email suite with existing business email platforms and the Salesforce CRM.

Once user email addresses have been imported into Paubox, members of the workforce will not notice any difference when sending emails. Nonetheless, it is advisable to explain to users what changes have been made in case a patient raises a concern about PHI being disclosed via email. HIPAA training on Paubox will enable users to answer patient concerns quickly.

Additionally, Covered Entities and Business Associates subscribing to the email encryption service will need to enter into a Business Associate Agreement with Paubox. Like many major software vendors, Paubox has its own Business Associate Agreement; but, having reviewed its content, we have no concerns about the Paubox HIPAA-compliant Business Associate Agreement.

Conclusion: Paubox is HIPAA Compliant

Covered Entities and Business Associates looking at ways to overcome the challenges of HIPAA email compliance can consider Paubox a HIPAA-compliant solution. At the entry level, Paubox removes the compliance overhead of warning patients about the dangers of unencrypted email and documenting their requests to receive PHI via email.

At higher subscription levels, Paubox has a number of HIPAA-compliant capabilities that can help organizations maintain the security of PHI and archive emails for fast search and retrieval. Naturally, the software can be used to ensure other confidential information (governed by other regulations) remains private and is protected against unauthorized access.

Therefore, in answer to the question “is Paubox HIPAA compliant”, the answer is yes, provided that Covered Entities and Business Associates configure the software to comply with the technical safeguards of the Security Rule and enter into a Business Associate Agreement with Paubox. It is also recommended to provide user training so that members of the workforce can answer patients’ questions about how PHI sent by email is protected.

The post Is Paubox HIPAA Compliant? appeared first on HIPAA Journal.

Why is HIPAA Important?

HIPAA is important because, due to the passage of the Health Insurance Portability and Accountability Act, the Department of Health and Human Services was able to develop standards that protect the privacy of individually identifiable health information and the confidentiality, integrity, and availability of electronic Protected Health Information.

HIPAA was introduced in 1996 primarily to address one particular issue: insurance coverage for individuals between jobs and with pre-existing conditions. Without HIPAA, employees faced a potential loss of insurance coverage between jobs. Because of the cost of HIPAA’s primary objective to health insurance companies – and the risk that the cost would be passed on to employers and individuals as higher premiums – Congress instructed the Secretary of Health and Human Services to develop standards that would reduce healthcare insurance fraud and simplify the administration of healthcare transactions.

Due to the increased number of transactions being conducted electronically, standards were also developed to protect the confidentiality, integrity, and availability of electronic Protected Health Information when it was collected, received, maintained and transmitted between healthcare providers, health plans, and health care clearinghouses. Further standards were developed to protect the privacy of individually identifiable health information (in any format) and to give individuals increased rights and control over their health information. The standards became known respectively as the HIPAA Security Rule and HIPAA Privacy Rule.

Why is HIPAA Important for Healthcare Organizations?

HIPAA introduced a number of important benefits for the healthcare industry to help with the transition from paper records to electronic copies of health information. HIPAA has helped to streamline administrative healthcare functions, improve efficiency in the healthcare industry, and ensure protected health information is shared securely.

The standards for recording health data and electronic transactions ensure that everyone works to the same conventions. Since all HIPAA-covered entities must use the same code sets and nationally recognized identifiers, this helps enormously with the transfer of electronic health information between healthcare providers, health plans, and other entities.

Why is HIPAA Important for Patients?

Arguably, the greatest benefits of HIPAA are for patients. HIPAA compliance is important because it requires healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities to implement multiple safeguards to protect sensitive personal and health information.

While no healthcare organization wants to expose sensitive data or have health information stolen, without HIPAA there would be no requirement for healthcare organizations to safeguard data – and no repercussions if they failed to do so.

