HHS grants individuals easier access to their own records

Traditionally, health care practitioners have used a standard authorization for disclosure medical records even for individuals requesting their own medical records. In an effort to make it easier for patients to obtain their own records, HHS has issued new guidance that discourages the use of the standard medical records release. In recent audits, HHS has reminded practitioners that patients should be able to request their own records without the formality that governs authorization for disclosure of protected health information. Health care clients should use our new Individual request for own records or devise their own simple request form.

HHS provides this comparison between individual access to records and authorization:

Patients have a right to be reckless with their records

After years of warning practitioners against the use of unencrypted email, HHS has put practitioners in a bind by requiring practitioners to send email in an unsafe manner if that’s what the patient wants. However, practitioners must still offer patients a secure choice and must warn patients of the risks involved in sending unencrypted email. We have developed an “informed consent” document for healthcare clients. Practitioners should protect themselves from the inevitable finger pointing when patient records fall into the wrong hands. Instructions for use of the email consent form can be found here.

If you get caught napping or violating HIPAA rules, it will leave a mark

“The Secretary will impose a civil money penalty upon a covered entity or business associate if the Secretary determines that the covered entity or business associate has violated [these rules].” [HIPAA Rule – 45 CFR §160.402]

For quite some time now, federal regulations have required the protection and management of electronic health information in accordance with guidelines that either must be weighed and considered or are required of everyone subject to the regulations. For health care practitioners who believe they can ignore security standards by working with paper records only, remember that other laws impose obligations to secure records including Washington’s Uniform Health Care Information Act.

Too many health care practitioners neglect health information privacy and security requirements imposed by a variety of laws. Practitioners either assume compliance is too costly or that the law does not apply to their practice. Here are some resources that should change those beliefs:

The Absolute Minimum Requirements for HIPAA Compliance!

  1.  Privacy Official. Practitioners must select a Privacy Official who will be responsible for development and implementation of HIPAA policies and procedures, receiving privacy communications or complaints, providing further information about the practitioner’s privacy practices.

For solo practitioners, you must be the privacy officer and contact person for your practice. In small group practices, the group can choose one person to act as privacy official.

  • If practitioners in a small group practice have no affiliation other than sharing office space, each practitioner should serve as his or her own privacy officer and contact person especially where each person in the practice reports income under his or her own tax ID number.
  • If the group has incorporated or created a professional limited liability company under one tax ID number, you may choose to either appoint one person to be the privacy officer and contact person or continue to be your own privacy official. If you choose one person for the whole group, the Privacy Official becomes a much more important role; since, the official will need to understand HIPAA and ensure the group complies. The official must be familiar enough with HIPAA rules to guide the practice.
  1. Privacy Policies and Procedures. The privacy official/practitioner must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule. Remember, you must revise your Notice of Privacy Practices your policies and procedures when there are changes in the law or when you change procedures.
  2. Information Security. The privacy official/practitioner must develop and ensure that appropriate safeguards to protect PHI and electronic PHI are followed by the practice. Safeguards can be mundane, such as locking file cabinets and limiting conversations to private locations, or can be complex, such as establishing security policies for encrypting ePHI. You can figure out what safeguards are needed when you complete your required health information risk assessment.
  3. Workforce Training and Management. The privacy official/practitioner must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions and document the training. Workforce members include employees, volunteers, trainees, and may also include other persons whose conduct is under the direct control of the practitioner (whether or not they are paid by the entity).
  4. Sanctions. The practitioner must have and apply appropriate sanctions against those who violate privacy policies and procedures.
  5. Privacy Complaint Process. You must have procedures for individuals to complain about your compliance with your own privacy policies and procedures and privacy laws. You must explain these procedures in your Notice of Privacy Practices. For example, you must identify to whom individuals can submit complaints about your compliance and advise that complaints also can be submitted to the Secretary of HHS.
  6. Protect Those Who Complain. If you have employees, you must have policies in place that describe penalties for those who do not comply with your privacy policies and procedures. However, you must also advise everyone that you will not intimidate, threaten, coerce, discriminate or retaliate against any patient or employee making a complaint.
  7. Document and Record Compliance. Practitioners must keep records of compliance including copies of privacy policies and procedures, notice of privacy practices, resolution of complaints, and other actions, activities, and designations that must be documented under HIPAA privacy rules. You must keep these records at least six years after the date of their creation or their last effective date whichever is later.
Privacy and Security Compliance Survey

Complete this general questionnaire about your information management and security practices and find out how much you meet HIPAA compliance standards. Click here to go to the survey page.

