Disclosures for Treatment Purposes

There are circumstances under which a patient’s authorization is NOT required to disclose their protected health information (PHI). One of those circumstances is when covered entities, such as practices, share patient information with another provider for treatment purposes. Many practices do not understand this provision, and require other practices to obtain a signed authorization before releasing PHI.

HHS has provided the examples below to help covered entities understand this provision:

  • A hospital may use protected health information about an individual to provide health care to the individual and may consult with other health care providers about the individual’s treatment.
  • A health plan may use protected health information to provide customer service to its enrollees.
  • A covered entity may disclose protected health information for the treatment activities of any health care provider (including providers not covered by the Privacy Rule). For example:
    • A primary care provider may send a copy of an individual’s medical record to a specialist who needs the information to treat the individual.
    • A hospital may send a patient’s health care instructions to a nursing home to which the patient is transferred.

Any disclosures made must be consistent with your Notice of Privacy Practices.

The full text of the HHS guidance can be found here.

Feel free to share this link with other providers that are requiring authorizations for disclosures that do not warrant them. Keep in mind, however, that if a practice refuses to disclose information to you without a signed authorization, the quickest way to get the information you need is often to obtain the authorization. Authorizations may be sent and received remotely; you do not have to require a patient to sign an authorization in person. Simply perform reasonable identity verification: confirm with the patient the mailing address, fax number, or email address to which you will send the information, and check that their signature matches the one you have on file.

Confidentiality Agreements with Vendors

There are certain types of vendors that do not require access to patient information in order to perform a service for your practice. Vendors that do not access, use, or disclose patient information will not be considered business associates. It would be a mistake to have them sign a business associate agreement, because such an agreement involves obligations that do not apply to a vendor that you do not intentionally provide with access to patient information. However, if a vendor will not be supervised (and works in areas where patient information could be accessed), or comes into the facility after hours when no one is there, there are steps you should take to protect the confidentiality of patient information.

Neither the Privacy Rule nor the Security Rule specifically mandates the use of a “Vendor Confidentiality Agreement” with vendors that are not business associates. However, the agreement is designed to help you ensure that your PHI is not improperly accessed, used, or disclosed by the vendor. A signed confidentiality agreement demonstrates that you have taken steps to inform the vendor that any incidentally viewed PHI must be kept confidential and not used or disclosed.

The most common examples of vendors that should sign a Confidentiality Agreement are contracted cleaning services and landlords, because they often come into the facility when you are not there. If you have a cleaning service, but they are only present when you are in the facility, or your landlord never enters without you being present, a vendor confidentiality agreement may not be necessary.

Similarly, an agreement is not needed with vendors such as pharmaceutical reps, who come into the practice, are escorted to a location to meet with someone, and are supervised during their visit. However, if the rep stocks sample cabinets independently, and those cabinets are located in areas in which patient information could be viewed, then it would be wise to put a vendor confidentiality agreement in place.

Other safeguards to consider include:

  • not leaving patient information out on desks, particularly after hours;
  • placing documents containing patient information into locked cabinets whenever possible;
  • emptying shredding bins into a secure area at the end of every work shift;
  • logging off all workstations when walking away from the station and at the end of the work shift (automatic logoff may also be in place);
  • having blur screens or shields in place on workstations that are in publicly accessible areas.

Take a moment to assess your vendors to determine whether there are any with which you should have a Vendor Confidentiality Agreement. If you are a subscriber to the HIPAA Compliance System, you have Form 7.12, Vendor Confidentiality Agreement, for this purpose.

Failure to Establish Business Associate Agreements

The Office for Civil Rights (OCR) has recently taken an enforcement action concerning the failure to establish business associate agreements in a timely manner. The following summarizes OCR’s actions against a practice that failed to establish a Business Associate Agreement (BAA) with one of its vendors for several years.

What Happened…

In August 2015, OCR initiated a compliance review of the practice following an investigation of a Business Associate (BA) that stored records containing protected health information (PHI) for the practice. While the practice began disclosing PHI to the BA in 2003, neither party could produce a BAA signed prior to October 2015. So, while the practice had a current BAA (in place since 2015), it was discovered that it had begun using the vendor’s services in 2003 without one.

Citations…

The citations for this failure were:

  1. The practice failed to obtain satisfactory assurance (in the form of a BAA) that the vendor would appropriately safeguard the practice’s patient information (PHI).
  2. The practice impermissibly disclosed PHI to the vendor without satisfactory assurances (in the form of a BAA) that the vendor would appropriately safeguard PHI.

Results…

As a result of the citations, the practice had to agree to pay a Resolution Amount (i.e., fine or penalty) of $31,000 for failing to have a BAA with the vendor, in addition to complying with a Corrective Action Plan (CAP) that OCR imposed.

Lessons learned…

It is important to ensure that a BAA is established with each new vendor that fits the definition of a business associate, as soon as service is initiated with the vendor. A practice may designate one person to fulfill this responsibility, or ensure that each workforce member who has the authority to engage the services of a business associate is trained to obtain a BAA. One person should be designated to periodically review records to ensure that required business associate agreements are in place (e.g., once per year).

For more information about this enforcement action, please see the article titled Business Associate Agreement Enforcement in your June copy of the Advisor®.

MDA Endorses Eagle Associates to Provide Compliance Services to Members

The Michigan Dental Association (MDA) has recently endorsed Eagle Associates to provide members with the solutions they need to comply with the Health Insurance Portability and Accountability Act, the Michigan Occupational Safety and Health Administration regulations, and the U.S. Office of Inspector General requirements.

The MDA recently announced:

Eagle Associates Simplifies HIPAA, OSHA and OIG Compliance

After an extensive nationwide search for a reliable and simple solution to the burden of HIPAA, OSHA and OIG compliance, the MDA recently endorsed Eagle Associates. Eagle Associates is an Ann Arbor-based company that has provided compliance consulting for dental and medical practices since 1988. MDA and Eagle Associates have developed various tiers of service, so there is something that will be cost effective for your practice. The MDA has negotiated significant savings for Eagle Associates’ compliance programs and service levels. We’ve done the work to make compliance simple and affordable for you as a benefit of membership.

If you are an MDA member, and would like information about the services that are available to meet the needs of your practice, please contact us at (800) 777-2337 or info@eagleassociates.net.

Phishing Scam

On November 28, 2016, the Office for Civil Rights (OCR) released a bulletin alerting covered entities and business associates of a phishing email scam that is circulating. Please read the contents of the notice below, and be alert for a possible phishing email that you could receive.

It has come to our attention that a phishing email is being circulated on mock HHS Departmental letterhead under the signature of OCR’s Director, Jocelyn Samuels. This email appears to be an official government communication, and targets employees of HIPAA covered entities and their business associates.

The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. The link directs individuals to a non-governmental website marketing a firm’s cybersecurity services.

In no way is this firm associated with the U.S. Department of Health and Human Services or the Office for Civil Rights. We take the unauthorized use of this material by this firm very seriously. In the event that you or your organization has a question as to whether it has received an official communication from our agency regarding a HIPAA audit, please contact us via email at OSOCRAudit@hhs.gov.

OCR would like to further share that this phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to a URL at http://www.hhs-gov.us. This is a subtle difference from the official email address for our HIPAA audit program, OSOCRAudit@hhs.gov, but such subtlety is typical in phishing scams.

If you receive an email, and are unsure whether it is from OCR, check the sending email address. If the email is legitimately from OCR, the sending email address will end with @hhs.gov. Email notices from OCR regarding its audit program have generally come from the OSOCRAudit@hhs.gov email address. Contact Eagle Associates, Inc. at (800) 777-2337 or via email at info@eagleassociates.net if you have any questions.
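The sender-address check described above is easy to get wrong when done by eye or with a naive "ends with hhs.gov" test. The following is an added example (not part of the OCR bulletin or Eagle Associates material) that extracts the real sending domain from a From header and accepts only hhs.gov or its subdomains, rejecting the hhs-gov.us lookalike the bulletin names along with other constructed variants; the sample headers are constructed for illustration.

```python
"""Sender-domain triage for suspected OCR audit phishing emails.

Added example; the only real values are the trusted domain hhs.gov, the
audit-program address OSOCRAudit@hhs.gov, and the lookalike hhs-gov.us
named in the OCR bulletin. All sample headers below are constructed.
"""
from email.utils import parseaddr

TRUSTED_DOMAIN = "hhs.gov"


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the actual address in a From header.

    parseaddr separates the display name from the angle-bracketed address,
    so a header like '"OSOCRAudit@hhs.gov" <x@hhs-gov.us>' yields
    'hhs-gov.us', not the reassuring display name.
    """
    _name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""  # malformed or empty header: treat as unknown
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def is_trusted_sender(from_header: str) -> bool:
    """True only if the domain is hhs.gov itself or a subdomain of it.

    Exact match or dotted-suffix match rejects lookalikes that a plain
    'contains' or 'endswith' test would accept: hhs-gov.us, hhs.gov.us,
    hhs.gov.example.com and notreallyhhs.gov.
    """
    domain = sender_domain(from_header)
    return domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)


# Constructed sample From headers for triage.
SAMPLE_HEADERS = [
    "OSOCRAudit@hhs.gov",                          # legitimate audit address
    "OCR Audit <OSOCRAudit@hhs-gov.us>",           # lookalike from the bulletin
    '"OSOCRAudit@hhs.gov" <audit@hhs-gov.us>',     # trusted-looking display name
    "HHS Audit <audit@hhs.gov.us>",                # trusted domain as a prefix
    "OCR <ocr@ocr.hhs.gov>",                       # genuine subdomain
]


def triage(headers):
    """Map each From header to 'trusted' or 'suspect' for quick review."""
    return {h: ("trusted" if is_trusted_sender(h) else "suspect") for h in headers}


if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_HEADERS).items():
        print(f"{verdict:8} {header}")
```

A From header can itself be forged, so this check only screens out the obvious lookalikes; when in doubt, confirm with OCR at the address the bulletin gives rather than replying to the message.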

ACA Non-Discrimination Notice, Statement, and Taglines [updated]

[ this article was last updated on November 9, 2016 ]

The Department of Health and Human Services (HHS) has issued final regulations prohibiting discrimination (under Section 1557 of the Affordable Care Act or ACA) on the basis of race, color, national origin, sex, age, or disability. The requirements apply to all health programs and activities that receive federal funds or assistance.

Effective Date – Posting a non-discrimination notice or statement, together with non-English taglines in significant publications, physical locations, and on the practice’s website (if applicable) was required by October 17, 2016. Note that this regulation is not part of HIPAA and only applies to covered entities that receive federal funds or assistance (including EHR incentive payments).

There are three elements to meeting requirements for posting non-discrimination information (Notice, Statement, and Non-English Taglines). In addition, practices with 15 or more employees are required to have a civil rights grievance procedure, and an employee designated to coordinate compliance. All employees, regardless of the total number, should receive basic training. Please follow the steps below to comply with these requirements.

Quick steps to Compliance with ACA 1557

  1. Notice – Post the non-discrimination Notice in a conspicuous area of the practice, and on the practice website, if such is maintained. A sample Notice is available in English and in 61 other languages through the following link. Notices in non-English languages may be provided to patients upon request. Covered entities are only required to post the Notice in English. The sample Notices are available at this link.
  2. Taglines – The final rule requires that covered entities post taglines that alert individuals with limited English proficiency to the availability of language assistance services in the top 15 languages spoken in the State in which the entity is located or does business. The posting of taglines shall also be in a conspicuous location, such as the check-in or waiting area of the practice. In addition, small-sized, significant communications such as postcards must include taglines in at least the top 2 non-English languages spoken in the State.
    • Lists of the top 15 languages spoken in each state may be found at this link.
    • You may find the top 15 translated Taglines for your State with this link.
  3. Statement – A statement of non-discrimination must be included in all significant publications or communications of small size (if the material is too small to permit the full Notice to be included). Examples of such items include marketing brochures, bulletins or other announcements. You may use existing supplies of printed materials, and include the Statement as documents are reprinted. A sample Statement may also be found on this web page.
  4. Grievance Procedure – If your practice employs 15 or more people, a grievance procedure must be established. This link will take you to a model grievance procedure.
  5. Civil Rights Coordinator – If your practice employs 15 or more people, an employee must be designated to coordinate compliance with Section 1557 (i.e., to ensure that postings are made, employees are informed of the regulations, publications include required statements and taglines, and grievance procedures are followed).
  6. Employee Training – Have employees read your Notice and Grievance Procedure so that they are familiar with the rights afforded by Section 1557, and inform them of the Civil Rights/Compliance Coordinator designation so that they know to whom questions or complaints should be directed.
  7. Interpreter Service – Identify an interpreter service that you would use on an as-needed basis. Additionally, you will need a Business Associate Agreement with each interpreter service you select.
  8. Assurance of Compliance – To attest that you have met the requirement, you may use this HHS link to electronically attest.