HIPAA Exceptions

The text of the Health Insurance Portability and Accountability Act is full of HIPAA exceptions, adding to the complexity of complying with the Act and often resulting in organizations and public agencies applying far more stringent restrictions than the Act requires.

In 2007, the Reporters Committee for the Freedom of the Press published a Guide to Medical Privacy Law. The Guide highlighted multiple instances in which hospitals, ambulance services, schools, and public agencies unjustifiably withheld news from reporters for fear of violating HIPAA – even though several of the entities were not covered by HIPAA.

According to the Guide, the fear of violating HIPAA led to many entities applying HIPAA overzealously – often applying standards without considering when HIPAA exceptions exist. And there are many HIPAA exceptions. A comb through the Administrative Simplification provisions finds 50 uses of the word “exception” and a further 100+ uses of the word “except”.

It is impractical to list all the HIPAA exceptions in one article, especially as some exist which are not mentioned in the Administrative Simplification provisions. Therefore, we have highlighted a few of the most common exceptions and recommend Covered Entities seek professional compliance advice to identify others that may be relevant to their specific circumstances.

HIPAA General Rule Exceptions

The first HIPAA exceptions appear in the preemption General Rule (45 CFR § 160.203). The General Rule stipulates that when a HIPAA standard is contrary to a provision of State law, HIPAA preempts the State law. However, the General Rule lists several exceptions under which the State law is not preempted, including when the State law:

  • Has more stringent privacy provisions than HIPAA,
  • Provides for the reporting of information to public health agencies, or
  • Requires a health plan to report information for the purpose of management or financial audits, program monitoring, or similar oversight.

The first exception is the one that has caused the most problems for HIPAA Covered Entities, because nearly every state has a law relating to the privacy of patient information with more stringent privacy provisions than HIPAA. However, many State laws apply to only one category of health information (e.g., HIV-related information), only in specific circumstances (e.g., emergency care), or only to certain entities (e.g., pharmacists).

The other two General Rule exceptions can also be problematic for Covered Entities because, although a State law may permit certain disclosures of PHI to state and federal agencies, the information provided to those agencies may then be accessible via Freedom of Information requests. If a Freedom of Information request reveals that the Covered Entity provided more PHI than the minimum necessary, the Covered Entity would be in violation of HIPAA.

Most other uses of the word “exception” in the text of HIPAA relate to exceptions from transaction standards and medical code sets. However, it is worth noting that exceptions exist to the right to revoke a patient authorization for the disclosure of PHI and to who must be given a Notice of Privacy Practices (e.g., inmates of correctional institutions). Covered Entities with public-facing operations may need to be familiar with these HIPAA exceptions.

Other State and Federal HIPAA Exceptions

The relationship between HIPAA and other state and federal laws can further complicate HIPAA compliance due to multiple HIPAA exceptions. The best example of a complicated relationship of this nature is the relationship between HIPAA, the Family Educational Rights and Privacy Act (FERPA), and the Texas Medical Records Privacy Act (as amended by HB 300).

Generally, public schools, colleges, and other educational institutions that provide medical services for students and for staff (as a work benefit) are not considered to be Covered Entities under HIPAA. This is because treatment records of students are classified as education records and protected by FERPA, while medical services provided for staff are non-portable benefits.

Complications start to arise when an educational institution also provides medical services for members of the public (e.g., a medical teaching university). Under these circumstances, the educational institution becomes a hybrid entity and has to implement safeguards in order to isolate FERPA-covered treatment records from HIPAA-covered PHI and apply two sets of rules for staff.

When the educational institution is covered by the Texas Medical Records Privacy Act, all medical treatment records relating to students, staff, and the public are subject to HIPAA-esque privacy standards. This is further complicated by the Texas Medical Records Privacy Act applying to all citizens of Texas regardless of their location. Consequently, a medical teaching university in New York could be required to comply with three sets of regulations if it accepts mature students from Texas.

Operational and Occupational Exceptions

Operational and occupational exceptions to HIPAA can occur in many different circumstances. For example:

  1. Ambulance services that bill electronically are subject to HIPAA; but in counties without electronic billing, HIPAA does not apply to ambulance services.
  2. Healthcare facilities are allowed to disclose directory “health condition” information to callers or visitors who ask about the patient by name.
  3. Some uses and disclosures of PHI allowed by the Privacy Rule are not allowed by the Federal Substance Abuse Confidentiality Requirements (42 CFR Part 2).
  4. Exceptions exist to the privacy requirements for psychotherapy notes when state laws mandate a duty to warn (e.g., of imminent harm) or a duty to report (e.g., abuse).
  5. Exceptions to a patient's right to an accounting of disclosures exist if a Covered Entity is instructed to suspend the accounting by a health oversight agency or law enforcement official.

HIPAA exceptions also exist in the military. Military treatment facilities are HIPAA Covered Entities; however, under the Military Command Exception, healthcare professionals are allowed to disclose Protected Health Information to command authorities without the patient's authorization in order to report on the patient's fitness for duty, fitness to perform an assignment, or fitness to perform another activity necessary for a military mission.