Small Health Care Practices and Small Businesses

You can get quick answers to HIPAA compliance questions asked by small health care practices and small businesses by going to the Office of Civil Rights (enforcement agency) web page. Their “Frequently Asked Questions” page for small practices and businesses can be found here.

Information Privacy and Security Standards Other Than HPAA

HIPAA privacy and security requirements fit into a broad web of state federal laws governing personal privacy including laws governing particular types of information. Here is a link to a 2010 table of federal laws.

The Federal Trade Commission provides guidance on statutes, regulations, and requirements for practitioner governing that can be found in this report: Medical Identity Theft

HIPAA FAQs – select government agency responses

[Complete HIPAA FAQs published by OCR can be found here .]

Does the Security Rule allow for sending electronic PHI (e-PHI) in an email or over the Internet? If so, what protections must be applied?

The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI. The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.

Does the HIPAA Privacy Rule permit a doctor to discuss a patient’s health status, treatment, or payment arrangements with the patient’s family and friends?

Yes. The HIPAA Privacy Rule at 45 CFR 164.510(b) specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient’s care or payment for health care. If the patient is present, or is otherwise available prior to the disclosure, and has the capacity to make health care decisions, the covered entity may discuss this information with the family and these other persons if the patient agrees or, when given the opportunity, does not object. The covered entity may also share relevant information with the family and these other persons if it can reasonably infer, based on professional judgment, that the patient does not object. Under these circumstances, for example:

  • A doctor may give information about a patient’s mobility limitations to a friend driving the patient home from the hospital.
  • A hospital may discuss a patient’s payment options with her adult daughter.
  • A doctor may instruct a patient’s roommate about proper medicine dosage when she comes to pick up her friend from the hospital.
  • A physician may discuss a patient’s treatment with the patient in the presence of a friend when the patient brings the friend to a medical appointment and asks if the friend can come into the treatment room.

Even when the patient is not present or it is impracticable because of emergency circumstances or the patient’s incapacity for the covered entity to ask the patient about discussing her care or payment with a family member or other person, a covered entity may share this information with the person when, in exercising professional judgment, it determines that doing so would be in the best interest of the patient. See 45 CFR 164.510(b). Thus, for example:

  • A surgeon may, if consistent with such professional judgment, inform a patient’s spouse, who accompanied her husband to the emergency room, that the patient has suffered a heart attack and provide periodic updates on the patient’s progress and prognosis.
  • A doctor may, if consistent with such professional judgment, discuss an incapacitated patient’s condition with a family member over the phone.

In addition, the Privacy Rule expressly permits a covered entity to use professional judgment and experience with common practice to make reasonable inferences about the patient’s best interests in allowing another person to act on behalf of the patient to pick up a filled prescription, medical supplies, X-rays, or other similar forms of protected health information. For example, when a person comes to a pharmacy requesting to pick up a prescription on behalf of an individual he identifies by name, a pharmacist, based on professional judgment and experience with common practice, may allow the person to do so.

Does the HIPAA Privacy Rule permit a covered health care provider to e-mail or otherwise electronically exchange protected health information (PHI) with another provider for treatment purposes?

Yes. The Privacy Rule allows covered health care providers to share PHI electronically (or in any other form) for treatment purposes, as long as they apply reasonable safeguards when doing so. Thus, for example, a physician may consult with another physician by e-mail about a patient’s condition, or health care providers may electronically exchange PHI to and through a health information organization (HIO) for patient care.