Subscribe to our newsletter
Jun 08

HIPAA requirements, safeguards, and laws.

By: , Category: Uncategorized , 0 Comments

Below are the administrative and physical safeguards as outlined in the Federal Register. These requirements are items that must generally be addressed internally, even if you are outsourcing your email.

Standard: ADMINISTRATIVE SAFEGUARDS Sections Implementation Specification Required or Addressable
Security Management Process 164.308(a)(1) Risk Analysis R
Risk Management R
Sanction Policy R
Information System Activity Review R
Assigned Security Responsibility 164.308(a)(2) R
Workforce Security 164.308(a)(3) Authorization and/or Supervision A
Workforce Clearance Procedures R
Termination Procedures A
Information Access Management 164.308(a)(4) Isolating Health Care Clearinghouse Function R
Access Authorization A
Access Establishment and Modification A
Security Awareness and Training 164.310(a)(5) Security Reminders A
Protection from Malicious Software A
Log-in Monitoring A
Password Management A
Security Incident Procedures 164.308(a)(6) Response and Reporting R
Contingency Plan 164.308(a)(7) Data Backup Plan R
Disaster Recovery Plan R
Emergency Mode Operation Plan R
Testing and Revision Procedure A
Applications and Data Criticality Analysis A
Evaluation 164.308(a)(8) R
Business Associates Contracts and Other Arrangement. 164.308(b)(1) Written Contract or Other Arrangement R
Standard: PHYSICAL SAFEGUARDS Sections Implementation Specification Required or Addressable
Facility Access Controls 164.310(a)(1) Contingency Operations A
Facility Security Plan A
Access Control and Validation Procedures A
Maintenance Records A
Audit Controls 164.312(b) R
Integrity 164.312(c)(1) Mechanism to Authenticate EPHI A
Workstation Use 164.310(b) R
Workstation Security 164.310(c) R
Device and Media Controls 164.310(d) Disposal R
Media Re-use R
Accountability A
Data Backup and Storage A
May 27

How to make a complaint

By: , Category: Uncategorized , 1 Comment

complaintIf it is believed privacy rights have been violated by an HIPAA covered entity then patients have the right to complain about it.  A little research is necessary before filing a complaint is necessary to ensure the organization or individual believed contravened these rights are subject to HIPAA, and is a covered entity.

Once it has been ascertained that a covered entity has indeed broken the privacy rules then a complaint needs to be filed with the Office for Civil Rights.  The complaint must be in writing, but may be in email form or fax if preferred, and be sent to the correct regional office.  It must name the entity involved and contain a complete and lucid description of events and the reason why the rules have been broken.  A complainant has one hundred eighty days from the day of the incident to be accepted by the Office for Civil rights.

The complainant should not be scared of complaining if they firmly believe their rights have been contravened.  There is a specific clause in the rules that prohibit any kind of retaliation for filing a complaint.  If the Office for Civil Rights get to hear about any retaliations, they take a very dim view and the entity involved can get themselves into real trouble.

A good first step for any complainant is the Office for Civil Rights website where as much information as possible has been posted, and there is a complaint pack with guidance on how to complete it.  Some entities like Universities and some hospitals have their own HIPAA complaint procedures.  A complainant can choose which body to complain to, but if the entity itself is contacted it must be given adequate time to investigate and address the issue before complaining to the Office of Civil Rights.

As with any bureaucracy it will take time to process any complaint so this should be borne in mind once the complaint is made.  Adequate time must be allowed to pass to ensure the OCR can do its job.

May 27

The practicality of sharing PHI

By: , Category: Uncategorized , 0 Comments

There will be circumstances when it is necessary to share PHI with a patient’s family and friends.  This is permitted under the HIPAA as long as the information is needed, and pertinent to the ongoing care of the patient.

Practical examples would be if a patient’s family are waiting in an ER or outside an operating theatre and the doctor or surgeon wants to update them on the patient’s condition, treatment or medical procedure.

Or if a patient is being looked after by a friend or family member, they are going to need to know the condition and types of care needed.  For example the type of medication, or particular type of care.  Any symptoms or side affects to be aware of, or how to provide a certain treatment at home.

These kinds of things are practical to the continued care and wellbeing of the patient and are permitted to be shared with (generally designated) family and friends.  These circumstances do not necessarily need the patients consent either.  In some circumstances the patient may not be able to offer their consent, if they are incapacitated or unfit.  The medical personnel are then permitted to make a judgement call of what information to share and with whom to share it.

There are also permitted discussions and use of PHI if a family member or friend is assisting or arranging payment for the treatment.  Some sharing of the medical information is going to be necessary to justify the bill, or allow the person to involve the insurance company.  Again, a good practical reason for sharing the information allowed under HIPAA.

