According to HHS’ Enforcement Highlights web page, the most common issue alleged in complaints to the Office for Civil Rights (OCR) is impermissible uses and disclosures of Protected Health Information. This is often interpreted as a failure to understand which uses and disclosures are permissible without patient authorizations; however, it could be just as likely there is a failure to understand the HIPAA meaning of Protected Health Information.

One possible reason for misunderstanding the HIPAA meaning is that the term “Protected Health Information” does not appear in the original text of HIPAA. Furthermore, rather than appearing at the start of the Privacy Rule, the HIPAA meaning of Protected Health Information is defined at the start of the Administrative Simplification General Rules (§160.103). The definition – abridged for clarity – reads:

“Protected Health Information means individually identifiable health information […] that is (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium.”

This definition applies to all individually identifiable health information collected, received, maintained, or transmitted by a HIPAA Covered Entity or a Business Associate providing a service to or on behalf of a Covered Entity or other Business Associate. However, there are some exceptions.

Students’ medical records maintained by an educational institution (that qualifies as both a FERPA-defined educational institution and a HIPAA-defined Covered Entity) are excluded from the HIPAA meaning of Protected Health Information because they are part of student educational records.

Individually identifiable health information maintained by a Covered Entity in its role as an employer (i.e., workplace injury reports, etc.) is also excluded from the HIPAA meaning of Protected Health Information, as is information relating to individuals who have been deceased for more than 50 years.

The HIPAA Meaning of Individually Identifiable Health Information

It can be difficult to fully understand the HIPAA meaning of Protected Health Information without understanding the HIPAA meaning of individually identifiable health information – defined in the Administrative Simplification General Rules as a subset of health information created or received by a health care provider, health plan, employer, or health care clearinghouse that:

• Relates to the past, present, or future physical or mental health or condition of an individual,
• the provision of health care to an individual; or
• the past, present, or future payment for the provision of health care to an individual; and
• that identifies the individual or could be used to identify the individual.

This definition raises several issues because not all healthcare providers or insurance companies that provide health benefits are Covered Entities, employers are generally not regarded as Covered Entities – but can be in some circumstances – and whereas the definition of Protected Health Information (above) applies to Business Associates, they are not mentioned in this definition.

With regards to the applicability of this definition to Business Associates, this is covered in §160.102 of the General Rules, in which paragraph (b) states: “Where provided, the standards, requirements, and implementation specifications adopted under this subchapter apply to a Business Associate” – “this subchapter” meaning the Administrative Simplification Regulations Parts 160,162, and 164.

The issues relating to which organizations qualify as Covered Entities, Partial Entities, Hybrid Entities, and Affiliated Entities are discussed in our article explaining the HIPAA definition of a Covered Entity. However, while qualification issues may be confusing for some, the biggest challenge to understanding the HIPAA meaning of Protected Health Information is what constitutes health information that is individually identifiable.

What Constitutes Health Information that is Individually Identifiable?

One of the reasons why challenges exist in understanding the HIPAA meaning of Protected Health Information is that several online sources have conflated the definition of Protected Health Information with “the 18 HIPAA identifiers”. It is important to be aware that the two are very different, and that relying on the 18 HIPAA identifiers to determine what Protected Health Information is could explain why so many complaints allege impermissible uses and disclosures of Protected Health Information.

Assuming the definition of health information is understood (“relates to the past, present, or future physical or mental health” etc.), individually identifiable health information is any information maintained in the same designated record set as health information that can – or that could be used to – identify the subject of the health information. Importantly, once in a designated record set, identifying information does not have to be attached to health information to be protected.

For example, if a designated record set contains:

• An x-ray of a broken arm referencing the patient
• The patient’s date of birth
• The patient’s contact details
• The patient’s payment details

While in the same designated record set, all four items are Protected Health Information – the x-ray of the broken arm and the patient’s payment details because they are items of information that relate to the patient’s health and payment for treatment, and the other two items because they are maintained in the same designated record set as the health and payment information.

If the names, birth dates, and contact details of patients are maintained in a separate record set or database that does not contain health and/or payment information, these items of information may not be protected health information; however, as previously stated, individually identifiable information must be protected if it relates to the past, present, or future physical or mental health of an individual. If names, birth dates, and contact details are collected, stored, and maintained by a healthcare provider, it could indicate the status of an individual as a patient, either in the past, present, or future, and patient status is protected health information. OCR recently confirmed this in its guidance on website tracking technologies.

More about Designated Record Sets and HIPAA Identifiers

As well as understanding the HIPAA meaning of Protected Health Information it is important for Covered Entities and their workforces to understand the concept of designated record sets. This is because a single Covered Entity can maintain multiple designated record sets about the same individual – who has the right to request copies of all information maintained about them and an accounting of disclosures from all designated record sets.

Knowing where Protected Health Information is maintained is one reason why it is important to conduct an audit of all Protected Health Information collected, received, maintained, or transmitted by the organization. An audit not only helps compliance officers develop policies and procedures to protect the privacy and security of Protected Health Information, but also identifies where it is maintained to accelerate responses to patient requests for copies and accountings of disclosures.

