HIPAA: Physician training critical to protect patients, practice

Employees who violate the rules because they don’t know them make inviting targets for new enforcement initiatives under the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The lesson for all offices is to train employees on HITECH and on new and existing Health Insurance Portability and Accountability Act (HIPAA) rules. It is imperative to understand the penalties for workforce mistakes and the effects it could have on your practice and your staff.

Training in privacy, security, unsecured breaches, and regulations and how these rules and regulations affect your practice is critical.

As a proactive approach, you should conduct an accurate and thorough assessment of the risks and vulnerabilities to the confidentiality, integrity, and availability of sensitive information held by your practice. All your employees need to understand how this affects them and their part in structuring a level of protocol and not avoiding their responsibility. These changes affect everyone, so your staff needs to be aware that this is a part of your practice’s structure and that you do not have the option of not enforcing it.

There are many different levels to the changes and modifications and therefore you should take a methodical approach to understanding, implementing, and training as the changes occur. As with any standards and laws, someone must be in a position to monitor, update, document, and train staff on the rules and guidelines. Employees also need to understand their roles and responsibilities under the protocols. More importantly, they need to know who is responsible for updating staff members on any changes to the rules and standards and who to go to should an issue arise.

To start with, it is important to understand each of the terms used in connection with HITECH and HIPAA and why they are in effect.

HIPAA: The Health Insurance Portability and Accountability act (HIPAA) sets the standard for protecting sensitive patient data. HIPAA was enacted in 1996 to protect individual patients’ private medical information. The law prohibited healthcare practitioners and institutions from releasing protected health information (PHI) to anyone, including health insurers, without the patient’s consent. Employers must train any employee who has contact with medical records in appropriate HIPAA compliance.

Notifications to employees are critical every time there is a substantive change in protocol that may affect medical privacy and how it is handled. It is important to remember that not all employees have been trained in the guidelines and protocols, even if they have worked for a long time in the medical field. It is your responsibility to see that your employees are aware of the rules, laws, and standards to follow in your practice.

Of course, as with any rule, there are some exceptions. Here are some examples:

Lawsuits and disputes

If you are involved in a lawsuit or a dispute, you may disclose PHI in response to a court or administrative order. You also may disclose in response to a subpoena, discovery request, or other lawful process by another party involved in the dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the information requested.

Law enforcement

You may release PHI if asked by a law enforcement official for the following reasons:

• In response to a court order, subpoena, warrant, summons, or similar process;

• To identify or locate a suspect, fugitive, material witness or missing person;

• Information bout the victim of a crime if, under certain limited circumstances, you are unable to obtain the person’s agreement;

• A death suspected of being the result of criminal conduct;

• Regarding criminal conduct on the premises;

• In emergency circumstances or to report a crime, the location of the crime or victims, or the identity, description, or location of the person who committed the crime.

Medical examiners and funeral directors

You may release PHI to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or to determine the cause of death. Health information may also be released to funeral directors as necessary for them to perform their duties.

Inmates, individuals in custody

In the case of inmates of a correctional institution or those who are under the custody of a law enforcement official, you may release PHI information under the following circumstances:

• for the institution to provide the patient with healthcare;

• to protect the patients’ health and safety or the health and safety of others; or

• for the safety and security of the correctional institution

An important part of HIPAA is the requirement to comply with a patient’s request not to disclose PHI to a patient’s health insurance provider, so long as the patient has paid for the medical product or service out of his or her own pocket. Flagging such requests in the patient’s record will be problematic unless all members of your staff are aware of this requirement and the appropriate protocols are in place. Everyone in the office and related to access to this information will need to be involved and have a complete understanding of the rule.

The HIPAA final rule states explicitly that all disclosures required by law supersede the patient’s request for non-disclosure. Otherwise, a provider who discloses PHI to the insurer is violating HIPAA and the HITECH Act, and is subject to possible criminal or civil penalties or other corrective action spelled out in the rule.

It is also important to understand who is now subject to penalties under HIPAA. Prior to enactment of the final rule in January of this year, HIPAA directly affected healthcare providers and insurance companies. Now “business associates”-any organization associated with these providers that has access to PHI-must also comply or face fines.

The patient has the following rights regarding their health information:

PHI: To understand PHI, you have to examine two definitions that were included in the original HIPAA legislation of 1996. These contain the statutory definitions of health information and individually identifiable health information.

Medical practices must evaluate and enhance protections needed to prevent unnecessary or inappropriate access to PHI. Any suggestions as to how you can better limit access to and disclosure of your patient information should be brought to your practice’s HIPAA compliance officer. The minimum necessary standard is intended to reflect and be consistent with, not override, professional judgment and standards. Your goal is to limit access to PHI with the caveat that it have no impact on the quality of healthcare that you offer.

The recent release of the final HIPAA Omnibus Rule will be one of the most significant changes to the HIPAA regulations, one that will have far-reaching implications for PHI disclosure management. Penalties for violations have increased to a maximum of $1.5 million per calendar year, and the definition of what constitutes a breach has changed. Being proactive should always be your rule because you don’t want to be in a position of having to react should a PHI breach occur.

HITECH: The Health Information Technology for Economic and Clinical Health (HITECH) Act supports the enforcement of HIPAA requirements by increasing the penalties for healthcare organizations that violate HIPAA privacy and security rules. The HITECH Act is in response to developments in health technology and the increased use, storage, and transmittal of electronic health information.

The 2013 HITECH Final Rules, which went into effect March 26, 2013, impose significant new obligations on covered entities, business associates, and subcontractors. A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

 The rules governing business associates take effect September 22, 2014. You need to ensure that independent contractors and/or agents who furnish services to your practice are aware of the requirements of the compliance program with respect to HIPAA and the protection of PHI.

These key dates for implementation of programs to remain in compliance with HIPAA/HITECH rules:

• March 26, 2013: The Rules became effective.

• September 23, 2013: Covered entities must comply with most of the new Rules’ provisions.

• September 25, 2013: Disclosures of PHI become subject to the new restrictions on sale of PHI.

• September 22, 2014: Covered entities must bring all of their Business Associate agreements (“BAAs”) into compliance with the rules; the new rules also apply this requirement to business associates agreements with their covered subcontractors.

With all the changes that are taking place, you should conduct a risk assessment in your practice. It is important to know what you would do in the event of a breach involving PHI. It is even more important to verify that the correct measures are taken. I would recommend bringing an outside party to do an onsite review of the security practice that is in place. A thorough risk assessment will help your practice comply with the rules and this will identify and facilitate an efficient and secure process in protecting your Practice. 

Being proactive means taking timely, effective action. This is what these changes call for. Proactive people foresee potential obstacles and exert their power to find ways to overcome them before those obstacles turn into roadblocks. Which road are you taking? 

Terry Salz is chief executive officer of International Medical Billing Management and Consulting, Inc., in Punta Gorda, Florida.