HIPPA Compliance for Loehr Health Center
Chapter 1: What is HIPAA?
It is important for all employees of Loehr Health Center (formerly Loehr Chiropractic & Acupuncture) to understand and be educated on the purpose and function of the HIPAA regulations and how that impacts the procedures and conduct of our clinic. We will begin with a history and overview of HIPAA.
The Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), also known as HIPAA, was enacted as part of a broad Congressional attempt at incremental healthcare reform. The “Administrative Simplification” aspect of that law requires the United States Department of Health and Human Services (DHHS) to develop standards and requirements for maintenance and transmission of health information that identifies individual patients.
These standards are designed to:
- Improve the efficiency and effectiveness of the healthcare system by standardizing the interchange of electronic data for specified administrative and financial transactions; and
- Protect the security and confidentiality of electronic health information.
In 2013, the U.S. Department of Health and Human Services (HHS) moved forward to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The final omnibus rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law. Individual rights are expanded in important ways. Patients can ask for a copy of their electronic medical record in an electronic form. When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan. The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individuals’ health information without their permission.
The effective date for the new HIPAA omnibus provisions is September 23, 2013, with the exception of Business Associate Agreements, which must be modified and in place by September 23, 2014.
The law provides for significant financial penalties for violations:
General Penalty for Failure to Comply:
- Each violation: $100.
- Maximum penalty for all violations of an identical requirement: May not exceed $25,000.
Wrongful Disclosure of Individually Identifiable Health Information (Federal criminal penalties):
- Wrongful disclosure offense: $50,000, imprisonment of not more than one year, or both.
- Offense under false pretenses: $100,000, imprisonment of not more than 5 years, or both.
- Offense with intent to sell information: $250,000, imprisonment of not more than 10 years, or both.
The 2013 rules clarify the four penalty tiers as follows:
- Lowest tier – cases in which the physician did not and reasonably could not know of the breach.
- Intermediate tier – cases in which the physician “knew, or by exercising reasonable diligence would have known” of the violation, but the physician did not act with willful neglect.
- Highest 2 tiers – cases in which the physician “acted with willful neglect” and either corrected the problem within the 30-day cure period, or failed to make a timely correction.
Four Key Areas of Reform
- Standardized Electronic Data Interchange (EDI) and Code Sets
This is going to be a major change for the clearinghouses and payers. Currently, there is no common standard for the transfer of information between healthcare providers and payers. Over 400 electronic data information (“EDI”) formats are used by various payers. As a result, providers such as our chiropractic office have been required by payers to meet many different requirements.
The new regulations are an effort to reduce our paper work as a clinic and increase efficiency and accuracy through the use of standardized financial and administrative transactions and data elements for transactions. HIPAA will change this practice by requiring payers to accept the following transaction standards for EDI:
- Claims/encounters, eligibility verification, enrollment, and related transactions: American National Standards Institute ANSI X12N
- Diagnoses and inpatient hospital services: International Classification of Diseases, 9th edition, Clinical Modification (ICD-9-CM). The standard will migrate to ICD-10 in 2001 or 2002, whenever the new system is ready for adoption.
- Procedures: ICD-9-CM Volume 3 and HCFA Common Procedural Coding System (HCPCS)
- Physician services: Current Procedural Terminology (CPT)
The standardization of electronic transactions and code sets creates a concern for the privacy of the patient since everyone will be placed on one system. With the 1996 passage of HIPAA, Congress was granted 36 months to pass privacy legislation. After Congress failed to meet this deadline, HIPAA authorized DHHS to promulgate final regulations to protect patient privacy. DHHS published a NPRM for individually identifiable health information on November 3, 1999. After reviewing more than 50,000 comments, DHHS published the final regulations on December 28, 2000.
These standards outline specific rights for individuals regarding protected health information and obligations of healthcare providers, health plans, and health care clearinghouses. The privacy regulations grant healthcare consumers a greater level of control over the use and disclosure of personally identifiable health information. In general, healthcare providers, health plans, and clearinghouses are prohibited from using or disclosing health information except as authorized by the patient or specifically permitted by the regulation. The final rule’s applicability is expanded to include all personally identifiable health information, irrespective of form. There is no longer an exclusion for written medical records never transferred to electronic form or oral communications. The regulations are applicable to all health information held or created by the health care practitioner. This expansion eliminates the anticipated confusion of handling various categories of records differently.
Health plans and healthcare providers must inform their patients/beneficiaries of their business practices concerning the use and disclosure of health information. Direct healthcare providers must obtain written consent from a patient for use and disclosure of health information, even if the use or disclosure is to relate such routine purposes as treatment or payment. A separate, specific authorization is required for non-routine disclosures. Finally, as a component of the consent process, patients are granted the opportunity to request restrictions on the use and disclosure of their health information. Within 60 days of a request, patients are entitled to a disclosure history identifying all entities that received health information unrelated to treatment or payment. Patients also have a right to review and copy their own medical records and have the corresponding right to request amendments or corrections to potentially harmful errors within the record.
As healthcare providers, we are required to create privacy-conscious business practices, which include the requirement that only the minimum amount of health information necessary is disclosed. In addition, business practices should ensure the internal protection of medical records, employee privacy training and education, creation of mechanism for addressing patient privacy complaints, and designation of a privacy official. Overall, covered entities are encouraged to use de-identifiable information whenever possible. Once information is in a de-identifiable form, it is no longer subject to the privacy regulation restrictions.
Although the anticipated compliance date for the privacy regulations is February 26, 2003, it is the intent of this clinic to observe and follow to the best of our ability all known regulations immediately
- Unique Identifiers
Standardization of the system also requires the standardization of identifiers for all those involved in the health care system. The standard identifiers included in the HIPAA legislation are standard, unique health identifiers for each health care provider, employer, health plan, and individual (patient). Although final rules have not been published it is expected that the identifier will be a 10 digit numeric identifier and would be required on all standard electronic health care transactions that require provider identification.
National Provider Identifier
Historically, government and private health plans have assigned identifications numbers to providers of health care services and suppliers. These health plans, independently of each other, assign identifiers to providers for program management and operations purposes. The identifiers are not standardized within a single health plan or across plans. This lack of uniformity results in health care providers having different numbers for the same program and often multiple billing numbers issued within the same program, significantly complicating providers claims submission process.
Most health plans have coordination of benefits with other health plans to ensure appropriate payment. The lack of a single and unique identifier for each health care provider within and across health plans makes the exchanging of data expensive and difficult. The use of a standard, unique provider identifier would improve accuracy and assist in overcoming communication and coordination difficulties. All of these factors indicate the complexities of exchanging information on health care providers. As we become more dependent on data automation, electronic commerce and proceed in planning for health care delivery, the need for a universal, standard health care provider identifier becomes more and more evident. Considerable effort and research has gone into developing the standard for the provider number. Participants in this effort came from the government and private sector. Although final rules have not been published it is expected that the identifier will be a 10 digit numeric identifier and would be required on all standard electronic health care transactions that require provider identification.
Because of the widespread use of the Employer Identification Number (EIN) to identify employers in health transactions, the EIN is being proposed as the national standard for the employer identifier for electronic health transactions. The EIN is an identifier that is already assigned to each employer for tax identification purposes and its adoption would not result in additional data collections or paperwork thereby furthering the administrative simplification objectives. The EIN is defined as the taxpayer identifying number of an individual or other person (whether or not an employer). The EIN would be nine digits separated by a hyphen and would appear as 00-0000000.