With regards to the 18 HIPAA identifiers, these are the types of identifying information that have to be removed from a designated record set before any health information remaining in the designated record set is no longer Protected Health Information under the safe harbor deidentification method (§164.514). Importantly, these types of identifiers only relate to de-identifying designated record sets. They have nothing to do with the HIPAA meaning of Protected Health Information.

It is also important to be aware the list of 18 HIPAA identifiers is more than twenty years old. Since its publication, many more types of information can be included in a designated record set that could identify – or be used to identify – an individual. For example, Medicare Beneficiary Identifiers are not included in the list, nor are emotional support animals, nor are social media handles. These identifiers should also be removed from a designated record set before it is de-identified.

What Else is Important to Know about the HIPAA Meaning?

Returning to HHS’ Enforcement Highlights web page mentioned at the beginning of this article, the most common reason for complaints being rejected by OCR is the complaints allege a violation committed by an entity that is not covered by HIPAA.

This implies that not only might there be a failure to understand the HIPAA meaning of Protected Health Information, but also the HIPAA definition of a Covered Entity. For this reason, we have published a separate article explaining who is – and who isn’t – a HIPAA Covered Entity.

In conclusion, understanding the HIPAA meaning of Protected Health Information, individually identifiable health information, and designated record sets can be confusing – notwithstanding that, although identifying information maintained outside a designated record set is not protected by HIPAA, it may be protected by a state’s privacy or security regulations.

Privacy and Security Officers who are unsure of the distinction between Protected Health Information and the 18 HIPAA identifiers, what information needs to be removed from a designated record set before it is de-identified, or when identifying information is not Protected Health Information, should seek expert advice from a compliance professional.

The post HIPAA Meaning of Protected Health Information appeared first on HIPAA Journal.

Throughout the text of the Health Insurance Portability and Accountability Act (HIPAA) a lot of content connects HIPAA law and employers. From the exclusions to guaranteed health plan renewability in Title I to the conditions for deducting loan interest on life insurance plans in Title V, there are plenty of HIPAA laws for employers to comply with.

However, the most complex areas of HIPAA compliance for employers are the Administrative Simplification Regulations in Title II. These Regulations include the Privacy, Security, and Breach Notification Rules; and while these Rules are regarded as only being applicable to Covered Entities, there are standards some employers who are not HIPAA Covered Entities may have to comply with.

When is an Employer a HIPAA-Covered Entity?

Generally, an employer is a HIPAA Covered Entity when the employer is a health plan, a healthcare clearinghouse, or a healthcare provider that conducts electronic transactions for which the Department of Health and Human Services (HHS) has published standards. The standards for electronic transactions which qualify an employer as a HIPAA-Covered Entity appears in CFR 45 Part 2.

There are exceptions to this definition of a HIPAA Covered Entity, and it is possible for an employer who does not qualify as a Covered Entity to be “involved” in covered transactions if – for example – they act as an intermediary between an employee, a healthcare provider, and a health plan. Additionally, an employer that self-administers a health plan with fewer than 50 participants is not considered to be a Covered Entity under HIPAA unless it qualifies as a healthcare provider.

Employment Records, HIPAA Law, and Employers

One potentially confusing area of the Administrative Simplification Regulations relates to employment records, HIPAA law, and employers. This is because the definition of individually identifiable health information in §160.103 includes “information collected from an individual or created or received by a health care provider, health plan, employer, or health care clearinghouse.”

However, the definition of Protected Health Information (also in §160.103) excludes “employment records held by a Covered Entity in its role as an employer.” This exclusion applies to individually identifiable health information an employer might receive and maintain in an employment record to explain – for example – the reason for a leave of absence due to sickness or an injury.

Potential Privacy Issues with the Requirements

But what about other types of individually identifiable health information an employer might collect, create, or receive? For example, under §164.512, Covered Entities are allowed to disclose Protected Health Information to enable employers to comply with state and federal accident notification laws such as the Occupational Safety and Health Administration’s injury and illness recordkeeping and reporting requirements.

There is no requirement under HIPAA for employers to keep Protected Health Information of this nature secure (although state privacy and security laws may apply), and Covered Entities have no control over how it is further used or disclosed by the employer. This raises potential privacy issues if an employer not subject to state privacy and security laws fails to secure the information.

A Solution to Address Potential Privacy Issues

Whether an employer qualifies as a Covered Entity or not, one way to address potential privacy issues for individually identifiable health information not protected by HIPAA is to adopt a model of “voluntary partial compliance”. This involves implementing safeguards similar to those required by HIPAA to maintain the privacy and security of individually identifiable health information.

For organizations unfamiliar with these safeguards, a good place to start is by downloading a HIPAA Compliance Guide. Thereafter, if questions remain about how best to maintain the privacy and security of individually identifiable health information, it is recommended that employers seek advice from a HIPAA compliance professional.

The post HIPAA Law and Employers appeared first on HIPAA Journal.

