Transcript
Page 1: HIPAA MYTHS: HOW MUCH DO YOU KNOW? COMMON MYTHS DEBUNKED & EXPLAINED

855.85 HIPAA  www.compliancygroup.com

Industry-leading education

Certified Partner Program

For Today

•  Please ask questions
•  Today's slides: http://compliancy-group.com/slides023/
•  Upcoming & past webinars: http://compliancy-group.com/webinar/

Get Involved: #cgwebinar

•  September 23 - Omnibus Celebration
•  October 21 - Top 5 Compliance Tools
•  November 13 - Human Resources Issues for Today's Medical Practitioner

Page 2

HIPAA MYTHS: HOW MUCH DO YOU KNOW? COMMON MYTHS DEBUNKED & EXPLAINED

Matthew Fisher, Esq., Mirick O'Connell DeMallie & Lougee, LLP

Page 3

WHAT IS HIPAA?

•  A brief introduction is needed first
•  We could begin answering the myths right away, but it is always useful to have the basic background

Page 4

HIPAA: OVERVIEW

•  Many implications, but the most important are regulating the privacy and security of protected health information (PHI)
   •  Privacy – addresses use and disclosure
   •  Security – addresses storage and transmission
•  Consider both the statute and its implementing regulations
   •  1996 - Originally enacted
   •  2009 - Significantly modified by HITECH
   •  2013 - Final Rule implementing HITECH (the Omnibus Rule) published

Page 5

HIPAA: WHO IS SUBJECT?

•  Covered Entities
   •  Health care providers (meeting certain conditions)
   •  Health insurers
   •  Health care clearinghouses
•  Business Associates
   •  Any entity that assists with or performs functions for a covered entity for any activity regulated by HIPAA
   •  Very broad (e.g. law firms)
•  Subcontractors of Business Associates

Page 6

HIPAA: WHAT DOES IT COVER?

•  "Protected Health Information" or "PHI"
•  A term of art defined by the statute and regulations
•  If information is not PHI, it is not covered by HIPAA

Page 7

HIPAA: PRIVACY RULE

•  General purpose – regulates the "use" and "disclosure" of PHI by "covered entities" and "business associates"
   •  Allows certain, limited uses and disclosures without requiring authorization
   •  Others require notice to and/or authorization from the patient
•  Imposes numerous compliance requirements on entities (e.g. tracking, reporting, training)

Page 8

HIPAA: SECURITY RULE

•  General purpose – creates standard security measures for the protection of PHI in electronic form (ePHI) that is created, received, used or maintained by a covered entity or business associate
•  Includes various administrative, physical and technical requirements and implementation specifications

Page 9

HIPAA: BREACH NOTIFICATION RULE

•  General purpose - requires notification if a "breach" of PHI occurs
   •  Applies to a breach by any covered entity or business associate handling PHI
   •  The final rule claimed to create an objective standard, but it still has subjective elements
   •  Presumption of a breach: the breaching entity must prove why notification is not needed (through a documented risk assessment showing a low probability that the PHI was compromised)
•  Increasing exposure to enforcement actions by the Office for Civil Rights (OCR)

Page 10

THE MYTHS

Page 11

GENERAL MYTHS

Page 12

MYTH #1

•  Healthcare providers are prevented from sharing protected health information with a patient's family members and caregivers.

Page 13

MYTH #1 EXPLAINED

•  FICTION
•  Providers are permitted to share information with family members and caregivers in certain circumstances
•  The patient can affect this through a specific authorization or denial

Page 14

MYTH #2

•  Only a patient or the patient's personal representative may obtain a copy of that patient's medical record.

Page 15

MYTH #2 EXPLAINED

•  FICTION
•  There are many permissible uses and disclosures
•  The patient's permission is not always needed

Page 16

MYTH #3

•  HIPAA prevents providers and patients from communicating by email.

Page 17

MYTH #3 EXPLAINED

•  FICTION
•  Any information may be sent by email
•  Certain protections may need to be implemented (e.g. encryption in transit, which the Security Rule's transmission security standard lists as an addressable implementation specification)
•  Providers should send as instructed by the patient

Page 18

MYTH #4

•  Providers are obligated to provide a patient their entire medical record upon request.

Page 19

MYTH #4 EXPLAINED

•  FICTION
•  Certain parts of a record may be exempt from disclosure – often mental health information (e.g. psychotherapy notes)
•  State law may also affect this and must be reviewed in addition to HIPAA

Page 20

MYTH #5

•  HIPAA protects all protected health information no matter who is in possession of it.

Page 21

MYTH #5 EXPLAINED

•  FICTION
•  Only "covered entities" and their "business associates" must comply with HIPAA
•  The context in which protected health information is held is important for determining obligations

Page 22

MYTH #6

•  HIPAA obligates providers to correct any errors that may be in an individual's medical record.

Page 23

MYTH #6 EXPLAINED

•  FICTION
•  Individuals have the right to request amendments
•  A request does not guarantee that a change will be made (a denial must be given in writing, and the individual may submit a statement of disagreement for the record)

Page 24

MYTH #7

•  Your medical records will not impact your credit score or credit generally.

Page 25

MYTH #7 EXPLAINED

•  Partial FACT
•  The record itself does not impact an individual's credit
•  However, failure to pay for medical treatment can be reported to credit agencies

Page 26

MYTH #8

•  Protected health information cannot be sold or used for marketing.