There is often confusion about the difference between privacy, confidentiality and security.
- In the context of HIPAA, privacy determines who should have access, what constitutes the patients’ right to confidentiality, and what constitutes inappropriate access to health records.
- Confidentiality establishes how the records (or the systems that hold those records) should be protected from inappropriate access.
- Security is the means by which you ensure privacy and confidentiality.
The new security standards were designed to protect all electronic health information from improper access or alteration, and to protect against loss of records. Health plans,
health care clearinghouses, and health care providers would use the security standards to develop and maintain the security of all electronic individual health information.
The proposed security standard is divided into four categories:
Administrative procedures used to guard data integrity, confidentiality, and availability. These are documented, formal procedures for selecting and executing information security measures. These procedures also address staff responsibilities for protecting data.
Physical safeguards to guard data integrity, confidentiality, and availability. These safeguards protect physical computer systems and related buildings and equipment from fire and other environmental hazards, as well as intrusion. The use of locks, keys, and administrative measures used to control access to computer systems and facilities are also included.
Technical data security services to guard data integrity, confidentiality, and availability. These include the processes used to protect, control, and monitor information access.
Technical security mechanisms. These include processes used to prevent unauthorized access to data transmitted over a communications network.
Under the Privacy regulations, the DHHS Secretary has delegated enforcement responsibilities to the DHHS Office for Civil Rights (OCR). The OCR will be responsible for (1) assisting with voluntary compliance efforts, (2) responding to questions on regulations, interpretation and guidance, (3) responding to state requests for exception determinations, (4) investigating complaints, (5) conducting compliance surveys, and (6) when a covered entity does not voluntarily comply, assessing CMPs and referring criminal prosecution.
Patient Benefits as a Result of HIPAA
The Privacy Rule for the first time creates national standards to protect individuals’ medical records and other personal health information.
- It gives patients more control over their health information.
- It sets boundaries on the use and release of health records.
- It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
- It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.
- And it strikes a balance when public responsibility requires disclosure of some forms of data – for example, to protect public health.
For patients – it means being able to make informed choices when seeking care and reimbursement for care based on how personal health information may be used.
- It enables patients to find out how their information may be used and what disclosures of their information have been made.
- It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.
- It gives patients the right to examine and obtain a copy of their own health records and request corrections.
Frequently Asked Questions
Q: What does this regulation require our office to do?
A: For the average health care provider such as our chiropractic office, the Privacy Rule requires activities, such as:
- Providing information to patients about their privacy rights and how their information can be used.
- Adopting clear privacy procedures for its practice.
- Training employees so that they understand the privacy procedures.
- Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.
- Securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them.
To ease the burden of complying with the new requirements, the Privacy Rule gives needed flexibility for providers such as our chiropractic office to create their own privacy procedures, tailored to fit their size and needs. The scalability of the rules provides a more efficient and appropriate means of safeguarding protected health information than would any single standard. For example,
- The privacy official at a chiropractic practice may be the office manager or a chiropractic assistant, who will have other non-privacy related duties.
- We have chosen to fulfill the training requirement by providing each new member of our staff with a copy of its privacy policies and documenting that the new members have reviewed the policies through this interactive on-line program.
- The policies and procedures of our chiropractic office may be more limited under the rule than those of a large hospital or health plan, based on the volume of health information maintained and the number of interactions with those within and outside of the health care system.
Q: Can we “avoid” HIPAA regulations by going cash?
A: No. Here is a quote from HHS: “The final rule’s applicability is expanded to include all personally identifiable health information, irrespective of form. There is no longer an exclusion for written medical records never transferred to electronic form or oral communications. The regulations are applicable to all health information held or created by the health care practitioner. This expansion eliminates the anticipated confusion of handling various categories of records differently.”
This clinic strives to be fully compliant with all of the complex rules and regulations concerning the healthcare industry. The future growth and well being of the clinic and its employees depend, in part, upon all employees of the clinic complying with the law and conducting their business activities with honesty, integrity, and fairness toward fellow employees and patients.
Since many of our policies involve intricate, legal and regulatory matters, you are not necessarily expected to understand all areas. You are, however, expected to realize when to ask for guidance. Through your active participation in meeting the demands of these compliance policies, it is hoped that the clinic will receive the rewards of your contribution and you will have an enjoyable employment experience while adding to your professional growth.
Patient Privacy Procedures and Policies
Patient Consent Forms –Our office will use an Acknowledgement and Consent form to document the receipt of the Notice of Privacy Policies and the patient’s consent to use PHI in a manner consistent with our policies and law.
The Privacy Rule establishes a federal requirement that most doctors, hospitals, or other health care providers obtain a patient’s written consent before using or disclosing the patient’s personal health information to carry out treatment, payment, or health care operations (TPO). Today, many health care providers, for professional or ethical reasons, routinely obtain a patient’s consent for disclosure of information to insurance companies or for other purposes. The Privacy Rule builds on these practices by establishing a uniform standard for certain health care providers to obtain their patients’ consent for uses and disclosures of health information about the patient to carry out TPO.
- Patient consent is required before a covered health care provider that has a direct treatment relationship with the patient may use or disclose protected health information (PHI) for purposes of TPO. Exceptions to this standard are shown in the next bullet.
- Uses and disclosures for TPO may be permitted without prior consent in an emergency, when a provider is required by law to treat the individual, or when there are substantial communication barriers.
- Health care providers that have indirect treatment relationships with patients (such as laboratories that only interact with physicians and not patients), health plans, and health care clearinghouses may use and disclose PHI for purposes of TPO without obtaining a patient’s consent. The rule permits such entities to obtain consent, if they choose.
- If a patient refuses to consent to the use or disclosure of their PHI to carry out TPO, the health care provider may refuse to treat the patient.
- A patient’s written consent need only be obtained by a provider one time.
- The consent document may be brief and may be written in general terms. It must be written in plain language, inform the individual that information may be used and disclosed for TPO, state the patient’s rights to review the provider’s privacy notice, to request restrictions and to revoke consent, and be dated and signed by the individual (or his or her representative).
- An individual may revoke consent in writing, except to the extent that our chiropractic office has taken action in reliance on the consent.
- An individual may request restrictions on uses or disclosures of health information for TPO. Our office is not required to agree to the restriction requested except as set forth below, but is bound by any restriction to which it agrees.
- An individual has the right to request that this office not disclose to a patient’s health insurance company, HMO or other payer any PHI related to any treatment the patient has elected to pay “out-of-pocket.”
- An individual will have access to a notice of our office privacy practices and may review (but is not required to review) that notice prior to signing a consent.
- An individual has a right to request that their PHI is not used for marketing and fundraising.
- An individual has a right to amend their PHI when it is inaccurate or incomplete.
- An individual has the right to request a copy of their PHI and we must provide that copy within 30 days of the written request. If we keep our records in an electronic format, the individual has a right their PHI in an electronic format of their choosing, if the records are readily reproducible in that format. If it is impossible to provide the records in the format requested by the patient, a mutual format must be agreed upon.
Our chiropractic office must retain the signed consent for 6 years from the date it was last in effect. The Privacy Rule does not dictate the form in which these consents are to be retained by our office.
- Certain integrated covered entities may obtain one joint consent for multiple entities.