Why it is Important to be Aware of HIPAA Exceptions

Protecting patient privacy was not the only objective of HIPAA. The Act was also intended to streamline healthcare functions and improve efficiency in the healthcare industry. Covered Entities that are not aware of the HIPAA exceptions can apply the regulations more rigorously than necessary, potentially stifling healthcare functions and harming efficiency. Therefore, if you are unaware of the HIPAA exceptions, it is in your best interests to seek professional compliance advice.

HIPAA Exceptions FAQs

How can I find out which State laws preempt HIPAA in my area?

Speak with a compliance professional or healthcare attorney in your area. If you would like some background information before doing so, the HealthIT.gov website has published a “Report on State Law Requirements for Patient Permission to Disclose Health Information” (PDF). Although this may now be out of date in some areas, Appendix A includes useful state-by-state information on which categories of health information, circumstances, and entities are exempt from authorization requirements.

Does FERPA or HIPAA apply to elementary student health records maintained by a health care provider not employed by the school?

When health services are provided to students by an entity not employed by, under contract to, or otherwise acting on behalf of the school, the student health records are not educational records subject to FERPA even when the health services are provided on the school campus. For example, immunization services provided by a public health agency to students on the school campus are subject to the HIPAA Privacy Rule and, if data are stored electronically, the HIPAA Security Rule.

Where the HIPAA Privacy Rule applies, does it allow an external healthcare provider to disclose PHI about a student to a school nurse or physician?

Yes. The HIPAA Privacy Rule allows covered healthcare providers to disclose PHI about students to school nurses, physicians, and other health care providers for treatment purposes without the authorization of the student or student’s parent. For example, a student’s primary care physician may discuss the student’s medication and other healthcare needs with a school nurse who will administer the student’s medication and provide care to the student while the student is at school.

What is the duty to warn exception that applies to psychotherapy notes?

Psychotherapy notes contain sensitive information not usually required for treatment, payment, or healthcare operations, and therefore should not be disclosed without a patient's written authorization. However, the duty to warn exception gives healthcare professionals the authority to disclose their notes when they believe a patient poses a threat to another person. This exception also protects healthcare professionals from liability for breach of confidentiality.

How likely is it PHI will be disclosed in a Freedom of Information request?

Under Freedom of Information Act Exemption 6, public agencies can withhold “personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy.” However, Exemption 6 permits rather than requires withholding, so PHI could be disclosed in response to a Freedom of Information request if the information is considered to be in the public interest. Unfortunately, different public agencies interpret Exemption 6 in different ways.

The post HIPAA Exceptions appeared first on HIPAA Journal.

Guide to HIPAA Safeguards

Requirements to implement HIPAA safeguards appear more often in the text of the Health Insurance Portability and Accountability Act than is often acknowledged. While most sources cover the Administrative, Physical, and Technical Safeguards of the Security Rule, less specific requirements relating to HIPAA safeguards also appear in the Privacy Rule.

Compared to specific requirements of the Administrative, Physical, and Technical safeguards, most other references to safeguards in the text of HIPAA are intentionally flexible to accommodate the different types of Covered Entities and Business Associates that have to comply with them. While this flexibility means it can be easier for certain organizations to comply with the HIPAA safeguards – and protect the privacy of PHI – other organizations may find the lack of guidance confusing.

To demonstrate the difference between the safeguards of the Security Rule and the safeguards of the Privacy Rule, we've provided a synopsis of the Security Rule Administrative, Physical, and Technical Safeguards to compare against the safeguards mentioned in the Privacy Rule Administrative Requirements. There is also a section relating to the Organizational Requirements of the Privacy and Security Rules, both of which include further HIPAA safeguards.

HIPAA Security Rule Safeguards

The HIPAA Security Rule is dominated by the Administrative, Physical, and Technical Safeguards, the remainder of the Rule being assigned to General Rules, Organizational Requirements (discussed below), Documentation Requirements, and Compliance Dates. The General Rules provide an overview of what the HIPAA safeguards set out to achieve and allow flexibility in the implementation of the safeguards by designating some of the implementation specifications as “addressable”.

Addressable implementation specifications are not as flexible as they may appear. An addressable specification must be implemented unless it is not “reasonable and appropriate” in the environment, in which case the organization must document why, and implement an equivalent alternative measure if that is reasonable and appropriate. In most circumstances, Covered Entities and Business Associates have no option but to implement addressable specifications in order to provide adequate protection.

HIPAA Administrative Safeguards

More than half of the Security Rule focuses on the HIPAA Administrative Safeguards (45 CFR § 164.308) – defined in the Security Rule as “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic PHI and to manage the conduct of the covered entity’s or business associate’s workforce in relation to the protection of that information”.

