Updated 2018
Chapter 1: What is HIPAA?
It is important for all employees of Loehr Health Center (formerly Loehr Chiropractic & Acupuncture) to understand and be educated on the purpose and function of the HIPAA regulations and how that impacts the procedures and conduct of our clinic. We will begin with a history and overview of HIPAA.
Overview
The Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), also known as HIPAA, was enacted as part of a broad Congressional attempt at incremental healthcare reform. The “Administrative Simplification” aspect of that law requires the United States Department of Health and Human Services (DHHS) to develop standards and requirements for maintenance and transmission of health information that identifies individual patients.
These standards are designed to:
In 2013, the U.S. Department of Health and Human Services (HHS) moved forward to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The final omnibus rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law. Individual rights are expanded in important ways. Patients can ask for a copy of their electronic medical record in an electronic form. When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan. The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individual’s health information without their permission.
The effective date for the new HIPAA omnibus provisions is September 23, 2013, with the exception of Business Associate Agreements, which must be modified and in place by September 23, 2014.
The law provides for significant financial penalties for violations:
General Penalty for Failure to Comply:
Civil penalties:
Wrongful Disclosure of Individually Identifiable Health Information (Federal criminal penalties):
The 2013 rules clarify the four penalty tiers as follows:
This is going to be a major change for the clearinghouses and payers. Currently, there is no common standard for the transfer of information between healthcare providers and payers. Over 400 electronic data interchange (“EDI”) formats are used by various payers. As a result, providers such as our chiropractic office have been required by payers to meet many different requirements.
The new regulations are an effort to reduce our paper work as a clinic and increase efficiency and accuracy through the use of standardized financial and administrative transactions and data elements for transactions. HIPAA will change this practice by requiring payers to accept the following transaction standards for EDI:
The standardization of electronic transactions and code sets creates a concern for the privacy of the patient since everyone will be placed on one system. With the 1996 passage of HIPAA, Congress was granted 36 months to pass privacy legislation. After Congress failed to meet this deadline, HIPAA authorized DHHS to promulgate final regulations to protect patient privacy. DHHS published an NPRM for individually identifiable health information on November 3, 1999. After reviewing more than 50,000 comments, DHHS published the final regulations on December 28, 2000.
These standards outline specific rights for individuals regarding protected health information and obligations of healthcare providers, health plans, and health care clearinghouses. The privacy regulations grant healthcare consumers a greater level of control over the use and disclosure of personally identifiable health information. In general, healthcare providers, health plans, and clearinghouses are prohibited from using or disclosing health information except as authorized by the patient or specifically permitted by the regulation. The final rule’s applicability is expanded to include all personally identifiable health information, irrespective of form. There is no longer an exclusion for written medical records never transferred to electronic form or oral communications. The regulations are applicable to all health information held or created by the health care practitioner. This expansion eliminates the anticipated confusion of handling various categories of records differently.
Health plans and healthcare providers must inform their patients/beneficiaries of their business practices concerning the use and disclosure of health information. Direct healthcare providers must obtain written consent from a patient for use and disclosure of health information, even if the use or disclosure relates to such routine purposes as treatment or payment. A separate, specific authorization is required for non-routine disclosures. Finally, as a component of the consent process, patients are granted the opportunity to request restrictions on the use and disclosure of their health information. Within 60 days of a request, patients are entitled to a disclosure history identifying all entities that received health information unrelated to treatment or payment. Patients also have a right to review and copy their own medical records and have the corresponding right to request amendments or corrections to potentially harmful errors within the record.
As healthcare providers, we are required to create privacy-conscious business practices, which include the requirement that only the minimum amount of health information necessary is disclosed. In addition, business practices should ensure the internal protection of medical records, employee privacy training and education, creation of a mechanism for addressing patient privacy complaints, and designation of a privacy official. Overall, covered entities are encouraged to use de-identified information whenever possible. Once information is in a de-identified form, it is no longer subject to the privacy regulation restrictions.
Although the anticipated compliance date for the privacy regulations is February 26, 2003, it is the intent of this clinic to observe and follow, to the best of our ability, all known regulations immediately.
Standardization of the system also requires the standardization of identifiers for all those involved in the health care system. The standard identifiers included in the HIPAA legislation are standard, unique health identifiers for each health care provider, employer, health plan, and individual (patient). Although final rules have not been published it is expected that the identifier will be a 10 digit numeric identifier and would be required on all standard electronic health care transactions that require provider identification.
National Provider Identifier
Historically, government and private health plans have assigned identification numbers to providers of health care services and suppliers. These health plans, independently of each other, assign identifiers to providers for program management and operations purposes. The identifiers are not standardized within a single health plan or across plans. This lack of uniformity results in health care providers having different numbers for the same program and often multiple billing numbers issued within the same program, significantly complicating providers’ claims submission process.
Most health plans have coordination of benefits with other health plans to ensure appropriate payment. The lack of a single and unique identifier for each health care provider within and across health plans makes the exchanging of data expensive and difficult. The use of a standard, unique provider identifier would improve accuracy and assist in overcoming communication and coordination difficulties. All of these factors indicate the complexities of exchanging information on health care providers. As we become more dependent on data automation and electronic commerce and proceed in planning for health care delivery, the need for a universal, standard health care provider identifier becomes more and more evident. Considerable effort and research have gone into developing the standard for the provider number. Participants in this effort came from the government and private sector. Although final rules have not been published, it is expected that the identifier will be a 10 digit numeric identifier and would be required on all standard electronic health care transactions that require provider identification.
Employer Identifier
Because of the widespread use of the Employer Identification Number (EIN) to identify employers in health transactions, the EIN is being proposed as the national standard for the employer identifier for electronic health transactions. The EIN is an identifier that is already assigned to each employer for tax identification purposes, and its adoption would not result in additional data collections or paperwork, thereby furthering the administrative simplification objectives. The EIN is defined as the taxpayer identifying number of an individual or other person (whether or not an employer). The EIN would be nine digits separated by a hyphen and would appear as 00-0000000.
There is often confusion about the difference between privacy, confidentiality and security.
The new security standards were designed to protect all electronic health information from improper access or alteration, and to protect against loss of records. Health plans, health care clearinghouses, and health care providers would use the security standards to develop and maintain the security of all electronic individual health information.
The proposed security standard is divided into four categories:
Administrative procedures used to guard data integrity, confidentiality, and availability. These are documented, formal procedures for selecting and executing information security measures. These procedures also address staff responsibilities for protecting data.
Physical safeguards to guard data integrity, confidentiality, and availability. These safeguards protect physical computer systems and related buildings and equipment from fire and other environmental hazards, as well as intrusion. The use of locks, keys, and administrative measures used to control access to computer systems and facilities are also included.
Technical data security services to guard data integrity, confidentiality, and availability. These include the processes used to protect, control, and monitor information access.
Technical security mechanisms. These include processes used to prevent unauthorized access to data transmitted over a communications network.
Under the Privacy regulations, the DHHS Secretary has delegated enforcement responsibilities to the DHHS Office for Civil Rights (OCR). The OCR will be responsible for (1) assisting with voluntary compliance efforts, (2) responding to questions on regulations, interpretation and guidance, (3) responding to state requests for exception determinations, (4) investigating complaints, (5) conducting compliance surveys, and (6) when a covered entity does not voluntarily comply, assessing CMPs and referring criminal prosecution.
The Privacy Rule for the first time creates national standards to protect individuals’ medical records and other personal health information.
For patients – it means being able to make informed choices when seeking care and reimbursement for care based on how personal health information may be used.
Q: What does this regulation require our office to do?
A: For the average health care provider such as our chiropractic office, the Privacy Rule requires activities, such as:
To ease the burden of complying with the new requirements, the Privacy Rule gives needed flexibility for providers such as our chiropractic office to create their own privacy procedures, tailored to fit their size and needs. The scalability of the rules provides a more efficient and appropriate means of safeguarding protected health information than would any single standard. For example,
Q: Can we “avoid” HIPAA regulations by going cash?
A: No. Here is a quote from HHS: “The final rule’s applicability is expanded to include all personally identifiable health information, irrespective of form. There is no longer an exclusion for written medical records never transferred to electronic form or oral communications. The regulations are applicable to all health information held or created by the health care practitioner. This expansion eliminates the anticipated confusion of handling various categories of records differently.”
Summary
This clinic strives to be fully compliant with all of the complex rules and regulations concerning the healthcare industry. The future growth and well-being of the clinic and its employees depend, in part, upon all employees of the clinic complying with the law and conducting their business activities with honesty, integrity, and fairness toward fellow employees and patients.
Since many of our policies involve intricate legal and regulatory matters, you are not necessarily expected to understand all areas. You are, however, expected to realize when to ask for guidance. Through your active participation in meeting the demands of these compliance policies, it is hoped that the clinic will receive the rewards of your contribution and you will have an enjoyable employment experience while adding to your professional growth.
CONSENT
Patient Consent Forms – Our office will use an Acknowledgement and Consent form to document the receipt of the Notice of Privacy Policies and the patient’s consent to use PHI in a manner consistent with our policies and law.
The Privacy Rule establishes a federal requirement that most doctors, hospitals, or other health care providers obtain a patient’s written consent before using or disclosing the patient’s personal health information to carry out treatment, payment, or health care operations (TPO). Today, many health care providers, for professional or ethical reasons, routinely obtain a patient’s consent for disclosure of information to insurance companies or for other purposes. The Privacy Rule builds on these practices by establishing a uniform standard for certain health care providers to obtain their patients’ consent for uses and disclosures of health information about the patient to carry out TPO.
General Provisions
Individual Rights
Administrative Issues
Our chiropractic office must retain the signed consent for 6 years from the date it was last in effect. The Privacy Rule does not dictate the form in which these consents are to be retained by our office.
Patients have the right to revoke their consent at any time by completing the Revocation form. Our office cannot withhold treatment based upon the revocation, but this may affect our ability to see the patient in the future. The patient should be informed that they may no longer be able to be seen in our office.
Q: Will the consent requirement restrict the ability of providers to consult with other providers about a patient’s condition?
A: No. A chiropractor with a direct treatment relationship with a patient would have to have initially obtained consent to use that patient’s health information for treatment purposes. Consulting with another health care provider about the patient’s case falls within the definition of “treatment” and, therefore, is permissible. If the provider being consulted does not otherwise have a direct treatment relationship with the patient, that provider does not need to obtain the patient’s consent to engage in the consultation.
Q: What is the interaction between “consent” and “notice”?
A: The consent and the notice of privacy practices are two distinct documents. A consent document is brief (may be less than one page). It must refer to the notice and must inform the individual that he has the opportunity to review the notice prior to signing the consent. The Privacy Rule does not require that the individual read the notice or that our chiropractic office explains each item in the notice before the individual provides consent. We expect that some patients will simply sign the consent while others will read the notice carefully and discuss some of the practices with our office.
Q: May consent for use or disclosure of PHI be provided electronically?
A: Yes. Our practice may choose to obtain and store consents in paper or electronic form, provided that the consent meets all of the requirements under the Privacy Rule, including that it be signed by the individual. Paper is not required.
Q: Must someone from our office verify a signature on a consent form if the individual is not present when he signs it?
A: No.
Q: May consent be obtained by a chiropractor only one time even though there is a connected course of treatment involving multiple visits?
A: Yes. A chiropractor needs to obtain consent from a patient for use or disclosure of PHI only one time. This is true regardless of whether there is a connected course of treatment or treatment for unrelated conditions. A chiropractor will need to obtain a new consent from a patient only if the patient has revoked the consent between treatments or if the consent form has changed.
Q: If an individual consents to the use or disclosure of PHI for TPO purposes, begins chiropractic care and then revokes consent before the chiropractor bills for such service, is the provider precluded from billing for such service?
A: No. A health care provider that provides a health care service to an individual after obtaining consent from the individual may bill for such service even if the individual immediately revokes consent after the service has been provided. The Privacy Rule requires that an individual be permitted to revoke consent, but provides that the revocation is not effective to the extent that the health care provider has acted in reliance on the consent. Where the provider has obtained consent and provided a health care service pursuant to that consent with the expectation that he or she could bill for the service, the health care provider has acted in reliance on the consent. The revocation would not interfere with the billing or reimbursement for that care.
Q: Must a revocation of consent be in writing?
A: Yes.
Q: Are health plans and health care clearinghouses required by the Privacy Rule to have some form of express legal permission to use and disclose health information obtained prior to the compliance date for TPO purposes?
A: No. Health plans and health care clearinghouses are not required to have express legal permission from individuals to use or disclose health information obtained prior to the compliance date for their own TPO purposes.
We will provide patients with a notice of the patient’s privacy rights and the privacy practices of the covered entity. The notice requirement obliges direct treatment providers to make a good faith effort to obtain the patient’s written acknowledgement of the notice of privacy rights and practices. The Rule promotes access to care by removing mandatory consent requirements that would inhibit patient access to health care, while providing covered entities with the option of developing a consent process that works for that entity. The Department makes these changes to protect privacy while eliminating barriers to treatment, by strengthening the notice requirements and making consent for routine health care delivery (TPO) optional. The Rule also allows consent requirements already in place to continue.
Our office will use an Acknowledgement and Consent form to document the receipt of the Notice of Privacy Policies and the patient’s consent to use PHI in a manner consistent with our policies and law.
General Requirement
The Privacy Rule generally requires our chiropractic office to take reasonable steps to limit the use or disclosure of, and requests for, protected health information (PHI) to the minimum necessary to accomplish the intended purpose.
The minimum necessary provisions do not apply to the following:
The implementation specifications for this provision require a chiropractor to develop and implement policies and procedures appropriate for its own organization, reflecting the entity’s business practices and workforce.
Uses and Disclosures of, and Requests for PHI
For uses of PHI, the policies and procedures must identify the persons or classes of persons within the chiropractic office who need access to the information to carry out their job duties, the categories or types of PHI needed, and conditions appropriate to such access. For routine or recurring requests and disclosures, the policies and procedures may be standard protocols and must limit PHI disclosed or requested to that which is the minimum necessary for that particular type of disclosure or request. Individual review of each disclosure or request is not required.
For non-routine disclosures, chiropractors must develop reasonable criteria for determining, and limiting disclosure to, only the minimum amount of PHI necessary to accomplish the purpose of a non-routine disclosure. Non-routine disclosures must be reviewed on an individual basis in accordance with these criteria. When making non-routine requests for PHI, the chiropractor must review each request so as to ask for only that information reasonably necessary for the purpose of the request.
Permitted Uses and Disclosures. This office is permitted to use and disclose protected health information, without a patient’s authorization, for the following purposes or situations: (1) To the Patient (unless required for access or accounting of disclosures); (2) Treatment, Payment, and Health Care Operations; (3) Opportunity to Agree or Object; (4) Incident to an otherwise permitted use and disclosure; (5) Public Interest and Benefit Activities; and (6) Limited Data Set for the purposes of research, public health or health care operations. We will rely on our professional ethics and best judgments in deciding which of these permissive uses and disclosures to make.
(1) To the Patient. This office may disclose protected health information to the patient who is the subject of the information.
(2) Treatment, Payment, Health Care Operations. This office may use and disclose protected health information for its own treatment, payment, and health care operations activities. We may also disclose protected health information for the treatment activities of any health care provider, the payment activities of another covered entity and of any health care provider, or the health care operations of another covered entity involving either quality or competency assurance activities or fraud and abuse detection and compliance activities, if both covered entities have or had a relationship with the patient and the protected health information pertains to the relationship.
In the unlikely event this office might obtain, use or disclose psychotherapy notes for treatment, payment, and health care operations purposes, we will require a written authorization from the patient prior to use or disclosure of the psychotherapy notes.
(3) Uses and Disclosures with Opportunity to Agree or Object. Informal permission may be obtained by asking the patient outright, or by circumstances that clearly give the patient the opportunity to agree, acquiesce, or object. Where the patient is incapacitated, in an emergency situation, or not available, this office may generally make such uses and disclosures, if in the exercise of our professional judgment, the use or disclosure is determined to be in the best interests of the patient.
Facility Directories. It is a common practice in many health care facilities, such as hospitals, to maintain a directory of patient contact information. A covered health care provider may rely on a patient’s informal permission to list in its facility directory the patient’s name, general condition, religious affiliation, and location in the provider’s facility. The provider may then disclose the patient’s condition and location in the facility to anyone asking for the patient by name, and also may disclose religious affiliation to clergy. Members of the clergy are not required to ask for the patient by name when inquiring about patient religious affiliation. We do not anticipate creating such a Facility Directory, but we need to advise you of the scope of the rule.
For Notification and Other Purposes. This office may also rely on a patient’s informal permission to disclose to the patient’s family, relatives, or friends, or to other persons whom the patient identifies, protected health information directly relevant to that person’s involvement in the patient’s care or payment for care. This provision, for example, allows a pharmacist to dispense filled prescriptions to a person acting on behalf of the patient. Similarly, a covered entity may rely on a patient’s informal permission to use or disclose protected health information for the purpose of notifying (including identifying or locating) family members, personal representatives, or others responsible for the patient’s care of the patient’s location, general condition, or death. In addition, protected health information may be disclosed for notification purposes to public or private entities authorized by law or charter to assist in disaster relief efforts.
(4) Incidental Use and Disclosure. The Privacy Rule does not require that every risk of an incidental use or disclosure of protected health information be eliminated. A use or disclosure of this information that occurs as a result of, or as “incident to,” an otherwise permitted use or disclosure is permitted as long as this office has adopted reasonable safeguards as required by the Privacy Rule, and the information being shared was limited to the “minimum necessary,” as required by HIPAA.
(5) Public Interest and Benefit Activities. HIPAA permits use and disclosure of protected health information, without a patient’s authorization or permission, for 12 national priority purposes. These disclosures are permitted, although not required, by the Rule in recognition of the important uses made of health information outside of the health care context. Specific conditions or limitations apply to each public interest purpose, striking the balance between the patient privacy interest and the public interest need for this information. Those purposes are:
Required by Law. This office may use and disclose protected health information without patient authorization as required by law (including by statute, regulation, or court orders).
Public Health Activities. This office may disclose protected health information to: (1) public health authorities authorized by law to collect or receive such information for preventing or controlling disease, injury, or disability and to public health or other government authorities authorized to receive reports of child abuse and neglect; (2) entities subject to FDA regulation regarding FDA regulated products or activities for purposes such as adverse event reporting, tracking of products, product recalls, and post-marketing surveillance; (3) patients who may have contracted or been exposed to a communicable disease when notification is authorized by law; and (4) employers, regarding employees, when requested by employers, for information concerning a work-related illness or injury or workplace related medical surveillance, because such information is needed by the employer to comply with the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or similar state law.
Victims of Abuse, Neglect or Domestic Violence. In certain circumstances, this office may disclose protected health information to appropriate government authorities regarding victims of abuse, neglect, or domestic violence.
Health Oversight Activities. This office may disclose protected health information to health oversight agencies, as defined by HIPAA, for purposes of legally authorized health oversight activities, such as audits and investigations necessary for oversight of the health care system and government benefit programs.
Judicial and Administrative Proceedings. This office may disclose protected health information in a judicial or administrative proceeding if the request for the information is through an order from a court or administrative tribunal. Such information may also be disclosed in response to a subpoena or other lawful process if certain assurances regarding notice to the patient or a protective order are provided.
Law Enforcement Purposes. This office may disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances, and subject to specified conditions: (1) as required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests; (2) to identify or locate a suspect, fugitive, material witness, or missing person; (3) in response to a law enforcement official’s request for information about a victim or suspected victim of a crime; (4) to alert law enforcement of a person’s death, if the covered entity suspects that criminal activity caused the death; (5) when a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and (6) by a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.
Decedents. This office may disclose protected health information to funeral directors as needed, and to coroners or medical examiners to identify a deceased person, determine the cause of death, and perform other functions authorized by law.
Cadaveric Organ, Eye, or Tissue Donation. This office may use or disclose protected health information to facilitate the donation and transplantation of cadaveric organs, eyes, and tissue.
Research. “Research” is defined by HIPAA as any systematic investigation designed to develop or contribute to generalizable knowledge. HIPAA permits this office to use and disclose protected health information for research purposes, without a patient’s authorization, provided the covered entity obtains either: (1) documentation that an alteration or waiver of patients’ authorization for the use or disclosure of protected health information about them for research purposes has been approved by an Institutional Review Board or Privacy Board; (2) representations from the researcher that the use or disclosure of the protected health information is solely to prepare a research protocol or for a similar purpose preparatory to research, that the researcher will not remove any protected health information from the covered entity, and that the protected health information for which access is sought is necessary for the research; or (3) representations from the researcher that the use or disclosure sought is solely for research on the protected health information of decedents, that the protected health information sought is necessary for the research, and, at the request of the covered entity, documentation of the death of the patients about whom information is sought. A covered entity also may use or disclose, without patients’ authorization, a limited data set of protected health information for research purposes.
Serious Threat to Health or Safety. This office may disclose protected health information that it believes is necessary to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone it believes can prevent or lessen the threat (including the target of the threat). This office may also disclose to law enforcement if the information is needed to identify or apprehend an escapee or violent criminal.
Essential Government Functions. An authorization is not required to use or disclose protected health information for certain essential government functions. Such functions include: assuring proper execution of a military mission, conducting intelligence and national security activities that are authorized by law, providing protective services to the President, making medical suitability determinations for U.S. State Department employees, protecting the health and safety of inmates or employees in a correctional institution, and determining eligibility for or conducting enrollment in certain government benefit programs.
Workers’ Compensation. This office may disclose protected health information as authorized by, and to comply with, workers’ compensation laws and other similar programs providing benefits for work-related injuries or illnesses.
Q: How does our clinic expect to determine what is the minimum necessary information that can be used, disclosed, or requested for a particular purpose?
A: The Privacy Rule requires a chiropractor to make reasonable efforts to limit uses and disclosures of, and requests for, PHI to the minimum necessary to accomplish the intended purpose. To allow chiropractors the flexibility to address their unique circumstances, the rule requires chiropractors to make their own assessment of what PHI is reasonably necessary for a particular purpose, given the characteristics of their business and workforce, and to implement policies and procedures accordingly. This is not a strict standard, and chiropractors need not limit information uses or disclosures to those that are absolutely needed to serve the purpose. Rather, this is a reasonableness standard that calls for an approach consistent with the best practices and guidelines already used by many providers today to limit the unnecessary sharing of medical information.
The minimum necessary standard is intended to make chiropractors evaluate their practices and enhance protections as needed to prevent unnecessary or inappropriate access to PHI. It is intended to reflect and be consistent with, not override, professional judgment and standards.
Q: Won’t the minimum necessary restrictions impede the delivery of quality health care by preventing or hindering necessary exchanges of patient medical information among health care providers involved in treatment?
A: No. Disclosures for treatment purposes (including requests for disclosures) between health care providers are explicitly exempted from the minimum necessary requirements.
The Privacy Rule provides the clinic with substantial discretion as to how to implement the minimum necessary standard and how to appropriately and reasonably limit access to and use of identifiable health information within the practice. The rule recognizes that the chiropractor is in the best position to know and determine who in the workforce needs access to personal health information to perform their jobs. Therefore, the chiropractor can develop role-based access policies that allow its health care providers and other employees, as appropriate, access to patient information, including entire medical records, for treatment purposes.
Q: Does the rule strictly prohibit use, disclosure, or requests of an entire medical record? Does the rule prevent use, disclosure, or requests of entire medical records without case-by-case justification?
A: No. The Privacy Rule does not prohibit use, disclosure, or requests of an entire medical record. Our clinic may use, disclose, or request an entire medical record, without a case-by-case justification, if we have documented in our records that the entire medical record is the amount reasonably necessary for certain identified purposes. For uses, our policies and procedures identify those persons or classes of persons in the workforce that need to see the entire medical record and the conditions, if any, that are appropriate for such access. Policies and procedures for routine disclosures and requests, and the criteria used for non-routine disclosures, identify the circumstances under which disclosing or requesting the entire medical record is reasonably necessary for particular purposes. In making non-routine requests, the attending physician may establish and utilize criteria to assist in determining when to request the entire medical record.
The Privacy Rule does not require that a justification be provided with respect to each distinct medical record.
Finally, no justification is needed in those instances where the minimum necessary standard does not apply, such as disclosures to or requests by a health care provider for treatment or disclosures to the individual.
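As an added illustration (not code from this manual or from Loehr Health Center), the following Python sketch shows one way to encode the role-based, minimum-necessary policy described above so that every use or disclosure is checked against a documented role table, treatment disclosures between providers and disclosures to the individual are exempted, whole-record access is allowed only where the policy documents it, a non-routine request outside the table is allowed only with a recorded justification, and each decision is logged. The role names, PHI categories, and the contents of the policy table are assumptions made for the example, not a list taken from the Privacy Rule.

```python
"""Minimum-necessary, role-based access check for a small clinic's PHI.

Added illustration; not code from the clinic's manual.  Role names, PHI
categories and the policy table are assumptions for this example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Purpose(Enum):
    TREATMENT = "treatment"
    PAYMENT = "payment"
    OPERATIONS = "health care operations"
    TO_INDIVIDUAL = "disclosure to the individual"


# PHI categories a chart is divided into (assumed for the example).
PHI = frozenset({"demographics", "insurance", "clinical_notes", "imaging", "billing_history"})
ENTIRE_RECORD = PHI

# Documented role policy: which categories each workforce role may use, per purpose.
# This plays the part of the written "persons or classes of persons ... and
# conditions" the manual calls for; the values are assumptions for the example.
ROLE_POLICY = {
    "treating_provider": {
        Purpose.TREATMENT: ENTIRE_RECORD,       # whole chart documented as necessary
        Purpose.OPERATIONS: frozenset({"demographics", "clinical_notes"}),
    },
    "billing_clerk": {
        Purpose.PAYMENT: frozenset({"demographics", "insurance", "billing_history"}),
        Purpose.OPERATIONS: frozenset({"demographics", "billing_history"}),
    },
    "front_desk": {
        Purpose.TREATMENT: frozenset({"demographics"}),   # scheduling, locating a patient
        Purpose.PAYMENT: frozenset({"demographics", "insurance"}),
    },
}


@dataclass
class Decision:
    allowed: frozenset
    denied: frozenset
    reason: str

    @property
    def permitted(self) -> bool:
        # A request is permitted only if nothing asked for was denied.
        return not self.denied


@dataclass
class AccessLog:
    """Audit trail of every decision, kept so the policy can be reviewed later."""
    entries: list = field(default_factory=list)

    def record(self, role: str, purpose: Purpose, requested: frozenset, decision: Decision) -> None:
        self.entries.append((role, purpose.value, sorted(requested), decision.reason))


def check_access(role: str, purpose: Purpose, requested, log: AccessLog, *,
                 provider_to_provider: bool = False,
                 justification: Optional[str] = None) -> Decision:
    """Apply the minimum-necessary standard to one use, disclosure or request.

    Exemptions taken from the manual: disclosures to the individual, and
    treatment disclosures or requests between health care providers, are not
    subject to the minimum-necessary limit.  Everything else is limited to the
    role's documented categories; a non-routine request outside the policy is
    allowed only when a justification is recorded with it.
    """
    requested = frozenset(requested)
    unknown = requested - PHI
    if unknown:
        decision = Decision(frozenset(), requested, f"unknown PHI categories: {sorted(unknown)}")
    elif purpose is Purpose.TO_INDIVIDUAL or (purpose is Purpose.TREATMENT and provider_to_provider):
        decision = Decision(requested, frozenset(), "exempt from minimum necessary")
    else:
        permitted = ROLE_POLICY.get(role, {}).get(purpose, frozenset())
        extra = requested - permitted
        if not extra:
            decision = Decision(requested, frozenset(), "within documented role policy")
        elif justification:
            decision = Decision(requested, frozenset(), f"non-routine request, justified: {justification}")
        else:
            decision = Decision(requested & permitted, extra, "exceeds role policy; justification required")
    log.record(role, purpose, requested, decision)
    return decision


if __name__ == "__main__":
    audit = AccessLog()
    # Billing asks for clinical notes it does not need: only demographics are released.
    print(check_access("billing_clerk", Purpose.PAYMENT, {"demographics", "clinical_notes"}, audit))
    # A treating provider's documented whole-record access for treatment.
    print(check_access("treating_provider", Purpose.TREATMENT, PHI, audit))
    # Request from an outside provider for treatment: exempt from the limit.
    print(check_access("covering_provider", Purpose.TREATMENT, {"imaging"}, audit, provider_to_provider=True))
    for entry in audit.entries:
        print(entry)
```

The point of routing every request through one function is that the exemptions and the documented role table live in a single place that can be reviewed against the written policy, and the log gives the Privacy Official something concrete to audit when a complaint is raised.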
Q: In limiting access, is your office required to completely restructure existing workflow systems, including redesigns of office space and upgrades of computer systems, in order to comply with the minimum necessary requirements?
A: No. The basic standard for minimum necessary uses requires that the chiropractor make reasonable efforts to limit access to PHI to those in the workforce who need access based on their roles in the covered entity.
The Department of Health and Human Services generally does not consider facility redesigns as necessary to meet the reasonableness standard for minimum necessary uses. However, our chiropractic clinic has volunteered to make certain adjustments to our facility to minimize access, such as isolating and locking file cabinets or records rooms, and providing additional security, such as passwords, on computers maintaining personal information and keeping those computers from outside public access.
Q: Do the minimum necessary requirements prohibit our practice from maintaining patient medical charts in the treatment room or require that X-ray light boards be isolated?
A: No. The minimum necessary standards do not require that chiropractors take any of these specific measures. Chiropractors must, in accordance with other provisions of the Privacy Rule, take reasonable precautions to prevent inadvertent or unnecessary disclosures. For example, while the Privacy Rule does not require that X-ray boards be totally isolated from all other functions, it does require the chiropractor to take reasonable precautions to protect X-rays from being accessible to the public. Patients’ X-rays should not be left in full view of the public.
Q: Will doctors’ and physicians’ offices be allowed to continue using sign-in sheets in waiting rooms?
A: The Privacy Rule was not intended to prohibit the use of sign-in sheets, but the Department recognized that the rule as first issued was ambiguous about this common practice. The rule was therefore modified to clarify that this and similar practices are permissible.
Background
The Privacy Rule applies to patient health information in all forms, electronic, written, oral, and any other. Coverage of oral (spoken) information ensures that information retains protections when discussed or read aloud from a computer screen or a written document. If oral communications were not covered, any health information could be disclosed to any person, so long as the disclosure was spoken.
Communications
The Rule acknowledges that uses or disclosures that are incidental to an otherwise permitted use or disclosure may occur. Such incidental uses or disclosures are not considered a violation of the Rule provided that the covered entity has met the reasonable safeguards and minimum necessary requirements. For example, doctors’ offices may use waiting room sign-in sheets, hospitals may keep patient charts at bedside, doctors can talk to patients in semi-private rooms, and doctors can confer at nurses’ stations without fear of violating the rule if overheard by a passerby.
General Requirements
Allowable Communications
A change made to the Rule increases confidence that you are free to engage in whatever communications are required for quick, effective, high-quality health care, including routine oral communications with family members, treatment discussions with staff involved in coordinating patient care, and using patient names to locate them in waiting areas.
Oral Communications with a Patient in the Presence of the Patient’s Family or Friends
We may engage in oral communications with the patient in the presence of the patient’s family or friends as long as the patient is provided an adequate opportunity to object. If the patient objects, all communications in front of family or friends must cease.
Q: If health care providers engage in confidential conversations with other providers or with patients, have they violated the rule if there is a possibility that they could be overheard?
A: The Privacy Rule is not intended to prohibit providers from talking to each other and to their patients. The provisions of the rule that require the clinic to implement reasonable safeguards reflecting its particular circumstances, and that exempt treatment disclosures from certain requirements, are intended to ensure that providers’ primary consideration is the appropriate treatment of their patients. We also understand that overheard communications are sometimes unavoidable. The Privacy Rule is not intended to prevent appropriate behavior. We would consider the following practices to be permissible, if reasonable precautions were taken to minimize the chance of inadvertent disclosures to others who may be nearby (such as using lowered voices or talking apart from others):
Regulatory language has also been introduced to reinforce and clarify that these and similar oral communications (such as calling out patient names in a waiting room) are permissible.
Q: Does the Privacy Rule require chiropractic offices to be retrofitted, to provide private rooms, and soundproof walls to avoid any possibility that a conversation is overheard?
A: No, the Privacy Rule does not require these types of structural changes be made to facilities.
Chiropractic offices must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. “Reasonable safeguards” mean that as health care providers we must make reasonable efforts to prevent uses and disclosures not permitted by the rule. The Department of Health and Human Services does not consider facility restructuring to be a requirement under this standard. In determining what is reasonable, the Department will take into account the concerns of our office regarding potential effects on patient care and financial burden.
For example, the Privacy Rule does not require the following types of structural or systems changes:
Our office must provide reasonable safeguards to avoid prohibited disclosures. The rule does not require that all risk be eliminated to satisfy this standard. We are required to review our own practice and determine what steps are reasonable to safeguard our patients’ information.
Examples of the types of adjustments or modifications to facilities or systems that may constitute reasonable safeguards are:
In assessing what is “reasonable,” our office will also consider the viewpoint of prudent professionals.
By law, the Privacy Rule applies only to health plans, health care clearinghouses, and certain health care providers. In today’s health care system, however, most health care providers and health plans do not carry out all of their health care activities and functions by themselves; they require assistance from a variety of contractors and other businesses. In allowing providers and plans to give protected health information (PHI) to these “business associates,” the Privacy Rule conditions such disclosures on the provider or plan obtaining, typically by contract, satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the clinic, will safeguard the information from misuse, and will help our clinic comply with its duties to provide individuals with access to health information about them and with a history of certain disclosures (e.g., if the business associate maintains the only copy of the information, it must promise to cooperate with our chiropractic clinic to provide individuals access to that information upon request). PHI may be disclosed to a business associate only to help the providers and plans carry out their health care functions, not for independent use by the business associate.
What is a “business associate”?
Q: Is it reasonable for our practice to be held liable for the privacy violations of business associates?
A: Under the Privacy Rule as originally written, a health care provider, health plan, or other covered entity is not liable for the privacy violations of a business associate, and our clinic is not required to actively monitor or oversee the means by which the business associate carries out safeguards or the extent to which the business associate abides by the requirements of the contract. Since the 2013 omnibus rule, however, business associates are directly liable under HIPAA for their own violations, and a covered entity can be held liable for the acts of a business associate that is acting as its agent, so the choice of business associates and the terms of the agreement matter.
Moreover, a business associate’s violation of the terms of the contract does not, in and of itself, constitute a violation of the rule by our practice. The contract must obligate the business associate to advise us when violations have occurred.
If our office becomes aware of a pattern or practice of the business associate that constitutes a material breach or violation of the business associate’s obligations under its contract, we must take “reasonable steps” to cure the breach or to end the violation. Reasonable steps will vary with the circumstances and nature of the business relationship.
If such steps are not successful, our office must terminate the contract if feasible. The rule also provides for circumstances in which termination is not feasible, for example, where there are no other viable business alternatives for our clinic to take. In such circumstances where termination is not feasible, we must report the problem to the Department of Health and Human Services.
Only if our clinic fails to take the kinds of steps described above would it be considered to be out of compliance with the requirements of the rule.
The Privacy Rule provides individuals with certain rights with respect to their personal health information, including the right to obtain access to and to request amendment of health information about themselves. These rights rest with that individual, or with the “personal representative” of that individual. In general, a person’s right to control protected health information (PHI) is based on that person’s right (under state or other applicable law, e.g., tribal or military law) to control the health care itself.
Because a parent usually has authority to make health care decisions about his or her minor child, a parent is generally a “personal representative” of his or her minor child under the Privacy Rule and has the right to obtain access to health information about his or her minor child. This would also be true in the case of a guardian or other person acting in loco parentis of a minor.
There are exceptions in which a parent might not be the “personal representative” with respect to certain health information about a minor child. In the following situations, the Privacy Rule defers to determinations under other law that the parent does not control the minor’s health care decisions and, thus, does not control the PHI related to that care.
In the following situations, the Privacy Rule reflects current professional practice in determining that the parent is not the minor’s personal representative with respect to the relevant PHI:
Relation to State Law
In addition to the provisions (described above) tying the right to control information to the right to control treatment, the Privacy Rule also states that it does not preempt state laws that specifically address disclosure of health information about a minor to a parent (§ 160.202). This is true whether the state law authorizes or prohibits such disclosure. Thus, if a physician believes that disclosure of information about a minor would endanger that minor, but a state law requires disclosure to a parent, the physician may comply with the state law without violating the Privacy Rule. Similarly, a provider may comply with a state law that requires disclosure to a parent and would not have to accommodate a request for confidential communications that would be contrary to state law.
Q: Does the Privacy Rule allow parents the right to see their children’s medical records?
A: This has been modified in the Rule to read as follows: The Rule clarifies that state law, or other applicable law, governs in the area of parents and minors. Generally, the Privacy Rule provides parents with new rights to control the health information about their minor children, with limited exceptions that are based on state or other applicable law and professional practice. For example, where a state has explicitly addressed disclosure of a minor’s health information to a parent, or access to a child’s medical record by a parent, the Rule clarifies that state law governs. In addition, the Rule clarifies that, in the special cases in which the minor controls his or her own health information under such law and that law does not define the parents’ ability to access the child’s health information, a licensed health care provider continues to be able to exercise discretion to grant or deny such access as long as that decision is consistent with the state or other applicable law.
General Requirements
The Privacy Rule addresses the use and disclosure of protected health information (PHI) for marketing purposes in the following ways:
What Is Marketing
The Privacy Rule defines “marketing” as “a communication about a product or service a purpose of which is to encourage recipients of the communication to purchase or use the product or service.” To make this definition easier for chiropractic offices to understand and comply with, the Department specified what “marketing” is not, as well as generally defined what it is. As questions arise about what activities are “marketing” under the Privacy Rule, additional clarification will be given regarding such activities.
Communications That Are Not Marketing
The Privacy Rule carves out activities that are not considered marketing under this definition. In recommending treatments or describing available services, health care providers and health plans are, in a sense, advising patients to purchase goods and services. To prevent any interference with essential treatment or similar health-related communications with a patient, the rule identifies the following activities as not subject to the marketing provision, even if the activity otherwise meets the definition of marketing. (Written communications for which the practice is compensated by a third party are not carved out of the marketing definition.)
Thus, our chiropractic clinic is not “marketing” when it:
Furthermore, it is not marketing for our practice to use an individual’s PHI to tailor a health-related communication to that individual, when the communication is:
Business Associates
Disclosure of PHI for marketing purposes is limited to disclosure to business associates that undertake marketing activities on behalf of our clinic. No other disclosure for marketing is permitted. We will not give away or sell lists of patients or enrollees without obtaining authorization from each patient on the list. As with any disclosure to a business associate, we will obtain the business associate’s agreement to use the PHI only for the marketing activities that we direct from our clinic. We will not give PHI to a business associate for the business associate’s own purposes.
In Office Procedure for Business Associates
Limitations on Marketing Communications
Patient’s Right to Object to the use of PHI for Marketing or Fundraising Purposes
Patients have the right to object to the use of PHI for marketing or fundraising purposes. The patient can revoke the patient’s authorization by completing the Revocation of Authorization of Use of PHI for Marketing or Fundraising Purposes. If the patient revokes their authorization, this means no marketing or fundraising materials shall be sent to the patient based upon health or demographic information maintained in the patient’s file. The patient should be informed that the patient may still receive marketing or fundraising information from our office, but that the source of the demographic information will not be the patient’s PHI, but instead a community mailing list, such as the White Pages or a similar mailing list service.
General Requirements
As provided for by the Privacy Rule, this practice may use and disclose protected health information (PHI) for payment purposes. “Payment” is a defined term that encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and for a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care.
In addition to the general definition, the Privacy Rule provides examples of common payment activities that include, but are not limited to:
Rights Of Patients Who Pay “Out-Of-Pocket” To Not Have Information Disclosed To Their Health Insurance Company
A patient who pays in cash or with other “out-of-pocket” funds for their office visit and treatment may request that this office not disclose the information related to that visit and treatment to their health insurance company or other payer. The patient can do this by completing the appropriate form. This form should be completed each time the patient has a visit or treatment for which the patient requests that the information not be disclosed. When the patient has paid the clinic in full out of pocket for that item or service, the clinic must honor the request; this is one of the restrictions the 2013 omnibus changes made mandatory rather than discretionary.
Q: Does the rule prevent reporting to consumer credit reporting agencies or otherwise create any conflict with the Fair Credit Reporting Act (FCRA)?
A: No. The Privacy Rule’s definition of “payment” includes disclosures to consumer reporting agencies. These disclosures, however, are limited to the following PHI about the individual: name and address; date of birth; social security number; payment history; account number. In addition, disclosure of the name and address of the health care provider or health plan making the report is allowed. The chiropractor may perform this payment activity directly or may carry out this function through a third party, such as a collection agency, under a business associate arrangement.
We are not aware of any conflict in the consumer credit reporting disclosures permitted by the Privacy Rule and FCRA. The Privacy Rule permits uses and disclosures by the covered entity or its business associate as may be required by FCRA or other law. Therefore, we do not believe there would be a conflict between the Privacy Rule and legal duties imposed on data furnishers by FCRA.
Q: Does the Privacy Rule prevent our office from using debt collection agencies? Does the rule conflict with the Fair Debt Collection Practices Act?
A: The Privacy Rule permits chiropractors to continue to use the services of debt collection agencies. Debt collection is recognized as a payment activity within the “payment” definition. Through a business associate arrangement, the chiropractor may engage a debt collection agency to perform this function on its behalf. Disclosures to collection agencies under a business associate agreement are governed by other provisions of the rule, including consent (where consent is required) and the minimum necessary requirements.
We are not aware of any conflict between the Privacy Rule and the Fair Debt Collection Practices Act. Where a use or disclosure of PHI is necessary for the practice to fulfill a legal duty, the Privacy Rule would permit such use or disclosure as required by law.
Q: Are location information services of collection agencies, which are required under the Fair Debt Collection Practices Act, permitted under the Privacy Rule?
A: “Payment” is broadly defined as activities by health plans or health care providers to obtain premiums or obtain or provide reimbursements for the provision of health care. The activities specified are by way of example and are not intended to be an exclusive listing. Billing, claims management, collection activities and related data processing are expressly included in the definition of “payment.” Obtaining information about the location of the individual is a routine activity to facilitate the collection of amounts owed and the management of accounts receivable, and, therefore, would constitute a payment activity. The clinic and its business associate would also have to comply with any limitations placed on location information services by the Fair Debt Collection Practices Act.
It is the responsibility of Loehr Health Center to assign someone on the staff to serve as privacy official. The privacy official at our clinic may be the office manager or a chiropractic assistant, who will have other non-privacy related duties.
It is this clinic’s desire for this program to aid in the identification and correction of any actual or perceived violations of HIPAA regulations and patient privacy. In order to achieve this goal, this program imposes a duty upon all employees to report to designated individuals any actual or perceived violations. To make this possible in a professional and lawful manner, the clinic will treat any such report confidentially, to the maximum extent consistent with the fair and rigorous enforcement of the HIPAA Program. To this end, the clinic has set up a Privacy Official and a toll-free number through Integrity Management through which employees can report real or suspected non-compliance in a professional, and if necessary, anonymous way. Any suspected or actual misconduct should be reported first to the Privacy Official or, if you wish to remain anonymous, through Integrity Management at (800) 843-9162. The clinic has established Integrity Management as an independent party to which employees can report issues anonymously. Issues reported through this method must contain enough information for the clinic to conduct a thorough investigation of the alleged issues. Again, it is the clinic’s express policy that no adverse action or retribution will be taken by the clinic against any employee due to an employee’s good faith reporting of a suspected violation or irregularity.
Privacy Official Information
Because of the small size of the clinic, we have elected to appoint a Privacy Official from within the clinic. The Privacy Official is, and Privacy Officials in the future will be, a) knowledgeable of normal clinic standards and procedures; b) knowledgeable of the billing and collections procedure; and c) knowledgeable of the history of the clinic to the extent this person is available on the clinic staff; and d) knowledgeable of the policies and procedures of this clinic concerning HIPAA regulations and patient privacy.
Privacy Official Indemnity
The Privacy Official shall be indemnified and held harmless from any reporting, disciplinary or other activities conducted in a legal manner as part of the Privacy Official’s duties.
As with other clinic personnel, it is the clinic’s express policy that no adverse action or retribution will be taken by the clinic against the Privacy Official due to good faith reporting of a suspected violation or irregularity or as a result of actions proceeding from the Privacy Official’s duties.
The responsibilities of the Privacy Official are as follows:
Throughout this process, keep in mind that your approach should be flexible, scalable, and reasonable. Because technology, especially security technology, is changing so rapidly, the standard gives your organization the flexibility to choose its own technical solutions. You also want to be sure your approach is scalable so that it provides an economically feasible solution. Finally, ensure the policies and procedures you outline are reasonable and that your organization can assure compliance. Documenting policies and procedures your staff cannot (or does not) follow consistently creates liability for your organization.
Each violation or suspected violation reported to the Privacy Official or other compliance party shall be recorded on the enclosed violation form and shall be numbered, each form in consecutive numerical order, and become a permanent portion of the records section of this office.
Verification of Violation
Once a violation or suspected violation has been reported and a violation form has been filled out, the Privacy Official shall be responsible for conducting a fact-finding audit to the depth warranted by the severity of the alleged violation. The Privacy Official will further investigate the alleged violation and record the information with respect to the time, date, parties involved and duration (the extent of time over which the violation occurred or has been occurring). The Privacy Official will determine through written record review, interviews and other procedures as necessary whether the alleged violation has in fact occurred. Alleged violations that are found not to be violations shall be recorded as such on the violation form. All involved parties shall be notified of the non-violation and the reason for that finding, and the violation form shall be filed indicating a non-violation.
Actual Violations
When an alleged violation proves to be an actual violation of compliance, it will be handled in the following manner:
Breach Notification to Patients: Breaches are now presumed reportable to HHS, unless, after completing a risk analysis applying four factors, it is determined, that there is a “low probability of PHI compromise.” The following four factors are required by HIPAA to be taken into consideration as to whether there is a “low probability of PHI compromise”:
1) The nature and extent of the PHI involved – issues to be considered include the sensitivity of the information from a financial or clinical perspective and the likelihood the information can be re-identified;
2) The person who obtained the unauthorized access and whether that person has an independent obligation to protect the confidentiality of the information;
3) Whether the PHI was actually acquired or accessed, determined after conducting a forensic analysis; and
4) The extent to which the risk has been mitigated, such as by obtaining a signed confidentiality agreement from the recipient.
If, after considering these four factors, it is determined that there is a “low probability of PHI compromise,” then affected patients do not need to be notified of the breach. The risk assessment and its conclusion must be documented and retained, because the burden of proving that notification was not required rests with the clinic. Where the assessment does not demonstrate a low probability of compromise, affected patients must be notified without unreasonable delay and no later than 60 calendar days after the breach is discovered.
The clinic takes compliance very seriously and demands that all clinic employees comply with HIPAA regulations. Non-compliance will not be tolerated.
Disciplinary actions may include, but are not limited to:
All non-compliance will become part of the violations and discipline portion of the records section of this program.