- If our office obtains consent and also receives an authorization to disclose PHI for TPO, we may disclose information only in accordance with the more restrictive document, unless the covered entity resolves the conflict with the individual.
- Transition provisions allow our office to rely on consents received prior to April 14, 2003 (the compliance date of the Privacy Rule for most covered entities), for uses and disclosures of health information obtained prior to that date.
Patients have the right to revoke their consent at any time by completing the Revocation form. Our office cannot withhold treatment based upon the revocation, but this may effect our ability to see the patient in the future, The patient should be informed that they may no longer be able to be seen in our office.
Q: Will the consent requirement restrict the ability of providers to consult with other providers about a patient’s condition?
A: No. A chiropractor with a direct treatment relationship with a patient would have to have initially obtained consent to use that patient’s health information for treatment purposes. Consulting with another health care provider about the patient’s case falls within the definition of “treatment” and, therefore, is permissible. If the provider being consulted does not otherwise have a direct treatment relationship with the patient, that provider does not need to obtain the patient’s consent to engage in the consultation.
Q: What is the interaction between “consent” and “notice”?
A: The consent and the notice of privacy practices are two distinct documents. A consent document is brief (may be less than one page). It must refer to the notice and must inform the individual that he has the opportunity to review the notice prior to signing the consent. The Privacy Rule does not require that the individual read the notice or that our chiropractic office explains each item in the notice before the individual provides consent. We expect that some patients will simply sign the consent while others will read the notice carefully and discuss some of the practices with our office.
Q: May consent for use or disclosure of PHI be provided electronically?
A: Yes. Our practice may choose to obtain and store consents in paper or electronic form, provided that the consent meets all of the requirements under the Privacy Rule, including that it be signed by the individual. Paper is not required.
Q: Must someone from our office verify a signature on a consent form if the individual is not present when he signs it?
Q: May consent be obtained by a chiropractor only one time even though there is a connected course of treatment involving multiple visits?
A: Yes. A chiropractor needs to obtain consent from a patient for use or disclosure of PHI only one time. This is true regardless of whether there is a connected course of treatment or treatment for unrelated conditions. A chiropractor will need to obtain a new consent from a patient only if the patient has revoked the consent between treatments or if the consent form has changed.
Q: If an individual consents to the use or disclosure of PHI for TPO purposes, begins chiropractic care and then revokes consent before the chiropractor bills for such service, is the provider precluded from billing for such service?
A: No. A health care provider that provides a health care service to an individual after obtaining consent from the individual may bill for such service even if the individual immediately revokes consent after the service has been provided. The Privacy Rule requires that an individual be permitted to revoke consent, but provides that the revocation is not effective to the extent that the health care provider has acted in reliance on the consent. Where the provider has obtained consent and provided a health care service pursuant to that consent with the expectation that he or she could bill for the service, the health care provider has acted in reliance on the consent. The revocation would not interfere with the billing or reimbursement for that care.
Q: Must a revocation of consent be in writing?
Q: Are health plans and health care clearinghouses required by the Privacy Rule to have some form of express legal permission to use and disclose health information obtained prior to the compliance date for TPO purposes?
A: No. Health plans and health care clearinghouses are not required to have express legal permission from individuals to use or disclose health information obtained prior to the compliance date for their own TPO purposes.
PATIENT CONSENT FORM
We will provide patients with a notice of the patient’s privacy rights and the privacy practices of the covered entity. The notice requires direct treatment providers to make a good faith effort to obtain patient’s written acknowledgement of the notice of privacy rights and practices. The Rule promotes access to care by removing mandatory consent requirements that would inhibit patient access to health care while providing covered entities with the option of developing a consent process that works for that entity. Department makes changes to protect privacy while eliminating barriers to treatment by strengthening the notice requirements and making consent for routine health care delivery (TPO) optional. The Rule requires also allows consent requirements already in place to continue.
Our office will use an Acknowledgement and Consent form to document the receipt of the Notice of Privacy Policies and the patient’s consent to use PHI in a manner consistent with our policies and law.
The Privacy Rule generally requires our chiropractic office to take reasonable steps to limit the use or disclosure of, and requests for protected health information (PHI) to the minimum necessary to accomplish the intended purpose.
The minimum necessary provisions do not apply to the following:
- Disclosures to or requests by a health care provider for treatment purposes.
- Disclosures to the individual who is the subject of the information.
- Uses or disclosures made pursuant to an authorization requested by the individual.
- Uses or disclosures required for compliance with the standardized Health Insurance Portability and Accountability Act (HIPAA) transactions.
- Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the rule for enforcement purposes.
- Uses or disclosures that are required by other law.
The implementation specifications for this provision require a chiropractor to develop and implement policies and procedures appropriate for its own organization, reflecting the entity’s business practices and workforce.
Uses and Disclosures of, and Requests for PHI
For uses of PHI, the policies and procedures must identify the persons or classes of persons within the chiropractic office who need access to the information to carry out their job duties, the categories or types of PHI needed, and conditions appropriate to such access. For routine or recurring requests and disclosures, the policies and procedures may be standard protocols and must limit PHI disclosed or requested to that which is the minimum necessary for that particular type of disclosure or request. Individual review of each disclosure or request is not required.
For non-routine disclosures, chiropractors must develop reasonable criteria for determining, and limiting disclosure to, only the minimum amount of PHI necessary to accomplish the purpose of a non-routine disclosure. Non-routine disclosures must be reviewed on an individual basis in accordance with these criteria. When making non-routine requests for PHI, the chiropractor must review each request so as to ask for only that information reasonably necessary for the purpose of the request.
Permitted Uses and Disclosures of PHI
Permitted Uses and Disclosures. This office is permitted to use and disclose protected health information, without an patient’s authorization, for the following purposes or situations: (1) To the Patient (unless required for access or accounting of disclosures); (2) Treatment, Payment, and Health Care Operations; (3) Opportunity to Agree or Object; (4) Incident to an otherwise permitted use and disclosure; (5) Public Interest and Benefit Activities; and (6) Limited Data Set for the purposes of research, public health or health care operations. We will rely on our professional ethics and best judgments in deciding which of these permissive uses and disclosures to make.
(1) To the Patient. This office may disclose protected health information to the patient who is the subject of the information.
(2) Treatment, Payment, Health Care Operations. This office may use and disclose protected health information for its own treatment, payment, and health care operations activities. We may also disclose protected health information for the treatment activities of any health care provider, the payment activities of another covered entity and of any health care provider, or the health care operations of another covered entity involving either quality or competency assurance activities or fraud and abuse detection and compliance activities, if both covered entities have or had a relationship with the patient and the protected health information pertains to the relationship.
- a) Treatment is the provision, coordination, or management of health care and related services for a patient by one or more health care providers, including consultation between providers regarding a patient and referral of a patient by one provider to another.
b) Payment encompasses activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and furnish or obtain reimbursement for health care delivered to an patient and activities of a health care provider to obtain payment or be reimbursed for the provision of health care to an patient.
- c) Health care operations are any of the following activities: (a) quality assessment and improvement activities, including case management and care coordination; (b) competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation; (c) conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs; (d) specified insurance functions, such as underwriting, risk rating, and reinsuring risk; (e) business planning, development, management, and administration; and (f) business management and general administrative activities of the entity, including but not limited to: de-identifying protected health information, creating a limited data set, and certain fundraising for the benefit of the covered entity.