To achieve the objectives of the HIPAA Administrative Safeguards, Covered Entities and Business Associates must appoint a Security Officer responsible for developing a security management program that addresses access controls, incident response, and security awareness training. The Security Officer is also responsible for conducting risk assessments and implementing policies and procedures to protect ePHI from threats and vulnerabilities.

HIPAA Physical Safeguards

The Physical Safeguards are measures, policies, and procedures intended to protect a Covered Entity’s or Business Associate’s buildings, equipment, and information systems from unauthorized intrusion and from natural and environmental hazards. Compliance with these HIPAA safeguards involves not only securing buildings and controlling access to them, but also validating the identity of anyone with access to equipment and information systems hosting ePHI.

Compared to the Privacy Rule HIPAA Safeguards (below), the Physical Safeguards provide direct guidance on the measures Covered Entities and Business Associates should take to (for example) govern the movement of devices and media containing ePHI, document maintenance records for facilities in which ePHI is stored, back up data before moving equipment, and properly dispose of hardware ePHI is stored on to eliminate the possibility of unauthorized disclosures.

HIPAA Technical Safeguards

The HIPAA Technical Safeguards relate to the technology used by Covered Entities and Business Associates, and the policies and procedures for its use and for access to it. Like the Physical Safeguards, the Technical Safeguards include fine details on the measures organizations should implement to protect ePHI from unauthorized access, including audit controls, person or entity authentication, and automatic logoff so ePHI cannot be accessed by unauthorized users when devices are left unattended.

Despite being the shortest of the Security Rule HIPAA standards, the Technical Safeguards make it clear that encryption is considered to be a significant factor in preventing unauthorized uses and disclosures. Although encryption is an addressable specification, PHI encrypted in line with HHS guidance is “secured” for the purposes of the Breach Notification Rule, so its loss or theft is not a reportable breach. This point has been reinforced through several subsequent HHS publications, most notably the 2016 Fact Sheet that answers questions about ransomware and whether or not a ransomware attack is a reportable breach under the HIPAA Breach Notification Rule.

Privacy Rule HIPAA Safeguards

Compared to the HIPAA Security Rule Safeguards, the safeguards mentioned in the Administrative Requirements of the Privacy Rule lack direct guidance. According to 45 CFR § 164.530(c), a Covered Entity “must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of Protected Health Information”. The only implementation specifications offered to support this standard are:

  • A Covered Entity must reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.
  • A Covered Entity must reasonably safeguard PHI to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.

The reason the Administrative Requirements lack direct guidance is the inclusion of “other requirements of this subpart”. “This subpart” refers to the Privacy Rule; and as different Covered Entities apply different policies and procedures to comply with the Privacy Rule, it would be impossible to develop “one-size-fits-all” safeguards to protect the privacy of PHI in the same way as required and addressable safeguards protect the confidentiality, integrity, and availability of ePHI.

Organizational Requirements in the Privacy and Security Rules

Both the Privacy Rule and the Security Rule are subject to Organizational Requirements. The Organizational Requirements in the General Provisions (45 CFR § 164.105) apply to Covered Entities whose covered functions are only part of their operations (hybrid entities) and to legally separate Covered Entities under common ownership or control that designate themselves as one (affiliated covered entities), while the Organizational Requirements of the Security Rule (45 CFR § 164.314) relate to Business Associate contracts with subcontractors and to relationships between group health plans and plan sponsors.

Additional HIPAA Safeguards for Hybrid Entities

An example of a hybrid entity is a teaching institution that provides healthcare facilities for staff, students, and the public. The institution is a hybrid entity because the provision of healthcare for staff is a non-portable benefit (and therefore exempt from HIPAA), the treatment records of students are education records covered by FERPA (and excluded from the definition of PHI), and only the provision of healthcare for the public is covered by HIPAA.

Hybrid entities have to implement appropriate HIPAA safeguards to ensure that any PHI collected, used, and maintained by the public healthcare component of its operations is not disclosed to the other components of its operations. This includes disclosures of PHI by healthcare professionals working for a hybrid entity when the healthcare professionals assist with medical procedures for staff, students, and the public.

Additional HIPAA Safeguards for Affiliated Entities

Affiliated Entities are legally separate Covered Entities under the same ownership or control that designate themselves a single Affiliated Covered Entity for the purposes of HIPAA compliance. Being affiliated enables Covered Entities within the group to disclose ePHI to each other without the need for individual Business Associate Agreements, which increases integration and efficiency. Affiliated Entities can also use common documentation and share the same Privacy and Security Officers.

The additional HIPAA safeguards in the Organizational Requirements prevent unauthorized disclosures to other business units under the same ownership or control that do not qualify as Covered Entities. For example, several hospitals within a healthcare system under the same ownership can designate themselves as an Affiliated Entity; but, if the parent organization is not a Covered Entity, ePHI cannot be disclosed to the parent organization.

