HIPAA Updates

Understanding GDPR Compliance

Posted by GDPR News

What does ‘GDPR Compliance’ mean?

GDPR compliance is due to become obligatory for every business or organisation, or company which gathers, stores or utilises the personal data of citizens throughout the European Union in May 2018. The application of the General Data Protection Regulation (GDPR) together with the need for GDPR compliance that will follow, will significantly impact the manner in which data protection is dealt with throughout Europe.

In order to respond to the question “What does ‘GDPR Compliance’ mean?”, it is necessary to explain, to those who may be unfamiliar with the terms, what the difference between a European Union Directive and a European Union Regulation is; an EU Directive is a general set of guidelines on which EU member states may base their own domestic laws around (with some flexibility as to the precise terms), whereas an EU Regulation is legislation that applies throughout the entire European Union, meaning that all member nations are obliged to comply with Regulations and they are enforceable by law.

The General Data Protection Regulation (GDPR) is, as its name would suggest, an EU Regulation. The 1995 EU Data Protection Directive will be replaced by the GDPR which serves to create standard data protection laws across the EU. Businesses and companies that operate in numerous EU member states will now be obliged to work within a uniform set of rules which resolve issues that were impossible to foresee when the 1995 Directive was drafted, e.g. data processing in context of “cloud” technology.

Essential Aspects of the New Data Protection Rules under GDPR

The GDPR data protection rules comprise a precise clarification of what is legally recognised as personal data, the rights of citizens to be informed as to how their personal data is used, what personal data can be gathered, and how each individual´s informed consent must be obtained in order to collect, maintain or use that personal data.

The new definition of “personal data” will impact every organisation or company that employs cookies on their websites. The GDPR data protection rules recognise “online identifiers”, including pseudonymous identifiers, as personal data. Furthermore, identifiers now considered to be personal data include race or ethnicity, religion or lack thereof, together with genetic or biometric data.

Those who review their GDPR compliance procedures are advised to keep records of the manner in which they obtain individuals’ informed consent. An individual must give consent via a recordable affirmative action if their personal data is be gathered, stored or used. Each person must be informed prior to giving consent what the data is intended to be used for and they must also be made aware of their right to later withdraw consent.

The Rights of Individuals and GDPR Compliance

Any body which collects, maintains or uses an individual´s personal data but neglects to first acquire the informed consent of those persons, or does not delete destroy their record of the data concerned after an individual has withdrawn their consent – breaches the GDPR. There are numerous other rights of individuals that must be taken into account by companies or organisation when they review their GDPR compliance. These rights of individuals include:

  • The right to view or consult stored personal data.
  • The right to amend any errors in their personal data.
  • The right to be informed as to how personal data will be used.
  • The right to be informed as to how long their personal data will be stored.
  • The right to be informed who their personal data is being shared with.
  • The right “to be forgotten”, i.e. to have any stored personal data permanently deleted.
  • The right to be informed as to the source of their personal data in circumstances where informed consent was not in fact given.

N.B. This is not an exhaustive list!

Businesses and companies will need to review their data gathering, storage and processing mechanisms to guarantee that personal data can be isolated, extracted and permanently deleted when required in order to comply with the GDPR rules for the rights of individuals. Methods of verifying the identity of individuals who wish to exercise their GDPR rights will also have to be put into action.

Data Protection Officers and Ensuring Compliance with GDPR

Included in the GDPR data protection rules are a number of measures which must be taken in order to ensure GDPR compliance. Simply put, the “accountancy principle”must be complied with; i.e. companies or organisations must provide transparent privacy policies, and carry out GDPR data protection impact evaluations to identify any potential risks to the security of personal data.

The implementation of procedures to rectify any risks to the integrity of personal data and the application of comprehensive governance measures to guarantee that those procedures are adhered to will be required. Depending on circumstances, it may be necessary to carry out GDPR compliance training and large businesses or companies might have to appoint a Data Protection Officer.

A Data Protection Officer’s role is to act as a counsellor and to monitor GDPR compliance. The officer will be in charge of managing internal data protection activities, offering advice on GDPR data protection impact evaluations, the training of staff and carrying out internal audits. Furthermore, the Data Protection Officer will be the first point of reference for Data Protection Authorities (discussed in detail below) and those individuals who may wish to exercise their GDPR rights.