The HIPAA definition of Covered Entities is generally explained as health plans, health care clearinghouses, and health care providers that conduct electronic transactions for which the Department of Health and Human Services (HHS) has developed standards. However, exceptions to this definition exist that can be responsible for unjustified complaints to the HHS’ Office for Civil Rights.

According to HHS´ Enforcement Highlights web page, the most common reason for HIPAA-related complaints being rejected by the HHS’ Office for Civil Rights is that the complaints allege a violation committed by an entity that is not a HIPAA Covered Entity. While it is not surprising some complaints are rejected for this reason, the fact it is the most common reason for complaints being rejected is notable when you consider the complexity of HIPAA and the volume of complaints the agency receives and rejects.

Since 2003, the HHS’ Office for Civil Rights has received more than 300,000 complaints and rejected more than 200,000. This implies tens of thousands of individuals – and possibly workforce members – do not understand the HIPAA definition of Covered Entities.

The HIPAA Definition of Covered Entities

The HIPAA definition of Covered Entities can be found in 45 CFR §160.103 of the Administrative Simplification General Rules. The definition is much the same as appears in the opening paragraph of this article inasmuch as:

“Covered entity means: (1) A health plan. (2) A health care clearinghouse. (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.” (“this subchapter” meaning Parts 160,162 and 164 of the Administrative Simplification Regulations).

What the HIPAA definition of Covered Entities does not explain is what exceptions apply – potentially contributing to misunderstandings about what HIPAA Covered Entities are and unjustified complaints being sent to the HHS’ Office for Civil Rights.

Health Plans and Health Insurance Issuers

The HIPAA definition of Covered Entities implies that all health plans are Covered Entities; however, that is not the case. Employers’ self-insured and self-administered health plans are exempt if they have fewer than fifty members (under the definition of group health plans in §160.103). Even if an employer’s self-insured health plan is administered externally, it may still qualify for a partial exemption if the employer does not sponsor a health plan that includes a medical Flexible Spending Account or Health Reimbursement Account.

Additionally, although “health insurance issuers” are included in the HIPAA definition of health plans (also in §160.103), they are excluded from the above definition of Covered Entities if they provide “excepted benefits” listed in §300gg-91(c)(1) of the US Code relating to Public Health and Welfare. These excepted benefits include:

• Coverage only for accident, or disability income insurance, or any combination thereof.
• Coverage issued as a supplement to liability insurance.
• Liability insurance, including general liability insurance and automobile liability insurance.
• Workers’ compensation or similar insurance.
• Automobile medical payment insurance.
• Credit-only insurance.
• Coverage for on-site medical clinics.
• Other similar insurance coverage under which benefits for medical care are secondary or incidental to other insurance benefits.

Therefore, if you are involved in an auto accident, and your auto insurance provider covers your healthcare costs following the accident, the auto insurance provider is not required to comply with HIPAA with respect to the privacy and security of your individually identifiable health information. Other exceptions may also apply to health insurance issuers when certain types of benefits are offered separately (i.e., dental care, home health care, etc.) or when coverage is for a specified type of disease not included in a coordinated health insurance policy (i.e., COVID-19 travel insurance).

Healthcare Providers

The HIPAA definition of Covered Entities is clear that only healthcare providers that conduct electronic transactions for which the HHS has developed standards are considered to be Covered Entities. But what are the transactions, and which providers might not conduct them electronically? The standards the definition relates to can be found in Subparts D to S of the HIPAA Administrative Requirements (Part 162). Generally, these Subparts concern claims transactions between healthcare providers and health plans, the operating rules for claims, and the code sets to use in transactions.

In most cases, healthcare providers recover treatment costs from health plans, but there are some healthcare providers (for example, mental health counselors) who bill clients directly. Provided they do not use a third party for billing, these healthcare providers are not Covered Entities.

Healthcare providers that do recover treatment costs from health plans – but don’t do so electronically – are also excluded from the HIPAA definition of Covered Entities. Healthcare providers in this category can check eligibility, seek authorizations, and bill for payment via non-digital paper-to-paper fax or over the phone, and will not be Covered Entities as long as any health information disclosed in these communications is not stored electronically prior to the disclosure.

As soon as one item of health information relating to a covered transaction is communicated electronically to a health plan by a healthcare provider (i.e., via email), the healthcare provider qualifies as a Covered Entity and every transaction automatically becomes a HIPAA-covered transaction – making the healthcare provider a HIPAA Covered Entity.

It is important to be aware that if a healthcare provider does not qualify as a Covered Entity because it does not conduct HIPAA transactions or does not conduct them electronically, the healthcare provider may still be required to comply with the Privacy, Security, and Breach Notification Rules if they provide a service for or on behalf of another Covered Entity as a Business Associate.

Educational Institutions

School, college, and university medical facilities are generally assumed to not qualify as Covered Entities because students’ health information is classified as part of student educational records under the Family Educational Rights and Privacy Act (FERPA). Therefore, when FERPA-covered health information is disclosed by a school, college, or university to a health plan, it is not HIPAA-covered Protected Health Information and the standards of the Privacy Rule and Security Rule do not apply. However, not all educational institutions are covered by FERPA.

