HIPAA Training

National HIPAA Summit – Reader Offer Discount Code

The National HIPAA Summit is the leading forum on healthcare EDI, privacy, breach notification, confidentiality, data security, and HIPAA compliance, and the deadline for registration for the Virtual 40th National HIPAA Summit is fast approaching. The event provides a tremendous opportunity for learning through HIPAA workforce training sessions and keynote speeches from top government officials and leading industry professionals.

Reader Offer: $100 Off Registration Fee

The HIPAA Journal has a $100 discount for readers. Enter “HIPAAJournal” (not case sensitive) on the Registration Page. This is a reader offer for the benefit of The HIPAA Journal readers. (Not a sponsored post, or an affiliate link)

Register for the Virtual 40th National HIPAA Summit Here

Attendees will gain valuable insights into health information privacy, healthcare cybersecurity, HIPAA enforcement, and a wealth of information to help them maintain HIPAA compliance and take healthcare data privacy and security to the next level.

This year, the HIPAA Summit is being co-chaired by:

  • Adam Greene, JD, MPH – Partner and Co-chair, Health Information & HIPAA Practice, Davis Wright Tremaine LLP, HIPAA Summit Distinguished Service Award Winner, Former Senior Health Information Technology and Privacy Specialist, Office for Civil Rights, HHS, Washington, DC
  • Kirk J. Nahra, JD – Partner and Co-chair of the Privacy and Cybersecurity Practice, Wilmer Hale, Adjunct Professor, American University Washington College of Law, Washington, DC
  • Iliana Peters, JD, LLM – Shareholder, Polsinelli, Former Acting Deputy Director, Health Information Privacy, Office for Civil Rights, US Department of Health and Human Services, Washington, DC
  • Robert M. Tennant, MA – Vice President, Federal Affairs, Workgroup for Electronic Data Interchange (WEDI); Former Director, HIT Policy, Medical Group Management Association; Washington, DC

Virtual 40th National HIPAA Summit – March 7-10, 2023

The Virtual 40th National HIPAA Summit runs March 7-10, 2023, and is split into several mini-summit groups. These groups cover privacy and HIPAA compliance best practices, HIPAA breach trends, and HIPAA enforcement initiatives. This year’s mini-summits include post-Dobbs reproductive health information privacy, privacy risks from website tracking technologies, current and emerging security risks, medical and wearable device cybersecurity, incident response and breach notification best practices, privacy and security in the metaverse, business associate compliance and risk management, lessons learned from healthcare ransomware attacks, and more.

Government Keynote Speakers

  • Nicholas Heesters, MEng, JD, CIPP – Senior Advisor for Cybersecurity, Office for Civil Rights, US Department of Health and Human Services, Philadelphia, PA
  • Melanie Fontes Rainer, MSME, JD – Director, Office for Civil Rights, HHS; Former Senior Advisor, Healthcare to Attorney General, CA DOJ; Former Chief of Staff, Medicare-Medicaid Coordination Office, Centers for Medicare & Medicaid Services, Washington, DC
  • Micky Tripathi, MPP, PhD – National Coordinator for Health Information Technology, US Department of Health and Human Services, Washington, DC
  • Elisa K. Jillson, JD – Counsel to the Director, Bureau of Consumer Protection, U.S. Federal Trade Commission, Washington, DC

Keynote Speakers

  • Patrice Ettinger, JD, CIPP/US – Chief Privacy Officer, Pfizer; Past Chair, International Association of Privacy Professionals; Former Chief Privacy Officer, Avon, New York, NY
  • Sally Greenberg – Executive Director, National Consumers League; Former Senior Product Safety Counsel, Consumers Union; Former Eastern States Civil Rights Counsel, Anti-Defamation League, Washington, DC
  • Trevor Hughes, JD, CIPP – President and Chief Executive Officer, International Association of Privacy Professionals; Former Executive Director, Network Advertising Initiative and Email Sender and Provider Coalition, Boston, MA
  • Walter E. Johnson, MS, CCEP, CCEP-I, CHC, CHPC – Assistant Privacy Officer, Inova Health System; President, Health Care Compliance Association, Washington, DC
  • Deven McGraw, JD, MPH, LLM – Cofounder and Lead, Data Stewardship & Data Sharing, Invitae; Former Deputy Director, Health Information Privacy, OCR, HHS, Redwood City, CA
  • Faith Myers, JD – Chief Privacy Officer & Vice President, Global Privacy, McKesson; Chief Privacy Officer & Senior Vice President, Compliance Officer, CoverMyMeds, Smyrna, GA
  • Jules Polonetsky, JD – Chief Executive Officer, Future of Privacy Forum; Former Chief Privacy Officer, AOL and DoubleClick; Former Consumer Affairs Commissioner, New York City; Former Member, New York State Assembly; Former Legislative Aide, Congressman Charles Schumer, Washington, DC
  • Daniel J. Solove, JD – John Marshall Harlan Research Professor of Law, George Washington University Law School; Founder, TeachPrivacy; Author, Understanding Privacy; Information Privacy Law; The Future of Reputation: Gossip, Rumor, and Privacy on the Internet; and The Digital Person: Technology and Privacy in the Information Age, Washington, DC
  • Gerry Zack, MBA, CPA, CFE, CIA, CRMA – Chief Executive Officer, Health Care Compliance Association (HCCA) and Society of Corporate Compliance and Ethics (SCCE); Former Chair, Association of Certified Fraud Examiners (ACFE), Minneapolis, MN

On Tuesday, February 28, 2023, there is a preconference professional certification training day for the Certified Cyber Security Architect (CCSA) credential (separate registration required). This is followed by the preconference basic training day on March 2, 2023. The preconference basic training day is included in the basic HIPAA Summit registration and consists of 8 training sessions, followed by a HIPAA Workforce Training Faculty Q&A.

2023 HIPAA Summit – HIPAA Workforce Training Sessions

  • HIPAA Privacy Basics – Adam Greene, JD, MPH
  • Breach Notification Rule and HIPAA Enforcement Rule Basics – Iliana Peters, JD, LLM
  • HIPAA Security Basics – David Holtzman, JD, CIPP/US/G
  • How to Achieve the Right Balance of Data Privacy and IT Security – Pamela Hrubey, DrPH, CIPM, CIPP/US, CCEP
  • Business Associate Basics – John Haskell, JD
  • Basics of State Privacy and Security Laws and Relationship to Federal Regulation – Sheila Sokolowski, JD
  • The Basics of Information Blocking – Jodi Daniel, JD, MPH
  • HIPAA Administrative Transactions Basics – Robert M. Tennant, MA

The full schedule for the event can be downloaded here – HIPAA Summit Schedule (PDF). The event will be live-streamed, and an archive of the webcast will be made available to registered individuals for several months after the event for workforce training purposes.


Reader Offer: $100 discount

The HIPAA Journal has a $100 discount for readers simply enter “HIPAAJournal” (not case sensitive) on the Registration Page.

Register for the Virtual 40th National HIPAA Summit Here

This is a reader offer for the benefit of The HIPAA Journal readers. This is not a sponsored post, this is not an affiliate link, The HIPAA Journal has no financial arrangement with The HIPAA Summit.

The post National HIPAA Summit – Reader Offer Discount Code appeared first on HIPAA Journal.

HIPAA Meaning of Protected Health Information

According to HHS’ Enforcement Highlights web page, the most common issue alleged in complaints to the Office for Civil Rights (OCR) is impermissible uses and disclosures of Protected Health Information. This is often interpreted as a failure to understand which uses and disclosures are permissible without patient authorizations; however, it could be just as likely there is a failure to understand the HIPAA meaning of Protected Health Information.

One possible reason for misunderstanding the HIPAA meaning is that the term “Protected Health Information” does not appear in the original text of HIPAA. Furthermore, rather than appearing at the start of the Privacy Rule, the HIPAA meaning of Protected Health Information is defined at the start of the Administrative Simplification General Rules (§160.103). The definition – abridged for clarity – reads:

“Protected Health Information means individually identifiable health information […] that is (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium.”

This definition applies to all individually identifiable health information collected, received, maintained, or transmitted by a HIPAA Covered Entity or a Business Associate providing a service to or on behalf of a Covered Entity or other Business Associate. However, there are some exceptions.

Students’ medical records maintained by an educational institution (that qualifies as both a FERPA-defined educational institution and a HIPAA-defined Covered Entity) are excluded from the HIPAA meaning of Protected Health Information because they are part of student educational records.

Individually identifiable health information maintained by a Covered Entity in its role as an employer (i.e., workplace injury reports, etc.) is also excluded from the HIPAA meaning of Protected Health Information, as is information relating to individuals who have been deceased for more than 50 years.

The HIPAA Meaning of Individually Identifiable Health Information

It can be difficult to fully understand the HIPAA meaning of Protected Health Information without understanding the HIPAA meaning of individually identifiable health information – defined in the Administrative Simplification General Rules as a subset of health information created or received by a health care provider, health plan, employer, or health care clearinghouse that:

  • Relates to the past, present, or future physical or mental health or condition of an individual,
  • the provision of health care to an individual; or
  • the past, present, or future payment for the provision of health care to an individual; and
  • that identifies the individual or could be used to identify the individual.

This definition raises several issues because not all healthcare providers or insurance companies that provide health benefits are Covered Entities, employers are generally not regarded as Covered Entities – but can be in some circumstances – and whereas the definition of Protected Health Information (above) applies to Business Associates, they are not mentioned in this definition.

With regards to the applicability of this definition to Business Associates, this is covered in §160.102 of the General Rules, in which paragraph (b) states: “Where provided, the standards, requirements, and implementation specifications adopted under this subchapter apply to a Business Associate” – “this subchapter” meaning the Administrative Simplification Regulations Parts 160, 162, and 164.

The issues relating to which organizations qualify as Covered Entities, Partial Entities, Hybrid Entities, and Affiliated Entities are discussed in our article explaining the HIPAA definition of a Covered Entity. However, while qualification issues may be confusing for some, the biggest challenge to understanding the HIPAA meaning of Protected Health Information is what constitutes health information that is individually identifiable.

What Constitutes Health Information that is Individually Identifiable?

One of the reasons why challenges exist in understanding the HIPAA meaning of Protected Health Information is that several online sources have conflated the definition of Protected Health Information with “the 18 HIPAA identifiers”. It is important to be aware that the two are very different, and that relying on the 18 HIPAA identifiers to determine what Protected Health Information is could explain why so many complaints allege impermissible uses and disclosures of Protected Health Information.

Assuming the definition of health information is understood (“relates to the past, present, or future physical or mental health” etc.), individually identifiable health information is any information maintained in the same designated record set as health information that can – or that could be used to – identify the subject of the health information. Importantly, once in a designated record set, identifying information does not have to be attached to health information to be protected.

For example, if a designated record set contains:

  • An x-ray of a broken arm referencing the patient
  • The patient’s date of birth
  • The patient’s contact details
  • The patient’s payment details

While in the same designated record set, all four items are Protected Health Information – the x-ray of the broken arm and the patient’s payment details because they are items of information that relate to the patient’s health and payment for treatment, and the other two items because they are maintained in the same designated record set as the health and payment information.

If the names, birth dates, and contact details of patients are maintained in a separate record set or database that does not contain health or payment information, these items may not be Protected Health Information on their own. However, as previously stated, individually identifiable information must be protected if it relates to the past, present, or future physical or mental health of an individual. When names, birth dates, and contact details are collected, stored, and maintained by a healthcare provider, their presence can itself indicate that the individual is, was, or will be a patient, and patient status is Protected Health Information. OCR recently confirmed this in its guidance on website tracking technologies.

More about Designated Record Sets and HIPAA Identifiers

As well as understanding the HIPAA meaning of Protected Health Information it is important for Covered Entities and their workforces to understand the concept of designated record sets. This is because a single Covered Entity can maintain multiple designated record sets about the same individual – who has the right to request copies of all information maintained about them and an accounting of disclosures from all designated record sets.

Knowing where Protected Health Information is maintained is one reason why it is important to conduct an audit of all Protected Health Information collected, received, maintained, or transmitted by the organization. An audit not only helps compliance officers develop policies and procedures to protect the privacy and security of Protected Health Information, but also identifies where it is maintained to accelerate responses to patient requests for copies and accountings of disclosures.

With regards to the 18 HIPAA identifiers, these are the categories of identifying information that must be removed from a record before the health information remaining in it ceases to be Protected Health Information under the safe harbor de-identification method (§164.514(b)(2)). Safe harbor also requires that the Covered Entity has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual; and it is only one of two permitted methods, the other being expert determination (§164.514(b)(1)). Importantly, the 18 identifiers are a de-identification standard. They are not, and were never intended to be, a definition of Protected Health Information.

It is also important to be aware that the list of 18 HIPAA identifiers is more than twenty years old. Since its publication, many more types of information that could identify – or be used to identify – an individual can appear in a designated record set. For example, Medicare Beneficiary Identifiers are not named explicitly, although they fall within the existing category of health plan beneficiary numbers; social media handles and distinguishing details such as an emotional support animal are not named either, but fall within the final catch-all category of “any other unique identifying number, characteristic, or code”. These identifiers must also be removed from a designated record set before it can be considered de-identified.
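The safe harbor method discussed above is mechanical enough to script, and doing so makes the two edge cases in §164.514(b)(2) visible: three-digit ZIP prefixes covering 20,000 or fewer people must be reduced to 000, and ages over 89 must be aggregated to “90 or older” with the birth year removed as well. The following Python is an added example, not code from HIPAA Journal or from any HIPAA tooling. The field names, the sample record, and the mapping of fields to identifier categories are assumptions for the illustration; the restricted ZIP prefix list is the one HHS guidance derived from 2000 Census data and should be verified against current data before use.

```python
"""Safe harbor de-identification of a single record (45 CFR 164.514(b)(2)).

Added example. Field names, the sample record, and the field-to-category
mapping are assumptions for the illustration, not a real schema.
"""
import re
from datetime import date

# Fields this example treats as direct identifiers (categories such as names,
# address below state level, phone/fax, email, SSN, MRN, plan/account numbers,
# licenses, vehicle/device IDs, URLs, IPs, biometrics, photos, other codes).
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
    "social_media_handle",
})

# Dates directly related to the individual: safe harbor keeps only the year.
DATE_FIELDS = frozenset({"dob", "admission_date", "discharge_date", "death_date"})

# Three-digit ZIP prefixes whose combined population is 20,000 or fewer
# (HHS guidance, based on 2000 Census data; verify against current data).
RESTRICTED_ZIP3 = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
})

# Identifiers that commonly leak through free-text fields such as notes.
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
}


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits unless that prefix is population-restricted."""
    prefix = zip_code.strip()[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def generalize_age(dob: date, as_of: date) -> str:
    """Exact age up to 89; everything older is aggregated to '90+'."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age > 89 else str(age)


def scrub_text(text: str) -> str:
    """Replace pattern-matchable identifiers inside free text."""
    for label, pattern in LEAK_PATTERNS.items():
        text = pattern.sub(f"[{label.upper()} REMOVED]", text)
    return text


def safe_harbor(record: dict, as_of: date) -> dict:
    """Return a new record with the 18 identifier categories removed or generalized."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # drop outright
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field in DATE_FIELDS:
            out[f"{field}_year"] = value.year
        elif isinstance(value, str):
            out[field] = scrub_text(value)
        else:
            out[field] = value
    if "dob" in record:
        out["age"] = generalize_age(record["dob"], as_of)
        if out["age"] == "90+":
            out.pop("dob_year", None)  # a birth year would reveal age > 89
    return out


def residual_identifiers(record: dict) -> list:
    """Flag text fields that still match a leak pattern. This is a pattern check
    only; safe harbor additionally requires no actual knowledge that the
    remaining data could identify the individual, which no regex can prove."""
    found = []
    for field, value in record.items():
        if isinstance(value, str):
            for label, pattern in LEAK_PATTERNS.items():
                if pattern.search(value):
                    found.append(f"{field}:{label}")
    return found


# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0004471",
    "email": "jane.sample@example.com",
    "dob": date(1931, 5, 14),
    "zip": "03601",
    "sex": "F",
    "admission_date": date(2022, 11, 3),
    "diagnosis": "Fractured radius",
    "notes": "Call patient at 603-555-0134 before discharge.",
}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE_RECORD, date(2023, 3, 1)))
```

Running `safe_harbor` on the sample record drops the name, MRN, and email, reduces the restricted 036 ZIP prefix to 000, keeps only the admission year, reports the age as 90+ while also withholding the birth year, and scrubs the phone number from the notes. `residual_identifiers` is the cheap post-check a reviewer would run on the output; a clean result from it is necessary but not sufficient for safe harbor.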

What Else is Important to Know about the HIPAA Meaning?

Returning to HHS’ Enforcement Highlights web page mentioned at the beginning of this article, the most common reason for complaints being rejected by OCR is the complaints allege a violation committed by an entity that is not covered by HIPAA.

This implies that not only might there be a failure to understand the HIPAA meaning of Protected Health Information, but also the HIPAA definition of a Covered Entity. For this reason, we have published a separate article explaining who is – and who isn’t – a HIPAA Covered Entity.

In conclusion, the HIPAA meanings of Protected Health Information, individually identifiable health information, and designated record sets can be confusing. It is also worth remembering that identifying information maintained outside a designated record set, while not protected by HIPAA, may still be protected by a state’s privacy or security regulations.

Privacy and Security Officers who are unsure of the distinction between Protected Health Information and the 18 HIPAA identifiers, what information needs to be removed from a designated record set before it is de-identified, or when identifying information is not Protected Health Information, should seek expert advice from a compliance professional.

The post HIPAA Meaning of Protected Health Information appeared first on HIPAA Journal.

HIPAA Law and Employers

Throughout the text of the Health Insurance Portability and Accountability Act (HIPAA) a lot of content connects HIPAA law and employers. From the exclusions to guaranteed health plan renewability in Title I to the conditions for deducting loan interest on life insurance plans in Title V, there are plenty of HIPAA laws for employers to comply with.

However, the most complex areas of HIPAA compliance for employers are the Administrative Simplification Regulations in Title II. These Regulations include the Privacy, Security, and Breach Notification Rules; and while these Rules are regarded as only being applicable to Covered Entities, there are standards some employers who are not HIPAA Covered Entities may have to comply with.

When is an Employer a HIPAA-Covered Entity?

Generally, an employer is a HIPAA Covered Entity when the employer is a health plan, a healthcare clearinghouse, or a healthcare provider that conducts electronic transactions for which the Department of Health and Human Services (HHS) has published standards. The standards for the electronic transactions that qualify an employer as a HIPAA Covered Entity appear in 45 CFR Part 162.

There are exceptions to this definition of a HIPAA Covered Entity, and it is possible for an employer who does not qualify as a Covered Entity to be “involved” in covered transactions if – for example – they act as an intermediary between an employee, a healthcare provider, and a health plan. Additionally, an employer that self-administers a health plan with fewer than 50 participants is not considered to be a Covered Entity under HIPAA unless it qualifies as a healthcare provider.

Employment Records, HIPAA Law, and Employers

One potentially confusing area of the Administrative Simplification Regulations relates to employment records, HIPAA law, and employers. This is because the definition of individually identifiable health information in §160.103 includes “information collected from an individual or created or received by a health care provider, health plan, employer, or health care clearinghouse.”

However, the definition of Protected Health Information (also in §160.103) excludes “employment records held by a Covered Entity in its role as an employer.” This exclusion applies to individually identifiable health information an employer might receive and maintain in an employment record to explain – for example – the reason for a leave of absence due to sickness or an injury.

Potential Privacy Issues with the Requirements

But what about other types of individually identifiable health information an employer might collect, create, or receive? For example, under §164.512, Covered Entities are allowed to disclose Protected Health Information to enable employers to comply with state and federal accident notification laws such as the Occupational Safety and Health Administration’s injury and illness recordkeeping and reporting requirements.

There is no requirement under HIPAA for employers to keep Protected Health Information of this nature secure (although state privacy and security laws may apply), and Covered Entities have no control over how it is further used or disclosed by the employer. This raises potential privacy issues if an employer not subject to state privacy and security laws fails to secure the information.

A Solution to Address Potential Privacy Issues

Whether an employer qualifies as a Covered Entity or not, one way to address potential privacy issues for individually identifiable health information not protected by HIPAA is to adopt a model of “voluntary partial compliance”. This involves implementing safeguards similar to those required by HIPAA to maintain the privacy and security of individually identifiable health information.

For organizations unfamiliar with these safeguards, a good place to start is by downloading a HIPAA Compliance Guide. Thereafter, if questions remain about how best to maintain the privacy and security of individually identifiable health information, it is recommended that employers seek advice from a HIPAA compliance professional.

The post HIPAA Law and Employers appeared first on HIPAA Journal.

The HIPAA Definition of Covered Entities Explained

The HIPAA definition of Covered Entities is generally explained as health plans, health care clearinghouses, and health care providers that conduct electronic transactions for which the Department of Health and Human Services (HHS) has developed standards. However, exceptions to this definition exist that can be responsible for unjustified complaints to the HHS’ Office for Civil Rights.

According to HHS´ Enforcement Highlights web page, the most common reason for HIPAA-related complaints being rejected by the HHS’ Office for Civil Rights is that the complaints allege a violation committed by an entity that is not a HIPAA Covered Entity. While it is not surprising some complaints are rejected for this reason, the fact it is the most common reason for complaints being rejected is notable when you consider the complexity of HIPAA and the volume of complaints the agency receives and rejects.

Since 2003, the HHS’ Office for Civil Rights has received more than 300,000 complaints and rejected more than 200,000. This implies tens of thousands of individuals – and possibly workforce members – do not understand the HIPAA definition of Covered Entities.

The HIPAA Definition of Covered Entities

The HIPAA definition of Covered Entities can be found in 45 CFR §160.103 of the Administrative Simplification General Rules. The definition is much the same as appears in the opening paragraph of this article inasmuch as:

“Covered entity means: (1) A health plan. (2) A health care clearinghouse. (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.” (“this subchapter” meaning Parts 160, 162, and 164 of the Administrative Simplification Regulations).

What the HIPAA definition of Covered Entities does not explain is what exceptions apply – potentially contributing to misunderstandings about what HIPAA Covered Entities are and unjustified complaints being sent to the HHS’ Office for Civil Rights.

Health Plans and Health Insurance Issuers

The HIPAA definition of Covered Entities implies that all health plans are Covered Entities; however, that is not the case. Employers’ self-insured and self-administered health plans are exempt if they have fewer than fifty members (under the definition of group health plans in §160.103). Even if an employer’s self-insured health plan is administered externally, it may still qualify for a partial exemption if the employer does not sponsor a health plan that includes a medical Flexible Spending Account or Health Reimbursement Account.

Additionally, although “health insurance issuers” are included in the HIPAA definition of health plans (also in §160.103), they are excluded from the above definition of Covered Entities if they provide only “excepted benefits” as listed in 42 U.S.C. §300gg-91(c)(1) (Public Health and Welfare). These excepted benefits include:

  • Coverage only for accident, or disability income insurance, or any combination thereof.
  • Coverage issued as a supplement to liability insurance.
  • Liability insurance, including general liability insurance and automobile liability insurance.
  • Workers’ compensation or similar insurance.
  • Automobile medical payment insurance.
  • Credit-only insurance.
  • Coverage for on-site medical clinics.
  • Other similar insurance coverage under which benefits for medical care are secondary or incidental to other insurance benefits.

Therefore, if you are involved in an auto accident, and your auto insurance provider covers your healthcare costs following the accident, the auto insurance provider is not required to comply with HIPAA with respect to the privacy and security of your individually identifiable health information. Other exceptions may also apply to health insurance issuers when certain types of benefits are offered separately (e.g., dental care, home health care) or when coverage is for a specified disease not included in a coordinated health insurance policy (e.g., COVID-19 travel insurance).

Healthcare Providers

The HIPAA definition of Covered Entities is clear that only healthcare providers that conduct electronic transactions for which the HHS has developed standards are considered to be Covered Entities. But what are the transactions, and which providers might not conduct them electronically? The standards the definition relates to can be found in Subparts D to S of the HIPAA Administrative Requirements (Part 162). Generally, these Subparts concern claims transactions between healthcare providers and health plans, the operating rules for claims, and the code sets to use in transactions.

In most cases, healthcare providers recover treatment costs from health plans, but there are some healthcare providers (for example, mental health counselors) who bill clients directly. Provided they do not use a third party for billing, these healthcare providers are not Covered Entities.

Healthcare providers that do recover treatment costs from health plans – but don’t do so electronically – are also excluded from the HIPAA definition of Covered Entities. Healthcare providers in this category can check eligibility, seek authorizations, and bill for payment via non-digital paper-to-paper fax or over the phone, and will not be Covered Entities as long as any health information disclosed in these communications is not stored electronically prior to the disclosure.

As soon as a healthcare provider transmits any health information electronically (e.g., via email) in connection with a covered transaction with a health plan, the provider meets the definition of a Covered Entity. From that point, the Privacy, Security, and Breach Notification Rules apply to all of the provider’s Protected Health Information, not only to the information sent in that one transaction.

It is important to be aware that if a healthcare provider does not qualify as a Covered Entity because it does not conduct HIPAA transactions or does not conduct them electronically, the healthcare provider may still be required to comply with the Privacy, Security, and Breach Notification Rules if they provide a service for or on behalf of another Covered Entity as a Business Associate.

Educational Institutions

School, college, and university medical facilities are generally assumed to not qualify as Covered Entities because students’ health information is classified as part of student educational records under the Family Educational Rights and Privacy Act (FERPA). Therefore, when FERPA-covered health information is disclosed by a school, college, or university to a health plan, it is not HIPAA-covered Protected Health Information and the standards of the Privacy Rule and Security Rule do not apply. However, not all educational institutions are covered by FERPA.

If a school, college, or university does not receive federal funds, it is not an educational institution as defined by FERPA. In such cases, individually identifiable health information collected, received, maintained, or transmitted to a health plan qualifies as Protected Health Information and the educational institution qualifies as a HIPAA Covered Entity – provided the disclosure relates to a transaction for which HHS has developed standards and the transaction is conducted electronically.

One further complication relating to educational institutions is if a school, college, or university medical facility provides health care for both students and the public. In such circumstances, the educational institution becomes a “hybrid entity” in which students’ health information is protected by FERPA, and the public’s health information is subject to the HIPAA Privacy and Security Rules. Under a hybrid arrangement, the two sets of health information must be isolated from each other.

More about Hybrid, Partial, and Affiliated Entities

Schools, colleges, and universities are not the only examples of hybrid entities. Employers that administer self-funded group plans can be hybrid entities inasmuch as health information relating to employment records has to be isolated from Protected Health Information relating to health claims. Similarly, insurance issuers that offer health insurance and (for example) auto insurance have to keep each type of record separate – even when an auto insurance client receives medical treatment as part of their auto insurance policy following an auto accident.

Partial entities are different from hybrid entities inasmuch as they only have to comply with specific parts of HIPAA. Certain types of externally administered self-insured health plans have already been given as an example of a partial entity, and a further example is prescription drug card sponsors.

Prescription drug card sponsors were added to the HIPAA definition of Covered Entities by the Medicare Prescription Drug, Improvement, and Modernization Act of 2003. However, as these entities do not conduct electronic transactions, they are only required to comply with the standards of the Privacy Rule relating to permissible uses and disclosures of Protected Health Information.

Affiliated Entities are legally separate Covered Entities under the same ownership or control. Being affiliated enables units within the group to disclose Protected Health Information to each other without the need for individual Business Associate Agreements. This system increases integration and efficiency but can also lead to unjustified complaints about impermissible uses and disclosures.

The Organizational Requirements of the General Rules include additional safeguards to prevent unauthorized disclosures to other business units under the same ownership or control that do not qualify as Covered Entities. For example, healthcare providers under the same ownership can designate themselves as an Affiliated Entity; but, if the parent organization is not a Covered Entity, it is not possible to disclose Protected Health Information to the parent organization.

Why HIPAA Definitions are Important to Know

The HIPAA definition of Covered Entities is just one example of the complexity of HIPAA and the challenges of compliance. However, with a better understanding of the HIPAA definitions, some organizations may be able to reduce the amount of effort required to comply with HIPAA – provided they let patients and clients know to avoid unjustified complaints to HHS’ Office for Civil Rights.

The post The HIPAA Definition of Covered Entities Explained appeared first on HIPAA Journal.

HIPAA Compliance for Hospitals

Discussing HIPAA compliance for hospitals in a single article is challenging. Not only is there so much to cover, but there are also many different types and sizes of hospitals. This means there is no one-size-fits-all guide to HIPAA compliance for hospitals, but rather checklists that can help hospitals cover the basics of the compliance requirements.

It is also the case that, regardless of the level of effort put in to comply specifically with HIPAA, most hospitals already comply with HIPAA to some degree due to the measures implemented in order to participate in Medicare. For example, most Medicare-participating hospitals already have:

  • A Notice of Rights which includes the hospital’s grievance procedures
  • Procedures to respond to patients’ requests to access medical records
  • Measures in place to ensure the confidentiality of patient records
  • A system that maintains the availability of records during an emergency
  • Physical safeguards that comply with the Health Care Facilities Code (NFPA 99)

To start on the path to HIPAA compliance for hospitals, it does not take a great deal of effort to incorporate a Notice of Privacy Practices into the Notice of Rights, to adapt existing patient access procedures to accommodate requests for amendments or requests to limit uses and disclosures, and to upgrade confidentiality, availability, and physical safeguards to meet HIPAA standards.

What is Required to Comply with HIPAA?

Although it may not take a great deal of effort to upgrade existing Medicare measures to HIPAA standards, it is important that the approach is organized. If HIPAA compliance is approached in a haphazard manner, gaps in compliance can result, leading to avoidable HIPAA violations and, potentially, to penalties being issued by the HHS’ Office for Civil Rights.

Therefore, one of the most thorough ways to address HIPAA compliance for hospitals that already have measures in place to fulfill the Medicare requirements is to designate a Privacy Officer responsible for compliance with the HIPAA Privacy and Breach Notification Rules and a Security Officer responsible for compliance with the HIPAA Security Rule.

Thereafter, hospitals can start to identify what is required to comply with HIPAA by following the Administrative Requirements of the Privacy Rule (§164.530) and the Administrative Safeguards of the Security Rule (§164.308). Between them, these two standards will enable Compliance Officers to compile an inventory of where in the organization Protected Health Information is created, received, maintained, or transmitted, and identify threats to its confidentiality, integrity, and availability.

The Five Areas of HIPAA Compliance for Hospitals to Focus On

Assuming that most hospitals already comply with the HIPAA Administrative Requirements (as this is also a condition of Medicare participation), the five areas of HIPAA compliance for hospitals to focus on are:

  • The standards of the Privacy Rule relating to patients’ rights
  • Permissible uses and disclosures of Protected Health Information
  • Policies and procedures to comply with the Breach Notification Rule
  • The Administrative, Physical, and Technical Safeguards of the Security Rule
  • Reasonable due diligence on Business Associates and ensuring HIPAA-compliant Business Associate Agreements are in place

The Standards of the Privacy Rule Relating to Patients’ Rights

The standards of the Privacy Rule relating to patients’ rights are more comprehensive than those that apply for Medicare participation, and right of access failures are one of the leading reasons for complaints being made to HHS’ Office for Civil Rights.

Additionally, Protected Health Information can be maintained in multiple designated record sets – which is why it is beneficial to compile an inventory of Protected Health Information so this information can be used to respond to patients exercising their access rights more efficiently.

It is also important to be aware that patients’ rights under HIPAA go much further than Medicare. For example, patients can choose how they are contacted, request that certain health information is withheld, and request an accounting of disclosures to ensure their wishes are complied with.

Permissible Uses and Disclosures of Protected Health Information

The permissible uses and disclosures of Protected Health Information are one of the most complicated areas of the Privacy Rule – not least because sources provide conflicting information about what is considered Protected Health Information under HIPAA. Privacy Officers must develop policies and procedures that clearly explain which uses and disclosures are permissible, which require authorization from a patient, and when patients should be given an opportunity to agree or object to a use or disclosure. The policies and procedures should be included in HIPAA training – along with guidance on the minimum necessary standard, incidental disclosures, and what needs to be included in a patient’s authorization to ensure it is valid.

Policies and Procedures to Comply with the Breach Notification Rule

Also included in HIPAA training should be an explanation of how members of the workforce should report violations of HIPAA to their supervisor or Privacy Officer. Ideally, a system should be implemented to facilitate anonymous reports. Thereafter, there needs to be a system in place to determine whether a violation of HIPAA constitutes a breach of unsecured Protected Health Information, and – if so – there also needs to be procedures prepared for notifying individuals and the HHS’ Office for Civil Rights. If not already included in HIPAA training, all members of the workforce must be advised of the sanctions for violating HIPAA and be given a copy of the organization’s HIPAA sanctions policy, even if a sanctions policy already exists in the employees’ terms of employment.

The Administrative, Physical, and Technical Safeguards of the Security Rule

Most hospitals will already have some Administrative, Physical, and Technical Safeguards in place – not necessarily due to complying with the Medicare requirements of participation, but because of the need to secure data, servers, and networks from external threats. However, it is important that any existing risk management programs, access management programs, and emergency response programs are updated to HIPAA standards, and that technologies are upgraded to support requirements such as audit trails and event logs. Security and awareness training is required for all members of the workforce – not only those with authorized access to electronic Protected Health Information – and the Security Rule also requires a sanctions policy to mitigate the risk of non-compliance with Security Rule policies.

Reasonable Diligence on Business Associates and Business Associate Agreements

The term “reasonable diligence” appears frequently throughout the HIPAA Administrative Simplification Regulations, and while it is not always in the context of transactions with other Covered Entities or Business Associates, there is an expectation that hospitals will exercise reasonable diligence before disclosing Protected Health Information to any third party. 164.504(e)(ii) of the Privacy Rule is particularly relevant to relationships with Business Associates inasmuch as this standard states, “A covered entity is not in compliance […], if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under the contract or other arrangement”. The implementation specifications of this standard and of the Administrative Safeguards of the Security Rule detail what should be included in a Business Associate Agreement. Both the hospital’s Privacy and Security Officers should review existing Agreements to ensure they comply with these standards and revise the Agreements as necessary.

Further Help with HIPAA Compliance for Hospitals

As mentioned in the introduction to this article, discussing HIPAA compliance for hospitals in a single article is challenging. Not only are hospitals of different types and sizes, but they may also be at different stages of their compliance journeys. Therefore, to help hospitals with their HIPAA compliance efforts, we have compiled a HIPAA compliance checklist containing more comprehensive information on the five areas of HIPAA compliance for hospitals to focus on.

The post HIPAA Compliance for Hospitals appeared first on HIPAA Journal.

HIPAA Compliance for Nurses

Generally, HIPAA compliance for nurses is considered to mean adhering to policies and procedures developed by an organization’s HIPAA Privacy Officer and applying the best practices of security awareness training provided by an organization’s HIPAA Security Officer. However, sometimes it is necessary to do more than provide basic training to help nurses work compliantly.

Under the Administrative Requirements of the HIPAA Privacy Rule, Covered Entities are required to implement policies and procedures with respect to Protected Health Information that are designed to meet the requirements, standards, and implementation specifications of the HIPAA Privacy and Breach Notification Rules. Thereafter, Covered Entities are required to train all members of the workforce on the policies and procedures “as necessary and appropriate for the members of the workforce to carry out their functions with the Covered Entity”. The training should include details of the sanctions that apply when a nurse violates HIPAA.

Additionally, under the Administrative Safeguards of the HIPAA Security Rule, all members of the workforce must participate in a security awareness and training program. Both Covered Entities and Business Associates are required to provide this training, plus send members of the workforce periodic security reminders.

So, should nurses have to worry about HIPAA compliance as long as they adhere to their organization’s policies and procedures and apply the best practices of security awareness training? Unfortunately, yes, because it is not always possible for organizations to train nurses on everything they need to know to work in compliance with HIPAA.

The Primary Issue with HIPAA Training for Nurses

The primary issue with HIPAA training for nurses is that there is a lot for nurses to learn. As well as understanding what Protected Health Information (PHI) is, nurses have to be aware of when PHI can be used or disclosed in a manner permitted by the HIPAA Privacy Rule, when a patient should be given an opportunity to agree or object to a disclosure, and when a patient authorization is required.

Additionally, nurses have to know what the Minimum Necessary Standard consists of, what to do in the event of an incidental disclosure of PHI, and the policies and procedures for patients who wish to exercise their access rights to PHI or request an accounting of disclosures. Then there are policies and procedures for reporting a HIPAA violation or impermissible disclosure of unsecured PHI. Absorbing and applying all this information – not to mention the information included in security awareness training – is asking a lot of nurses, especially as they may also have to undergo Medicare training, FDA training, OSHA training, emergency preparedness training, discipline-specific training, and/or training on state and local laws that preempt HIPAA or other federal regulations.

What exacerbates this issue is that Covered Entities are only required to provide HIPAA training for nurses when a nurse first joins the workforce or when there is a material change to policies and procedures. If there are no material changes to policies or procedures, a nurse could work for years in a healthcare facility without ever receiving HIPAA refresher training.

Why HIPAA Compliance for Nurses can be a Problem

In addition to the volume of information nurses have to absorb, and the lack of mandated refresher training, the pressures of work can affect how well nurses are able to comply with HIPAA policies. Patients’ behaviors – or those of emotional family members and friends – can influence how nurses respond in stressful situations, including those covered by HIPAA.

In such situations, it is understandable that a harassed, busy, or upset nurse may disclose more than the minimum necessary PHI or fail to “exercise professional judgment [if] a disclosure is determined to be in the best interests of the individual.” Although these situations are more likely to occur in emergency care, they can happen in any healthcare setting.

It can also be the case that the pressures of work result in shortcuts being taken “to get the job done”. These could be shortcuts as seemingly innocuous as sharing login credentials to an EHR or using a personal mobile device to communicate PHI. Still, these are HIPAA violations that could cause harm, and – if allowed to continue – non-compliance can deteriorate into a cultural norm.

These stressors – and nurses’ responses to them – are events that take place every day in healthcare facilities across the country, but it is not sufficient to accept they happen and allow them to go unaddressed. Failings in HIPAA compliance for nurses can damage patient trust and undo some of the provable benefits of HIPAA compliance in healthcare facilities.

How to Overcome the Problem of HIPAA Compliance for Nurses

The way the HIPAA compliance problem for nurses can be overcome is for Covered Entities to provide online HIPAA refresher training for nurses, who can take the training when time allows. Many online HIPAA training courses come in small, easy-to-digest modules so the volume of information provided per training session is not overwhelming. Providing HIPAA training for nurses in this format not only has the advantage of keeping HIPAA compliance for nurses “front of mind”, but also demonstrates a good faith effort by a Covered Entity to run a compliant operation if the organization is investigated for a HIPAA violation or a breach of unsecured PHI by HHS’ Office for Civil Rights.

The post HIPAA Compliance for Nurses appeared first on HIPAA Journal.

HIPAA Exceptions

The text of the Health Insurance Portability and Accountability Act is full of HIPAA exceptions – adding to the complexity of complying with the Act and often resulting in organizations and public agencies applying far more stringent restrictions than necessary.

In 2007, the Reporters Committee for the Freedom of the Press published a Guide to Medical Privacy Law. The Guide highlighted multiple instances in which hospitals, ambulance services, schools, and public agencies unjustifiably withheld news from reporters for fear of violating HIPAA – even though several of the entities were not covered by HIPAA.

According to the Guide, the fear of violating HIPAA led to many entities applying HIPAA overzealously – often applying standards without considering when HIPAA exceptions exist. And there are many HIPAA exceptions. A comb through the Administrative Simplification provisions finds 50 uses of the word “exception” and a further 100+ uses of the word “except”.

It is impractical to list all the HIPAA exceptions in one article, especially as some exist which are not mentioned in the Administrative Simplification provisions. Therefore, we have highlighted a few of the most common exceptions and recommend Covered Entities seek professional compliance advice to identify others that may be relevant to their specific circumstances.

HIPAA General Rule Exceptions

The first HIPAA exceptions appear in the General Rule (45 CFR § 160.102). The General Rule stipulates that when there is a contradiction between HIPAA and State law, HIPAA takes precedence. However, there are multiple exceptions listed in the General Rule including that State law preempts HIPAA when the State law:

  • Has more stringent privacy provisions or patients’ rights than HIPAA,
  • Provides for reporting information to public health agencies, and
  • Requires a health plan to report information for the purpose of audits, etc.

The first exception is the one that has caused more problems for HIPAA Covered Entities than most. This is because nearly every state has a law relating to the privacy of patient information with more stringent privacy provisions than HIPAA. However, many State laws apply to only one element of privacy information (e.g., HIV-related information), only in specific circumstances (e.g., for emergency care), or only to certain entities (e.g., pharmacists).

The other two General Rule exceptions can also be problematic for Covered Entities because, although a State law may permit certain disclosures of PHI to state and federal agencies, the information provided to state and federal agencies can be accessed via Freedom of Information requests. If Freedom of Information requests reveal the Covered Entity has provided more PHI than the minimum necessary, they would be in violation of HIPAA.

Most other uses of the word “exception” in the text of HIPAA relate to exceptions from transaction standards and medical code sets. However, it is worth noting that exceptions exist to the right to revoke a patient authorization for the disclosure of PHI and to who should be given Notices of Privacy Practices (e.g., inmates of correctional institutions). Covered Entities with public-facing operations may need to be familiar with these HIPAA exceptions.

Other State and Federal HIPAA Exceptions

The relationship between HIPAA and other state and federal laws can further complicate HIPAA compliance due to multiple HIPAA exceptions. The best example of a complicated relationship of this nature is the relationship between HIPAA, the Family Educational Rights and Privacy Act (FERPA), and the Texas Medical Records Privacy Act (as amended by HB300).

Generally, public schools, colleges, and other educational institutions that provide medical services for students and staff (as a work benefit) are not considered to be Covered Entities under HIPAA. This is because medical treatments provided to students are classified as educational records and protected by FERPA, while medical services provided for staff are non-portable benefits.

Complications start to arise when an educational institution provides medical services for members of the public (e.g., a medical teaching university). Under these circumstances, the educational institution becomes a hybrid entity and has to implement safeguards in order to isolate FERPA-covered treatment records from HIPAA-covered PHI and apply two sets of rules for staff.

When the educational institution is covered by the Texas Medical Records Privacy Act, all medical treatment records relating to students, staff, and the public are subject to HIPAA-esque privacy standards. This is further complicated by the Texas Medical Records Act applying to all citizens of Texas regardless of their location. Consequently, a medical teaching university in New York could be required to comply with three sets of regulations if it accepts mature students from Texas.

Operational and Occupational Exceptions

Operational and occupational exceptions to HIPAA can occur in many different circumstances. For example:

  • Ambulance services that bill electronically are subject to HIPAA; but in counties without electronic billing, HIPAA does not apply to ambulance services.
  • Healthcare facilities are allowed to disclose directory “health condition” information to callers or visitors who ask about the patient by name.
  • Some uses and disclosures of PHI allowed by the Privacy Rule are not allowed by the Federal Substance Abuse Confidentiality Requirements (42 CFR Part 2).
  • Exceptions exist to the privacy requirements for psychotherapy notes when state laws mandate a duty to warn (e.g., of imminent harm) or a duty to report (e.g., abuse).
  • Exceptions to a patient’s right to an accounting of disclosures exist if a Covered Entity is ordered not to release the information by a health oversight agency or law enforcement officer.

HIPAA exceptions also exist in the military. Military treatment facilities are HIPAA Covered Entities; however, under the Military Command Exception, healthcare professionals are allowed to disclose Protected Health Information to command authorities without the patient’s authorization in order to report on the patient’s fitness for duty, fitness to perform an assignment, or fitness to perform another activity necessary for a military mission.

HIPAA Privacy Rule Exceptions

The HIPAA Privacy Rule occupies Subpart E of the Administrative Simplification provisions (45 CFR § 164.501 – 164.534) and, within this subpart, there are multiple exceptions to HIPAA. To help Covered Entities and Business Associates better negotiate the volume of HIPAA Privacy Rule exceptions, we have included those that relate to confidentiality in a separate section below.

The first HIPAA Privacy Rule exception to be aware of is that the Privacy Rule does not apply to the Department of Defense (DoD), a federal agency, or any organization acting on behalf of either when the DoD, federal agency, or organization acting on behalf of either provides healthcare services to an overseas foreign national beneficiary. This exception has caused some confusion because it has been interpreted in various ways, so here is a brief explanation.

Under the HIPAA Privacy Rule, Covered Entities and Business Associates must protect personally identifiable information of an individual regardless of the individual’s nationality or the location in which the Covered Entity or Business Associate collects, processes, maintains, uses, or discloses PHI. The exception exists because (for example) in a war zone it would be impractical to deny treatment to an injured soldier because they did not understand they had to give consent.

Further HIPAA Privacy Rule exceptions exist when the PHI of one individual is included with the PHI of another. This can happen if (for example) a patient’s medical record includes medical information relating to their parents. In this example, the PHI in the patient’s medical record must be safeguarded as one; and although the parents’ PHI is recorded in the patient’s medical record, neither parent has the right to access the medical record and request amendments to their PHI.

HIPAA Exceptions to Confidentiality

Most HIPAA exceptions to confidentiality relate to uses and disclosures “required by law” and “for health care operations”. These include (but are not limited to):

  • When a Covered Entity is a defendant or witness in a malpractice claim.
  • When a Covered Entity is contesting a licensing revocation.
  • When a Covered Entity is pursuing payment of an outstanding bill.
  • When a Covered Entity conducts a patient safety activity (e.g., a fire drill).
  • When a Covered Entity conducts training programs or credentialling activities.

HIPAA exceptions to confidentiality attributable to health care operations can be a gray area. Consequently, it is recommended that any uses and disclosures in non-standard circumstances are documented and retained for accounting of disclosures purposes – even though the use or disclosure may be allowed under the HIPAA Privacy Rule. Additionally, in all cases it is important that Covered Entities only disclose the minimum necessary PHI for the stated purpose.

Further HIPAA exceptions to confidentiality exist when a law enforcement official requests health data for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person. However, although it is permissible to disclose an individual’s blood type under these circumstances, Covered Entities are not allowed to disclose information such as dental records, DNA, or body tissue analyses – elements of PHI that would help identify the body of a missing person.

Conversely, there are no limitations on the nature of PHI it is permissible to disclose to law enforcement officers when attending an off-site emergency, nor when disclosing PHI to a law enforcement officer on-site if the nature of the emergency is related to abuse, neglect, or domestic violence. Despite these HIPAA exceptions to confidentiality, it is recommended to seek the consent of the patient if possible, and to check state disclosure laws for superseding contradictions.

Summary: HIPAA Exceptions List

As mentioned previously, it would be impractical to compile a HIPAA exceptions list because there are many exceptions in the Transactions and Code Sets Rule that would be irrelevant to most Covered Entities. Nonetheless, to summarize what has been discussed thus far:

  1. HIPAA preempts state law unless a state law has stronger privacy provisions or enhances patients’ rights.
  2. HIPAA exceptions also exist when a state law has public agency reporting requirements.
  3. Exceptions to the right to revoke patient authorizations exist in certain circumstances.
  4. There are also exceptions to when it is necessary to provide a Notice of Privacy Practices.
  5. HIPAA does not apply in most schools as medical records are classed as education records under FERPA.
  6. Exceptions to the school exception may apply with regards to records of immunization.
  7. HIPAA does not apply to healthcare services and facilities that do not conduct covered transactions.
  8. Standard disclosure rules do not apply to substance use disorder patient records.
  9. State laws can also override HIPAA on the non-disclosure of psychotherapy notes.
  10. Further exceptions exist in the Armed Forces and when an overseas foreign national beneficiary receives treatment provided by the DoD, a federal agency, or an organization working on behalf of either.

Why it is Important to be Aware of HIPAA Exceptions

Protecting patient privacy was not the only objective of HIPAA. The Act also intended to streamline healthcare functions and improve efficiency in the healthcare industry. Covered Entities who are not aware of the HIPAA exceptions can apply the regulations more rigorously than necessary – potentially stifling healthcare functions and harming efficiency. Therefore, if you are unaware of the HIPAA exceptions, it is in your best interests to seek professional compliance advice.

HIPAA Exceptions FAQs

How can I find out which State laws preempt HIPAA in my area?

Speak with a compliance professional or healthcare attorney in your area. If you would like some background information before doing so, the healthit.gov website published a “Report on State Law Requirements for Patient Permission to Disclose Health Information” (PDF). Although this may now be out of date in some areas, Appendix A includes some useful state-by-state information relating to which privacy information, circumstances, and entities are exempt from authorizations.

Does FERPA or HIPAA apply to elementary student health records maintained by a health care provider not employed by the school?

When health services are provided to students by an entity not employed by, under contract to, or otherwise acting on behalf of the school, the student health records are not educational records subject to FERPA even when the health services are provided on the school campus. For example, immunization services provided by a public health agency to students on the school campus are subject to the HIPAA Privacy Rule and, if data are stored electronically, the HIPAA Security Rule.

Where the HIPAA Privacy Rule applies, does it allow an external healthcare provider to disclose PHI about a student to a school nurse or physician?

Yes. The HIPAA Privacy Rule allows covered healthcare providers to disclose PHI about students to school nurses, physicians, and other health care providers for treatment purposes without the authorization of the student or student’s parent. For example, a student’s primary care physician may discuss the student’s medication and other healthcare needs with a school nurse who will administer the student’s medication and provide care to the student while the student is at school.

What is the duty to warn exception that applies to psychotherapy notes?

Psychotherapy notes contain sensitive information not usually required for treatment, payment, or healthcare operations, and therefore should not be disclosed without a patient’s written authorization. However, the duty to warn exception gives healthcare professionals the authority to disclose their notes when they believe a patient poses a threat to another person. This exception also protects healthcare professionals from prosecution for breach of confidentiality.

How likely is it PHI will be disclosed in a Freedom of Information request?

Under the Freedom of Information Act Exemption 6, public agencies can withhold “personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy.” However, the inclusion of the word “can” implies PHI could be disclosed in a Freedom of Information request if the information is considered to be in the public interest. Unfortunately, different public agencies interpret Exemption 6 in different ways.

When does HIPAA not apply?

In addition to the examples discussed above, HIPAA does not apply when payments are processed by a bank or other financial institution – even when PHI is disclosed to the payment processor by the healthcare provider or health plan on whose behalf payments are being processed. Additionally, under 42 USC § 1320d-8, individuals do not have the right to request PHI is not disclosed to banks and financial institutions.

Can HIPAA information be shared with law enforcement?

HIPAA information can be shared with law enforcement, but the circumstances of each request determine what information can be shared. For example, a Covered Entity may be required by law to disclose certain types of wounds or other physical injuries or may be required to comply with a court order – in which case the court order must stipulate the scope of information required.

When sharing HIPAA information with law enforcement for identification or location purposes, §164.512 limits what information can be shared. Therefore, while it is permissible to share a patient’s name, address, type of injuries, and distinguishing features, it is not permissible to share images, dental records, or a car license plate number.

What is an example of when HIPAA does not apply?

One current issue relating to when HIPAA does not apply – at least partly – concerns vendors of personal health records. Even though personal health records collect individually identifiable health information that can be used and disclosed by vendors, the HIPAA Privacy and Security Rules do not apply. However, if a vendor experiences a data breach, the vendor must comply with the Breach Notification Rule – notifying individuals and the Federal Trade Commission of the breach.

Who is exempt from HIPAA?

Although one of the objectives of HIPAA was to protect the confidentiality of health and payment information, and despite the fact that direct patient payments to healthcare providers can sometimes reveal what the payment was for (e.g., counselling services), banks and payment processors are exempt from HIPAA. Consequently, Covered Entities should be careful about how direct patient payments are initiated to comply with the minimum necessary standard.

The post HIPAA Exceptions appeared first on HIPAA Journal.

Guide to HIPAA Safeguards

Requirements to implement HIPAA safeguards appear more often in the text of the Health Insurance Portability and Accountability Act than is often acknowledged. While many sources are aware of the Administrative, Physical, and Technical Safeguards of the Security Rule, less specific requirements relating to HIPAA safeguards also appear in the Privacy Rule.

Compared to specific requirements of the Administrative, Physical, and Technical safeguards, most other references to safeguards in the text of HIPAA are intentionally flexible to accommodate the different types of Covered Entities and Business Associates that have to comply with them. While this flexibility means it can be easier for certain organizations to comply with the HIPAA safeguards – and protect the privacy of PHI – other organizations may find the lack of guidance confusing.

To demonstrate the difference between the safeguards of the Security Rule and the safeguards of the Privacy Rule, we’ve provided a synopsis of the Security Rule Administrative, Physical, and Technical Safeguards to compare against the safeguards mentioned in the Privacy Rule Administrative Requirements. There is also a section relating to the Organizational Requirements of the Privacy and Security Rules – both of which include further HIPAA safeguards.

HIPAA Security Rule Safeguards

The HIPAA Security Rule is dominated by the Administrative, Physical, and Technical Safeguards – the remainder of the Rule being assigned to General Rules, Organizational Requirements (discussed below), Documentation Requirements, and Compliance Dates. The General Rules provide an overview of what the HIPAA safeguards set out to achieve and claim to allow flexibility in the implementation of the safeguards by designating some of the implementation specifications as “addressable”.

Addressable implementation specifications are not as flexible as they may appear. Effectively, addressable specifications must be implemented unless they are “not reasonable or appropriate in the environment” or an alternative safeguard provides at least as much protection to ePHI as the addressable specification. In most circumstances, Covered Entities and Business Associates have no option but to implement addressable specifications in order to provide adequate protection.

HIPAA Administrative Safeguards

More than half of the Security Rule focuses on the HIPAA Administrative Safeguards (45 CFR § 164.308) – defined in the Security Rule as “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic PHI and to manage the conduct of the covered entity’s or business associate’s workforce in relation to the protection of that information”.

To achieve the objectives of the HIPAA Administrative Safeguards, Covered Entities and Business Associates must appoint a Security Officer responsible for developing a security management program that addresses access controls, incident response, and security awareness training. The Security Officer is also responsible for conducting risk assessments and implementing policies and procedures to protect ePHI from threats and vulnerabilities.

HIPAA Physical Safeguards

The Physical Safeguards are measures, policies, and procedures intended to protect a Covered Entity’s or Business Associate’s buildings, equipment, and information systems from unauthorized intrusion and from natural and environmental hazards. Compliance with these HIPAA safeguards not only involves securing buildings and controlling access to buildings, but also validating the identity of anyone with access to equipment and information systems hosting ePHI.

Compared to the Privacy Rule HIPAA Safeguards (below), the Physical Safeguards provide direct guidance on the measures Covered Entities and Business Associates should take to (for example) govern the movement of devices and media containing ePHI, document maintenance records for facilities in which ePHI is stored, back up data before moving equipment, and properly dispose of hardware ePHI is stored on to eliminate the possibility of unauthorized disclosures.

HIPAA Technical Safeguards

The HIPAA Technical Safeguards relate to the technology used by Covered Entities and Business Associates, and to the policies and procedures governing its use and access to it. Like the Physical Safeguards, the Technical Safeguards include fine details on the measures organizations should implement to protect ePHI from unauthorized access, including audit controls, user verification, and automatic log-off so that ePHI cannot be accessed by unauthorized users when devices are left unattended.

Despite being the shortest of the Security Rule’s safeguard standards, the Technical Safeguards make it clear that encryption is considered to be a significant factor in preventing unauthorized uses and disclosures. This point has been reinforced through several subsequent HHS publications – most notably a recent Fact Sheet that answers questions about ransomware and whether or not a ransomware attack is a reportable breach under the HIPAA Breach Notification Rule.

Privacy Rule HIPAA Safeguards

Compared to the HIPAA Security Rule Safeguards, the safeguards mentioned in the Administrative Requirements of the Privacy Rule lack direct guidance. According to 45 CFR § 164.530 a Covered Entity “must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of Protected Health Information”. The only implementation specifications offered to support this standard are:

  • A Covered Entity must reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.
  • A Covered Entity must reasonably safeguard PHI to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.

The reason the Administrative Requirements lack direct guidance is the inclusion of “other requirements of this subpart”. “This subpart” refers to the Privacy Rule; and as different Covered Entities apply different policies and procedures to comply with the Privacy Rule, it would be impossible to develop “one-size-fits-all” safeguards to protect the privacy of PHI in the same way as required and addressable safeguards protect the confidentiality, integrity, and availability of ePHI.

Organizational Requirements in the Privacy and Security Rules

Both the Privacy Rule and the Security Rule contain Organizational Requirements. The Organizational Requirements of the Privacy Rule (45 CFR § 164.105) apply to Covered Entities that are not whole units (hybrid entities) or that are not single units (affiliated entities), while the Organizational Requirements of the Security Rule (45 CFR § 164.314) relate to Business Associate contracts with subcontractors and relationships between group health plans and plan sponsors.

Additional HIPAA Safeguards for Hybrid Entities

An example of a hybrid entity is a teaching institution that provides healthcare facilities for staff, students, and the public. The institution is a hybrid entity because the provision of healthcare for staff is a non-portable benefit (and therefore exempt from HIPAA), the provision of healthcare for students is covered by FERPA (which pre-empts HIPAA), and only the provision of healthcare for the public is covered by HIPAA.

Hybrid entities have to implement appropriate HIPAA safeguards to ensure that any PHI collected, used, and maintained by the public healthcare component of its operations is not disclosed to the other components of its operations. This includes disclosures of PHI by healthcare professionals working for a hybrid entity when the healthcare professionals assist with medical procedures for staff, students, and the public.

Additional HIPAA Safeguards for Affiliated Entities

Affiliated Entities are legally separate Covered Entities under the same ownership or control that designate themselves a single Affiliated Covered Entity for the purposes of HIPAA compliance. Being affiliated enables Covered Entities within the group to disclose ePHI to each other without the need for individual Business Associate Agreements, which increases integration and efficiency. Affiliated Entities can also use common documentation and share the same Privacy and Security Officers.

The additional HIPAA safeguards in the Organizational Requirements prevent unauthorized disclosures to other business units under the same ownership or control that do not qualify as Covered Entities. For example, several hospitals within a healthcare system under the same ownership can designate themselves as an Affiliated Entity; but, if the parent organization is not a Covered Entity, ePHI cannot be disclosed to the parent organization.

Business Associate Contracts with Subcontractors

Most Covered Entities and Business Associates are familiar with the requirement to enter into a Business Associate Agreement before ePHI is disclosed by a Covered Entity to a Business Associate, but it is not so widely known that a Business Associate has to enter into a Business Associate Contract before disclosing ePHI to a subcontractor, or to another of the Covered Entity’s Business Associates acting as a subcontractor for the primary Business Associate.

Originally, Business Associates had to ensure any subcontractors to whom they disclosed ePHI had appropriate measures in place to comply with the HIPAA Administrative Safeguards of the Security Rule. However, this requirement was changed in the Final Omnibus Rule to “ensure that any agent to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information”. Naturally, all assurances must be documented.

Relationships between Group Health Plans and Plan Sponsors

The relationship between group health plans and plan sponsors is similar to that between Covered Entities and Business Associates, with the exception that certain uses and disclosures of ePHI are allowed. In all other cases, group health plans must ensure the plan sponsor has implemented the administrative, physical, and technical safeguards required by the Security Rule before disclosing further ePHI to the plan sponsor.

It is Important to Comply with All Applicable HIPAA Safeguards

Covered Entities and Business Associates must comply with all applicable HIPAA safeguards. Ignorance of the safeguards – or of how to comply with them – is not a justifiable defense if an organization is audited by HHS’ Office for Civil Rights or investigated following a patient complaint or self-reported data breach. In the worst cases, substantial fines can be issued for noncompliance with safeguards organizations should have known about had they exercised due diligence.

The post Guide to HIPAA Safeguards appeared first on HIPAA Journal.

Video: Why HIPAA Compliance is Important for Healthcare Professionals

Many sources explaining why HIPAA compliance is important for healthcare professionals tend to focus on the purpose of HIPAA regulations rather than the benefits of compliance for healthcare professionals. The same sources also tend to focus on how noncompliance affects patients and employers, rather than the impact it can have on healthcare professionals’ lives.

This article discusses why HIPAA compliance is important for healthcare professionals from a healthcare professional’s perspective. It explains why healthcare professionals cannot avoid HIPAA; and that, by complying with HIPAA, healthcare professionals can foster patient trust, keep patients safer, and contribute towards better patient outcomes. This in turn raises morale, creates a more rewarding work experience, and enables healthcare professionals to get more from their vocation.

Conversely, the failure to comply with HIPAA can have significant professional and personal consequences. Yet the failure to comply with HIPAA is not always a healthcare professional’s fault. Sometimes it can be due to insufficient training or cultural norms. We look at why Covered Entities might not always be able to provide sufficient training or monitor HIPAA compliance, why they may not accept responsibility when an avoidable HIPAA violation occurs, and how you can avoid HIPAA violations due to a lack of knowledge.

Why Healthcare Professionals Cannot Avoid HIPAA

One of the objectives of HIPAA is to provide a federal floor of privacy protections for individuals’ identifiable health information held by Covered Entities. To achieve this objective, the Privacy and Security Rules impose standards Covered Entities must comply with in order to protect the privacy of “Protected Health Information” (PHI). The failure to comply with the HIPAA standards can result in substantial financial penalties – even when no data breach occurs and PHI is not compromised.

Most healthcare organizations are Covered Entities and, as such, are required to implement policies and procedures to comply with the Privacy and Security Rule standards. As employees of Covered Entities, healthcare professionals are required to comply with their employer’s policies and procedures. This is why healthcare professionals cannot avoid HIPAA. However, this is not the only reason why HIPAA compliance is important for healthcare professionals.

The Benefits of HIPAA Compliance for Healthcare Professionals

There is little doubt the most important element of a patient/healthcare professional relationship is trust. Patients trust their healthcare professionals with intimate details of their lives because they trust that healthcare professionals work in their best interests to achieve optimal health outcomes. However, trust can be a fragile commodity. If their intimate details are exposed due to a HIPAA violation, patients may withhold information crucial to the delivery of care despite the potential long-lasting consequences for their health.

Healthcare professionals can mitigate the risk of trust being broken by complying with the policies and procedures implemented by their employer to prevent HIPAA violations. When patients are confident their privacy is being respected, this fosters trust – which contributes to the delivery of better care in order to achieve optimal health outcomes. Better patient outcomes raise the morale of healthcare professionals and result in a more rewarding work experience.

The Professional and Personal Consequences of Noncompliance

One of the policies a Covered Entity is required to implement is a sanctions policy for when members of its workforce do not comply with HIPAA policies and procedures. Covered Entities are required to enforce the sanctions policy and act on HIPAA violations by healthcare professionals because, if they don’t enforce the sanctions policy, the Covered Entity will be in violation of HIPAA. Furthermore, if the Covered Entity fails to act, noncompliance can deteriorate into a cultural norm.

Being sanctioned for a HIPAA violation can have professional and personal consequences for healthcare professionals. Penalties can range from verbal warnings to the loss of professional accreditation – which will make it difficult for a healthcare professional to get another job – and, if a criminal conviction results from the noncompliance, it will likely be reported in the media, which will have repercussions for a healthcare professional’s personal reputation.

Who is Responsible for HIPAA Violations?

As mentioned previously, the failure to comply with HIPAA is not always the healthcare professional’s fault. Although Covered Entities are required to provide training on policies and procedures that relate to healthcare professionals’ functions, they may not have the resources to provide training on every conceivable scenario a healthcare professional may encounter, or to monitor compliance 24/7 in order to prevent the development of cultural norms.

Consequently, unintentional violations of HIPAA can occur due to a lack of knowledge. However, Covered Entities are not always willing to accept responsibility for unintentional violations due to a lack of knowledge because it implies they failed to conduct a thorough risk assessment, overlooked a threat to the privacy of PHI, and failed to provide “necessary and appropriate” training – or, when a cultural norm has developed, failed to monitor compliance with policies and procedures.

How You Can Avoid Unintentional Violations of HIPAA

The best way to avoid unintentional HIPAA violations and the professional and personal consequences of noncompliance – even when they are not your fault – is to ensure your knowledge of HIPAA covers every area of your role and the scenarios you may encounter. To achieve this level of knowledge, you should take advantage of third-party HIPAA training courses that provide you with an in-depth knowledge of HIPAA and its rules and regulations.

Taking responsibility for your own knowledge of HIPAA – and using that knowledge to work in a HIPAA-compliant manner – protects your career, improves your job prospects, and enables you to get more from your vocation. Given the choice, most healthcare professionals would prefer to work in an environment which operates compliantly to deliver better patient outcomes, in which morale is high, and in which the healthcare professional enjoys a more rewarding work experience.

The post Video: Why HIPAA Compliance is Important for Healthcare Professionals appeared first on HIPAA Journal.