Required Disclosures: There are only two situations where covered entities are required to disclose protected health information.
- To individuals who are requesting access to their protected health information, or to an accounting of disclosures of their protected health information. No authorization is needed to release protected health information to the person who is the subject of that information. However, many medical offices ask patients to sign a release of information form. It is not unreasonable to request that patients complete such a form as part of the record of releasing medical records, but this cannot be a barrier to making the information available within a reasonable period, e.g., within 30 days from the date of the request. In recent years, the Office for Civil Rights of the U.S. Department of Health and Human Services has fined dozens of covered entities for failing to make copies of medical records available to patients in a timely manner. Some patients have even been told that HIPAA doesn’t allow the office to give the patient a copy of his/her record!
- To HHS when it is conducting an investigation or review or enforcement action.
Permitted Disclosures: Covered entities are permitted, but not required, to disclose protected health information in the following situations.
- For Treatment, Payment, and Healthcare Operations, for instance when a patient is being referred to another provider for evaluation or treatment;
- When there is an opportunity to agree or object to the disclosure, for instance when a provider is asking the patient for verbal permission to disclose protected health information to a family member;
- Incidental disclosures that occur alongside an otherwise permitted use or disclosure, as long as the information disclosed is limited to the minimum necessary;
- When there is a Public Interest or Public Benefit activity, such as reporting child or elder abuse, responding to a court order, or where there is a serious threat to health or safety;
- As part of Limited Data Sets for research purposes where direct identifiers of individuals and any relatives have been removed.
What is the Minimum Necessary Standard?
Another important principle of the HIPAA rules concerning patient privacy is the Minimum Necessary standard. The Minimum Necessary standard requires covered entities to disclose only the minimum amount of protected health information to accomplish the purpose of the use, disclosure, or request. This is an excellent example of the expectation that staff members of covered entities will use judgment in determining how to comply with HIPAA rules. For instance, a provider who discloses a patient’s entire medical record when the request is only for a copy of recent lab work is violating the Minimum Necessary standard.
This standard applies to workforce members who may have access to an entire electronic medical record. For instance, a staff member who must access a patient record for information necessary to complete a claim form does not necessarily need to review all the previous encounters with the patient in your medical office.
Another element of the Minimum Necessary standard is controlling access of users. You, as a covered entity, must develop policies and procedures that limit access and use of protected health information based on a user’s role in the organization. In small medical offices, there may be only minor differences in access to PHI. But especially in practices with electronic health record systems, individual user credentials (user name and password), are mandatory.
👉 Examples of acting within the Minimum Necessary standard:
- It’s okay to have paper charts in racks on the wall outside of exam rooms, provided patients or other persons are not free to wander the corridors where the exam rooms are located. It is also a good idea to turn the name on the chart towards the wall.
- Make sure computers/terminals in exam rooms are set to automatic screen saver display after a short delay, e.g., 30 seconds or less, to make sure patients waiting for a provider do not get curious about what other information may be available to them when no one is in attendance.
- Use sign-in sheets with removable name strips to minimize the amount of information about other patients at the reception desk.
- Don’t start asking the patient about the reason for their visit before they are even out of the waiting room.
There are several circumstances where the minimum necessary standard does not apply. For instance, it does not apply to disclosures to the patient who is the subject of the information, to disclosures made pursuant to an authorization, or to other disclosures required under the HIPAA Administrative Simplification rules.
When is Authorization Required for the Disclosure of PHI?
Covered entities are required to get authorization from the patient when they are going to disclose protected health information for a purpose other than treatment, payment, or healthcare operations, and the disclosure is not otherwise required or permitted by the HIPAA Privacy Rule.
There is no required format for authorizations, but they must contain specific information about the PHI to be disclosed or used. Specific elements include:
- The person disclosing or receiving the PHI;
- The expiration date of the authorization;
- The right to revoke the authorization;
- The signature of the person signing the authorization; and
- The date of the signature.
Is Authorization Required for Marketing to patients?
The HIPAA Privacy Rule does not require an authorization from patients for certain provider marketing activities:
- For face-to-face communications by a provider regarding health-related products or services offered by the provider.
- For communications about treatment options for an individual.
There are other exceptions to the requirement for an individual’s authorization for marketing activities by a group health plan.
The HIPAA Privacy Rule does require an individual’s authorization for certain provider marketing activities:
- For marketing arrangements between a covered entity and another entity when the provider discloses protected health information to the other entity and is compensated, directly or indirectly, by the other entity. For instance, suppose a physician practice wants to make PHI about a newborn available to a company selling baby formula and be compensated for the information. The physician practice would have to obtain authorization for such disclosures and disclose the existence of a financial arrangement on the authorization form.
What is a Notice of Privacy Practices?
Every covered entity (with some exceptions) is required to provide a notice of privacy practices to its patients/members. The notice of privacy practices (NPP) must describe the ways the covered entity may use and disclose protected health information. The notice of privacy practices must also state the covered entity’s duties to protect PHI, its duty to provide the notice of privacy practices, and to abide by the terms of the current notice.
There are also several Privacy Rule provisions on the distribution of the notice of privacy practices (NPP).
- The NPP must be delivered no later than the first service encounter with the patient. It can be delivered in person, by contemporaneous electronic delivery, or by mail.
- The covered entity’s NPP must be posted at each service delivery location in a prominent place, e.g., not in the employee break room!
- In an emergency, the NPP can be furnished as soon as practicable after the emergency abates.
- A copy of the NPP must be furnished to anyone upon request.
A covered healthcare provider must make a good faith attempt to obtain a written acknowledgment of receipt of the NPP from each individual with whom it has a direct treatment relationship. While there is no specified format for the acknowledgment, there is a requirement to document the reason for failing to get an acknowledgment. This is a requirement more honored in the breach these days!
There are simplified (but complete) model NPPs available in both English and Spanish from HHS on their website.
What Sort of Training Does the HIPAA Privacy Rule Require?
Workforce training is an important part of an overall HIPAA compliance program. Workforce members are any individuals whose conduct is under the direct control of a covered entity. A workforce member does not need to be compensated by the covered entity to meet this definition of being a workforce member. Employees/owners, volunteers, and trainees are all staff members who need proper training in the HIPAA policies and procedures of the organization.
Beyond the HIPAA training requirement is a requirement to have a policy on sanctions for workforce members who violate HIPAA Privacy policies and procedures. HIPAA compliance is not a no-harm, no-foul situation. For instance, covered entities have been sanctioned by the Office for Civil Rights of the U.S. Department of Health and Human Services for things like failing to bring their firewall back up after doing system maintenance. There was no evidence that any PHI had been subject to an unauthorized disclosure, but they were fined anyway for not protecting the privacy of the protected health information. The message is that when a workforce member at a covered entity accesses PHI without a valid business reason, sanctions are still in order even if the PHI is not further disclosed beyond the employee.
What Does the Breach Notification Rule Require You to Do?
The HIPAA Breach Notification Rule was proposed in 2009 and finalized in 2013. It set forth a lot of requirements for covered entities as part of a response to HIPAA violations and HIPAA complaints. Under the current HIPAA breach regulations, a breach is considered the use or disclosure of PHI that involves a risk of financial, reputational, or other harm to the patient. Every covered entity needs policies and procedures that cover the organization’s response to a potential unauthorized person receiving someone else’s PHI. See extended discussions about definitions, risk assessments, notifications, and penalties for help in developing your HIPAA-compliant policies and procedures related to breaches.
And don’t forget about breaches by business associates. Your business associate agreements should specify that the business associate has primary responsibility for mitigating the consequences of any breach, including breach notification to affected individuals and government agencies. Business associates are responsible for a disproportionate share of the breaches involving large volumes of PHI, so the responsibility for notifications must be clear in the business associate contract.
What are Other HIPAA Administrative Simplification Requirements?
There are still more requirements to address as part of your HIPAA compliance program:
- Privacy Policies and procedures on complaints, amendments to medical records and documentation, and record retention of HIPAA compliance program activities;
- Appointment of a Privacy Officer, and
- Mitigation of unauthorized disclosures of PHI.
What are the Requirements of the HIPAA Security Rule?
The HIPAA Security Rule is mainly concerned with data safeguards, including technical safeguards, physical safeguards, and administrative safeguards, to protect health information maintained in electronic form (ePHI). These safeguards also provide guidance on a HIPAA Security Risk Assessment.
The HIPAA Security Rule applies to the same types of Covered Entities as the HIPAA Privacy Rule. The main caveat is that they must also be engaging in creating, maintaining or transmitting protected health information in electronic form. All medical offices utilizing an electronic health records system, even one that resides in the cloud, will have to include policies and procedures for compliance with the HIPAA Security Rule as part of its HIPAA compliance program.
Each data safeguard category (technical, physical, and administrative) contains a mixture of required implementation specifications and addressable implementation specifications, for a total of 30 implementation specifications. Please keep in mind that “addressable” does not mean optional! A covered entity may choose not to implement an addressable technical, physical or administrative safeguard. But it must then document why it is choosing not to implement it, and describe its alternative method for achieving the intent of the implementation specification.
What are the HIPAA Security Rule Technical Safeguards?
The HIPAA Security Rule Technical Safeguards are a mix of technology and policies and procedures that covered entities use to protect the privacy of protected health information and control access to it. Like the physical and administrative safeguards, the technical safeguards are broken down into implementation specifications; there are seven of them. Two of the implementation specifications are required; the other five are addressable. Two of the technical safeguard standards have no implementation specifications but are still required.
The technical safeguard standards and their implementation specifications include:
- Access Controls: The Access Controls standard includes four implementation specifications; two are required and two are addressable.
  - Unique User Identification (required): The user identifier must enable the covered entity to track the activity of a specific user while that user is logged into an information system.
  - Emergency Access Procedure (required): A covered entity must implement policies and procedures that document the instructions and operational practices for obtaining access to necessary electronic protected health information during an emergency.
  - Automatic Logoff (addressable): The procedure should provide for automatic logoff of a user after a predetermined period of inactivity. Although it is not required, a covered entity that does not implement it must explain why and what alternative it will use to achieve the same result.
  - Encryption and Decryption (addressable): At a minimum, covered entities should encrypt ePHI in transit. But they should also strongly consider encrypting ePHI at rest on flash drives, local computer hard drives, and mobile devices.
- Mechanism to Authenticate Electronic Protected Health Information (addressable): Covered entities must implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
- Integrity Controls (addressable): Integrity Controls require covered entities to ensure that the data sent is the data received. More formally, this specification requires security measures to ensure that ePHI is not improperly modified without detection during electronic transmission.
- Encryption (addressable): This implementation specification requires a covered entity to ensure its risk analysis process covers how it transmits ePHI electronically, and to decide how it will protect the ePHI from unauthorized access. If the security risk assessment shows there is a reasonable chance of unauthorized access, then some form of encryption must be employed.
What are the HIPAA Security Rule Physical Safeguards?
Physical safeguards refer to physical measures, policies, and procedures that directly address limiting access to ePHI except for those who are specifically authorized. This portion of the HIPAA security rules includes four standards that your medical office needs to address, including:
- Facility Access Controls: This standard includes four addressable implementation specifications.
  - Contingency Operations (addressable): A covered entity must have policies and procedures for responding to a disaster or other emergency where all or part of its system containing ePHI is down or malfunctioning.
  - Facility Security Plan (addressable): The facility security plan is where covered entities spell out and implement the details of the security measures in place to ensure that only authorized individuals have physical access to ePHI.
  - Access Control and Validation Procedures (addressable): These are step-by-step procedures to ensure that each person’s access to protected information is strictly limited according to their role or function within the organization.
  - Maintenance Records (addressable): Maintenance records for hardware and software create a paper trail of proper upkeep and a window into specifically what was done, when it was done, and who did it.
- Disposal (required): Covered entities are required to develop and implement policies and procedures for the disposal of electronic media and hardware containing ePHI.
- Media Re-use (required): When digital media containing ePHI will be reused, covered entities must have policies and procedures addressing how this re-use may occur. For instance, will all information on the media be deleted prior to using it to hold new ePHI? And watch out for devices like copiers and fax machines (yes, some people still use them!). Copy machines turned in at the end of a lease have been known to retain copies of medical records containing PHI in memory. This could constitute a large breach of PHI – even if no one ever printed out copies of the information.
- Accountability (addressable): Accountability addresses the need to know where hardware and electronic media that access ePHI are at any given time. This includes whether the hardware or electronic media has been relocated from one secure area to another.
- Data Backup and Storage (addressable): This implementation specification requires that an exact copy of the housed ePHI be made before hardware or electronic media is moved, to provide for recovery of the data in the event of damage to the hardware containing the operating copy of the database holding the ePHI.
What are the HIPAA Security Rule Administrative Standards?
The longest list of Security Rule requirements is the list of Administrative Standards. There are nine major categories of Administrative Safeguards. The Administrative Safeguards are the administrative activities that your medical office should undertake to secure ePHI. These safeguards contain 10 required implementation specifications and 11 addressable implementation specifications.
- Security Management Process: The first Administrative Standard includes four required implementation specifications.
  - Security Risk Assessment (required): This assessment (or analysis) should cover several areas, including
    - an inventory of hardware and software applications containing ePHI;
    - a threat assessment covering natural threats like fire or flooding, and human threats like internal or external actors; and
    - an evaluation of the risks (low, medium, or high) posed by the identified threats.

    A HIPAA Security risk assessment is not a one-time activity. A security risk assessment should be updated whenever there is a material change to the software containing ePHI, or to the natural threats at the location of the hardware. The lack of a current or reasonably complete security risk assessment is one of the most frequent findings when the Office for Civil Rights comes to investigate HIPAA violations.
  - Risk Management (required): Risk management is the process used to identify security measures to reduce risk. A covered entity must reduce risk to a reasonable and appropriate level based on the organization’s circumstances. Circumstances that determine what is reasonable include the size, complexity, and capabilities of the organization.
  - Sanction Policy (required): The third implementation specification is having a sanction policy. Sanction policies and procedures should provide examples of potential violations of the HIPAA privacy and security rules, and should scale the disciplinary action to the severity of the violation. For example, falsifying medical record entries is typically a termination offense, as is using PHI for personal gain.
  - Information System Activity Review (required): Under the fourth implementation specification, each covered entity must implement procedures to regularly review records of information system activity. These records include audit logs, access reports, and security incident tracking reports. Policies and procedures should address the type and frequency of review.
- Authorization and/or Supervision (addressable): Covered entities are required to consider access control policies and procedures that provide for the authorization and/or supervision of workforce members who work with ePHI.
- Workforce Clearance Procedure (addressable): A covered entity should have procedures to ensure that all workforce members with access to ePHI are authorized to have that access.
- Termination Procedures (addressable): A covered entity must implement procedures to remove access privileges when a workforce member no longer needs access.
- Isolating Health Care Clearinghouse Functions (addressable): A clearinghouse maintaining ePHI must use security measures to keep that information secure from persons who perform duties in other business units of the corporation.
- Access Authorization (addressable): This standard requires covered entities to implement policies and procedures for granting access to ePHI through specific methods. These might include access via workstations, or access to specific programs.
- Access Establishment and Modification (addressable): This standard requires a covered entity to implement and manage the creation and modification of access privileges to workstations or programs.
- Security Reminders (addressable): This implementation specification requires periodic information security updates to the workforce.
- Protection from Malicious Software (addressable): This implementation specification requires procedures for guarding against, detecting, and reporting malicious software.
- Log-in Monitoring (addressable): Another component of security awareness training is monitoring attempts to log in or otherwise gain access to electronic protected health information. Excessive log-in attempts can represent attacks from outside the covered entity, or even workforce members trying to access records without a valid business reason.
- Password Management (addressable): A covered entity should have procedures for creating, changing, and safeguarding passwords.
- Response and Reporting (required): A covered entity must identify and respond to suspected or known security incidents. It should mitigate harmful effects and document the incidents and their outcomes.
- Data Backup Plan (required): This implementation specification requires a covered entity to establish and implement procedures to create and maintain exact copies of electronic protected health information.
- Disaster Recovery Plan (required): This element of HIPAA compliance should address which data is to be restored, and copies should be available at more than one location.
- Emergency Mode Operations Plan (required): A covered entity must incorporate plans for operating in an emergency into its written security policies.
- Testing and Revision Procedures (addressable): It is important to document all processes for restoring patient health information from backups and to test the actual process of completing a restoration.
- Application and Data Criticality Analysis (addressable): Each covered entity should identify the software applications that are important to patient care or business needs, for priority restoration in a disaster.
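As an added illustration of the Information System Activity Review and Log-in Monitoring specifications above (and of why Unique User Identification matters), here is a small review script over constructed EHR audit log lines. It is example code written for this page, not a real EHR's export format or any vendor's tool; the tab-separated log layout, the user and patient identifiers, and the care-team assignment table are all assumptions.

```python
"""Audit log review for two patterns a HIPAA activity review looks for:
bursts of failed log-ins per user account, and successful record views
by a workforce member with no assigned role for that patient."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log, one event per line, tab-separated:
#   <ISO timestamp>  <user id>  <event>  <patient id or ->  <outcome>
SAMPLE_LOG = """\
2024-03-04T08:00:12\tjdoe\tLOGIN\t-\tSUCCESS
2024-03-04T08:01:03\tjdoe\tVIEW_RECORD\tP1001\tSUCCESS
2024-03-04T08:02:40\tjdoe\tVIEW_RECORD\tP1002\tSUCCESS
2024-03-04T09:10:00\tunknown\tLOGIN\t-\tFAILURE
2024-03-04T09:10:05\tunknown\tLOGIN\t-\tFAILURE
2024-03-04T09:10:09\tunknown\tLOGIN\t-\tFAILURE
2024-03-04T09:10:14\tunknown\tLOGIN\t-\tFAILURE
2024-03-04T09:10:20\tunknown\tLOGIN\t-\tFAILURE
2024-03-04T11:30:00\tbsmith\tLOGIN\t-\tSUCCESS
2024-03-04T11:31:15\tbsmith\tVIEW_RECORD\tP1003\tSUCCESS
2024-03-04T11:45:09\tbsmith\tVIEW_RECORD\tP1001\tSUCCESS
2024-03-04T13:00:00\tjdoe\tLOGIN\t-\tFAILURE
2024-03-04T17:30:00\tjdoe\tLOGIN\t-\tFAILURE
"""

# Constructed assignment table: which users have a treatment, payment or
# operations reason to open which patient's record (role-based access).
CARE_TEAM = {"P1001": {"jdoe"}, "P1002": {"jdoe"}, "P1003": {"bsmith"}}


def parse_events(text):
    """Parse the raw log into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, patient, outcome = line.split("\t")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "outcome": outcome,
                       "patient": None if patient == "-" else patient})
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {user: failures} for accounts whose failed LOGIN count inside
    any sliding window of length `window` reaches `threshold`."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN" and e["outcome"] == "FAILURE":
            by_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide window start
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(count, flagged.get(user, 0))
    return flagged


def unassigned_record_access(events, care_team):
    """Return (user, patient, timestamp) for successful record views by a
    user who is not on that patient's care team: access with no evident
    business reason, which the review should escalate, not ignore."""
    hits = []
    for e in events:
        if e["event"] == "VIEW_RECORD" and e["outcome"] == "SUCCESS":
            if e["user"] not in care_team.get(e["patient"], set()):
                hits.append((e["user"], e["patient"], e["ts"].isoformat()))
    return hits


def review(text, care_team=CARE_TEAM):
    """Run both checks and return the findings for the review record."""
    events = parse_events(text)
    return {"login_bursts": failed_login_bursts(events),
            "unassigned_access": unassigned_record_access(events, care_team)}


if __name__ == "__main__":
    for finding, detail in review(SAMPLE_LOG).items():
        print(finding, detail)
```

The two spaced-out failures on jdoe's account are not flagged, while the five rapid failures on "unknown" and bsmith's view of a patient outside her assignments are; the findings and their disposition are what the review procedure should document.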
10 Tips to Help Your Medical Office to Make Progress on a HIPAA Compliance Program Today
Navigating the intricate landscape of HIPAA compliance in a medical office setting may sometimes seem like a daunting task. And using a cloud-based electronic health record and/or billing service does not mean you are automatically in compliance. Failure to comply with HIPAA regulations not only jeopardizes the security and privacy of your patients but can also result in hefty penalties or sanctions. And it can also land you on the “HIPAA Wall of Shame” causing reputational damage to your practice.
The following tips can serve as a strategic roadmap to guide you through the essential steps for achieving and maintaining HIPAA compliance. From initial checklists and risk assessments to staff training and regular audits, these actionable items will help you build an effective compliance program, minimize vulnerabilities, and foster a culture of compliance. Whether you’re starting from scratch or looking to fine-tune your existing processes, these tips offer practical advice for enhancing your compliance efforts.
- Download our HIPAA Compliance Checklist: Our HIPAA Compliance Checklist can be downloaded for free. You may come away still feeling overwhelmed, but this could be a helpful first step to identifying gaps in your existing system.
- Conduct a Security Risk Assessment: Don’t wait for an audit or an incident. Knowing your vulnerabilities can help you prioritize your compliance activities.
- Train Your Staff: Make sure that everyone who has access to ePHI is trained on the HIPAA Privacy and Security standards and understands the importance of adhering to them.
- Review Business Associate Agreements: Make sure all third-party vendors are also compliant, as you are responsible for any breaches on their end. If you don’t have your own template, download our Business Associate Agreement. It’s a free, up-to-date PDF fillable form that you can use over and over again.
- Set Up Regular Audits: Periodic checks can help ensure that you remain compliant over time and adapt to any changes in law or technology.
- Start Small, But Start: Even if the list seems overwhelming, taking even small steps toward compliance can make a significant impact in the long term.
- Consult with Experts: Given the complexity and the potential legal repercussions, consider consulting with experts who specialize in healthcare and HIPAA compliance (like The Fox Group!).
- Document Everything: Documentation can be your best friend in the event of an audit or legal proceedings.
- Stay Updated: Regulations can change. Make sure you stay updated on any changes to HIPAA or healthcare laws that could affect your practice.
- Establish a Compliance Team: Depending on the size of your organization, a dedicated team can focus on ensuring ongoing compliance, training, and evaluation. At a minimum, you need a Privacy Officer and an Information Security Officer.