If a school, college, or university does not receive federal funds, it is not an educational institution as defined by FERPA. In such cases, individually identifiable health information collected, received, maintained, or transmitted to a health plan qualifies as Protected Health Information and the educational institution qualifies as a HIPAA Covered Entity – provided the disclosure relates to a transaction for which HHS has developed standards and the transaction is conducted electronically.

One further complication relating to educational institutions is if a school, college, or university medical facility provides health care for both students and the public. In such circumstances, the educational institution becomes a “hybrid entity” in which students’ health information is protected by FERPA, and the publics’ health information is subject to the HIPAA Privacy and Security Rules. Under a hybrid arrangement, both sets of health information must be isolated from each other.

More about Hybrid, Partial, and Affiliated Entities

Schools, colleges, and universities are not the only examples of hybrid entities. Employers that administer self-funded group plans can be hybrid entities inasmuch as health information relating to employment records has to be isolated from Protected Health Information relating to health claims. Similarly, insurance issuers that offer health insurance and (for example) auto insurance have to keep each type of record separate – even when an auto insurance client receives medical treatment as part of their auto insurance policy following an auto accident.

Partial entities are different from hybrid inasmuch as they only have to comply with specific parts of HIPAA. Certain types of externally administered self-insured health plans have already been provided as an example a partial entity, and a further example is prescription drug card sponsors.

Prescription drug card sponsors were added to the HIPAA definition of Covered Entities by the Medicare Prescription Drug, Improvement, and Modernization Act of 2003. However, as these entities do not conduct electronic transactions, they are only required to comply with the standards of the Privacy Rule relating to permissible uses and disclosures of Protected Health Information.

Affiliated Entities are legally separate Covered Entities under the same ownership or control. Being affiliated enables units within the group to disclose Protected Health Information to each other without the need for individual Business Associate Agreements. This system increases integration and efficiency but can also lead to unjustified complaints about impermissible uses and disclosures.

The Organizational Requirements of the General Rules include additional safeguards to prevent unauthorized disclosures to other business units under the same ownership or control that do not qualify as Covered Entities. For example, healthcare providers under the same ownership can designate themselves as an Affiliated Entity; but, if the parent organization is not a Covered Entity, it is not possible to disclose Protected Health Information to the parent organization.

Why HIPAA Definitions are Important to Know

The HIPAA definition of Covered Entities is just one example of the complexity of HIPAA and the challenges of compliance. However, with a better understanding of the HIPAA definitions, some organizations may be able to reduce the amount of effort required to comply with HIPAA – provided they let patients and clients know to avoid unjustified complaints to HHS’ Office for Civil Rights.

The post The HIPAA Definition of Covered Entities Explained appeared first on HIPAA Journal.

Discussing HIPAA compliance for hospitals in a single article is challenging. Not only is there so much to cover, but there are also many different types and sizes of hospitals. This means there is no one-size-fits-all guide to HIPAA compliance for hospitals, but rather checklists that can help hospitals cover the basics of the compliance requirements.

It is also the case that, regardless of the level of effort put in to comply specifically with HIPAA, most hospitals already comply with HIPAA to some degree due to the measures implemented in order to participate in Medicare. For example, most Medicare-participating hospitals already have:

• A Notice of Rights which includes the hospital’s grievance procedures
• Procedures to respond to patients’ requests to access medical records
• Measures in place to ensure the confidentiality of patient records
• A system that maintains the availability of records during an emergency
• Physical safeguards that comply with the Health Care Facilities Code (NFPA 99)

To start on the path to HIPAA compliance for hospitals, it does not take a great deal of effort to incorporate a Notice of Privacy Practices into the Notice of Rights, to adopt existing patient access procedures to accommodate requests for amendments or requests to limit uses and disclosures, and to upgrade confidentiality, availability, and physical safeguards to meet HIPAA standards.

What is Required to Comply with HIPAA?

Although it may not take a great deal of effort to upgrade existing Medicare measures to HIPAA standards, it is important the method used is organized. If HIPAA compliance is approached in a haphazard manner, it can result in gaps in compliance, which can result in avoidable HIPAA violations, which can lead to penalties being issued by the HHS’ Office for Civil Rights.

Therefore, one of the most thorough ways to address HIPAA compliance for hospitals that already have measures in place to fulfill the Medicare requirements is to designate a Privacy Officer responsible for compliance with the HIPAA Privacy and Breach Notification Rules and a Security Officer responsible for compliance with the HIPAA Security Rule.

Thereafter, hospitals can start to identify what is required to comply with HIPAA by following the Administrative Requirements of the Privacy Rule (§164.530) and the Administrative Safeguards of the Security Rule (§164.308). Between them, these two standards will enable Compliance Officers to compile an inventory of where in the organization Protected Health Information is created, received, maintained, or transmitted, and identify threats to its confidentiality, integrity, and availability.