European Union Penalties following GDPR Non-Compliance

The majority of European Union member states already have their own Data Protection Authorities in place. Their duty is to ensure that national data protection laws are complied with and, where there has been failures to do so, to impose penalties for unauthorized use of personal data. Following the introduction of the GDPR, these Data Protection Authorities will have the power to conduct GDPR compliance audits and impose penalties for any non-compliance found. This will even include circumstances where a breach of personal data has not in fact occurred.

Non-compliance with GDPR attracts a wide variety of penalties depending upon the type of violation, the number or size of records disclosed without authorization, and the action taken by the body in question in order to minimize the breach of personal data. Maximum penalties (which can in fact include accidental disclosure) for GDPR non-compliance are considerable:

  • Non-compliance with GDPR security standards may result in a €10 million or 2% of global annual turnover fine – whichever is greater.
  • Non-compliance with GDPR privacy standards may result in a €20 million or 4% of global annual turnover fine – whichever is greater.

Additional Penalties for Failure to Comply with the GDPR

Additional penalties for lack of GDPR compliance may be imposed in circumstances where a company has failed to notify its Data Protection, Authority within seventy-two hours, of the discovery of any unauthorised exposure of personal data. Moreover, the company may potentially be charged with a criminal offence or offences depending on the national law of the EU state concerned.
If the exposure of personal data has the possible or probable consequences of the individual(s) concerned falling victim to identity theft, fraud, financial loss, discrimination, injury to reputation or other economic or social disadvantage, the breach must also has be notified directly to the individual(s). This may result in a personal compensation law suit being made against the offending organisation.
One exception to the obligation to inform individuals (but not in fact the Data Protection Authorities) exists in circumstances where the exposed personal data had been encrypted, therefore rendering it unusable by the person or persons who gain access to it. In such an event, the Data Protection Officer would have to show to the Data Protection Authority that the data concerned had been kept securely before the breach.

Resume of the GDPR

  • The European Union General Data Protection Regulation (GDPR) will apply from the 25th May 2018 and concerns every company or organisation, inside or outside of the EU, that gathers, stores or maintains the personal data of citizens of European Union member states.
  • Concerning what is defined as “personal data”, any characteristic that could potentially identify or point out an individual is understood to be personal data. Numerous online identifiers such as cookies are included in this definition.
  • An “affirmative action” to give informed consent for the gathering, storage and/or use of personal data must be made by the individuals concerned. The way in which informed consent is given must be recorded and saved by the body which gathers the information.
  • Individuals have wide-ranging rights over how their personal data is gathered, held or used. This includes a right “to be forgotten”. In order to prevent GDPR fraud from occurring, systems must be put in place.
  • Institutions are obliged to implement privacy policies that are clear and transparent. They must also carry out risk assessments and initiate procedures to guarantee the integrity of individuals’ personal data. On occasion employment of a Data Protection Office might be a necessity.
  • A penalty for failing to comply with GDPR may be enforced even when no breach of personal data has in fact happened. The severity of the penalty is dependant on what actions were taken to minimize the unauthorized exposure of the individuals’ personal data.
  • Companies need to inform themselves about the GDPR Breach Notification Rule and the sanctions which may be applied as a consequence of failing to notify the authorities within 72 hours.

Please note that this resume of GDPR is intended to provide a simple overview of the issues discussed within it. Reasonable precautions have been taken in order to ensure that the content is based on the facts that were available at the time of publication. No responsibility for mistakes or omissions in this GDPR summary will be taken by us. Those concerned about GDPR compliance should take legal advice from a professional as soon as possible.

The post Understanding GDPR Compliance appeared first on HIPAA Journal.

OCR Launches New Tools to Help Address the Opioid Crisis

Posted by HIPAA Journal

OCR has launched new tools and initiatives as part of its efforts to help address the opioid crisis in the U.S., and fulfil its obligations under the 21st Century Cures Act.

Two new webpages have been released – one for consumers and one for healthcare professionals – that make information relating to mental/behavioral health and HIPAA more easily accessible.

OCR resources have been reorganized to make the HHS website more user-friendly, and the new webpages serve as a one-stop resource explaining when, and under what circumstances, health information can be shared with friends, families, and loved ones to help them deal with, and prevent, emergency situations such as an opioid overdose or a mental health crisis.

