Proposed Privacy Rule Changes

Finalization of Privacy Rule modifications is still pending

The Department of Health and Human Services (HHS) published proposed changes to HIPAA’s Privacy Rule on January 21, 2021. The proposal was under a public comment period until May 2021 and HHS expects to publish final changes in March or April 2023.

Effective Date – Once published, the final rule will become effective 60 days from its date of publication in the Federal Register.

Compliance Date – The important date for covered entities and other parties affected by the rule will be the Compliance Date, which will be 180 days from the Effective Date. This will allow covered entities ample time to make changes in policies, forms, and procedures.

Proposed Changes – There are multiple possible changes affecting an individual’s (patient’s) right of access, permitted disclosures for the purpose of care coordination and case management activities, and more.  Here is a brief listing of proposed changes that, if finalized, will have the greatest impact for providers and their practices:

  • New Terms will be introduced for Electronic Health Records and Personal Health Applications.
  • Timeliness for access to records will be amended from the current 30-day period to 15 calendar days for responding to access requests for inspection and/or copies of PHI. An additional 15 calendar days will be permitted to fulfill the request if certain conditions are met.
  • Strengthened right of inspection – Individuals will be permitted to take notes, take photographs, and use other personal resources to capture information when inspecting their designated record set.
  • Right of access fees – Reasonable, cost-based fees that may be imposed for copies of PHI (or for a summary of PHI if agreed to by the individual) will be clarified.
  • Notice of access and authorization fees – A covered entity will be required to post a fee schedule on its website, if it has one, and make the fee schedule available at the point of service and upon request that specifies the types of access to PHI that are available free of charge and standard copy fees, including for any readily producible electronic and non-electronic forms and formats. Upon request, the covered entity must provide an individualized estimate of the approximate fee for any type of request covered by the fee schedule and provide an individual with an itemized list of the specific charges for labor, supplies, and postage that constitute the total fee charged, if requested.
  • Requests to direct PHI to a third party will enable an individual to make a request to disclose their PHI to a third party in oral as well as written form (current requirement is written form) and to direct transmission of their PHI in an electronic format to a third party (if records are maintained electronically by the covered entity).
  • Care coordination and case management activities are added to the exceptions to the Minimum Necessary Standard regarding disclosures to or requests by healthcare providers or health plans with respect to an individual.
  • Business Associate Agreements must specify if the Business Associate is expected to disclose PHI to an individual or the individual’s designee upon request, rather than to the Covered Entity, as necessary to satisfy the covered entity’s obligations (to comply with patient access rights).
  • Modified Language for Notice of Privacy Practices – Several new, specific statements will need to be prominently displayed in the notice. In addition, the email address of the person who is designated to provide further information and answer questions about the notice will need to be included.
  • Obtaining acknowledgement of receipt of the Notice of Privacy Practices will no longer be required.
  • Providers of Telecommunications Relay Services (as defined in 47 U.S.C. 255(a)(3)) will be specifically excluded from the definition of Business Associates and covered entities will be permitted to disclose PHI to a TRS Communications Assistant as necessary to conduct covered functions.
  • Presumption of compliance – There are several permissions for disclosure within the Privacy Rule that will be based on a covered entity’s good faith belief that providing access is in the best interests of the individual (e.g., to prevent a serious and reasonably foreseeable harm, or lessen a serious or reasonably foreseeable threat, to the health or safety of a person or the public). The covered entity will be presumed to have complied with the good faith requirement absent evidence that the covered entity acted in bad faith.
  • Uses to carry out treatment, payment or healthcare operations – Covered entities will be permitted to disclose an individual’s PHI to a social services agency, community-based organization, home and community-based services provider, or similar third party that provides health or human services to specific individuals for individual-level care coordination and case management activities.
  • Reducing identity verification burden – Verification of patient access requests will be permitted to be done orally or in writing.
  • Unreasonable measures of verification – Unreasonable verification measures will be defined, and examples provided to help covered entities avoid impeding an individual’s access rights.

Note – Eagle Associates will provide a detailed explanation of all changes and operational recommendations once the final rule is published. 

Notice for Subscribers to Eagle Associates’ HIPAA Compliance System

Eagle Associates will publish revised policies, forms (such as Notice of Privacy Practices and Business Associate Agreements), and workforce member training prior to the compliance date. We will also provide guidance documents to help ensure your practice is fully prepared to meet the new requirements.