Page 27

MYTH #8 EXPLAINED

•  Partial FACT
•  HIPAA limits when protected health information can be used for marketing purposes without authorization
•  However, de-identified data is not subject to these restrictions
•  Certain, limited marketing is also allowed as of right

Page 28

MYTH #9

•  HIPAA requires patients to consent to the sharing of protected health information by providers.

Page 29

MYTH #9 EXPLAINED

•  FICTION
•  Uses and disclosures for "treatment" purposes (as well as payment and health care operations) are allowed without requiring an individual's consent
•  Transfers between providers occur without patient involvement

Page 30

MYTH #10

•  HIPAA prevents an individual's family member from picking up the patient's prescriptions.

Page 31

MYTH #10 EXPLAINED

•  FICTION
•  A family member can pick up prescriptions, medical supplies, x-rays and other similar forms of protected health information
•  Allowed if the provider determines that it is in the patient's best interests

Page 32

MYTH #11

•  Patients can sue providers for HIPAA violations.

Page 33

MYTH #11 EXPLAINED

•  FICTION
•  There is no private right of action under HIPAA
•  Only the federal government (HHS, through OCR) or state attorneys general can sue to enforce HIPAA

Page 34

BUSINESS ASSOCIATE MYTHS

Page 35

MYTH #12

•  A healthcare provider or covered entity can never be a business associate to another covered entity.

Page 36

MYTH #12 EXPLAINED

•  FICTION
•  Need to evaluate what function is being performed
•  Providing health care services is exempted
•  If the entity performs billing, data analysis, data storage or other functions on behalf of another covered entity, it can be a business associate
•  Review the regulatory definition

Page 37

MYTH #13

•  A cloud data storage company is not a business associate because all the company does is store my information.

Page 38

MYTH #13 EXPLAINED

•  FICTION
•  The Omnibus Rule changed the rules and expanded who is a business associate
•  Entities that maintain protected health information are business associates
•  The determination is not about whether the entity actually accesses the information
•  Only "conduits" are outside the requirements, and that exception is narrow: it covers entities such as ISPs and couriers that merely transport PHI and access it only transiently, if at all

Page 39

MYTH #14

•  I've been using a new business associate agreement for all arrangements since September 23, 2013, so I'm all set and do not need to review any previously existing agreements.

Page 40

MYTH #14 EXPLAINED

•  FICTION
•  The primary compliance date was September 23, 2013
•  BUT agreements that were already in place on that date must be replaced by September 22, 2014
•  Review now to ensure all business associate agreements conform to the new requirements

Page 41

MYTH #15

•  A covered entity must get every business associate to sign a business associate agreement.

Page 42

MYTH #15 EXPLAINED

•  FACT, but . . .
•  The regulations require the covered entity to have the business associate sign
•  What if the business associate refuses?
•  Arguably, the covered entity can make reasonable efforts
•  A business associate's status is driven not by the agreement but by the regulatory definition

Page 43

MYTH #16

•  Now that business associates may be directly liable for breaches, covered entities are off the hook.

Page 44

MYTH #16 EXPLAINED

•  FICTION
•  Even if a business associate is the cause of a breach, the covered entity's patients are still harmed
•  Covered entities also have obligations to review and oversee the actions of their business associates

Page 45

HEALTH IT RELATED MYTHS

Page 46

MYTH #17

•  HIPAA will control and regulate all mobile health apps.

Page 47

MYTH #17 EXPLAINED

•  FICTION
•  Never forget: context determines when HIPAA applies
•  How will the mobile health app be used?
•  Who is collecting the data, and why?

Page 48

MYTH #18

•  A covered entity has a bring your own device (BYOD) policy in place, so all concerns have been addressed.

Page 49

MYTH #18 EXPLAINED

•  FICTION
•  When was the BYOD policy prepared, and what is in it?
•  Have all circumstances been addressed?
•  Pay attention to the New York and Presbyterian Hospital and Columbia University settlement (a personally owned server on the hospital network was improperly deactivated, leaving patient ePHI accessible to internet search engines)

Page 50

MYTH #19

•  Small practices are less complex than larger organizations and do not have the same security concerns, so a risk analysis is not necessary.

Page 51

MYTH #19 EXPLAINED

•  FICTION
•  Conducting a risk analysis is a required element under the Security Rule
•  No exceptions
•  Necessary to help with the development and implementation of security policies
•  Doing it once is not enough either: the analysis must be reviewed and updated as systems, operations and threats change

Page 52

ONE FINAL MYTH

Page 53

MYTH #20

•  HIPAA can be used as an excuse to deny access to information or otherwise restrict what individuals may do.

Page 54

MYTH #20 EXPLAINED

•  FICTION
•  Oftentimes, HIPAA is improperly cited as a reason to deny a request
•  Examples:
   •  A parent cannot accompany their children
   •  Visitors must leave a hospital room after a certain time
   •  Offices cannot announce patient names in the waiting room

Page 55

QUESTIONS?

Page 56

www.compliancy-group.com
855.85 HIPAA (855.854.4722)

HIPAA Education Series sponsored by:

The Guard:
•  Intelligent web-based solution designed by auditors
•  Used by over 1,000 Covered Entities and Business Associates
•  Quickly and cost-effectively achieve, illustrate and maintain HIPAA, HITECH, and Omnibus compliance
•  HIPAA Audit Guarantee

Features
•  Training, Policy & Procedure Templates included
•  Business Associate Management
•  Document & Version Control
•  Training & Attestations Tracking
•  HIPAA Coaches to assist every step of the way

Page 57

CONTACT INFORMATION

Matthew Fisher
Mirick O'Connell
100 Front Street
Worcester, MA 01608
(508) 791-8500
[email protected]
@matt_r_fisher