In the unlikely event this office might, obtain, use or disclosure psychotherapy notes for treatment, payment, and health care operations purposes, we will require a written authorization from the patient prior to use or disclosure of the psychotherapy notes.
(3) Uses and Disclosures with Opportunity to Agree or Object. Informal permission may be obtained by asking the patient outright, or by circumstances that clearly give the patient the opportunity to agree, acquiesce, or object. Where the patient is incapacitated, in an emergency situation, or not available, this office may generally make such uses and disclosures, if in the exercise of our professional judgment, the use or disclosure is determined to be in the best interests of the patient.
Facility Directories. It is a common practice in many health care facilities, such as hospitals, to maintain a directory of patient contact information. A covered health care provider may rely on a patient’s informal permission to list in its facility directory the patient’s name, general condition, religious affiliation, and location in the provider’s facility. The provider may then disclose the patient’s condition and location in the facility to anyone asking for the patient by name, and also may disclose religious affiliation to clergy. Members of the clergy are not required to ask for the patient by name when inquiring about patient religious affiliation. We do not anticipate creating such a Facility Directory, but we need to advise you of the scope of the rule.
For Notification and Other Purposes. This office may also rely on a patient’s informal permission to disclose to the patient’s family, relatives, or friends, or to other persons whom the patient identifies, protected health information directly relevant to that person’s involvement in the patient’s care or payment for care. This provision, for example, allows a pharmacist to dispense filled prescriptions to a person acting on behalf of the patient. Similarly, a covered entity may rely on an patient’s informal permission to use or disclose protected health information for the purpose of notifying (including identifying or locating) family members, personal representatives, or others responsible for the patient’s care of the patient’s location, general condition, or death. In addition, protected health information may be disclosed for notification purposes to public or private entities authorized by law or charter to assist in disaster relief efforts.
(4) Incidental Use and Disclosure. The Privacy Rule does not require that every risk of an incidental use or disclosure of protected health information be eliminated. A use or disclosure of this information that occurs as a result of, or as “incident to,” an otherwise permitted use or disclosure is permitted as long as this office has adopted reasonable safeguards as required by the Privacy Rule, and the information being shared was limited to the “minimum necessary,” as required by HIPAA.
(5) Public Interest and Benefit Activities. HIPAA permits use and disclosure of protected health information, without a patient’s authorization or permission, for 12 national priority purposes. These disclosures are permitted, although not required, by the Rule in recognition of the important uses made of health information outside of the health care context. Specific conditions or limitations apply to each public interest purpose, striking the balance between the patient privacy interest and the public interest need for this information. Those purposes are:
Required by Law. This office may use and disclose protected health information without patient authorization as required by law (including by statute, regulation, or court orders).
Public Health Activities. This office may disclose protected health information to: (1) public health authorities authorized by law to collect or receive such information for preventing or controlling disease, injury, or disability and to public health or other government authorities authorized to receive reports of child abuse and neglect; (2) entities subject to FDA regulation regarding FDA regulated products or activities for purposes such as adverse event reporting, tracking of products, product recalls, and post-marketing surveillance; (3) patients who may have contracted or been exposed to a communicable disease when notification is authorized by law; and (4) employers, regarding employees, when requested by employers, for information concerning a work-related illness or injury or workplace related medical surveillance, because such information is needed by the employer to comply with the Occupational Safety and Health Administration (OHSA), the Mine Safety and Health Administration (MHSA), or similar state law..
Victims of Abuse, Neglect or Domestic Violence. In certain circumstances, this office may disclose protected health information to appropriate government authorities regarding victims of abuse, neglect, or domestic violence.31
Health Oversight Activities. This office may disclose protected health information to health oversight agencies, as defined by HIPAA, for purposes of legally authorized health oversight activities, such as audits and investigations necessary for oversight of the health care system and government benefit programs.
Judicial and Administrative Proceedings. This office may disclose protected health information in a judicial or administrative proceeding if the request for the information is through an order from a court or administrative tribunal. Such information may also be disclosed in response to a subpoena or other lawful process if certain assurances regarding notice to the patient or a protective order are provided.
Law Enforcement Purposes. This office may disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances, and subject to specified conditions: (1) as required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests; (2) to identify or locate a suspect, fugitive, material witness, or missing person; (3) in response to a law enforcement official’s request for information about a victim or suspected victim of a crime; (4) to alert law enforcement of a person’s death, if the covered entity suspects that criminal activity caused the death; (5) when a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and (6) by a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.
Decedents. This office may disclose protected health information to funeral directors as needed, and to coroners or medical examiners to identify a deceased person, determine the cause of death, and perform other functions authorized by law.
Cadaveric Organ, Eye, or Tissue Donation. This office may use or disclose protected health information to facilitate the donation and transplantation of cadaveric organs, eyes, and tissue.
Research. “Research” is defined by HIPAA as any systematic investigation designed to develop or contribute to generalizable knowledge. HIPAA permits this office to use and disclose protected health information for research purposes, without an patient’s authorization, provided the covered entity obtains either: (1) documentation that an alteration or waiver of patients’ authorization for the use or disclosure of protected health information about them for research purposes has been approved by an Institutional Review Board or Privacy Board; (2) representations from the researcher that the use or disclosure of the protected health information is solely to prepare a research protocol or for similar purpose preparatory to research, that the researcher will not remove any protected health information from the covered entity, and that protected health information for which access is sought is necessary for the research; or (3) representations from the researcher that the use or disclosure sought is solely for research on the protected health information of decedents, that the protected health information sought is necessary for the research, and, at the request of the covered entity, documentation of the death of the patients about whom information is sought. A covered entity also may use or disclose, without an patients’ authorization, a limited data set of protected health information for research purposes
Serious Threat to Health or Safety. This office may disclose protected health information that they believe is necessary to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat (including the target of the threat). This office may also disclose to law enforcement if the information is needed to identify or apprehend an escapee or violent criminal.
Essential Government Functions. An authorization is not required to use or disclose protected health information for certain essential government functions. Such functions include: assuring proper execution of a military mission, conducting intelligence and national security activities that are authorized by law, providing protective services to the President, making medical suitability determinations for U.S. State Department employees, protecting the health and safety of inmates or employees in a correctional institution, and determining eligibility for or conducting enrollment in certain government benefit programs.
Workers’ Compensation. This office may disclose protected health information as authorized by, and to comply with, workers’ compensation laws and other similar programs providing benefits for work-related injuries or illnesses.
Q: How does our clinic expect to determine what is the minimum necessary information that can be used, disclosed, or requested for a particular purpose?
A: The Privacy Rule requires a chiropractor to make reasonable efforts to limit use, disclosure of, and requests for PHI to the minimum necessary to accomplish the intended purpose. To allow chiropractors the flexibility to address their unique circumstances, the rule requires chiropractors to make their own assessment of what PHI is reasonably necessary for a particular purpose, given the characteristics of their business and workforce, and to implement policies and procedures accordingly. This is not a strict standard and chiropractors need not limit information uses or disclosures to those that are absolutely needed to serve the purpose. Rather, this is a reasonableness standard that calls for an approach consistent with the best practices and guidelines already used by many providers today to limit the unnecessary sharing of medical information.
The minimum necessary standard is intended to make chiropractors evaluate their practices and enhance protections as needed to prevent unnecessary or inappropriate access to PHI. It is intended to reflect and be consistent with, not override professional judgment and standards.
Q: Won’t the minimum necessary restrictions impede the delivery of quality health care by preventing or hindering necessary exchanges of patient medical information among health care providers involved in treatment?