Business Associate Contracts with Subcontractors

Most Covered Entities and Business Associates are familiar with the requirement to enter into a Business Associate Agreement before ePHI is disclosed by a Covered Entity to a Business Associate, but it is not so widely known that a Business Associate has to enter into a Business Associate Contract before disclosing ePHI to a subcontractor, or to another of the Covered Entity's Business Associates acting as a subcontractor for the primary Business Associate.

Originally, a Business Associate contract only had to “ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it”. The Final Omnibus Rule of 2013 strengthened this requirement: subcontractors that create, receive, maintain, or transmit ePHI on behalf of a Business Associate are now Business Associates in their own right, and the Business Associate must enter into a contract or other arrangement requiring the subcontractor to comply with the applicable Security Rule requirements. Naturally, all assurances must be documented.

Relationships between Group Health Plans and Plan Sponsors

The relationship between group health plans and plan sponsors is similar to that between Covered Entities and Business Associates, with the exception that certain uses and disclosures of ePHI to the plan sponsor are permitted without further assurances (for example, summary health information and enrollment or disenrollment information). In all other cases, the group health plan must ensure its plan documents require the plan sponsor to implement the administrative, physical, and technical safeguards of the Security Rule before disclosing further ePHI to the plan sponsor.

It is Important to Comply with All Applicable HIPAA Safeguards

Covered Entities and Business Associates must comply with all applicable HIPAA safeguards. Ignorance of the safeguards, or of how to comply with them, is not a justifiable defense if an organization is audited by HHS' Office for Civil Rights or investigated following a patient complaint or self-reported data breach. In the worst cases, substantial fines can be issued for noncompliance with safeguards organizations should have known about had they exercised due diligence.

Video: Why HIPAA Compliance is Important for Healthcare Professionals

Many sources explaining why HIPAA compliance is important for healthcare professionals tend to focus on the purpose of HIPAA regulations rather than the benefits of compliance for healthcare professionals. The same sources also tend to focus on how noncompliance affects patients and employers, rather than the impact it can have on healthcare professionals' lives.

This article discusses why HIPAA compliance is important for healthcare professionals from a healthcare professional's perspective. It explains why healthcare professionals cannot avoid HIPAA; and that, by complying with HIPAA, healthcare professionals can foster patient trust, keep patients safer, and contribute towards better patient outcomes. This in turn raises morale, creates a more rewarding work experience, and enables healthcare professionals to get more from their vocation.

Conversely, the failure to comply with HIPAA can have significant professional and personal consequences. Yet the failure to comply with HIPAA is not always a healthcare professional's fault. Sometimes it can be due to insufficient training or cultural norms. We look at why Covered Entities might not always be able to provide sufficient training or monitor HIPAA compliance, why they may not accept responsibility when an avoidable HIPAA violation occurs, and how you can avoid HIPAA violations due to a lack of knowledge.

Why Healthcare Professionals Cannot Avoid HIPAA

One of the objectives of HIPAA is to provide a federal floor of privacy protections for individuals' identifiable health information held by Covered Entities. To achieve this objective, the Privacy and Security Rules impose standards Covered Entities must comply with in order to protect the privacy of “Protected Health Information” (PHI). The failure to comply with the HIPAA standards can result in substantial financial penalties, even when no data breach occurs and PHI is not compromised.

Most healthcare organizations are Covered Entities and, as such, are required to implement policies and procedures to comply with the Privacy and Security Rule standards. As employees of Covered Entities, healthcare professionals are required to comply with their employer's policies and procedures. This is why healthcare professionals cannot avoid HIPAA. However, this is not the only reason why HIPAA compliance is important for healthcare professionals.

The Benefits of HIPAA Compliance for Healthcare Professionals

There is little doubt the most important element of a patient/healthcare professional relationship is trust. Patients trust their healthcare professionals with intimate details of their lives because they trust healthcare professionals work in their best interests to achieve optimal health outcomes. However, trust can be a fragile commodity. If their intimate details are exposed due to a HIPAA violation, patients may withhold information crucial to the delivery of care despite the potential long-lasting consequences for their health.

Healthcare professionals can mitigate the risk of trust being broken by complying with the policies and procedures implemented by their employer to prevent HIPAA violations. When patients are confident their privacy is being respected, this fosters trust – which contributes to the delivery of better care in order to achieve optimal health outcomes. Better patient outcomes raise the morale of healthcare professionals and result in a more rewarding work experience.

The Professional and Personal Consequences of Noncompliance

One of the policies a Covered Entity is required to implement is a sanctions policy for when members of its workforce do not comply with HIPAA policies and procedures. Covered Entities are required to enforce the sanctions policy and act on HIPAA violations by healthcare professionals because, if they don't enforce the sanctions policy, the Covered Entity will be in violation of HIPAA. Furthermore, if the Covered Entity fails to act, noncompliance can deteriorate into a cultural norm.

Being sanctioned for a HIPAA violation can have professional and personal consequences for healthcare professionals. Penalties can range from verbal warnings to the loss of professional accreditation, which will make it difficult for a healthcare professional to get another job; and, if a criminal conviction results from the noncompliance, it will likely be reported in the media, which will have repercussions for a healthcare professional's personal reputation.