HIPAA established rules that require healthcare organizations to control who has access to health data, restricting who can view health information and who that information can be shared with. HIPAA helps to ensure that any information disclosed to healthcare providers and health plans, or information that is created by them, transmitted, or stored by them, is subject to strict security controls. Patients are also given control over who their information is released to and who it is shared with.

HIPAA is important for patients who want to take a more active role in their healthcare and want to obtain copies of their health information. Even with great care, healthcare organizations can make mistakes when recording health information. If patients are able to obtain copies, they can check for errors and ensure mistakes are corrected.

Obtaining copies of health information also helps patients when they seek treatment from new healthcare providers – information can be passed on, tests do not need to be repeated, and new healthcare providers have the entire health history of a patient to inform their decisions. Prior to the introduction of the HIPAA Privacy Rule, there was no federal requirement for healthcare organizations to release copies of patients’ health information.

Why is HIPAA Important? FAQs

What might happen to healthcare data if it were not protected by HIPAA?

What might happen to healthcare data if it were not protected by HIPAA is that it could be stolen and used to commit healthcare fraud. Healthcare data is a valuable commodity on the black market because it can be used by uninsured or underinsured individuals to obtain expensive healthcare treatment. Healthcare fraud results in increased insurance costs, which are passed down to employers and individuals in the form of increased insurance premiums.

What are the financial benefits for healthcare providers of complying with HIPAA?

The financial benefits for healthcare providers of complying with HIPAA include better patient outcomes and higher satisfaction scores, increased staff morale and employee retention rates, and fewer readmissions – a key factor in avoiding CMS payment penalties under the Hospitals Readmissions Reduction Program and other value-based initiatives.

Why is it important for healthcare professionals to comply with HIPAA?

It is important for healthcare professionals to comply with HIPAA to build a culture of trust with patients. If a patient feels any confidential information shared with a healthcare professional will remain confidential, they are more likely to be more forthcoming about health issues and the symptoms they are experiencing.

With more information available to them, healthcare professionals can make better informed diagnoses and treatment decisions. This results in better patient outcomes, which leads to higher morale. Effectively, by complying with HIPAA, healthcare professionals enjoy more rewarding experiences and get more from their vocation.

If patients are unable to exercise their rights under HIPAA, what might happen?

If patients are unable to exercise their patients’ rights allowed by HIPAA, the likely outcome will be a complaint to the Privacy Officer or HHS’ Office for Civil Rights. This could result in a significant financial penalty and a time-consuming corrective action plan.

Allowing patients to exercise their rights under HIPAA is important because it’s not unheard of for mistakes to be made with patients’ records that can result in misdiagnoses, the wrong treatment being provided, or the wrong medication being prescribed.

By giving patients the right to inspect their medical records and make corrections when necessary, the risks of incorrect diagnoses, treatments, and medications are mitigated. Additionally, having access to their records helps patients take more responsibility for their own wellbeing.

How do patients control who their information is released to and shared with?

Patients control who their information is released to and shared with by having the right to request privacy protection for protected health information (45 CFR §164.522). This right enables patients to request restrictions on how PHI is used and disclosed for treatment, payment, and health care operations, and also for involvement in the individual’s care and notification purposes.

Why is the HIPAA Privacy Rule important?

The HIPAA Privacy Rule is important because it sets a “federal floor” of privacy protections and rights for individuals to control healthcare data. This means that Covered Entities throughout the country must comply with the HIPAA Privacy Rule unless a state law offers more stringent privacy protections or greater rights for individuals.

How does HIPAA protect sensitive health information?

HIPAA protects sensitive health information via regulations, standards, and implementation specifications. Covered entities and business associates are required to comply with applicable regulations, standards, and implementation specifications or potentially face a civil monetary penalty from HHS’ Office for Civil Rights – even if no breach of unsecured PHI has occurred.

Who must comply with HIPAA rules?