A: No. Disclosures for treatment purposes (including requests for disclosures) between health care providers are explicitly exempted from the minimum necessary requirements.
The Privacy Rule provides the clinic with substantial discretion as to how to implement the minimum necessary standard, and appropriately and reasonably limit access to the use of identifiable health information within the practice. The rule recognizes that the chiropractor is in the best position to know and determine who in its workforce needs access to personal health information to perform their jobs. Therefore, the chiropractor can develop role-based access policies that allow its health care providers and other employees, as appropriate, access to patient information, including entire medical records, for treatment purposes.
Q: Does the rule strictly prohibit use, disclosure, or requests of an entire medical record? Does the rule prevent use, disclosure, or requests of entire medical records without case-by-case justification?
A: No. The Privacy Rule does not prohibit use, disclosure, or requests of an entire medical record. Our clinic may use, disclose, or request an entire medical record, without a case-by-case justification, if we have documented in our records that the entire medical record is the amount reasonably necessary for certain identified purposes. For uses, our policies and procedures identify those persons or classes of person in the workforce that need to see the entire medical record and the conditions, if any, hat are appropriate for such access. Policies and procedures for routine disclosures and requests and the criteria used for non-routine disclosures identify the circumstances under which disclosing or requesting the entire medical record is reasonably necessary for particular purposes. In making non-routine requests, the attending physician may establish and utilize criteria to assist in determining when to request the entire medical record.
The Privacy Rule does not require that a justification be provided with respect to each distinct medical record.
Finally, no justification is needed in those instances where the minimum necessary standard does not apply, such as disclosures to or requests by a health care provider for treatment or disclosures to the individual.
Q: In limiting access, is your office required to completely restructure existing workflow systems, including redesigns of office space and upgrades of computer systems, in order to comply with the minimum necessary requirements?
A: No. The basic standard for minimum necessary uses requires that chiropractor make reasonable efforts to limit access to PHI to those in the workforce that need access based on their roles in the covered entity.
The Department of Health and Human Services generally does not consider facility redesigns as necessary to meet the reasonableness standard for minimum necessary uses. However, our chiropractic clinic has volunteered to make certain adjustments to our facility to minimize access, such as isolating and locking file cabinets or records rooms, and providing additional security, such as passwords, on computers maintaining personal information and keeping those computers from outside public access.
Q: Do the minimum necessary requirements prohibit our practice from maintaining patient medical charts in the treatment room or require that X-ray light boards be isolated?
A: No. The minimum necessary standards do not require that chiropractors take any of these specific measures. Chiropractors must, in accordance with other provisions of the Privacy Rule, take reasonable precautions to prevent inadvertent or unnecessary disclosures. For example, while the Privacy Rule does not require that X-ray boards be totally isolated from all other functions, it does require the chiropractor to take reasonable precautions to protect X-rays from being accessible to the public. The patients’ x-rays should not be left in full view of the public.
Q: Will doctors’ and physicians’ offices be allowed to continue using sign-in sheets in waiting rooms?
A: The Privacy Rule did not intend to prohibit the use of sign-in sheets, but understands that the Privacy Rule is ambiguous about this common practice. Therefore, there is proposed modifications to the rule to clarify that this and similar practices are permissible.
The Privacy Rule applies to patient health information in all forms, electronic, written, oral, and any other. Coverage of oral (spoken) information ensures that information retains protections when discussed or read aloud from a computer screen or a written document. If oral communications were not covered, any health information could be disclosed to any person, so long as the disclosure was spoken.
The Rule acknowledges that uses or disclosures that are incidental to an otherwise permitted use or disclosure may occur. Such incidental uses or disclosures are not considered a violation of the Rule provided that the covered entity has met the reasonable safeguards and minimum necessary requirements. For example, doctors’ offices may use waiting room sign-in sheets, hospitals may keep patient charts at bedside, doctors can talk to patients in semi-private rooms, and doctors can confer at nurse’s stations without fear of violating the rule if overheard by a passerby.
- Chiropractors must reasonably safeguard protected health information (PHI) – including oral information – from any intentional or unintentional use or disclosure that is in violation of the rule (see § 164.530(c)(2)). They must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. “Reasonably safeguard” means that chiropractors must make reasonable efforts to prevent uses and disclosures not permitted by the rule. However, we do not expect reasonable safeguards to guarantee the privacy of PHI from any and all potential risks. In determining whether a chiropractor has provided reasonable safeguards, the Department will take into account all the circumstances, including the potential effects on patient care and the financial and administrative burden of any safeguards.
- Loehr Health Center makes it a practice to ensure reasonable safeguards for oral information – for instance, by speaking quietly when discussing a patient’s condition with family members in a waiting room or other public areas, and by avoiding using patients’ names in public hallways and elevators.
A current change being made to the Rule will increase the confidence that you are free to engage in whatever communications are required for quick, effective, high quality health care, including routine oral communications with family members, treatment discussions with staff involved in coordination of patient care, and using patient names to locate them in waiting areas.
Oral Communications with Patient in the Presence of Patients Family or Friends
We may engage in oral communications with the patient in the presence of the patient’s family or friends as long as the patient is provided an adequate opportunity to object. If the patient objects, all communications in front of family or friends must cease.
Q: If health care providers engage in confidential conversations with other providers or with patients, have they violated the rule if there is a possibility that they could be overheard?
A: The Privacy Rule is not intended to prohibit providers from talking to each other and to their patients. Provisions of this rule requiring the clinic to implement reasonable safeguards that reflect their particular circumstances and exempting treatment disclosures from certain requirements are intended to ensure that providers’ primary consideration is the appropriate treatment of their patients. We also understand that overheard communications are unavoidable. The Privacy Rule is not intended to prevent appropriate behavior. We would consider the following practices to be permissible, if reasonable precautions were taken to minimize the chance of inadvertent disclosures to others who may be nearby (such as using lowered voices, talking apart):
- Health care staff may orally coordinate services at different stations in the office.
- Physicians, nurses or other health care professionals may discuss a patient’s condition over the phone with the patient, a provider, or a family member.
- A health care professional may discuss test results with a patient or other provider in a joint treatment area.
- Health care professionals may discuss a patient’s condition during training rounds in an academic or training institution.
Regulatory language has also been introduced to reinforce and clarify that these and similar oral communications (such as calling out patient names in a waiting room) are permissible.
Q: Does the Privacy Rule require chiropractic offices to be retrofitted, to provide private rooms, and soundproof walls to avoid any possibility that a conversation is overheard?
A: No, the Privacy Rule does not require these types of structural changes be made to facilities.
Chiropractic offices must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. “Reasonable safeguards” mean that as health care providers we must make reasonable efforts to prevent uses and disclosures not permitted by the rule. The Department of Health and Human Services does not consider facility restructuring to be a requirement under this standard. In determining what is reasonable, the Department will take into account the concerns of our office regarding potential effects on patient care and financial burden.
For example, the Privacy Rule does not require the following types of structural or systems changes:
- Private rooms.
- Soundproofing of rooms.
- Encryption of wireless or other emergency medical radio communications which can be intercepted by scanners.
- Encryption of telephone systems.
Our office must provide reasonable safeguards to avoid prohibited disclosures. The rule does not require that all risk be eliminated to satisfy this standard. We are required to review our own practice and determine what steps are reasonable to safeguard their patient information.