OCR has also released new guidance on sharing information related to substance abuse disorder and mental health with individuals involved in the provision of care to patients. The new resources include fact sheets, decision charts, an infographic, and various scenarios that address the sharing of information when an individual has an opioid overdose.  Some of the materials have been developed specifically for parents of children suffering from a mental health condition.

OCR is also collaborating with partner agencies within the HHS to identify and develop further programs and training materials covering the permitted uses and disclosures of PHI when patients seek, or undergo, treatment for mental health disorders or substance abuse disorder.

“HHS is using every tool at its disposal to help communities devastated by opioids including educating families and doctors on how they can share information to help save the lives of loved ones,” said OCR Director, Roger Severino.

The Information Related to Mental and Behavioral Health can be accessed on the links below:

Webpage for consumers

Webpage for healthcare professionals and caregivers

Guidance on HIPAA and Research

OCR has also released updated guidance on HIPAA and research, as required by the 21st Century Cures Act. The new guidance explains how the HIPAA Privacy Rule applies to research, including when protected health information can be shared without first obtaining authorization from patients.

OCR explains that HIPAA-covered entities are always permitted to disclose PHI for research purposes if it has been de-identified in accordance with 45 CFR 164.502(d), and 164.514(a)-(c).

If PHI is not de-identified, authorization from patients is required unless the covered entity has obtained Documented Institutional Review Board (IRB) or Privacy Board Approval. In the guidance, OCR explains the criteria that must be satisfied to receive such approval.

The guidance can be viewed here.

OCR has also formed a working group that includes representatives of several federal agencies, patients, researchers, healthcare providers, privacy, security and technology experts. The working group will study uses and disclosures of PHI for research and the group will report on whether those uses and disclosures should be modified to facilitate research while ensuring individuals’ privacy rights are protected.

The post OCR Launches New Tools to Help Address the Opioid Crisis appeared first on HIPAA Journal.

HHS Seeks Volunteers for HIPAA Administrative Simplification Optimization Project Pilot

Posted by HIPAA Journal

The Department of Health and Human Services is running a HIPAA Administrative Simplification Optimization Project Pilot and is currently seeking volunteers to have compliance reviews. The aim of the pilot is to streamline HIPAA compliance reviews for health plans and healthcare clearinghouses.

Currently, a variety of different data formats are used for conducting electronic transitions. That variety can cause problems when transferring and sharing data. If communications about billing and insurance related matters are streamlined and healthcare organizations comply with the HIPAA Administrative Simplification transaction standards, providers and health plans can devote fewer resources to these tasks. Compliance with the Administrative Simplification transaction standards will also reduce the burden on compliant entities having to exchange healthcare data with trading partners that are not compliant.

According to the 2016 CAQH Index, industry-wide compliance with the HIPAA Administrative Simplification transaction standards could result in savings of almost $9 billion each year for the healthcare industry. However, for those savings to be made, there must be industry-wide compliance.

One of the ways that the HHS can help to make these savings is by conducting proactive compliance reviews. The purpose of the reviews is to help health plans and other healthcare organizations take action to ensure compliance.

The reviews are not intended to identify noncompliance in order to punish healthcare organizations, instead the aim is to help covered entities comply with the Administrative Simplification transaction standards. According to a recent email communication from the Centers for Medicare and Medicaid Services (CMS), there will be “a progressive penalty process with the goal of remediation, not punishment.”

The reviews will commence with a pilot, for which the HHS is now seeking volunteers. In total, the HSS requires six volunteer organizations for the HIPAA Administrative Simplification Optimization Project pilot – three health plans and three healthcare clearinghouses. Organizations that participate in the pilot will be subjected to a review of their transactions to assess compliance with the HIPAA Administrative Simplification standards, and will cover code sets, adopted standards, unique identifiers, and operating rules.

Health plans and clearinghouse that join the HIPAA Administrative Simplification Optimization Project pilot will be able to verify compliance or identify noncompliance issues.  The compliance reviews will start in January 2018 and will inform the rollout of the Administrative Simplification Optimization Program.

The reviews will require volunteer organizations to submit electronic transaction files, which will be reviewed and tested by the HHS. The HHS suggests the process of submitting electronic files for review should take no longer than 10 hours. Further details of the pilot reviews will be supplied to participants that are selected to take part in the pilot.