The Five Areas of HIPAA Compliance for Hospitals to Focus On

Assuming that most hospitals already comply with the HIPAA Administrative Requirements (as this is also a condition of Medicare participation), the five areas of HIPAA compliance for hospitals to focus on are:

• The standards of the Privacy Rule relating to patients’ rights
• Permissible uses and disclosures of Protected Health Information
• Policies and procedures to comply with the Breach Notification Rule
• The Administrative, Physical, and Technical Safeguards of the Security Rule
• Reasonable due diligence on Business Associates and ensuring HIPAA-compliant Business Associate Agreements are in place

The Standards of the Privacy Rule Relating to Patients´ Rights

The standards of the Privacy Rule relating to patients´ rights are more comprehensive than those that apply for Medicare participation, and right of access failures are one of the leading reasons for complaints being made to HHS´ Office for Civil Rights.

Additionally, Protected Health Information can be maintained in multiple designated record sets – which is why it is beneficial to compile an inventory of Protected Health Information so this information can be used to respond to patients exercising their access rights more efficiently.

It is also important to be aware patients´ rights under HIPAA go much further than Medicare. For example, patients can choose how they are contacted, request certain health information is withheld, and request an accounting of disclosures to ensure their wishes are complied with.

Permissible Uses and Disclosures of Protected Health Information

The permissible uses and disclosures of Protected Health Information is one of the most complicated areas of the Privacy Rule – notwithstanding that sources provide conflicting information about what is considered Protected Health Information under HIPAA. Privacy Officers must develop policies and procedures that clearly explain which uses and disclosures are permissible and which require authorization from a patient, and when patients should be given an opportunity to agree or object to a use or disclosure. The policies and procedures should be included in HIPAA training – along with guidance over the minimum necessary standard, incidental disclosures, and what needs to be included in a patient’s authorization to ensure it is valid.

Policies and Procedures to Comply with the Breach Notification Rule

Also included in HIPAA training should be an explanation of how members of the workforce should report violations of HIPAA to their supervisor or Privacy Officer. Ideally, a system should be implemented to facilitate anonymous reports. Thereafter, there needs to be a system in place to determine whether a violation of HIPAA constitutes a breach of unsecured Protected Health Information, and – if so – there also needs to be procedures prepared for notifying individuals and the HHS’ Office for Civil Rights. If not already included in HIPAA training, all members of the workforce must be advised of the sanctions for violating HIPAA and be given a copy of the organization’s HIPAA sanctions policy, even if a sanctions policy already exists in the employees’ terms of employment.

The Administrative, Physical, and Technical Safeguards of the Security Rule

Most hospitals will already have some Administrative, Physical, and Technical Safeguards in place – not necessarily due to complying with the Medicare requirements of participation, but because of the need to secure data, servers, and networks from external threats. However, it is important that any existing risk management programs, access management programs, and emergency response programs are updated to HIPAA standards, and that technologies are upgraded to support requirements such as audit trails and event logs. Security and awareness training is required for all members of the workforce – not only those with authorized access to electronic Protected Health Information – and the Security Rule also requires a sanctions policy to mitigate the risk of non-compliance with Security Rule policies.

Reasonable Diligence on Business Associates and Business Associate Agreements

The term “reasonable diligence” applies frequently throughout the HIPAA Administrative Simplification Regulations, and while it is not always in the context of transactions with other Covered Entities or Business Associates, there is an expectation that hospitals will exercise reasonable diligence before disclosing Protected Health Information to any third party. 164.504(e)(ii) of the Privacy Rule is particularly relevant to relationships with Business Associate inasmuch as this standard states, “A covered entity is not in compliance […], if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under the contract or other arrangement”. The implementation specifications of this standard and in the Administrative Safeguards of the Security Rule detail what should be included in a Business Associate Agreement. Both the hospital’s Privacy and Security Officers should review existing Agreements to ensure they comply with these standards and revise the Agreements as necessary.

Further Help with HIPAA Compliance for Hospitals

As mentioned in the introduction to this article discussing HIPAA compliance for hospitals in a single article is challenging. Not only are hospitals of different types and sizes, but they may also be at different stages of their compliance journeys. Therefore, to help hospitals with their HIPAA compliance efforts, we have compiled a HIPAA compliance checklist containing more comprehensive information on the five areas of HIPAA compliance for hospitals to focus on.

The post HIPAA Compliance for Hospitals appeared first on HIPAA Journal.

Generally, HIPAA compliance for nurses is considered to mean adhering to policies and procedures developed by an organization’s HIPAA Privacy Officer and applying the best practices of security awareness training provided by an organization’s HIPAA Security Officer. However, sometimes it is necessary to do more than provide basic training to help nurses work compliantly.

Under the Administrative Requirements of the HIPAA Privacy Rule, Covered Entities are required to implement policies and procedures with respect to Protected Health Information that are designed to meet the requirements, standards, and implementation specifications of the HIPAA Privacy and Breach Notification Rules. Thereafter, Covered Entities are required to train all members of the workforce on the policies and procedures “as necessary and appropriate for the members of the workforce to carry out their functions with the Covered Entity”. The training should include details of the sanctions that apply when a nurse violates HIPAA.