So although the HIPAA is fairly stringent in controlling access to PHI, it tries to add a practical approach to how it handles things.  It is designed to protect the information as much as possible while not interfering with the actual care of the patient.

May 27

State Law or HIPAA?

By: , Category: Uncategorized , 0 Comments

hipaalawIf State law and HIPAA got into a fight, who would win?

As a general guide, the law that offers the most protection to the patient in question wins.  The whole idea of HIPAA is to increase the privacy of medical records.  It doesn’t always succeed in its aims, but that’s beside the point.

There are clauses written in to the HIPAA Administrative Simplification Rules that will either override or be subject to State law depending on which law offers the most protection to the patient and their PHI.  These kind of judgements are generally made by a judge or the Department of Health and Human Services (HHS) who administer HIPAA.  Even if state law contravenes HIPAA, a judgement may be made against HIPAA or for it depending on this decision.

There is a whole raft of criteria to be taken into account when making a decision, which is why it is reserved for judges and HHS officials.  HIPAA can certainly be curtailed if there is a risk of fraud or a compelling public health, or safety reason.  Prevention of crimes or abuses would certainly qualify.

So, like everything else that concerns HIPAA, it is complicated, convoluted and never straight forward.  However the first statement is as accurate an assessment a layman can make.  Whichever law protects the privacy of PHI the most wins.  So as with most things HIPAA, it’s heart may appear to be in the right place, even if it’s brain isn’t.

May 27

Can a patient inspect their own records?

By: , Category: Uncategorized , 0 Comments

secret

The HIPAA concentrates a lot on protecting PHI from other people, but can a patient see their own records?  In a word yes, after all the patient is the one being talked about in them!

A patient has the right to inspect a copy of their own PHI without charge at any time within reason.  A patient also has the right to obtain a copy of their records, again within reason.  An organization has the right to charge a fee for making a copy, ostensibly to cover the administration cost of the request.  As a record can in some cases be thousands of pages long, the patient should perhaps be selective about what is requested.

Apart from general curiosity there are many reasons why a patient would want to access their PHI.  The records can be used to seek a second opinion on a diagnosis or treatment, having a copy of the record would speed things up considerably.  As would having a copy when accessing a new doctor if a patient changed area or state.  Records are transferred as part of the procedure when changing practitioners, but having a copy of a record would speed things up if something was needed instantly.

Many decisions are based on the contents of a medical record.  If a patient believes they have had decisions that seem incorrect or unfair, then it is logical to find out on what information that decision is based.  If a patient was refused insurance, or the insurance refused a payout then it would also be a good idea to check the records. There may be mistakes or incorrect information in the record that needs to be changed that only you would recognize.  Although having a medical record amended can be a bit of a pain…

Then there is the thorny issue of malpractice.  The PHI may form either the basis or evidence towards a malpractice suit.  Having a copy will aid this both for the patient and their lawyers.

In the end, the patient has the right to view or copy their own medical records.  They don’t even have to have a reason, or disclose it if they don’t want to.

May 27

HIPAA Overview

By: , Category: Uncategorized , 0 Comments

hipaaThis innocuous acronym stands for Health Insurance Portability and Accountability Act.  This is a federal statute that was enacted in 1996 to attempt to protect the medical records of citizens.  The Act itself is massive, and covers many aspects of medical care and the handling of records and information.  The two that are relevant to our needs are the privacy rule and the security rule.  Both of which will be covered in depth later.  There are other rules provided under the act and they are the Enforcement Rule, the Transactions and Code Sets Rule and the Unique Identifiers rule.

The idea was to have an all encompassing act that covered as much ground as possible with regards patient privacy and confidentiality.  As expected the act is complicated and convoluted even for lawyers to work with, let alone the people it is designed to protect.  It serves to protect any medical record that an individual may have and attempts to afford these records as much control and privacy as possible. The people responsible for enforcing the privacy aspect of HIPAA is the Office for Civil Rights (OCR) and took effect in April 2003.

Within the act, patients are called ‘individuals’ and their medical records are called ‘PHI’ or ‘Personal Health Information’.  Any organization who handles PHI, or pays or receives electronic payment from an organization that conforms to HIPAA is subject to it.  PHI itself is regarded as any “individually identifiable health information” used, stored or transferred by any organization or entity, in any form.

There was a myth that the HIPAA only covered electronic information, but this is false.  It covers medical information as above in any form or media.  It doesn’t matter if it is electronic, paper or oral, the act applies.

The PHI itself is anything that could even loosely identify an individual and associate them with medical information.  It includes any past, present or future medical conditions, any healthcare provision information and any payments related to any healthcare provision.

Basically this all means that an organization covered by HIPAA is not permitted to disclose medical information to anybody unless the individual authorizes it or the privacy rule itself requires it.