Examples of the types of adjustments or modifications to facilities or systems that may constitute reasonable safeguards are:
- The clinic could add curtains or screens to areas where oral communications often occur between doctors and patients or among professionals treating the patient.
- In an area where multiple patient-staff communications routinely occur, use of cubicles, dividers, shields, or similar barriers may constitute a reasonable safeguard. For example, as our clinic gets larger, the treatment area may reasonably use cubicles or shield-type dividers, rather than separate rooms.
In assessing what is “reasonable,” our office will also consider the viewpoint of prudent professionals.
By law, the Privacy Rule applies only to health plans, health care clearinghouses, and certain health care providers. In today’s health care system, however, most health care providers and health plans do not carry out all of their health care activities and functions by themselves; they require assistance from a variety of contractors and other businesses. In allowing providers and plans to give protected health information (PHI) to these “business associates,” the Privacy Rule conditions such disclosures on the provider or plan obtaining, typically by contract, satisfactory assurances that the business associate will use the information only for the purposes for which they were engaged by the clinic, will safeguard the information from misuse, and will help the our clinic comply with the practice duties to provide individuals with access to health information about them and a history of certain disclosures (e.g., if the business associate maintains the only copy of information, it must promise to cooperate with our chiropractic clinic to provide individuals access to information upon request). PHI may be disclosed to a business associate only to help the providers and plans carry out their health care functions – not for independent use by the business associate.
What is a “business associate”?
- A business associate is a person or entity who provides certain functions, activities, or services for or to our chiropractic clinic, involving the use and/or disclosure of PHI.
- A business associate is not a member of the health care provider, health plan, or other covered entity’s workforce.
- A health care provider, health plan, or other covered entity can also be a business associate to another covered entity.
- The rule includes exceptions. The business associate requirements do not apply to covered entities who disclose PHI to providers for treatment purposes – for example, information exchanges between a hospital or medical doctor and our chiropractic physicians.
Q: Is it reasonable for our practice to be held liable for the privacy violations of business associates?
A: A health care provider, health plan, or other covered entity is not liable for privacy violations of a business associate. Our clinic is not required to actively monitor or oversee the means by which the business associate carries out safeguards or the extent to which the business associate abides by the requirements of the contract.
Moreover, a business associate’s violation of the terms of the contract does not, in and of itself, constitute a violation of the rule by our practice. The contract must obligate the business associate to advise us when violations have occurred.
If our office becomes aware of a pattern or practice of the business associate that constitutes a material breach or violation of the business associate’s obligations under its contract, we must take “reasonable steps” to cure the breach or to end the violation. Reasonable steps will vary with the circumstances and nature of the business relationship.
If such steps are not successful, our office must terminate the contract if feasible. The rule also provides for circumstances in which termination is not feasible, for example, where there are no other viable business alternatives for our clinic to take. In such circumstances where termination is not feasible, we must report the problem to the Department of Health and Human Services.
Only if our clinic fails to take the kinds of steps described above would it be considered to be out of compliance with the requirements of the rule.
PARENTS AND MINORS
The Privacy Rule provides individuals with certain rights with respect to their personal health information, including the right to obtain access to and to request amendment of health information about themselves. These rights rest with that individual, or with the “personal representative” of that individual. In general, a person’s right to control protected health information (PHI) is based on that person’s right (under state or other applicable law, e.g., tribal or military law) to control the health care itself.
Because a parent usually has authority to make health care decisions about his or her minor child, a parent is generally a “personal representative” of his or her minor child under the Privacy Rule and has the right to obtain access to health information about his or her minor child. This would also be true in the case of a guardian or other person acting in loco parentis of a minor.
There are exceptions in which a parent might not be the “personal representative” with respect to certain health information about a minor child. In the following situations, the Privacy Rule defers to determinations under other law that the parent does not control the minor’s health care decisions and, thus, does not control the PHI related to that care.
- When state or other law does not require consent of a parent or other person before a minor can obtain a particular health care service, and the minor consents to the health care service, the parent is not the minor’s personal representative under the Privacy Rule. The minor may choose to involve a parent in these health care decisions without giving up his or her right to control the related health information. Of course, the minor may always have the parent continue to be his or her personal representative even in these situations.
- When a court determines or other law authorizes someone other than the parent to make treatment decisions for a minor, the parent is not the personal representative of the minor for the relevant services. For example, courts may grant authority to make health care decisions for the minor to an adult other than the parent, to the minor, or the court may make the decision(s) itself. In order to not undermine these court decisions, the parent is not the personal representative under the Privacy Rule in these circumstances.
In the following situations, the Privacy Rule reflects current professional practice in determining that the parent is not the minor’s personal representative with respect to the relevant PHI:
- When a parent agrees to a confidential relationship between the minor and the physician, the parent does not have access to the health information related to that conversation or relationship. For example, if a physician asks the parent of a 16-year old if the physician can talk with the child confidentially about a medical condition and the parent agrees, the parent would not control the PHI that was discussed during that confidential conference.
- When a physician (or other covered entity) reasonably believes in his or her professional judgment that the child has been or may be subjected to abuse or neglect, or that treating the parent as the child’s personal representative could endanger the child, the physician may choose not to treat the parent as the personal representative of the child.
Relation to State Law
In addition to the provisions (described above) tying the right to control information to the right to control treatment, the Privacy Rule also states that it does not preempt state laws that specifically address disclosure of health information about a minor to a parent (§ 160.202). This is true whether the state law authorizes or prohibits such disclosure. Thus, if a physician believes that disclosure of information about a minor would endanger that minor, but a state law requires disclosure to a parent, the physician may comply with the state law without violating the Privacy Rule. Similarly, a provider may comply with a state law that requires disclosure to a parent and would not have to accommodate a request for confidential communications that would be contrary to state law.
Q: Does the Privacy Rule allow parents the right to see their children’s medical records?
A: This has been modified in the Rule to read as follows: The Rule clarifies that state law, or other applicable law, governs in the area of parents and minors. Generally, the Privacy Rule provides parents with new rights to control the health information about their minor children, with limited exceptions that are based on state or other applicable law and professional practice. For example, where a state has explicitly addressed disclosure of a minor’s health information to a parent, or access to a child’s medical record by a parent, the Rule clarifies that state law governs. In addition, the Rule clarifies that, in the special cases in which the minor controls his or her own health information under such law and that law does not define the parents’ ability to access the child’s health information a licensed health care provider continues to be able to exercise discretion to grant or deny such access as long as that decision is consistent with the state or other applicable law.
HEALTH-RELATED COMMUNICATIONS AND MARKETING
The Privacy Rule addresses the use and disclosure of protected health information (PHI) for marketing purposes in the following ways:
- Defines what is “marketing” under the rule;
- Removes from that definition certain treatment or health care operations activities;
- Set limits on the kind of marketing that can be done as a health care operation; and
- Requires individual authorization for all other uses or disclosures of PHI for marketing purposes.
What Is Marketing
The Privacy Rule defines “marketing” as “a communication about a product or service a purpose of which is to encourage recipients of the communication to purchase or use the product or service.” To make this definition easier for chiropractic offices to understand and comply with, the Department specified what “marketing” is not, as well as generally defined what it is. As questions arise about what activities are “marketing” under the Privacy Rule, additional clarification will be given regarding such activities.