Additionally, under the Administrative Safeguards of the HIPAA Security Rule, all members of the workforce must participate in a security awareness and training program. Both Covered Entities and Business Associates are required to provide this training, plus send members of the workforce periodic security reminders.

So, should nurses have to worry about HIPAA compliance as long as they adhere to their organization’s policies and procedures and apply the best practices of security awareness training? Unfortunately, yes, because it is not always possible for organizations to train nurses on everything they need to know to work in compliance with HIPAA.

The Primary Issue with HIPAA Training for Nurses

The primary issue with HIPAA training for nurses is that there is a lot for nurses to learn. As well as understanding what Protected Health Information (PHI) is nurses have to be aware of when PHI can be used or disclosed in a manner permitted by the HIPAA Privacy Rule, when a patient should be given an opportunity to agree or object to a disclosure, and when a patient authorization is required.

Additionally, nurses have to know what the Minimum Necessary Standard consists of, what to do in the event of an incidental disclosure of PHI, and the policies and procedures for patients who wish to exercise their access rights to PHI or request an accounting of disclosures. Then there are policies and procedures for reporting a HIPAA violation or impermissible disclosure of unsecured PHI. Absorbing and applying all this information – not to mention the information included in security awareness training – is asking a lot of nurses, especially as they may also have to undergo Medicare training, FDA training, OSHA training, emergency preparedness training, discipline-specific training, and/or training on state and local laws that preempt HIPAA or other federal regulations.

What exacerbates this issue is that Covered Entities are only required to provide HIPAA training for nurses when a nurse first joins the workforce or when there is a material change to policies and procedures. If there are no material changes to policies or procedures, a nurse could work for years in a healthcare facility without ever receiving HIPAA refresher training.

Why HIPAA Compliance for Nurses can be a Problem

In addition to the volume of information nurses have to absorb, and the lack of mandated refresher training, the pressures of work can affect how well nurses are able to comply with HIPAA policies. Patients’ behaviors – or those of emotionally evocative family members and friends – can influence how nurses respond in stressful situations, including those covered by HIPAA.

In such situations, it is understandable that a harassed, busy, or upset nurse may disclose more than the minimum necessary PHI or fail to “exercise professional judgment [if] a disclosure is determined to be in the best interests of the individual.” Although these situations are more likely to occur in emergency care, they can happen in any healthcare setting.

It can also be the case that the pressures of work result in shortcuts being taken “to get the job done”. These could be shortcuts as seemingly innocuous as sharing login credentials to an EHR or using a personal mobile device to communicate PHI. Still, these are HIPAA violations that could cause harm, and – if allowed to continue – non-compliance can deteriorate into a cultural norm.

These stressors – and nurses’ responses to them – are events that take place every day in healthcare facilities across the country, but it is not sufficient to accept they happen and allow them to go unaddressed. Failings in HIPAA compliance for nurses can damage patient trust and undo some of the provable benefits of HIPAA compliance in healthcare facilities.

How to Overcome the Problem of HIPAA Compliance for Nurses

The way the HIPAA compliance problem for nurses can be overcome is for Covered Entities to provide online HIPAA refresher training for nurses, who can take the training when time allows. Many online HIPAA training courses come in small, easy-to-digest modules so the volume of information provided per training session is not overwhelming. Providing HIPAA training for nurses in this format not only has the advantage of keeping HIPAA compliance for nurses “front of mind”, but also demonstrates a good faith effort by a Covered Entity to run a compliant operation if the organization is investigated for a HIPAA violation or a breach of unsecured PHI by HHS´ Office for Civil Rights.

The post HIPAA Compliance for Nurses appeared first on HIPAA Journal.

What is HIPAA? HIPAA is an acronym for the Health Insurance Portability and Accountability Act. Among other measures, the Act led to the establishment of federal standards for safeguarding patients´ “Protected Health Information” (PHI) and ensuring the confidentiality, integrity, and availability of PHI created, maintained, processed, transmitted, or received electronically (ePHI).

When the Health Insurance Portability and Accountability Act was passed by Congress in 1996, the establishment of federal standards for safeguarding PHI was not one of the primary objectives. Indeed, the long title of the Act doesn´t even mention patient privacy or data security:

“An Act to amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.”

So how did HIPAA evolve from being a vehicle for improving the portability and continuity of health insurance coverage to being one of the most comprehensive and detailed federal privacy laws?  The answer can be found deep in the Administrative Simplification provisions of HIPAA Title II.

What is HIPAA Title II?

HIPAA consisted of five Titles addressing the primary objectives of the Act:

• Title I: Health care access, portability, and renewability.
• Title II: Preventing health care fraud and abuse; administration simplification; medical liability reform.
• Title III: Tax-related health provisions governing medical savings accounts.
• Title IV: Application and enforcement of group health plan requirements.
• Title V: Revenue offsets governing tax deductions for employers.