Who is Responsible for HIPAA Violations?

As mentioned previously, the failure to comply with HIPAA is not always the healthcare professional's fault. Although Covered Entities are required to provide training on policies and procedures that relate to healthcare professionals' functions, they may not have the resources to provide training on every conceivable scenario a healthcare professional may encounter, or to monitor compliance 24/7 in order to prevent the development of cultural norms.

Consequently, unintentional violations of HIPAA can occur due to a lack of knowledge. However, Covered Entities are not always willing to accept responsibility for unintentional violations due to a lack of knowledge because it implies they failed to conduct a thorough risk assessment, overlooked a threat to the privacy of PHI, and failed to provide “necessary and appropriate” training – or, when a cultural norm has developed, failed to monitor compliance with policies and procedures.

How You Can Avoid Unintentional Violations of HIPAA

The best way to avoid unintentional HIPAA violations and the professional and personal consequences of noncompliance – even when they are not your fault – is to ensure your knowledge of HIPAA covers every area of your role and the scenarios you may encounter. To achieve this level of knowledge, you should take advantage of third-party HIPAA training courses that provide you with an in-depth knowledge of HIPAA and its rules and regulations.

Taking responsibility for your own knowledge of HIPAA, and using that knowledge to work in a HIPAA-compliant manner, protects your career, improves your job prospects, and enables you to get more from your vocation. Given the choice, most healthcare professionals would prefer to work in an environment which operates compliantly to deliver better patient outcomes, in which morale is high, and in which the healthcare professional enjoys a more rewarding work experience.

HIPAA Rights

The Health Insurance Portability and Accountability Act (HIPAA) introduced multiple HIPAA rights. Some of the rights were introduced directly via the text of the Act, but the majority followed later in the Privacy Rule. Unfortunately, the failure to comply with Privacy Rule HIPAA rights is one of the leading reasons for complaints to the HHS' Office for Civil Rights.

When HIPAA was enacted in 1996, references to individuals' rights mostly focused on the original purpose of the Act: to enable employees to carry forward insurance coverage from one employer to another after a break, to prevent the denial of coverage (or additional premiums for coverage) on the grounds of a pre-existing condition, and to guarantee renewability in multiemployer plans.

The HIPAA rights most people are familiar with, the right to health information privacy and the right to access and correct health information, are mentioned in the text of HIPAA (Section 264), but only in the context of the recommendations the Secretary of Health and Human Services was tasked with preparing in the event Congress did not pass a privacy law within three years.

As Congress did not pass a privacy law, the Privacy Rule was introduced to establish patients' rights under HIPAA. These can be found between 45 CFR § 164.508 and 45 CFR § 164.528 in the HIPAA Administrative Simplification provisions. However, as the HIPAA Administrative Simplification provisions are complex, we have provided a synopsis of the most important HIPAA rights below.

Rights under the Privacy Rule

Information for which individuals have rights under the Privacy Rule is known as Protected Health Information or PHI. In addition to information relating to a patient's past, present, or future physical or mental condition being protected, including the provision of treatment and healthcare services, past, present, or future payment information is also protected under the Privacy Rule.

45 CFR § 164.508 – Uses and disclosures of PHI for which an authorization is required

HIPAA Covered Entities and Business Associates are allowed to use or disclose PHI without authorization to carry out treatment, payment, or health care operations, and for the other purposes the Privacy Rule specifically permits or requires (for example, public health reporting or disclosures required by law). Uses and disclosures not otherwise permitted by the Privacy Rule require the prior written authorization of the patient. Patients have the right to receive a copy of the signed authorization, and the right to revoke the authorization at any time.

45 CFR § 164.520 – Notice of Privacy Practices for PHI

Patients have the right to receive a Notice of Privacy Practices. The Notice must explain what uses and disclosures of PHI are allowed, and when an authorization is required for other uses and disclosures. The Notice must also list the patient's other rights, how to exercise them, and how to make a complaint if their privacy rights are violated.

45 CFR § 164.522 – Right to request privacy protection for PHI

Two of the HIPAA rights listed in the Notice of Privacy Practices are that patients can request restrictions on certain uses and disclosures of PHI (for example, not informing a health plan when a patient receives treatment and pays for the treatment privately), and that they can request how Covered Entities communicate with them when a communication involves a disclosure of PHI.

45 CFR § 164.524 – Access of individuals to PHI

The right in this standard should also be included in a Notice of Privacy Practices inasmuch as it explains a patient's right to inspect and receive a copy of their PHI within 30 days (currently under review). Patients can also stipulate how they want to receive a copy of their PHI, for example by email, on a USB drive, or in paper format.