Communications That Are Not Marketing
The Privacy Rule carves out activities that are not considered marketing under this definition. In recommending treatments or describing available services, health care providers and health plans are advising us to purchase goods and services. To prevent any interference with essential treatment or similar health-related communications with a patient, the rule identifies the following activities as not subject to the marketing provision, even if the activity otherwise meets the definition of marketing. (Written communications for which the practice is compensated by a third party is not carved out of the marketing definition.)
Thus, our chiropractic clinic is not “marketing” when it:
- Describes other participating providers or plans in a network. If we notify our patients of a new service or product or medical doctor that was added to the patient’s health plan, this is not engaging in marketing.
- Describes the services offered by a provider or the benefits covered by a health plan.
Furthermore, it is not marketing for our practice to use an individual’s PHI to tailor a health-related communication to that individual, when the communication is:
- Part of a provider’s treatment of the patient and for the purpose of furthering that treatment. For example, recommendations of specific brand-name or over-the-counter vitamins or nutritional supplements or the production and fitting of orthotics or referrals of patients to other providers are not marketing.
- Made in the course of managing the individual’s treatment or recommending alternative treatment. For example, reminder notices for appointments or annual exams are not marketing. Similarly, informing an individual who is a smoker about an effective smoking-cessation program is not marketing, even if that program is offered by someone other than our clinic.
Disclosure of PHI for marketing purposes is limited to disclosure to business associates that undertake marketing activities on behalf of our clinic. No other disclosure for marketing is permitted. We will not give away or sell lists of patients or enrollees without obtaining authorization from each patient on the list. As with any disclosure to a business associate, we will obtain the business associate’s agreement to use the PHI only for the marketing activities that we direct from our clinic. We will not give PHI to a business associate for the business associate’s own purposes.
In Office Procedure for Business Associates
- Each business associate will be given an agreement containing our marketing policy and stipulations for how PHI can be obtained and used by their business.
- This agreement must be signed by an official of the company and returned to us before any PHI is disclosed.
- The agreement will be kept on file in our office and will be considered in force for all patients of our clinic until otherwise notified.
Limitations on Marketing Communications
It is the policy of this chiropractic clinic that patient lists and PHI will not be given out or sold to vendors for the purpose of marketing other than the circumstances as described in “Communications That Are Not Marketing” and “Business Associates.”
Patient’s Right to Object to the use of PHI for Marketing or Fundraising Purposes
Patients have the right to object to the use of PHI for Marketing or Fundraising purposes. The patient can revoke the patient’s authorization by completing the Revocation of Authorization of Use of PHI for Marketing or Fundraising Purposes. If the patient revokes their authorization, this mean no marketing or fundraising materials shall be sent to the patient based upon health or demographic information maintained in patients file. The patient should be informed that the patient may still receive marketing or fundraising information from our office, but that the source of the demographic information will not be the patients PHI, but instead a community mailing list, such as the White Pages or other similar mailing list service.
As provided for by the Privacy Rule, this practice may use and disclose protected health information (PHI) for payment purposes. “Payment” is a defined term that encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and for a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care.
In addition to the general definition, the Privacy Rule provides examples of common payment activities that include, but are not limited to:
- Determining eligibility or coverage under a plan and adjudicating claims;
- Risk adjustments;
- Billing and collection activities;
- Reviewing health care services for medical necessity, coverage, justification of charges, and the like;
- Utilization review activities; and
- Disclosures to consumer reporting agencies (limited to specified identifying information about the individual, his or her payment history, and identifying information about the covered entity).
Rights Of Patients Who Pay “Out-Of-Pocket” To Not Have Information Disclosed To Their Health Insurance Company
A patient who pays in cash or other “out-of-pocket funds” for their office visit and treatment may request this office to not disclose the information related to their visit and treatment to their health insurance company or other payer. The patient can do this by completing the appropriate form. This form should be completed each time the patient has a visit or treatment during which the patient requests the information to not be disclosed
Q: Does the rule prevent reporting to consumer credit reporting agencies or otherwise create any conflict with the Fair Credit Reporting Act (FCRA)?
A: No. The Privacy Rule’s definition of “payment” includes disclosures to consumer reporting agencies. These disclosures, however, are limited to the following PHI about the individual: name and address; date of birth; social security number; payment history; account number. In addition, disclosure of the name and address of the health care provider or health plan making the report is allowed. The chiropractor may perform this payment activity directly or may carry out this function through a third party, such as a collection agency, under a business associate arrangement.
We are not aware of any conflict in the consumer credit reporting disclosures permitted by the Privacy Rule and FCRA. The Privacy Rule permits uses and disclosures by the covered entity or its business associate as may be required by FCRA or other law. Therefore, we do not believe there would be a conflict between the Privacy Rule and legal duties imposed on data furnishers by FCRA.
Q: Does the Privacy Rule prevent our office from using debt collection agencies? Does the rule conflict with the Fair Debt Collection Practices Act?
A: The Privacy Rule permits chiropractors to continue to use the services of debt collection agencies. Debt collection is recognized as a payment activity within the “payment” definition. Through a business associate arrangement, the chiropractor may engage a debt collection agency to perform this function on its behalf. Disclosures to collection agencies under a business associate agreement are governed by other provisions of the rule, including consent (where consent is required) and the minimum necessary requirements.
We are not aware of any conflict between the Privacy Rule and the Fair Debt Collection Practices Act. Where a use or disclosure of PHI is necessary for the practice to fulfill a legal duty, the Privacy Rule would permit such use or disclosure as required by law.
Q: Are location information services of collection agencies, which are required under the Fair Debt Collection Practices Act, permitted under the Privacy Rule?
A: “Payment” is broadly defined as activities by health plans or health care providers to obtain premiums or obtain or provide reimbursements for the provision of health care. The activities specified are by way of example and are not intended to be an exclusive listing. Billing, claims management, collection activities and related data processing are expressly included in the definition of “payment.” Obtaining information about the location of the individual is a routine activity to facilitate the collection of amounts owed and the management of accounts receivable, and, therefore, would constitute a payment activity. The clinic and its business associate would also have to comply with any limitations placed on location information services by the Fair Debt Collection Practices Act.
It is the responsibility of Loehr Health Center to assign someone on the staff to serve as privacy official. The privacy official at our clinic may be the office manager or a chiropractic assistant, who will have other non-privacy related duties.
It is this clinic’s desire for this program to aid in the identification and correction of any actual or perceived violations of HIPAA regulations and patient privacy. In order to achieve this goal, this program imposes a duty upon all employees to report to designated individuals any actual or perceived violations. To do this in a professional and lawful matter, the clinic will treat any such report confidentially and to the maximum extent consistent with the fair and rigorous enforcement of the HIPAA Program. To this end, the clinic has set up a Privacy Official and a toll free number through Integrity Management through which employees can report real or suspected non-compliance in a professional, and if necessary, anonymous way. Any suspected or actual misconduct should be reported first to the Privacy Official or if you wish to remain anonymous, through Integrity Management at (800) 843-9162. The clinic has established Integrity Management as an independent party to which employees can report issues anonymously. Issues reported through this method must contain enough information for the clinic to conduct a thorough investigation of the alleged issues. Again, it is the clinic’s express policy that no adverse action or retribution will be taken by the clinic against any employee due to an employee’s good faith reporting of a suspected violation or irregularity.