Most of HIPAA Title II concerns measures to control health plan fraud and abuse (rather than health care fraud and abuse), the allocation of funds to pay for the measures, and sanctions against individuals or organizations that defraud or abuse a health plan or program. The provisions related to administrative simplification are discussed below, while the provisions for medical liability reform (of which there are few) only relate to whistle blower protection for reporting fraud and abuse.

With regards to the Administrative Simplification provisions, the preamble states their purpose is to improve the Medicare and Medicaid programs, and the efficiency of the health care system via a “the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information”. The responsibility for accomplishing this purpose is delegated to the Secretary for Health & Human Services (HHS).

The preamble could give the impression that the Administrative Simplification provisions of HIPAA Title II will improve accessibility to and affordability of the Medicare and Medicaid programs, or that the development of a health information system would streamline the provision of healthcare between providers. However, when you read the Administrative Simplification provisions, their primary purpose is to reduce the administrative costs of providing and paying for health care.

The Administrative Simplification provisions were important in the context of improving the portability and continuity of health insurance coverage because it was necessary to improve portability and continuity without increasing administration costs. Any increase in administration costs would have been passed on by covered health plans as increased costs to healthcare providers and as increased premiums for insurance coverage – something Congress was keen to avoid.

The final Administrative Simplification provision is possibly the most important of all – requiring the Secretary for Health & Human Services to develop “recommendations on standards with respect to the privacy of individually identifiable health information”. If Congress did not enact federal privacy legislation within three years, the Secretary was to issue the recommendations as a Final Rule. Ultimately this short passage of HIPAA Title II was to become the HIPAA Privacy Rule.

The Regulatory Landscape when HIPAA was Passed

So far, we´ve answered the question what is HIPAA by providing an overview of the Act, identifying where the provisions were within the Act that triggered the Privacy and Security Rules, and specifying who was delegated responsibility for developing the Rules. To best explain what happened next, it is important to understand the regulatory landscape at the time and the patchwork of legislation that influenced the development of the Privacy and Security Rules.

Prior to the passage of HIPAA, only ten states granted individuals privacy rights in their constitutions, although the privacy of individuals with specific conditions was required by federal law. For example, the Veterans Omnibus Health Care Act 1976 protects the privacy of medical records held by the Dept of Veterans Affairs relating to drug abuse, alcohol abuse, and AIDS. In addition, consumers of federal programs such as Medicare and Medicaid also have privacy rights under the Privacy Act 1974 – but only for records maintained by the Centers for Medicare & Medicaid Services (CMS).

The patchwork of legislation often failed to prevent unauthorized disclosures of personal health or payment information. Furthermore, unless a patient´s data was protected by an existing state or federal law, data could be freely exchanged between (for example) health plans and finance agencies – which could affect the patient´s ability to apply for a home mortgage. Similarly, a health plan could find out about a patient´s condition or treatment through non-regulated channels and increase the patient´s premiums or deductible – even if the patient had paid for treatment privately.

In addition to accommodating existing state and federals laws, the Secretary of Health & Human Services was given guidelines to work within. In respect of reducing the administrative costs of providing and paying for health care, HHS had to develop standards for the electronic exchange, privacy, and security of health information in financial and administrative transactions, while the recommendations on standards with respect to the privacy of individually identifiable health information had to cover:

• The rights that an individual who is a subject of individually identifiable health information should have.
• The procedures that should be established for the exercise of such rights.
• The uses and disclosures of such information that should be authorized or required.

Because the standards relating to the privacy of individually identifiable information were subject to a three year delay, the Notice of Proposed Rulemaking for the Security Rule was the first to be issued in 1998. The Notice of Proposed Rulemaking for the Privacy Rule was issued in 1999; but due to several years of revisions due to stakeholder comments, public hearings, and other issues, the Privacy Rule was not published until 2002, and the Security Rule until the following year.

Rules Extend Privacy Rights and Data Security Nationwide

The Privacy and Security Rules introduced minimum privacy, technical, physical, and administrative requirements that apply to all “Covered Entities” nationwide, unless state laws, alternative federal legislation, or professional regulations have more stringent requirements. HIPAA preempts all other federal, state, and professional regulations. The safeguards also apply to Business Associates who provide services for Covered Entities, and contractors who provide services for Business Associates.

An Enforcement Rule was introduced in 2006 to tackle noncompliance with HIPAA; and, in 2009, the HHS´ Office for Civil Rights issued its first financial penalty for a violation of HIPAA – CVS Pharmacy Inc. being ordered to pay $2.25 million for the improper disposal of patient health records. Multiple penalties have since been issued – not only by the Office for Civil Rights, but also by State Attorney Generals. The DoJ has also pursued several successful criminal convictions for violations of HIPAA.

Further Rules have reinforced the importance of HIPAA compliance. The Breach Notification Rule in 2009 made it a requirement for Covered Entities and Business Associates to report data breaches to individuals, the Office for Civil Rights, and – in some cases – the media. The Rule also shifted the burden of proof. Previously, OCR would have to establish a breach had occurred. Now, organizations have to prove an unauthorized disclosure of unsecured PHI does not constitute a breach.

