HIPAA Myths: How Much Do You Know? Common Myths Debunked & Explained
DESCRIPTION
HIPAA is a complex law with many ins and outs that requires a thorough understanding of the law and regulations. The complexity has given rise to numerous myths about what HIPAA actually does. To avoid creating unnecessary issues and frustration, hear about common issues that others encounter and learn how HIPAA will actually work in each circumstance. A good understanding of HIPAA will enable better compliance and make everyone happier.
TRANSCRIPT
855.85HIPAA www.compliancygroup.com
Industry leading Education
Certified Partner Program
For Today
• Please ask questions
• Today's Slides: http://compliancy-group.com/slides023/
• Upcoming & Past webinars: http://compliancy-group.com/webinar/
Get Involved
#cgwebinar
• September 23 - Omnibus Celebration
• October 21 - Top 5 Compliance tools
• November 13 - Human Resources issues for today's medical practitioner
HIPAA MYTHS: HOW MUCH DO YOU KNOW? COMMON MYTHS DEBUNKED & EXPLAINED
Matthew Fisher, Esq. Mirick O’Connell DeMallie & Lougee, LLP
WHAT IS HIPAA?
§ Need brief introduction first
§ May begin to answer myths, but always useful to have basic background
HIPAA: OVERVIEW
§ Many implications, but most important are regulating privacy and security of protected health information (PHI)
• Privacy – addresses use and disclosure
• Security – addresses storage and transmission
§ Consider statute and implementing regulations
• 1996 - Originally enacted
• 2009 - Significantly modified by HITECH
• 2013 - Final Rule implementing HITECH published
HIPAA: WHO IS SUBJECT?
§ Covered Entities
• Health Care Providers (meeting certain conditions)
• Health Insurers
• Health Care Clearinghouses
§ Business Associates
• Any entity that assists with or performs functions for a covered entity for any activity regulated by HIPAA
• Very broad (e.g. law firms)
§ Subcontractors of Business Associates
HIPAA: WHAT DOES IT COVER?
§ “Protected Health Information” or “PHI”
§ Term of art defined by statute and regulations
§ If not PHI, then not covered by HIPAA
HIPAA: PRIVACY RULE
§ General Purpose – regulates “use” and “disclosure” of PHI by “covered entities” and “business associates”
• Allows for certain, limited uses and disclosures without requiring authorization
• Others require notice to and/or authorization from the patient
§ Imposes numerous compliance requirements on entities (e.g. tracking, reporting, training)
HIPAA: SECURITY RULE
§ General purpose – creates standard security measures for the protection of PHI that is created, received, used or maintained by covered entity
§ Includes various technical requirements and specifications
HIPAA: BREACH NOTIFICATION RULE
§ General purpose - requires notification if a “breach” of PHI occurs
• Applies to a breach by any entity handling PHI
• Final rule claimed to create an objective standard, but still has subjective elements
• Presumption of a breach; breaching entity must prove why notification is not needed
§ Increasing exposure to enforcement actions by Office of Civil Rights (OCR)
THE MYTHS
GENERAL MYTHS
MYTH #1
§ Healthcare providers are prevented from sharing protected health information with a patient’s family members and caregivers.
MYTH #1 EXPLANATION
§ FICTION
§ Providers are permitted to share information with family members and caregivers in certain circumstances
§ Patient can impact through specific authorization or denial
MYTH #2
§ Only a patient or the patient’s personal representative may obtain a copy of that patient’s medical record.
MYTH #2 EXPLAINED
§ FICTION
§ Many permissible uses and disclosures
§ Do not always need permission
MYTH #3
§ HIPAA prevents providers and patients from communicating by email.
MYTH #3 EXPLAINED
§ FICTION
§ Any information may be sent by email
§ May need to implement certain protections
§ Providers should send as instructed by patient
MYTH #4
§ Providers are obligated to provide a patient their entire medical record upon request.
MYTH #4 EXPLAINED
§ FICTION
§ Certain parts of a record may be exempt from disclosure – often mental health information
§ State law may influence – must be reviewed in addition to HIPAA
MYTH #5
§ HIPAA protects all protected health information no matter who is in possession of it.
MYTH #5 EXPLAINED
§ FICTION
§ Only “covered entities” and their “business associates” must comply with HIPAA
§ Context in which protected health information is held is important for determining obligations
MYTH #6
§ HIPAA obligates providers to correct any errors that may be in an individual’s medical record.
MYTH #6 EXPLAINED
§ FICTION
§ Individuals have the right to request amendments
§ Request does not guarantee change will be made
MYTH #7
§ Your medical records will not impact your credit score or credit generally.