Entities that must comply with HIPAA Rules include health plans, health care clearinghouses, and healthcare providers that conduct electronic transactions for which the Department of Health and Human Services has developed standards (collectively known as “covered entities”). Businesses that provide services for or on behalf of covered entities that involve the use or disclosure of Protected Health Information (“business associates”) are also required to comply with applicable HIPAA Rules.

Why is the HIPAA Breach Notification Rule important?

The HIPAA Breach Notification Rule is important because it requires covered entities and business associates to notify individuals when unsecured PHI has been accessed impermissibly so that individuals can take steps to protect themselves against theft and fraud. The Rule is also important because it makes covered entities and business associates accountable for shortcomings in their compliance efforts.

How does HIPAA support the digitization of health records?

HIPAA supports the digitization of health records by laying the foundations of a cybersecurity framework to protect electronic health records from unauthorized access. The framework enabled Congress to incentivize the digitization of health records via the Meaningful Use Program (now the Promoting Interoperability Program), which in turn improved the flow of health information between healthcare providers.

How has HIPAA evolved to meet the changing needs of health information technology?

HIPAA has evolved to meet the changing needs of health information technology via several HIPAA updates. The biggest recent HIPAA update was the Omnibus Final Rule in 2013. However, multiple changes to HIPAA have been proposed since 2020, which would support the further evolution of HIPAA to meet the changing needs of health information technology.

How is compliance with HIPAA enforced?

Compliance with HIPAA is enforced by two offices within the Department of Health and Human Services – the Office for Civil Rights (responsible for compliance with Parts 160 and 164 of the HIPAA Administrative Simplification Regulations) and the Centers for Medicare and Medicaid Services (responsible for compliance with Part 162). The Federal Trade Commission also enforces its Health Breach Notification Rule for vendors of personal health records and similar health apps that do not qualify as HIPAA covered entities; violations are treated as unfair or deceptive practices under Section 5 of the FTC Act.

The post Why is HIPAA Important? appeared first on HIPAA Journal.

HIPAA Exceptions

The text of the Health Insurance Portability and Accountability Act is full of HIPAA exceptions – adding to the complexity of complying with the Act and often resulting in organizations and public agencies applying far more stringent restrictions than necessary.

In 2007, the Reporters Committee for the Freedom of the Press published a Guide to Medical Privacy Law. The Guide highlighted multiple instances in which hospitals, ambulance services, schools, and public agencies unjustifiably withheld news from reporters for fear of violating HIPAA – even though several of the entities were not covered by HIPAA.

According to the Guide, the fear of violating HIPAA led to many entities applying HIPAA overzealously – often applying standards without considering when HIPAA exceptions exist. And there are many HIPAA exceptions. A comb through the Administrative Simplification provisions finds 50 uses of the word “exception” and a further 100+ uses of the word “except”.

It is impractical to list all the HIPAA exceptions in one article, especially as some exist which are not mentioned in the Administrative Simplification provisions. Therefore, we have highlighted a few of the most common exceptions and recommend Covered Entities seek professional compliance advice to identify others that may be relevant to their specific circumstances.

HIPAA General Rule Exceptions

The first HIPAA exceptions appear in the General Rule on preemption of State law (45 CFR § 160.203). The General Rule stipulates that when a State law is contrary to HIPAA, HIPAA takes precedence. However, there are multiple exceptions listed in the General Rule, including that State law preempts HIPAA when the State law:

  • Has more stringent privacy provisions or patients’ rights than HIPAA,
  • Provides for reporting information to public health agencies, and
  • Requires a health plan to report information for the purpose of audits, etc.

The first exception is the one that has caused more problems for HIPAA Covered Entities than most. This is because nearly every state has a law relating to the privacy of patient information with more stringent privacy provisions than HIPAA. However, many State laws apply to only one category of health information (e.g., HIV-related information), only in specific circumstances (e.g., emergency care), or only to certain entities (e.g., pharmacists).