Protective Measures Following A Breach

When your practice determines that a privacy breach is reportable, notification to patients must be provided within 60 calendar days from the date of discovery of the incident. The notice to patients must include:

  • a brief description of the breach;
  • the types of information that were involved;
  • a brief description of what your practice is doing to investigate the breach, mitigate any harm, and prevent further breaches (corrective actions); and 
  • contact information for the practice’s Privacy Officer (in the event the patient has questions regarding the breach).

It is also required that your practice provide notice of any steps that affected individuals should take to protect themselves from potential harm that might result from the breach. This article addresses the types of protective measures available to patients following a breach, when they should be recommended, and who should provide for them.

Providing Credit Monitoring & Identity Theft Protection Services

The Breach Notification Rule does not stipulate whether credit monitoring and identity theft protection services should be provided for patients who have had their PHI breached.  The decision whether or not to provide those services is left to the discretion of your practice.  However, your practice is required to provide patients with details of the steps that should be taken (by them) to mitigate further risk and protect themselves from harm.

Credit monitoring may not be necessary for every confirmed breach. Breaches involving credit card numbers and Social Security numbers (SSNs) present the greatest risk of identity theft or fraud. According to fraud experts, a full name and address alone do not enable theft or fraud; however, a full name, address, date of birth (DOB), and SSN together would place someone at significant risk of identity theft.

Note that some states have enacted legislation requiring credit monitoring to be offered for all data breaches. Your state medical or dental society can provide information on your state’s position. 

Consider the Public Relations (PR) Factor

Providing credit monitoring can reverse any ill will that the privacy breach has caused by demonstrating a genuine concern for the patient’s privacy. This relatively simple action may lessen the likelihood that the patient will file a privacy complaint with the Office for Civil Rights (OCR) or complain to others about your practice.  An OCR complaint could result in significant administrative time to respond to an investigation and could potentially result in civil monetary penalties.

Place yourself in the patient’s shoes.  If you have to send them notification of a confirmed breach, you’ve just told them that your practice has improperly disclosed their PHI and perhaps, as a protective measure, they should monitor their credit. Offering credit monitoring at no expense to the patient alleviates a burden that resulted from actions of the practice.  

Credit Monitoring

The credit reporting bureaus (Equifax, Experian, and TransUnion) must provide consumers with a free credit report once every 12 months upon request. Ongoing credit monitoring services go further: they alert the patient whenever the bureau receives notice of an application for credit or a loan, or when personal information such as an address or phone number is changed.

Identity theft protection services cover a much broader range of activities, some of which may not show up on credit reports. These include the use of personal documentation such as SSNs, as well as driver’s license, medical ID, and passport numbers.

The decision about which services to offer should be based on the level of risk breach victims are likely to face. The level of risk will be determined by the nature of the attack, the types of data that have been exposed, the likelihood of data being used for identity theft and fraud, and the risk of data being sold.

If you attempt to sign up for a credit monitoring service on the patient’s behalf, the company may see it as an attempt at credit or identity theft. It is recommended that you inform the patient of your willingness to reimburse them for such services, or you could offer an up-front payment to the patient once they have selected a service.

The cost of a one-year plan can range from $100 to $250 for an individual. Considering the cost of dealing with an unhappy patient and a possible OCR inquiry, one year of credit monitoring can be a wise investment for the practice.  

Credit Freeze

The Federal Trade Commission (FTC) recommends that if someone is concerned about identity theft, data breaches, or someone gaining access to their credit report without permission, they might consider placing a credit freeze on their report.  Depending on the nature of the breach, you might recommend that your patients consider a credit freeze.

A credit freeze will not prevent thieves from making charges to existing accounts, but this free tool lets people restrict access to their credit reports, which in turn makes it more difficult for identity thieves to open new accounts in the person’s name. A credit freeze does not affect a person’s credit score, nor does it prevent the person from getting a free annual credit report. A credit freeze also does not keep a person from opening a new account, renting an apartment, or buying insurance; however, the person might need to temporarily lift the freeze to accomplish these things. It is free to lift a credit freeze and free to place it again.