Privacy Official Information
Because of the small size of the clinic, we have elected to appoint a Privacy Official from within the clinic. The Privacy Official is, and Privacy Officials in the future will be, a) knowledgeable of normal clinic standards and procedures; b) knowledgeable of the billing and collections procedure; and c) knowledgeable of the history of the clinic to the extent this person is available on the clinic staff; and d) knowledgeable of the policies and procedures of this clinic concerning HIPAA regulations and patient privacy.
Privacy Official Indemnity
The Privacy Official shall be indemnified and held harmless from any reporting, disciplinary or other activities conducted in a legal manner as part of the Privacy Official’s duties.
As with other clinic personnel, it is the clinic’s express policy that no adverse action or retribution will be taken by the clinic against the Privacy Official due to good faith reporting of a suspected violation or irregularity or as a result of actions proceeding from the Privacy Official’s duties.
The responsibilities of the Privacy Official are as follows:
- Educate your staff, physicians, and other key constituents about HIPAA. This can be done by making sure all staff and doctors have completed the on-line course. They should also make sure that they take it every year. All new staff must complete this course as their training as well.
- Make a comprehensive inventory of the individually identifiable electronic health information your organization maintains. Be sure to include information kept on personal computers and in research databases.
- Conduct a risk assessment to evaluate potential risks and vulnerabilities to individually identifiable electronic health information. Include the possibility of outside attacks if your systems have Internet access or dial-up access. Develop a tactical plan to address the identified risks, placing highest priority on the areas of greatest vulnerability.
- Educate your staff about your security policies and enforce them. Establish a confidential reporting system, so employees can report security breaches without fear of repercussions. Impose sanctions for violations, and be prepared to deal with system disruptions or data corruption that may result from security violations.
- Evaluate your current billing system to see if you are using the standards outlined in the EDI transaction standard. If you’re using the designated standards, have they been modified to meet specific payer requirements? If so, you’ll need a plan for changing your system back to the approved standard formats.
- Compare your current procedures for disclosure of health information with the known privacy standards. Are individuals allowed to inspect and copy their health information? Are reasonable fees charged for this? Does the organization account for all disclosures of protected health information for purposes other than treatment, payment, or healthcare operations? Is there a procedure in place to allow individuals to request amendments or corrections to their health information? Is there a mechanism for individuals to complain about possible violations of privacy?
- Review/revise existing vendor contracts to assure HIPAA compliance. Your contracts must ensure that your business partners also protect the privacy of identifiable health information.
- Investigate any reports of violations or misconduct reported to the Privacy Official.
- The Privacy Official shall record all incidents of misconduct including the action, the parties involved, the corrective measure, and the discipline, if any, to the doctor and shall record such information in the Records Section of this manual.
Throughout this process, keep in mind that your approach should be flexible, scaleable, and reasonable. Because technology—especially security technology—is changing so rapidly, the standard will give your organization the flexibility to choose its own technical solutions. You also want to be sure your approach is scaleable to provide an economically feasible solution. Finally, ensure the policies and procedures you outline are reasonable and that your organization can assure compliance. Documenting policies and procedures your staff can not (or does not) follow consistently creates liability for your organization.
Chapter 4 Violations and Breach Reporting
Each violation or suspected violation reported to the Privacy Official or other compliance party shall be recorded on the enclosed violation form and shall be numbered, each form in consecutive numerical order, and become a permanent portion of the records section of this office.
Verification of Violation
Once a violation or suspected violation has occurred and a violation form has been filled out, the Privacy Official shall be responsible for conducting a fact finding audit to the depth warranted by the severity of the alleged violation. The Privacy Official will further investigate the alleged violation and record the information with respect to the time, date, parties involved and longevity (the extent of time that the violation occurred/has been occurring). The Privacy Official will determine through written record review, interview and other procedure as necessary if the alleged violation has in fact occurred. Alleged violations that are found to be non-valid (a non-violation) shall be recorded as such on the violations form. All involved parties shall be notified of the non-violation and the reason thereof and the violation form shall be filed indicating a non-violation.
When an alleged violation proves to be an actual violation of compliance, it will be handled in the following manner:
- The activity shall be immediately terminated and new correct procedure shall be implemented.
- Special training for the staff and other involved parties will be held to explain the violation and implement corrected procedures.
- Discipline of the party or parties involved shall occur by the Compliance Officer, doctor and other necessary parties and shall be provided according to the severity of the violation, the number of past violations and in accordance with the discipline procedures under the Discipline Section of this Compliance Program.
Breach Notification to Patients: Breaches are now presumed reportable to HHS, unless, after completing a risk analysis applying four factors, it is determined, that there is a “low probability of PHI compromise.” The following four factors are required by HIPAA to be taken into consideration as to whether there is a “low probability of PHI compromise”:
1) The nature and extent of the PHI involved – issues to be considered include the sensitivity of the information from a financial or clinical perspective and the likelihood the information can be re-identified;
2) The person who obtained the unauthorized access and whether that person has an independent obligation to protect the confidentiality of the information;
3) Whether the PHI was actually acquired or accessed, determined after conducting a forensic analysis; and
4) The extent to which the risk has been mitigated, such as by obtaining a signed confidentiality agreement from the recipient.
If after considering these four factors it is determined that there is a “low probability of PHI compromise,” then affected patients do not need to be notified of the breach.
Chapter 5 Discipline
The clinic takes compliance very seriously and demands that all clinic employees comply with HIPAA regulations. Non-compliance will not be tolerated.
Disciplinary actions may include, but are not limited to:
- Information and training. Minor and occasional violations that may have occurred due to a lack of training or adequate information will be corrected by requiring the employee to be trained in proper procedure and implementation. This action will not be recorded in the employee’s permanent employee file, but will be recorded in the Records Section of this Compliance program for future referral and verification.
- A period of retraining will be required if the Privacy Official and other managerial staff feel that the employee has had adequate training but may have not understood or otherwise inadvertently violated the clinic’s compliance procedures. This action will not be recorded in the employee’s permanent employee file, but will be recorded in the Records Section of this Compliance program for future referral and verification.
- Retraining and Proof of Competency. If the Privacy Official and/or other managerial staff feel that the employee was adequately trained and at one time knew the correct procedures but now is judged to have involuntarily been non-compliant, they may require retraining and proof of competency. This retraining can be on premise or by an outside source/off premise. And the proof of competency can be through written or oral testing. This discipline will be noted in the employee’s permanent employment file.
- If there is a question as to the employee’s ability or willingness to work within the compliance guidelines, that employee’s work shall be monitored for a period of time adequate to demonstrate willingness and proficiency. This discipline will be noted in the employee’s permanent employment file.
- If after adequate training, violations continue to occur because of potential employee incompetency, that employee may be repositioned in the clinic to an area of work that requires less responsibility in the areas of clinic compliance. This discipline will be noted in the employee’s permanent employment file.
- Any serious violation or repeated violation (voluntary or involuntary) will lead to a probationary period which if during the time of probation, violations continue, the employee may be terminated. This discipline will be noted in the employee’s permanent employment file.
- Lack of Advancement or Demotion. Significant compliance violations and/or repeated compliance violations, especially after adequate retraining, are grounds for lack of advancement or demotion. This discipline will be noted in the employee’s permanent employment file.
- Willful non-compliance, significant history of repeated non-compliance or other major acts of non-compliance would result in termination of employment and other retribution as required/allowed by law. This discipline will be noted in the employee’s permanent employment file.
All non-compliance will become part of the violations and discipline portion of the records section of this program.