The other two General Rule exceptions can also be problematic for Covered Entities because, although a State law may permit certain disclosures of PHI to state and federal agencies, the information provided to those agencies can be accessed via Freedom of Information requests. If a Freedom of Information request reveals that the Covered Entity has provided more PHI than the minimum necessary, the Covered Entity would be in violation of HIPAA.

Most other uses of the word “exception” in the text of HIPAA relate to exceptions from transaction standards and medical code sets. However, it is worth noting that exceptions exist to the right to revoke a patient authorization for the disclosure of PHI and to who must be given a Notice of Privacy Practices (e.g., inmates of correctional institutions). Covered Entities with public-facing operations may need to be familiar with these HIPAA exceptions.

Other State and Federal HIPAA Exceptions

The relationship between HIPAA and other state and federal laws can further complicate HIPAA compliance due to multiple HIPAA exceptions. The best example of a complicated relationship of this nature is the relationship between HIPAA, the Family Educational Rights and Privacy Act (FERPA), and the Texas Medical Records Privacy Act (as amended by HB300).

Generally, public schools, colleges, and other educational institutions that provide medical services for students and staff (as a work benefit) are not considered to be Covered Entities under HIPAA. This is because medical treatments provided to students are classified as educational records and protected by FERPA, while medical services provided for staff are non-portable benefits.

Complications start to arise when an educational institution provides medical services for members of the public (e.g., a medical teaching university). Under these circumstances, the educational institution becomes a hybrid entity and has to implement safeguards in order to isolate FERPA-covered treatment records from HIPAA-covered PHI and apply two sets of rules for staff.

When the educational institution is covered by the Texas Medical Records Privacy Act, all medical treatment records relating to students, staff, and the public are subject to HIPAA-esque privacy standards. This is further complicated by the Texas Medical Records Act applying to all citizens of Texas regardless of their location. Consequently, a medical teaching university in New York could be required to comply with three sets of regulations if it accepts mature students from Texas.

Operational and Occupational Exceptions

Operational and occupational exceptions to HIPAA can occur in many different circumstances. For example:

  • Ambulance services that bill electronically are subject to HIPAA; but in counties without electronic billing, HIPAA does not apply to ambulance services.
  • Healthcare facilities are allowed to disclose directory “health condition” information to callers or visitors who ask about the patient by name
  • Some uses and disclosures of PHI allowed by the Privacy Rule are not allowed by the Federal Substance Abuse Confidentiality Requirements (42 CFR Part 2).
  • Exceptions exist to the privacy requirements for psychotherapy notes when state laws mandate a duty to warn (e.g., of imminent harm) or a duty to report (e.g., abuse).
  • Exceptions to a patient’s right to an accounting of disclosures exist if a Covered Entity is ordered not to release the information by a health oversight agency or law enforcement official.

HIPAA exceptions also exist in the military. Military treatment facilities are HIPAA Covered Entities; however, under the Military Command Exception, healthcare professionals are allowed to disclose Protected Health Information to command authorities without the patient’s authorization in order to report on the patient’s fitness for duty, fitness to perform an assignment, or fitness to perform another activity necessary for a military mission.

HIPAA Privacy Rule Exceptions

The HIPAA Privacy Rule occupies Subpart E of the Administrative Simplification provisions (45 CFR §§ 164.500 – 164.534) and, within this subpart, there are multiple exceptions to HIPAA. To help Covered Entities and Business Associates better negotiate the volume of HIPAA Privacy Rule exceptions, we have included those that relate to confidentiality in a separate section below.

The first HIPAA Privacy Rule exception to be aware of is that the Privacy Rule does not apply to the Department of Defense (DoD), another federal agency, or any organization acting on behalf of either when the DoD, federal agency, or organization acting on behalf of either provides healthcare services to an overseas foreign national beneficiary. This exception has caused some confusion because it has been interpreted in various ways, so here is a brief explanation.