Once the reviews have been conducted, all participants that have successfully passed a review will be provided with a certificate by the HHS, which volunteers will be able to share with their partners and business associates.

If non-compliance is discovered, the HHS will provide guidance on areas for optimization and a corrective action plan will need to be developed by the volunteers to address compliance issues.

Any organization that takes part in the pilot will not be selected for a further review for one year following the launch of the HHS Administrative Simplification Optimization Program.

The HHS is accepting applications for the HIPAA Administrative Simplification Optimization Project pilot by email – HIPAAcompliant@cms.hhs.gov – with volunteers chosen from the pool of applicants that have applied by December 13, 2017. All organizations that apply will be notified whether they have been selected or not by December 27, 2017.

The post HHS Seeks Volunteers for HIPAA Administrative Simplification Optimization Project Pilot appeared first on HIPAA Journal.

In What Year Was HIPAA Passed into Legislature?

Posted by HIPAA Journal

The Health Insurance Portability and Accountability Act or HIPAA was passed into legislature on August 21, 1996, when Bill Clinton added his signature to the bill.

Initially, the purpose of HIPAA was to improve portability and continuity of health insurance coverage, especially for employees that were between jobs. HIPAA also standardized amounts that could be saved in pre-tax medical savings accounts, prohibited tax-deduction of interest on life insurance loans, enforced group health plan requirements, simplified the administration of healthcare with standard codes and practices, and introduced measures to prevent healthcare fraud.

Many of the details of the five titles of HIPAA took some time to be developed, and several years passed before HIPAA Rules became enforceable. The HIPAA Enforcement Rule, which allows the Department of Health and Human Services’ Office for Civil Rights to impose financial penalties for noncompliance with HIPAA Rules, was not passed until February 16, 2006 – A decade after HIPAA was first introduced.

There have been several important dates in the past two decades since HIPAA was originally passed – Notably the introduction of the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Breach Notification Rule, and the HIPAA Omnibus Rule.

The HIPAA Privacy Rule introduced many provisions to better protect the privacy of patients. The Security Rule was primarily concerned with the security of electronic protected health information. The Breach Notification Rule ensures that all breaches of protected health information are reported, while the Omnibus Rule introduced a broad range of changes, including new requirements required by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Four key updates to HIPAA legislation are detailed below.

The Privacy Rule of HIPAA Passed into Legislature

The Privacy Rule of HIPAA was passed into legislature on December 28, 2000. The official name of the update to HIPAA is the “Standards for Privacy of Individual Identifiable Health Information.” The HIPAA Privacy Rule compliance date was April 14, 2003.

The HIPAA Privacy Rule details the allowable uses and disclosures of protected health information without first obtaining consent from patients. The HIPAA Privacy Rule also gives patients the right to obtain copies of their health data from HIPAA-covered entities.

The Security Rule of HIPAA Passed into Legislature

The Security Rule of HIPAA was passed into legislature on April 21, 2003, although the effective date was not until April 21, 2005. While the HIPAA Privacy Rule was concerned with all forms of protected health information, the HIPAA Security Rule is primarily concerned with the creation, use, storage and transmission of electronic PHI. The HIPAA Security Rule requires administrative, physical, and technical safeguards to be introduced to keep PHI secure. The Security Rule also introduced requirements for when PHI is no longer required.

The Breach Notification Rule of HIPAA Passed into Legislature

The HIPAA Breach Notification Rule came from the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was passed on February 17, 2009. The HIPAA Breach Notification Rule took effect from August 24, 2009.

The Breach Notification Rule requires HIPAA-covered entities to submit notifications of breaches of protected health information to the Secretary of the Department of Health and Human Services within 60 days of the discovery of a breach if the breach involved 500 or more records. Smaller breaches must still be reported, no later than 60 days after the end of the year in which the breach was discovered. The Breach Notification Rule also requires notifications of a breach to be sent to affected patients within 60 days of the discovery of the breach.

The Omnibus Rule of HIPAA Passed into Legislature?

The HIPAA Omnibus Final Rule was issued on January 17, 2013. The HIPAA Omnibus Rule introduced several changes to the HIPAA Privacy, Security, and Breach Notification Rules.