In 2013, the Omnibus Final Rule enacted provisions of the HITECH Act which made changes to the Security Rule to improve data security and further restrict access to ePHI. The Omnibus Final Rule also enhanced HHS´ powers to enforce HIPAA, updated the Breach Notification Rule, and made Business Associates directly liable for data breaches and HIPAA violations. Changes to the Privacy Rule are currently under consideration that may affect the answer to what is HIPAA in the future.

The post What is HIPAA? appeared first on HIPAA Journal.

It is important to understand the HIPAA guidelines for nursing students because of the role nursing students play in the provision of healthcare and because of the threats to the privacy of Protected Health Information (PHI) when nursing students have received insufficient training to perform their roles in compliance with HIPAA.

The nursing profession is not easy; and, when nursing students start on their career path, there is a lot to take in. In addition to learning the skills of their profession and completing years of coursework, nursing students are frequently asked to assist with the provision of healthcare. Although they are most usually supervised when working with patients, the risk exists that – without an understanding of HIPAA – violations of HIPAA could occur due to a lack of knowledge.

For example, if a nursing student shares the events of the day with friends via social media, it is important the student has been trained on what constitutes PHI, when it can be disclosed, and the penalties for disclosing PHI without consent. If the student has not been trained on the HIPAA guidelines for nursing students – and they reveal the name of a patient in a social media post – the consequences could impact both the training institution and the student´s future nursing career.

Who is Responsible for Training Nursing Students on HIPAA?

The HIPAA guidelines for nursing students are the same as the HIPAA guidelines for any other member of a Covered Entity´s workforce. This is because the HIPAA Privacy Rule defines a Covered Entity´s workforce as “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Entity, is under the direct control of such Covered Entity, whether or not they are paid by the Covered Entity”.

However, if a nursing student is studying at a teaching institution that does not qualify as a Covered Entity (i.e., one that does not provide healthcare services to non-students), the HIPAA guidelines for nursing students do not apply to the teaching institution. In this case, the medical facility at which a nursing student takes a placement or works on a clinical rotation will be the entity responsible for training nursing students on HIPAA – assuming the medical facility is a Covered Entity.

This is where issues can arise in understanding the HIPAA guidelines for nursing students because Covered Entities are only required (by 45 CFR § 164.530) to provide training on “policies and procedures in respect of PHI […] as necessary and appropriate for members of the workforce to carry out their functions”. This requirement means nursing students may not fully understand policy and procedure training due to a lack of basic knowledge about the Privacy and Security Rules.

How to Mitigate Potential Violations due to a Lack of Knowledge

Covered Entities – whether they are training institutions or medical facilities – can mitigate the risk of potential HIPAA violations due to a lack of knowledge by providing basic HIPAA training to all students and new, inexperienced employees. This will give them a grounding in the background to HIPAA, so they are better equipped to understand – and comply with – policies relating to unauthorized disclosures, the Minimum Necessary Standard, and patients´ rights.

The basic HIPAA training should also include subjects such as computer safety rules, threats to patient data, and protecting ePHI from cyber threats so students can better understand security and awareness training (as required by 45 CFR § 164.308), better appreciate why the Technical Safeguards of the Security Rule limit access to ePHI, and better recognize phishing attempts and other attacks that could result in malware being installed on healthcare systems.

To reduce the overhead of providing basic HIPAA training to students, Covered Entities can take advantage of off-the-shelf HIPAA training packages. While these packages do not replace a Covered Entity´s obligation to provide policy and procedure training, they offer training in online modules students can take in their own time, monitor each student´s progress through the course, and can get reused for annual refresher training on the HIPAA guidelines for nursing students.

Refresher Training on the HIPAA Guidelines for Nursing Students?

As mentioned previously, nursing students have a lot to take in when embarking on a nursing career; and, when basic HIPAA training has been provided at the start of a course, it can be easy for elements of  HIPAA training to be swamped by the volume of other information students have to absorb. However, a knowledge of HIPAA is vital when students qualify and start working for a Covered Entity, so it is recommended refresher HIPAA training is provided at least annually.

The provision of refresher training on the HIPAA guidelines for nursing students not only keeps HIPAA compliance at front of mind but can help overcome bad influences that can compromise compliance – such as when shortcuts are taken by nursing professionals “to get the job done” and non-compliant practices become the cultural norm. This case study illustrates how cultural norms in nursing units can negatively effect compliance and potentially end students´ careers.

The case study also illustrates why compliance experts recommend HIPAA refresher training is provided at least annually to all members of a Covered Entity´s workforce. While scheduling refresher training can be difficult during staff shortages or health emergencies, the online modular courses used to train students on the HIPAA guidelines for nursing students can be rolled out time and time again to save Covered Entities time and money and enhance their compliance profiles.

The post HIPAA Guidelines for Nursing Students appeared first on HIPAA Journal.