Under the HIPAA Privacy Rule, Covered Entities and Business Associates must protect individually identifiable health information regardless of the individual’s nationality or the location in which the Covered Entity or Business Associate collects, processes, maintains, uses, or discloses PHI. The exception exists because (for example) in a war zone it would be impractical to delay treatment for an injured foreign national while the Privacy Rule’s requirements, such as providing a Notice of Privacy Practices, were met.

Further HIPAA Privacy Rule exceptions exist when the PHI of one individual is included with the PHI of another. This can happen if (for example) a patient’s medical record includes medical information relating to their parents. In this example, the PHI in the patient’s medical record must be safeguarded as one; and although the parents’ PHI is recorded in the patient’s medical record, neither parent has the right to access the medical record and request amendments to their PHI.

HIPAA Exceptions to Confidentiality

Most HIPAA exceptions to confidentiality relate to uses and disclosures “required by law” and “for health care operations”. These include (but are not limited to):

  • When a Covered Entity is a defendant or witness in a malpractice claim.
  • When a Covered Entity is contesting a licensing revocation.
  • When a Covered Entity is pursuing payment of an outstanding bill.
  • When a Covered Entity conducts a patient safety activity (e.g., a fire drill).
  • When a Covered Entity conducts training programs or credentialing activities.

HIPAA exceptions to confidentiality attributable to health care operations can be a gray area. Consequently, it is recommended that any uses and disclosures in non-standard circumstances are documented and retained for accounting of disclosures purposes – even though the use or disclosure may be allowed under the HIPAA Privacy Rule. Additionally, in all cases it is important that Covered Entities only disclose the minimum necessary PHI for the stated purpose.

Further HIPAA exceptions to confidentiality exist when a law enforcement official requests health data for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person. However, although it is permissible to disclose an individual’s blood type under these circumstances, Covered Entities are not allowed to disclose information such as dental records, DNA, or body tissue analyses – elements of PHI that would help identify the body of a missing person.

Conversely, there are no limitations on the nature of PHI it is permissible to disclose to law enforcement officers when attending an off-site emergency, nor when disclosing PHI to a law enforcement officer on-site if the nature of the emergency is related to abuse, neglect, or domestic violence. Despite these HIPAA exceptions to confidentiality, it is recommended to seek the consent of the patient if possible, and to check state disclosure laws for superseding contradictions.

Summary: HIPAA Exceptions List

As mentioned previously, it would be impractical to compile a HIPAA exceptions list because there are many exceptions in the Transactions and Code Sets Rule that would be irrelevant to most Covered Entities. Nonetheless, to summarize what has been discussed thus far:

  1. HIPAA preempts state law unless a state law has stronger privacy provisions or enhances patients’ rights.
  2. HIPAA exceptions also exist when a state law has public agency reporting requirements.
  3. Exceptions to the right to revoke patient authorizations exist in certain circumstances.
  4. There are also exceptions to when it is necessary to provide a Notice of Privacy Practices.
  5. HIPAA does not apply in most schools as medical records are classed as educational records under FERPA.
  6. Exceptions to the school exception may apply with regards to records of immunization.
  7. HIPAA does not apply to healthcare services and facilities that do not conduct covered transactions.
  8. Standard disclosure rules do not apply to substance use disorder patient records.
  9. State laws can also override HIPAA on the non-disclosure of psychotherapy notes.
  10. Further exceptions exist in the Armed Forces and when an overseas foreign national beneficiary receives treatment provided by the DoD, a federal agency, or an organization working on behalf of either.

Why it is Important to be Aware of HIPAA Exceptions

Protecting patient privacy was not the only objective of HIPAA. The Act also intended to streamline healthcare functions and improve efficiency in the healthcare industry. Covered Entities who are not aware of the HIPAA exceptions can apply the regulations more rigorously than necessary – potentially stifling healthcare functions and harming efficiency. Therefore, if you are unaware of the HIPAA exceptions, it is in your best interests to seek professional compliance advice.