One of the most important changes affected HIPAA business associates – individuals or entities that are contracted to HIPAA-covered entities to provide services that require access to PHI.

Since the passing of the HIPAA Omnibus Rule, business associates of HIPAA-covered entities, and their subcontractors, must implement safeguards to protect ePHI as required by the HIPAA Security Rule. Since the introduction of the Omnibus Rule, business associates of HIPAA-covered entities can be fined directly for HIPAA violations.

Another important update was clarification of “significant harm.” Prior to the introduction of the Omnibus Rule, many covered entities failed to report breaches as there was determined to have been no significant harm caused to patients as a result of the breach. After the Omnibus Rule, covered entities must be able to prove there was no significant harm if they decide not to report a breach.

Infographic Summary of Milestones in the History of HIPAA

In addition to the above major changes to HIPAA legislation, there have been numerous milestones in the history of HIPAA, which have been summarized in the infographic below. The infographic details legislation changes, clarifications of HIPAA Rules, major enforcement actions, and HIPAA audits – Click the image below to view the graphic in full size.

HIPAA History

The post In What Year Was HIPAA Passed into Legislature? appeared first on HIPAA Journal.

HHS Issues Limited Waiver of HIPAA Sanctions and Penalties in California

Posted by HIPAA Journal

The Secretary of the U.S. Department of Health and Human Services has issued a limited waiver of HIPAA sanctions and penalties in California. The waiver was announced following the presidential declaration of a public health emergency in northern California due to the wildfires.

As was the case with the waivers issued after Hurricanes Irma and Maria, the limited waiver of HIPAA sanctions and penalties only applies when healthcare providers have implemented their disaster protocol, and then only for a period of up to 72 hours following the implementation of that protocol. In the event of the public health emergency declaration ending, healthcare organizations must then comply with all provisions of the HIPAA Privacy Rule for all patients still under their care, even if the 72-hour period has not yet ended.

Whenever the HHS issued a limited waiver of HIPAA sanctions and penalties, healthcare organizations must still comply with the requirements of the HIPAA Security Rule and the Privacy Rule is not suspended.  The HHS simply exercises its authority under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b) (7) of the Social Security Act, and will not impose sanctions or penalties against healthcare organizations for the following provisions of the HIPAA Privacy Rule:

  • 45 CFR 164.510(b) – The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
  • 45 CFR 164.510(a) – The requirement to honor a request to opt out of the facility directory.
  • 45 CFR 164.520 – The requirement to distribute a notice of privacy practices.
  • 45 CFR 164.522(a) – The patient’s right to request privacy restrictions.
  • 45 CFR 164.522(b) – The patient’s right to request confidential communications.

Even in emergency situations, the HIPAA Privacy Rule permits HIPAA-covered entities to share patients’ PHI to assist in disaster relief efforts and to help ensure patients receive the care they need.

PHI may also be disclosed for the purpose of providing treatment to patients, in order to coordination patient care, or when referring patients to other healthcare providers.  PHI can be shared for public health activities to allow organizations to carry out their public health missions. Disclosures can be made to family members, friends, and other individuals involved in a patients’ care, as necessary, to identify, locate, or notify family members of the patient’s location, condition, or loss of life. Disclosures can be made to anyone, as necessary, to prevent or lessen a serious injury and disclosures can be made to the media about a patient’s general health status and limited facility directory information can also be disclosed for a named patient, provided the patient has not objected to such disclosures.

In all cases, the ‘minimum necessary’ standard applies. Information should be restricted to the minimum necessary information to achieve the specific purpose for which it is disclosed.

Further information on the waiver can be found in the HHS bulletin on this link.

The post HHS Issues Limited Waiver of HIPAA Sanctions and Penalties in California appeared first on HIPAA Journal.

Amida Care Mailing Potentially Revealed HIV Status of its Members

Posted by HIPAA Journal

The New York not-for-profit community health plan Amida Care has reported a HIPAA breach that has potentially impacted 6,231 of its members.

Amida Care specializes in providing health coverage and coordinated care to Medicaid members suffering from chronic health conditions such as HIV.

On July 25, 2017, Amida Care sent a flyer to some of its members who had contracted HIV, advising them of an opportunity to take part in a HIV research project. The double-sided flyers contained details of the HIV research project on one side, and information on an Amida Care Summer Life Celebration event on the other.