A freeze remains in place until the person asks the credit bureau to temporarily lift it or remove it altogether. If the request is made online or by phone, a credit bureau must lift a freeze within one hour. If the request is made by mail, the bureau must lift the freeze within three business days from receipt of the request. 

You may direct patients to the FTC recommendations at:

https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs

Summary

All potential breaches should be investigated and documented. The final determination of whether an incident requires notification of patients and protective measures is at the discretion of your practice.

HIPAA and Students

Professional Students

Many practices participate with programs or schools that provide training for students who are in the process of becoming healthcare professionals. These range from residents, interns, nurses, and medical and dental assistants to numerous other roles that will eventually result in an official or graduated title in the healthcare field. Many programs require a certain number of hours to be completed in job shadowing or clinical field observations.

General Students

Some practices also provide an opportunity for non-healthcare students (i.e., not being registered in an official healthcare training program) to come in and observe what happens in a practice to see if they would like to pursue a healthcare profession.  Quite often, this type of observer is a late middle or high school student.  Making general observations would involve watching staff activities without direct patient involvement (i.e., not being in exam or treatment rooms or other areas where patient treatment and conversations are occurring).

Job Shadowing

This may involve direct or indirect exposure to patient information (PHI) (verbal, printed, or electronic) and possibly direct diagnosis and treatment of a patient.

Note that the Privacy Rule allows a Covered Entity (such as a practice and its providers) to use or disclose PHI without patient authorization if the use or disclosure is for the purpose of treatment, payment, or healthcare operations. The Privacy Rule’s definition of healthcare operations includes “conducting training programs in which students, trainees, or practitioners in areas of healthcare learn under supervision to practice or improve their skills as healthcare providers, training as non-healthcare professionals, accreditation, certification, licensing, or credentialing activities.”

Professional students are also defined as members of the practice’s workforce. Workforce members include employees, volunteers, trainees, and other persons whose conduct is under the direct control of a Covered Entity, whether or not they are paid by the Covered Entity. We recommend having professional students sign a visitor confidentiality agreement. Because they are considered workforce members, they also need to receive your new-hire HIPAA training.

Because general students are not considered members of the practice’s workforce and are not enrolled in an official healthcare training program, they do not qualify as professional students conducting job shadowing. Note that a general student cannot be considered a Business Associate of the practice, because they are not providing a service for the practice and do not fit the Privacy Rule’s definition of a Business Associate. If a general student were to be exposed to PHI and/or involved in the direct diagnosis and treatment of a patient, the practice would need a signed authorization from each patient with whom the general student would have involvement during their observation.

Courtesy Note

The practice should make it a policy to explain to patients who the student is (professional or general), the purpose of their involvement, and ask the patient if there are any objections.  The student should leave the room if the patient objects to the involvement.

Disclosure of PHI Obtained From Other Providers

Patients have the right to request a copy of their medical record, and covered entities must provide it, including any information contained in the patient’s record that was created by, or obtained from, other healthcare providers.

The Privacy Rule states:

“A covered entity is required to provide access to protected health information in accordance with the rule regardless of whether the covered entity created such information or not… In order to assure that an individual can exercise his or her access rights, we do not require the individual to make a separate request to each originating provider.

If the individual directs an access request to a covered entity that has the protected health information requested, the covered entity must provide access.”

The inclusion of other providers’ information is not exclusive to patient access rights. For example, if a hospital requests a patient’s full medical record for treatment purposes, then the entire contents of the medical record, including records that were created by other providers, should be included.

Health and Human Services has posted the following question and answer that addresses the issue in a more general manner, rather than only referring to patient requests:

“Question – A provider might have a patient’s medical record that contains older portions of a medical record that were created by another previous provider.  Will the HIPAA Privacy Rule permit a provider who is a covered entity to disclose a complete medical record even though portions of the record were created by other providers?

Answer – Yes, the Privacy Rule permits a provider who is a covered entity to disclose a complete medical record including portions that were created by another provider, assuming that the disclosure is for a purpose permitted by the Privacy Rule, such as treatment.”

While a covered entity may deny access to information that was received from someone under a promise of confidentiality (if access would be reasonably likely to reveal the source of the information), a covered entity may not deny access to PHI when the information has been obtained from a healthcare provider. If a patient authorizes disclosure of his/her PHI, or disclosure is otherwise permitted by the Privacy Rule, a provider may not restrict disclosure of PHI based on who created it.