HIPAA Exceptions FAQs

How can I find out which State laws preempt HIPAA in my area?

Speak with a compliance professional or healthcare attorney in your area. If you would like some background information before doing so, the healthit.gov website published a “Report on State Law Requirements for Patient Permission to Disclose Health Information” (PDF). Although this may now be out of date in some areas, Appendix A includes some useful state-by-state information relating to which privacy information, circumstances, and entities are exempt from authorizations.

Does FERPA or HIPAA apply to elementary student health records maintained by a health care provider not employed by the school?

When health services are provided to students by an entity not employed by, under contract to, or otherwise acting on behalf of the school, the student health records are not educational records subject to FERPA even when the health services are provided on the school campus. For example, immunization services provided by a public health agency to students on the school campus are subject to the HIPAA Privacy Rule and, if data are stored electronically, the HIPAA Security Rule.

Where the HIPAA Privacy Rule applies, does it allow an external healthcare provider to disclose PHI about a student to a school nurse or physician?

Yes. The HIPAA Privacy Rule allows covered healthcare providers to disclose PHI about students to school nurses, physicians, and other health care providers for treatment purposes without the authorization of the student or student’s parent. For example, a student’s primary care physician may discuss the student’s medication and other healthcare needs with a school nurse who will administer the student’s medication and provide care to the student while the student is at school.

What is the duty to warn exception that applies to psychotherapy notes?

Psychotherapy notes contain sensitive information not usually required for treatment, payment, or healthcare operations, and therefore should not be disclosed without a patient’s written authorization. However, the duty to warn exception gives healthcare professionals the authority to disclose their notes when they believe a patient poses a threat to another person. This exception also protects healthcare professionals from prosecution for breach of confidentiality.

How likely is it PHI will be disclosed in a Freedom of Information request?

Under Freedom of Information Act Exemption 6, public agencies can withhold “personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy.” However, the word “can” implies that PHI could be disclosed in response to a Freedom of Information request if the information is considered to be in the public interest. Unfortunately, different public agencies interpret Exemption 6 in different ways.

When does HIPAA not apply?

In addition to the examples discussed above, HIPAA does not apply when payments are processed by a bank or other financial institution – even when PHI is disclosed to the payment processor by the healthcare provider or health plan on whose behalf payments are being processed. Under 42 USC § 1320d-8, the Administrative Simplification provisions do not apply to a financial institution with respect to its payment processing activities, so individuals do not have the right to request that PHI is not disclosed to banks and financial institutions for this purpose.

Can HIPAA information be shared with law enforcement?

HIPAA information can be shared with law enforcement, but the circumstances of each request determine what information can be shared. For example, a Covered Entity may be required by law to disclose certain types of wounds or other physical injuries or may be required to comply with a court order – in which case the court order must stipulate the scope of information required.

When sharing HIPAA information with law enforcement for identification or location purposes, §164.512 limits what information can be shared. Therefore, while it is permissible to share a patient’s name, address, type of injuries, and distinguishing features, it is not permissible to share images, dental records, or a car license plate number.

What is an example of when HIPAA does not apply?

One current issue relating to when HIPAA does not apply – at least partly – concerns vendors of personal health records. Even though personal health records collect individually identifiable health information that can be used and disclosed by vendors, the HIPAA Privacy and Security Rules do not apply. However, if a vendor experiences a data breach, the vendor must comply with the Breach Notification Rule – notifying individuals and the Federal Trade Commission of the breach.

Who is exempt from HIPAA?

Although one of the objectives of HIPAA was to protect the confidentiality of health and payment information, and despite the fact that direct patient payments to healthcare providers can sometimes reveal what the payment was for (e.g., counselling services), banks and payment processors are exempt from HIPAA. Consequently, Covered Entities should be careful about how direct patient payments are initiated in order to comply with the minimum necessary standard.

The post HIPAA Exceptions appeared first on HIPAA Journal.