45 CFR § 164.526 – The right to amend PHI

Patients have the right to request corrections to their medical record if, on obtaining a copy of their PHI, it is found to be inaccurate or incomplete. There are several scenarios in which a Covered Entity can decline to comply with this request, including that the Covered Entity receiving the request did not create the PHI, a scenario that is increasingly common in these days of interoperability between Covered Entities.

45 CFR § 164.528 – Accounting of disclosures of PHI

The right to access an accounting of disclosures, which explains to whom the patient's PHI has been disclosed and why over the past six years, is one of the most complicated HIPAA rights standards because there are so many exclusions allowed. It is also possible for this right to be temporarily suspended if a suspension is requested by a health oversight agency or law enforcement official.

Rights under the Breach Notification Rule

In addition to the rights granted by the Privacy Rule, individuals also have HIPAA rights under the Breach Notification Rule – a Rule which specifies the process for reporting breaches of unsecured PHI. The Rule was extended in the Final Omnibus Rule in 2013 to include Business Associate data breaches, and further changes are being considered in response to the Safe Harbor Act 2021.

At present, patients have the right to be notified of any breach of unsecured PHI when there is reason to believe the PHI has been accessed, acquired, used, or disclosed without authorization. The notification must explain how the breach happened, the nature of the PHI that was breached, and what steps individuals should take to protect themselves from harm as a result of the breach.

In addition, Covered Entities must describe what they are doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches. Covered Entities must also provide contact details – which should include a toll-free number – where affected individuals can seek help or ask further questions. These procedures apply regardless of how many patients are affected.

Noncompliance with HIPAA Rights

As mentioned in the introduction to this article, the failure to comply with Privacy Rule HIPAA rights is one of the leading reasons for complaints to the HHS Office for Civil Rights (OCR) and subsequent enforcement action. In recent years, complaints about patients' rights of access have been among the top five complaints investigated by OCR that have resulted in corrective action and/or a civil penalty.

In November 2021, OCR released the results of five investigations into non-compliance with HIPAA rights that resulted in corrective action and/or a civil penalty. It is important to note that the settlements of up to $160,000 involved smaller practices as well as larger organizations. Therefore, it is important that every Covered Entity is aware of – and complies with – patients' HIPAA rights.

The post HIPAA Rights appeared first on HIPAA Journal.

What is HIPAA?

What is HIPAA? HIPAA is an acronym for the Health Insurance Portability and Accountability Act. Among other measures, the Act led to the establishment of federal standards for safeguarding patients' “Protected Health Information” (PHI) and ensuring the confidentiality, integrity, and availability of PHI created, maintained, processed, transmitted, or received electronically (ePHI).

When the Health Insurance Portability and Accountability Act was passed by Congress in 1996, the establishment of federal standards for safeguarding PHI was not one of the primary objectives. Indeed, the long title of the Act doesn't even mention patient privacy or data security:

“An Act to amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.”

So how did HIPAA evolve from being a vehicle for improving the portability and continuity of health insurance coverage to being one of the most comprehensive and detailed federal privacy laws? The answer can be found deep in the Administrative Simplification provisions of HIPAA Title II.

What is HIPAA Title II?

HIPAA consists of five Titles addressing the primary objectives of the Act:

  • Title I: Health care access, portability, and renewability.
  • Title II: Preventing health care fraud and abuse; administration simplification; medical liability reform.
  • Title III: Tax-related health provisions governing medical savings accounts.
  • Title IV: Application and enforcement of group health plan requirements.
  • Title V: Revenue offsets governing tax deductions for employers.

Most of HIPAA Title II concerns measures to control health plan fraud and abuse (rather than health care fraud and abuse), the allocation of funds to pay for the measures, and sanctions against individuals or organizations that defraud or abuse a health plan or program. The provisions related to administrative simplification are discussed below, while the provisions for medical liability reform (of which there are few) only relate to whistleblower protection for reporting fraud and abuse.

With regard to the Administrative Simplification provisions, the preamble states their purpose is to improve the Medicare and Medicaid programs, and the efficiency of the health care system, via “the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information”. The responsibility for accomplishing this purpose is delegated to the Secretary of Health & Human Services (HHS).

The preamble could give the impression that the Administrative Simplification provisions of HIPAA Title II will improve accessibility to and affordability of the Medicare and Medicaid programs, or that the development of a health information system would streamline the provision of healthcare between providers. However, when you read the Administrative Simplification provisions, their primary purpose is to reduce the administrative costs of providing and paying for health care.

The Administrative Simplification provisions were important in the context of improving the portability and continuity of health insurance coverage because it was necessary to improve portability and continuity without increasing administration costs. Any increase in administration costs would have been passed on by covered health plans as increased costs to healthcare providers and as increased premiums for insurance coverage – something Congress was keen to avoid.

The final Administrative Simplification provision is possibly the most important of all – requiring the Secretary of Health & Human Services to develop “recommendations on standards with respect to the privacy of individually identifiable health information”. If Congress did not enact federal privacy legislation within three years, the Secretary was to issue the recommendations as a Final Rule. Ultimately this short passage of HIPAA Title II was to become the HIPAA Privacy Rule.