The decision had originally been made to send out the flyer in windowless envelopes, and those instructions were provided to the mailroom. However, due to fault with the envelope printer, and in order to make sure individuals received the flyer in time, the decision was made to send out the flyer in windowed envelopes.

Care was taken to prevent any sensitive information being visible through the clear plastic windows of the envelopes. A blank sheet of paper was included with the patient’s name and address, which was visible through the window.

However, while that should have prevented any information from being viewed, Amida Care discovered that the words “Your HIV detecta” – which were on the printed flyer – may have been visible through the paper.

Amida has informed all patients who received the mailing of the potential disclosure of sensitive information, which was limited to the above words. No other information was visible through the paper.  Amida Care has apologised for the error and has told patients steps have been taken to prevent similar incidents from occurring in the future.

This is the second breach of this nature to have been discovered this summer. In July, Aetna sent a mailing to 12,000 of its members via a third party firm. While the letters were sent inside sealed envelopes, details about prescribed HIV medications were visible through the plastic windows of the envelopes for some of those patients.

The post Amida Care Mailing Potentially Revealed HIV Status of its Members appeared first on HIPAA Journal.

Proposed Rule for Certification of Compliance for Health Plans Withdrawn by HHS

Posted by HIPAA Journal

In January 2014, the HHS proposed a new rule for certification of compliance for health plans. The rule would have required all controlling health plans (CHPs) to submit a range of documentation to HHS to demonstrate compliance with electronic transaction standards set by the HHS under HIPAA Rules. The main aim of the proposed rule – Administrative Simplification:
Certification of Compliance for Health Plans – was to promote more consistent testing processes for CHPs. The HHS has now announced that the proposed rule has now been withdrawn.

Had the proposed rule made it to the final rule stage, CHPs would have been required to demonstrate compliance with HIPAA administration simplification standards for three electronic transactions: Eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice. The failure to comply with the new rule would have resulted in financial penalties for CHPs.

Most employers’ health plans were handled by their insurance carriers, so the proposed rule would not have affected them directly, although a significant burden would have been placed on self-funded employers by the rule change. Following publication of the proposed rule in the federal register in January 2014, HHS received more than 72 public comments. After examining those comments, the HHS made the decision to withdraw the proposed rule.

HHS will be re-examining the issues raised in the comments and will be exploring options and alternatives to comply with statutory requirements.

The Secretary of the HHS explained that regulations have already been established for compliance with HIPAA administration simplification standards, and enforcement of compliance with those standards. While the proposed rule has been withdrawn, the HHS has confirmed that covered entities are still required to comply with 45 CFR parts 160 and 162.

The post Proposed Rule for Certification of Compliance for Health Plans Withdrawn by HHS appeared first on HIPAA Journal.

HHS Issues Partial HIPAA Privacy Rule Waiver in Hurricane Maria Disaster Zone

Posted by HIPAA Journal

The U.S. Department of Health and Human Services has already issued two partial waivers of HIPAA sanctions and penalties in areas affected by hurricanes this year. Now a third HIPAA waiver has been issued, this time in the Hurricane Maria disaster area in Puerto Rico and the U.S. Virgin Islands.

As was the case with the waivers issued in relation to Hurricane Harvey and Hurricane Irma, the waiver only applies to covered entities in areas where a public health emergency has been declared, only for 72 hours following the implementation of the hospital’s disaster protocol, and only for specific provisions of the HIPAA Privacy Rule:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b)

As soon as the 72-hour period has elapsed, or as soon as the Presidential or Secretarial declaration terminates, the waiver ceases to apply and covered entities must comply with the above provisions of the Privacy Rule for all patients still under their care.

Further information on the HIPAA waiver in relation to Hurricane Maria can be viewed here.

In an emergency situation, a waiver of sanctions and penalties for violations of limited provisions of the HIPAA Privacy Rule is not strictly necessary, although such a waiver does offer some reassurance to covered entities that are operating in a disaster area.

The HHS has pointed out in its recent communication that in emergency situations, covered entities are permitted to share limited protected health information of patients even if a waiver has not been issued, when it is in the best interests of patients to do so, to help identify patients, to help locate family members, and for public health activities. In the case of the latter, it is permissible to share PHI with public health authorities such as a state or local health department or the CDC for the purpose of preventing or controlling disease, injury or disability.

