HIPAA and HITECH Medical Privacy and Security Plans Necessary for Small to Medium Clinical Offices

Whether you are a physician, psychologist, or other clinical healthcare provider, it is a good idea to have a HIPAA and HITECH compliant privacy and security plan for your office or practice.

The confidentiality and privacy provisions of HIPAA/HITECH apply to “protected health information” (PHI), which is a subset of “individually identifiable health information” (IIHI).

  • “Health information” is: “Any information, whether oral or recorded in any form or medium, that: (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.”
  • IIHI means health information (including demographic information) that identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
  • PHI means individually identifiable health information that is: (1) except as provided in (2): (i) transmitted by electronic media; (ii) maintained in electronic media, or (iii) transmitted or maintained in any other form or medium (whether electronic or hardcopy).
  • Charts, faxes, mail, and e-mail are covered, and PHI also includes oral communication. PHI includes: name, address, telephone numbers, birthday, Medicaid ID number and other medical record numbers, social security numbers, and name of employer.
  • PHI excludes: (i) education records covered by the Family Educational Rights and Privacy Act (“FERPA”); (ii) certain treatment records under FERPA; and (iii) employment records held by a covered entity in its role as employer. PHI also does not include information from which the identity has been removed by removing, coding or otherwise eliminating or concealing all individually identifiable information.
  • Electronic PHI (also known as EPHI) means: information that comes within paragraphs (1)(i) or (1)(ii) of the definition of PHI.

Under HIPAA, the Privacy Rule and the Security Rule are designed to minimize the risk of intentional (unauthorized) or accidental release of PHI. Note that while the Privacy Rule pertains to all PHI (including both paper and electronic forms of PHI), the Security Rule deals specifically with electronic PHI.

Most small medical, psychological, chiropractic, and other practices simply have a Notice of Privacy Practices that they give to their patients. But this falls far short of satisfying the privacy and security obligations that most clinical practices have under either HIPAA and HITECH (federal law) or their state law counterparts (such as, in California, the Confidentiality of Medical Information Act (CMIA) and other statutes).

A compliant HIPAA plan involves many aspects, including:

  • Privacy Policies and Procedures. A Covered Entity must develop and implement written privacy policies and procedures that are consistent with HIPAA.
  • Privacy Personnel. A Covered Entity must designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the Covered Entity’s privacy practices.
  • Workforce Training and Management. Workforce members include employees, volunteers, and trainees, and may also include other persons whose conduct is under the direct control of the entity (whether or not they are paid by the entity). A Covered Entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions, and must have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures or HIPAA.
  • Mitigation. A Covered Entity must mitigate, to the extent practicable, any harmful effect it learns was caused by use or disclosure of protected health information by its workforce or its business associates in violation of its privacy policies and procedures or HIPAA.
  • Data Safeguards. A Covered Entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure. For example, such safeguards might include shredding documents containing protected health information before discarding them, securing medical records with lock and key or pass code, and limiting access to keys or pass codes.
  • Complaints. A Covered Entity must have procedures for individuals to complain about its compliance with its privacy policies and procedures and the Privacy Rule. The Covered Entity must explain those procedures in its privacy practices notice. Among other things, the Covered Entity must identify to whom individuals can submit complaints at the Covered Entity and advise that complaints also can be submitted to the Secretary of HHS.
  • No Retaliation and Waiver. A Covered Entity may not retaliate against a person for exercising rights provided by the Privacy Rule, for assisting in an investigation by HHS or another appropriate authority, or for opposing an act or practice that the person believes in good faith violates the Privacy Rule. A Covered Entity may not require an individual to waive any right under the Privacy Rule as a condition for obtaining treatment, payment, enrollment, or benefits eligibility.
  • Documentation and Record Retention. A Covered Entity must maintain, until six years after the later of the date of their creation or last effective date, its privacy policies and procedures, its privacy practices notices, disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented.

According to the article “Physician practices step up data security budgets”:

Most health care organizations, including physician practices, have increased their privacy and security budgets during the past five years and are conducting risk assessments more frequently, according to a new survey from the Healthcare Information and Management Systems Society.

… 64% of health care organizations conduct an annual risk analysis of patient data security.

… The survey found that 77% of the organizations conduct a formal risk analysis to evaluate ways in which patient data might be put at risk. Although this number was consistent with survey results from 2008, which showed that 78% conducted a risk analysis, the frequency at which they are conducted has increased. Sixty-four percent conduct them on an annual basis, up from 54% that said they did them annually in 2008.

Not only are these security assessments required under federal regulations, including the new requirements for the Health Insurance Portability and Accountability Act that went into effect under the Health Information Technology for Economic and Clinical Health Act of 2009, but they also are necessary given the change to the health care landscape, Tennant said. Because more of medicine has gone mobile, there are more places where data are stored, and from where they potentially can be lost.

If you need a HIPAA compliant privacy and security plan, do not rely on forms you download off the Internet. Contact an experienced HIPAA legal team to help you develop HIPAA compliance customized to your practice. Be sure your HIPAA plan accounts for HITECH, as well as state privacy and confidentiality legal rules.

Michael H Cohen Healthcare & FDA Lawyers