
Disclosure Requests for Legal Proceedings

Disclosure of protected health information (PHI) for use in legal proceedings is permitted under certain circumstances. If a covered entity receives a court order signed by a judge that requests PHI, it should comply with the order and provide only the information that is specifically requested.

If the practice receives a subpoena, discovery request, or other lawful process that is not accompanied by a signed order of the court, certain satisfactory assurances must be obtained from the requesting party prior to disclosure of the requested information.

In these instances, the requesting party must provide the practice with either of the following:

  • Satisfactory assurances that reasonable efforts have been made to give the individual (whose information has been requested) notice of the request; or
  • Satisfactory assurances that the party seeking such information has made reasonable efforts to secure a qualified protective order (see below) that will guard the confidentiality of the information.

Please refer to the article, Requests for Disclosure of PHI for Legal Proceedings, in the April issue of the Advisor®, for more information regarding satisfactory assurances and documentation requirements.

End of Support for Windows 7 and 8

Microsoft has announced its timetable regarding the end of support for Windows 7 and Windows 8.  These dates may seem distant, but you will want to begin planning now, so that you can complete a transition prior to the end of support.

Transition planning is important, because after support ends, security updates are no longer provided.  Without security updates, your computer/network will be vulnerable to external hacking attempts and potential malware intrusion.  Under HIPAA’s Security Rule, you are required to take measures that reduce such risks, including updating software with security patches, and ending use of software that is no longer being supported by the manufacturer.

Microsoft continues to provide security updates for Windows through what it terms the “Extended Support” time frame.

  • For Windows 7 Service Pack 1, extended support will end on January 14, 2020.
  • For Windows 8 (the current latest version is 8.1), extended support will end on January 10, 2023.

You should work with your IT department/vendor to plan upgrades to operating systems/software as appropriate prior to the end of extended support dates. Due to limitations of hardware, this may sometimes require the purchase of new equipment that is capable of running the new operating system or software. For this reason, budgeting concerns also play a key role.

Refer to the March 2016 issue of the Advisor for additional information on this topic.

Disclosure of PHI Obtained From Other Providers

Patients have the right to request a copy of their medical record, and covered entities must provide it, including any information contained in the patient record that was created by, or obtained from, other healthcare providers.

The Privacy Rule states:

“A covered entity is required to provide access to protected health information in accordance with the rule regardless of whether the covered entity created such information or not… In order to assure that an individual can exercise his or her access rights, we do not require the individual to make a separate request to each originating provider.

If the individual directs an access request to a covered entity that has the protected health information requested, the covered entity must provide access.”

The inclusion of other providers’ information is not exclusive to patient access rights. For example, if a hospital requests a patient’s full medical record for treatment purposes, then the entire contents of the medical record, including records that were created by other providers, should be included.

Health and Human Services has posted the following question and answer that addresses the issue in a more general manner, rather than only referring to patient requests:

“Question – A provider might have a patient’s medical record that contains older portions of a medical record that were created by another previous provider. Will the HIPAA Privacy Rule permit a provider who is a covered entity to disclose a complete medical record even though portions of the record were created by other providers?

Answer – Yes, the Privacy Rule permits a provider who is a covered entity to disclose a complete medical record including portions that were created by another provider, assuming that the disclosure is for a purpose permitted by the Privacy Rule, such as treatment.”

While a covered entity may deny access to information that was received from someone under a promise of confidentiality (if access would be reasonably likely to reveal the source of the information), a covered entity may not deny access to PHI when the information has been obtained from a healthcare provider. If a patient authorizes disclosure of his/her PHI, or disclosure is otherwise permitted by the Privacy Rule, a provider may not restrict disclosure of PHI based on who created it.

Acceptable/Responsible Use

Once a workforce member is granted access to a practice’s information systems (including computer hardware, software, email, voice mail, internet, telephone, cell phone, laptops, or other electronic equipment or service made available to employees or paid for by the practice), it is everyone’s responsibility to ensure that the systems are utilized in an acceptable manner following basic rules of conduct.