PHI can also be shared for the purposes of treatment, either the treatment of the patient or another person who may be affected by the same situation, as well as to help with the coordination or management of healthcare, such as sharing PHI with other healthcare providers or when referring patients for treatment – 45 CFR §§ 164.502(a)(1)(ii), 164.506(c)

PHI can be shared with anyone, as necessary, to prevent or lessen a serious or imminent threat to the health and safety of a person or the public., if that person is in a position to lessen or prevent the threatened harm. Such disclosures can be made without the patient’s permission. It is left to the discretion of the covered entity to make a determination about the nature and severity of the threat to health – 45 CFR 164.512(j).

Disclosures can be made to family, friends, and other individuals involved in a patient’s care, and information can be shared to help identify, locate, and notify family members, guardians, or others responsible for a patient’s care – 45 CFR 164.510(b).

When others not involved in the treatment of a patient, including the media, request information about a specific patient by name, a HIPAA-covered entity is permitted to disclose “limited facility directory information” and provide general information about the patient such as whether they are in critical or stable condition, are deceased, or have been treated and have left the facility, provided the patient has not requested the information be kept private.

In all cases, any disclosures must be limited to the minimum necessary information to achieve the purpose for which the information is disclosed. At all times, even in emergency situations, the HIPAA Security Rule requirements apply and covered entities must continue to ensure administrative, physical, and technical safeguards are in place to preserve the confidentiality, integrity, and availability of PHI.

The post HHS Issues Partial HIPAA Privacy Rule Waiver in Hurricane Maria Disaster Zone appeared first on HIPAA Journal.

Limited HIPAA Waiver Granted to Hospitals in Irma Disaster Zone

Posted by HIPAA Journal

A public health emergency has been declared in areas of the U.S. Virgin Islands, Puerto Rico, and Florida affected by Hurricane Irma.

As was the case in Texas and Louisiana after Hurricane Harvey, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a limited waiver of HIPAA Privacy Rule sanctions and penalties for hospitals affected by Irma.

OCR has stressed that the HIPAA Privacy and Security Rules have not been suspended and covered entities must continue to follow HIPAA Rules; however, certain provisions of the Privacy Rule have been waived under the Project Bioshield Act of 2014 and Section 1135(b) of the Social Security Act.

In the event that a hospital in the disaster zone does not comply with the following aspects of the HIPAA Privacy Rule, penalties and sanctions will be waived:

  • 45 CFR 164.510(b) – Obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
  • 45 CFR 164.510(a) – Honor requests to opt out of the facility directory.
  • 45 CFR 164.520 – Distribute a notice of privacy practices.
  • 45 CFR 164.522(a) – The patient’s right to request privacy restrictions.
  • 45 CFR 164.522(b) – The patient’s right to request confidential communications.

The waiver only applies to penalties and sanctions in relation to the above provisions of the HIPAA Privacy Rule, only to hospitals in the emergency area that have implemented their disaster protocol, and only for the time period identified in the public health emergency declaration.

The waiver applies for a maximum of 72 hours after a hospital has implemented its disaster protocol. If either the President’s or HHS Secretary’s declaration terminates within that 72-hour time period, the hospital must immediately comply with all aspects of the HIPAA Privacy Rule for all patients under its care.

In emergency situations, the HIPAA Privacy Rule does permit the sharing of PHI for treatment purposes and with public health authorities that require access to PHI to carry out their public health mission. HIPAA-covered entities are also permitted to share information with family, friends, and others involved in an individual’s care, even if a waiver has not been issued. Further details of the allowable disclosures in emergency situations are detailed in the HHS HIPAA bulletin.

In all cases, covered entities must limit disclosures to the minimum necessary information to achieve the purpose for which PHI is disclosed.

Even during natural disasters, healthcare organizations and their business associates must continue to comply with the HIPAA Security Rule and must ensure appropriate administrative, physical, and technical safeguards are maintained to ensure the confidentiality, integrity, and availability of electronic protected health information to prevent unauthorized access and disclosures.

The post Limited HIPAA Waiver Granted to Hospitals in Irma Disaster Zone appeared first on HIPAA Journal.