Mar 17

HIPAA and email

By: , Category: Uncategorized , 0 Comments


As discussed last time HIPAA email is regarded as anything that contains any information relating to your medical records.  They don’t have to be the records themselves, they can be anything from your address or phone number, date of birth, social security number, next of kin, insurance information administrative or otherwise and even your admission information for any medical visits or stays.

It isn’t only clinics, hospitals or doctors that are subject to this.  Your employer is too if you have a health or medical plan.  If email is becoming an increasingly popular medium for transmitting your information then it is logical that those mails are stored somewhere.  Companies who handle this kind of information have to have an information storage strategy that complies with HIPAA and many other pieces of legislation.  Many companies handle this in-house with their existing staff and infrastructure.

Some outsource this burden to companies like Archive Compliance who will take care of their secure storage for them.  Companies like this have to demonstrate that their storage and retrieval methods are secure to be able to remain in business.

This method may not be palatable to everyone as you are paying out, but own nothing.  One the other hand you are paying someone to take all the hassle out of not just HIPAA email storage but all of your email storage needs.

Mar 12

HIPAA and you

By: , Category: Uncategorized , 0 Comments


Information is a commodity increasingly in demand.  Having access to people’s health information would be like the holy grail to a criminal or even an insurance company.  With the medical profession becoming increasingly digital there is even more opportunity for your private information to go missing.

Some medical practitioners will now consult by email.  Medical records can be transferred like this too.  This can leave people with an uncomfortable feeling, knowing their innermost medical secrets are floating around the ether.  HIPAA email is regarded as anything that contains any information relating to your medical records.  They don’t have to be the records themselves, they can be anything from your address or phone number, date of birth, social security number, next of kin, insurance information administrative or otherwise and even your admission information for any medical visits or stays.

We live in a defensive society where we have to be on our guard all the time, in real life and online.  Information privacy is a big issue that gets lots of attention for good and for bad.  Imagine how much your personal medical information is worth to somebody if it fell into the wrong hands.  What mischief could they do?

All electronic communication that relates even loosely to medical records is covered under the HIPAA.  The Health Insurance Portability and Accountability Act (HIPAA) of 1996 established federal regulations that require all organizations that manage Protected Health Information (PHI) to safeguard the privacy and security of their data.

This Act isn’t restricted to clinic or healthcare businesses.  Any organization that sends or receives Personal Health Information (PHI) is subject to this compliance legislation.  Although the legislation has been in force for a while, a 2006 survey of more than 300 healthcare providers and subscribers found that only about half of them are compliant with the HIPAA Security standards.

The pertinent part of the HIPAA is the Privacy Rule.  Wikipedia says this about it;

“The Privacy Rule

The Privacy Rule took effect on April 14, 2003, with a one-year extension for certain “small plans.” The HIPAA Privacy Rule regulates the use and disclosure of certain information held by “covered entities” (generally, health care clearinghouses, employer sponsored health plans, health insurers, and medical service providers that engage in certain transactions.) It establishes regulations for the use and disclosure of Protected Health Information (PHI). PHI is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual.  This is interpreted rather broadly and includes any part of an individual’s medical record or payment history.

Covered entities must disclose PHI to the individual within 30 days upon request.  They also must disclose PHI when required to do so by law, such as reporting suspected child abuse to state child welfare agencies.

A covered entity may disclose PHI to facilitate treatment, payment, or health care operations or if the covered entity has obtained authorization from the individual.  However, when a covered entity discloses any PHI, it must make a reasonable effort to disclose only the minimum necessary information required to achieve its purpose.

The Privacy Rule gives individuals the right to request that a covered entity correct any inaccurate PHI.  It also requires covered entities to take reasonable steps to ensure the confidentiality of communications with individuals.  For example, an individual can ask to be called at his or her work number, instead of home or cell phone number.

The Privacy Rule requires covered entities to notify individuals of uses of their PHI. Covered entities must also keep track of disclosures of PHI and document privacy policies and procedures.  They must appoint a Privacy Official and a contact person responsible for receiving complaints and train all members of their workforce in procedures regarding PHI.

An individual who believes that the Privacy Rule is not being upheld can file a complaint with the Department of Health and Human Services Office for Civil Rights (OCR).  However, according to the Wall Street Journal, the OCR has a long backlog and ignores most complaints. “Complaints of privacy violations have been piling up at the Department of Health and Human Services. Between April 2003 and Nov. 30, the agency fielded 23,896 complaints related to medical-privacy rules, but it has not yet taken any enforcement actions against hospitals, doctors, insurers or anyone else for rule violations. A spokesman for the agency says it has closed three-quarters of the complaints, typically because it found no violation or after it provided informal guidance to the parties involved.”

(Wikipedia, Health Insurance Portability and Accountability Act, 2009)

So you see that there is protection and enforcement out there if your information does go missing.  However this Act doesn’t prevent your information going missing in the first place…