The Regulatory Landscape when HIPAA was Passed

So far, we've answered the question what is HIPAA by providing an overview of the Act, identifying where the provisions were within the Act that triggered the Privacy and Security Rules, and specifying who was delegated responsibility for developing the Rules. To best explain what happened next, it is important to understand the regulatory landscape at the time and the patchwork of legislation that influenced the development of the Privacy and Security Rules.

Prior to the passage of HIPAA, only ten states granted individuals privacy rights in their constitutions, although the privacy of individuals with specific conditions was required by federal law. For example, the Veterans Omnibus Health Care Act 1976 protects the privacy of medical records held by the Dept of Veterans Affairs relating to drug abuse, alcohol abuse, and AIDS. In addition, consumers of federal programs such as Medicare and Medicaid also have privacy rights under the Privacy Act 1974 – but only for records maintained by the Centers for Medicare & Medicaid Services (CMS).

The patchwork of legislation often failed to prevent unauthorized disclosures of personal health or payment information. Furthermore, unless a patient's data was protected by an existing state or federal law, data could be freely exchanged between (for example) health plans and finance agencies – which could affect the patient's ability to apply for a home mortgage. Similarly, a health plan could find out about a patient's condition or treatment through non-regulated channels and increase the patient's premiums or deductible – even if the patient had paid for treatment privately.

In addition to accommodating existing state and federal laws, the Secretary of Health & Human Services was given guidelines to work within. In respect of reducing the administrative costs of providing and paying for health care, HHS had to develop standards for the electronic exchange, privacy, and security of health information in financial and administrative transactions, while the recommendations on standards with respect to the privacy of individually identifiable health information had to cover:

  • The rights that an individual who is a subject of individually identifiable health information should have.
  • The procedures that should be established for the exercise of such rights.
  • The uses and disclosures of such information that should be authorized or required.

Because the standards relating to the privacy of individually identifiable information were subject to a three-year delay, the Notice of Proposed Rulemaking for the Security Rule was the first to be issued, in 1998. The Notice of Proposed Rulemaking for the Privacy Rule was issued in 1999; but due to several years of revisions prompted by stakeholder comments, public hearings, and other issues, the Privacy Rule was not finalized until December 2000 (and was modified again in 2002), and the Security Rule was not published until 2003.

Rules Extend Privacy Rights and Data Security Nationwide

The Privacy and Security Rules introduced minimum privacy, technical, physical, and administrative requirements that apply to all “Covered Entities” nationwide. Contrary state law is preempted by HIPAA, except where the state law (or another federal law or professional regulation) has more stringent requirements – in which case the more stringent requirement applies, as discussed under HIPAA General Rule Exceptions above. The safeguards also apply to Business Associates who provide services for Covered Entities, and to subcontractors who provide services for Business Associates.

An Enforcement Rule was introduced in 2006 to tackle noncompliance with HIPAA; and, in 2009, the HHS' Office for Civil Rights issued its first financial penalty for a violation of HIPAA – CVS Pharmacy Inc. being ordered to pay $2.25 million for the improper disposal of patient health records. Multiple penalties have since been issued – not only by the Office for Civil Rights, but also by State Attorneys General. The DoJ has also pursued several successful criminal convictions for violations of HIPAA.

Further Rules have reinforced the importance of HIPAA compliance. The Breach Notification Rule in 2009 made it a requirement for Covered Entities and Business Associates to report breaches of unsecured PHI to individuals, the Office for Civil Rights, and – in some cases – the media. The Rule also shifted the burden of proof. Previously, OCR would have to establish that a breach had occurred. Now, organizations have to demonstrate that an unauthorized disclosure of unsecured PHI does not constitute a reportable breach.

In 2013, the Omnibus Final Rule enacted provisions of the HITECH Act which made changes to the Security Rule to improve data security and further restrict access to ePHI. The Omnibus Final Rule also enhanced HHS' powers to enforce HIPAA, updated the Breach Notification Rule, and made Business Associates directly liable for data breaches and HIPAA violations. Changes to the Privacy Rule are currently under consideration that may affect the answer to what is HIPAA in the future.

The post What is HIPAA? appeared first on HIPAA Journal.

HIPAA Guidelines for Nursing Students

It is important to understand the HIPAA guidelines for nursing students because of the role nursing students play in the provision of healthcare and because of the threats to the privacy of Protected Health Information (PHI) when nursing students have received insufficient training to perform their roles in compliance with HIPAA.

The nursing profession is not easy; and, when nursing students start on their career path, there is a lot to take in. In addition to learning the skills of their profession and completing years of coursework, nursing students are frequently asked to assist with the provision of healthcare. Although they are usually supervised when working with patients, the risk exists that – without an understanding of HIPAA – violations of HIPAA could occur due to a lack of knowledge.