Acceptable Use applies to the use and disclosure of proprietary and patient information, computer or other devices (includes mobile and other computing or storage devices), and network resources. Some basic responsibilities include:

  • Protecting proprietary information, such as business practices, financial information and intellectual property of the practice.
  • Using or disclosing business and patient information only as necessary to perform assigned duties.
  • Promptly reporting any theft, loss or unauthorized disclosure of proprietary or patient information.
  • Exercising good judgment in the use of the information system (this includes internet access and the sites visited).
  • Ensuring that local, state, federal, or international law is not violated while utilizing the practice’s information system.

It is helpful if acceptable or responsible use expectations are outlined in an employee handbook, or otherwise clearly communicated to workforce members.  Some organizations may also require users to sign an acknowledgement (often called an “acceptable use policy”) to ensure understanding of the policies.

Sanctions or penalties must be uniformly imposed if anyone causes harm to the information system, uses or discloses information in an unauthorized manner, or violates regulatory requirements. Sanctions may include disciplinary actions up to and including termination of employment. Workforce members should also be warned that certain actions that violate privacy requirements might subject them to prosecution and/or monetary penalties by regulatory agencies, such as the Office for Civil Rights.

Communicating compliance responsibilities to workforce members, and informing them of sanctions that will be imposed for failure to meet them, helps ensure the security of your practice’s information system.

Disclosure to Medical/Dental Device Companies

We are often asked whether a patient authorization is required in order to disclose protected health information (PHI) to a medical or dental device company. Similarly, practices have asked whether device companies will be considered business associates of the practice. The answer to both questions lies in whether or not the device company is considered a healthcare provider, as defined by the Privacy Rule.

A healthcare provider is defined as an entity that furnishes, bills or is paid for healthcare in the normal course of business.

If the device company provides healthcare (care, services or supplies related to the health of an individual), the company will be considered a healthcare provider (and must comply with HIPAA requirements as a covered entity). A patient authorization is not required in order to disclose PHI to other healthcare providers that are involved in the treatment of a patient. Nor is a business associate agreement required with such entities.

For more detailed information, please see the article “Medical & Dental Device Companies” in the December 2015 Advisor.

Meaningful Use and Security Risk Analysis

Now that the final rule for 2015 meaningful use has been released, we have received some questions as to whether there are changes that will need to be made to our Security Risk Analysis template. The final rule was released on October 16, 2015, and changed the Medicare and Medicaid EHR Incentive Programs reporting period in 2015 to a 90-day period aligned with the calendar year.

The good news is that the final rule did not include any modifications to Security Rule requirements, and therefore does not necessitate any changes to our 2015 Security Risk Analysis template. If you have already completed a Security Risk Analysis during 2015, and used our template, you will NOT need to re-do it, or change anything.

The rule specifies that you may select any 90-day period in the calendar year as a measurement period, and that your Security Risk Analysis must be completed during the same calendar year, and before you submit your attestation. So, even if you conducted your Security Risk Analysis outside of your 90-day measurement period, that is fine, as long as it took place during 2015, and was completed prior to submitting your attestation.

HIPAA Compliance System Subscribers

Security Risk Analysis – The 2015 Security Risk Analysis template is available in the Member Services area of our website. Simply log in to locate the document on the HIPAA Compliance System materials page, and then save the template to your hard drive to enable saving your entries. Explanations, instruction and HIPAA Compliance Manual references are provided for each item to be addressed within the risk analysis.

Risk Analysis Assistance – If you would prefer that Eagle Associates complete your risk analysis with you, you may call to schedule a phone conference with one of our consultants. During the call, our consultant will collect information about the security measures that are in place in your practice, make note of these in the risk analysis document, and identify any corrective actions that are needed to comply with Security Rule requirements. The fee for this service is $350. (Note that an active subscription to the HIPAA Compliance System is required.)