MYTH #7 EXPLAINED
§ Partial FACT
§ The record itself does not impact an individual’s credit
§ However, failure to pay for medical treatments can be reported to credit agencies
MYTH #8
§ Protected health information cannot be sold or used for marketing.
MYTH #8 EXPLAINED
§ Partially FACT
§ HIPAA limits when protected health information can be used for marketing purposes without authorization
§ However, de-identified data is not subject to restrictions
§ Certain, limited marketing also allowed as of right
MYTH #9
§ HIPAA requires patients to consent to the sharing of protected health information by providers.
MYTH #9 EXPLAINED
§ FICTION
§ Uses and disclosures for “treatment” purposes are allowed without requiring an individual’s consent
§ Transfers between providers occur without patient involvement
MYTH #10
§ HIPAA prevents an individual’s family member from picking up the patient’s prescriptions.
MYTH #10 EXPLAINED
§ FICTION
§ A family member can pick up prescriptions, medical supplies, x-rays and other similar forms of protected health information
§ Allowed if provider determines it is in the patient’s best interests
MYTH #11
§ Patients can sue providers for HIPAA violations.
MYTH #11 EXPLAINED
§ FICTION
§ There is no private right of action under HIPAA
§ Only the federal or state government can sue to enforce HIPAA
BUSINESS ASSOCIATE MYTHS
MYTH #12
§ A healthcare provider or covered entity can never be a business associate to another covered entity.
MYTH #12 EXPLAINED
§ FICTION
§ Need to evaluate what function is being performed
§ For healthcare services, exempted
§ If performing billing, data analysis, data storage or other functions, can be a business associate
§ Review definition
MYTH #13
§ A cloud data storage company is not a business associate because all the company does is store my information.
MYTH #13 EXPLAINED
§ FICTION
§ The Omnibus Rule changed the rules and expanded who is a business associate
§ Entities that maintain protected information are business associates
§ Determination is not about access
§ Only “conduits” outside requirements
MYTH #14
§ I’ve been using a new business associate agreement for all arrangements since September 23, 2013, I’m all set and do not need to review any previously existing agreements.
MYTH #14 EXPLAINED
§ FICTION
§ Primary compliance date was September 23, 2013
§ BUT, then-current agreements need to be replaced by September 22, 2014
§ Review now to ensure all business associate agreements conform to new requirements
MYTH #15
§ A covered entity must get every business associate to sign a business associate agreement.
MYTH #15 EXPLAINED
§ FACT, but . . .
§ Regulations require covered entity to have business associate sign
§ What if business associate refuses?
§ Arguably can make reasonable efforts
§ Business associate’s status not driven by agreement, but regulatory definition
MYTH #16
§ Now that business associates may be directly liable for breaches, covered entities are off the hook.
MYTH #16 EXPLAINED
§ FICTION
§ Even if a business associate is the cause of a breach, a covered entity’s patients are still harmed
§ Covered entities also have obligations to review and oversee actions of business associates
HEALTH IT RELATED MYTHS
MYTH #17
§ HIPAA will control and regulate all mobile health apps.
MYTH #17 EXPLAINED
§ FICTION
§ Never forget, context determines when HIPAA applies
§ How will a mobile health app be used?
§ Who is collecting the data and why?
MYTH #18
§ A covered entity has a bring-your-own-device policy in place, so all concerns have been addressed.
MYTH #18 EXPLAINED
§ FICTION
§ When was the BYOD policy prepared and what is in it?
§ Have all circumstances been addressed?
§ Pay attention to the New York and Presbyterian Hospital and Columbia University settlement
MYTH #19
§ Small practices are less complex than larger organizations and do not have the same security concerns, so a risk analysis is not necessary.
MYTH #19 EXPLAINED
§ FICTION
§ Conducting a risk analysis is a required element under the Security Rule
§ No exceptions
§ Necessary to help with development and implementation of security policies
§ Once is not enough either
ONE FINAL MYTH
MYTH #20
§ HIPAA can be used as an excuse to deny access to information or otherwise restrict what individuals may do.
MYTH #20 EXPLAINED
§ FICTION
§ Oftentimes, HIPAA is improperly cited as a reason to deny a request
§ Examples:
• Parent cannot accompany their children
• Visitors must leave a hospital room after a certain time
• Offices cannot announce patient names in the waiting room
QUESTIONS?
HIPAA Education Series sponsored by Compliancy Group (www.compliancygroup.com)
CONTACT INFORMATION
Matthew Fisher
Mirick O’Connell
100 Front Street
Worcester, MA 01608
(508) 791-8500
[email protected] @matt_r_fisher