For example, if a nursing student shares the events of the day with friends via social media, it is important the student has been trained on what constitutes PHI, when it can be disclosed, and the penalties for disclosing PHI without authorization. If the student has not been trained on the HIPAA guidelines for nursing students – and they reveal the name of a patient in a social media post – the consequences could impact both the training institution and the student's future nursing career.

Who is Responsible for Training Nursing Students on HIPAA?

The HIPAA guidelines for nursing students are the same as the HIPAA guidelines for any other member of a Covered Entity's workforce. This is because the HIPAA Privacy Rule defines a Covered Entity's workforce as “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Entity, is under the direct control of such Covered Entity, whether or not they are paid by the Covered Entity”.

However, if a nursing student is studying at a teaching institution that does not qualify as a Covered Entity (i.e., one that does not provide healthcare services to non-students), the HIPAA guidelines for nursing students do not apply to the teaching institution. In this case, the medical facility at which a nursing student takes a placement or works on a clinical rotation will be the entity responsible for training nursing students on HIPAA – assuming the medical facility is a Covered Entity.

This is where issues can arise in understanding the HIPAA guidelines for nursing students, because Covered Entities are only required (by 45 CFR § 164.530) to provide training on “policies and procedures with respect to PHI […] as necessary and appropriate for members of the workforce to carry out their functions”. Training that is limited to policies and procedures may not be fully understood by nursing students who lack basic knowledge about the Privacy and Security Rules.

How to Mitigate Potential Violations due to a Lack of Knowledge

Covered Entities – whether they are training institutions or medical facilities – can mitigate the risk of potential HIPAA violations due to a lack of knowledge by providing basic HIPAA training to all students and new, inexperienced employees. This will give them a grounding in the background to HIPAA, so they are better equipped to understand – and comply with – policies relating to unauthorized disclosures, the Minimum Necessary Standard, and patients´ rights.

The basic HIPAA training should also include subjects such as computer safety rules, threats to patient data, and protecting ePHI from cyber threats so students can better understand security and awareness training (as required by 45 CFR § 164.308), better appreciate why the Technical Safeguards of the Security Rule limit access to ePHI, and better recognize phishing attempts and other attacks that could result in malware being installed on healthcare systems.

To reduce the overhead of providing basic HIPAA training to students, Covered Entities can take advantage of off-the-shelf HIPAA training packages. While these packages do not replace a Covered Entity's obligation to provide policy and procedure training, they offer training in online modules students can take in their own time, monitor each student's progress through the course, and can be reused for annual refresher training on the HIPAA guidelines for nursing students.

Refresher Training on the HIPAA Guidelines for Nursing Students?

As mentioned previously, nursing students have a lot to take in when embarking on a nursing career; and, when basic HIPAA training has been provided at the start of a course, it can be easy for elements of HIPAA training to be swamped by the volume of other information students have to absorb. However, a knowledge of HIPAA is vital when students qualify and start working for a Covered Entity, so it is recommended refresher HIPAA training is provided at least annually.

The provision of refresher training on the HIPAA guidelines for nursing students not only keeps HIPAA compliance front of mind but can help overcome bad influences that can compromise compliance – such as when shortcuts are taken by nursing professionals “to get the job done” and non-compliant practices become the cultural norm. This case study illustrates how cultural norms in nursing units can negatively affect compliance and potentially end students' careers.

The case study also illustrates why compliance experts recommend HIPAA refresher training is provided at least annually to all members of a Covered Entity's workforce. While scheduling refresher training can be difficult during staff shortages or health emergencies, the online modular courses used to train students on the HIPAA guidelines for nursing students can be rolled out time and time again to save Covered Entities time and money and enhance their compliance profiles.

The post HIPAA Guidelines for Nursing Students appeared first on HIPAA Journal.

HIPAA Checklists

Get started with HIPAA compliance by checking out these free checklists. You may want to build your own customized checklist when developing your strategy for complying with HIPAA.

Bookmark this page, since it will be updated when we find more useful free HIPAA checklists.

Free HIPAA Compliance Checklists

Do you know of any other good HIPAA checklists we could add to this list? Leave a comment below!

Five Essential HIPAA Books for Beginners

Here are five highly rated books (all available from Amazon.com) that are full of useful information for people who are new to the world of HIPAA compliance. If you are just learning the basics about HIPAA, these are a good place to start building your expertise.

#1: Getting Started with HIPAA

608 pages – ISBN: 1592000541

#2: HIPAA Plain and Simple: A Compliance Guide for Healthcare Professionals

250 pages – ISBN: 1579474195

#3: Understanding HIPAA: The Employer’s Guide to Compliance

152 pages – ISBN: 1410788784

#4: HIPAA Facility Desk Reference: A Facilities’ Guide to Understanding the Administrative Simplification Provisions, 2003

243 pages – ISBN: 1563299267

#5: Field Guide to HIPAA Implementation

266 pages – ISBN: 1579472834

Do you have any other HIPAA books you would add to this list that you found to be helpful?