Archive for September, 2009
HHS has posted links for online forms for covered entities to report breaches.
HHS asks providers to review the instructions for submitting breach notifications. Only covered entities may submit notification using this form.
Q: A patient admitted to the hospital has a close family member who is a physician with privileges at the same hospital. This physician is not involved in the patient’s care, but the patient has given permission for this physician to see his medical information. May the physician access the information electronically (i.e. via the hospital computer system)? Or is this a breach because he is not the attending physician? Must he contact the attending physician to access the information?
A: Competent adult patients may authorize release of their information to anyone they choose. If you have written authorization from the patient to release information to this physician, permission from the attending physician is not necessary. You may allow the physician to access the record electronically if the patient has authorized the physician to review his complete record. If the patient has limited the information that may be disclosed to the physician, paper copies of the information should be provided to meet minimum necessary requirements.
Andrew E. Blustein, Esq., responded quickly when asked what he came away with after talking to providers at last week’s 17th annual HIPAA Summit at the Wardman Park Hotel in Washington, DC.
“People are shell-shocked,” says Blustein, partner and co-chair of Garfunkel Wild & Travis, PC’s Health Information and Technology Group in Great Neck, NY, and Hackensack, NJ.
Blustein and David A. Mebane, Esq., senior vice president for legal affairs at Saint Barnabas Health Care System in West Orange, NJ, teamed to present on breach notification at the event.
HHS released its interim final rule on breach notification August 24, calling for greater—and swifter—notification requirements when there is a breach of unsecure PHI.
It’s one requirement among many in the HITECH Act that has providers worrying about compliance. The HITECH Act, signed into law February 17, 2009, calls for increased HIPAA enforcement, stiffer monetary penalties for privacy and security violations, and more patient rights on their medical records.
“I think that people are just a little overwhelmed,” Blustein says.
Providers have a tough enough time complying with HIPAA’s Administrative Simplification Act, Blustein says.
“They’re very complicated,” he says. “They’re like a puzzle.”
Times have changed at the HIPAA Summit. In the days shortly after the HIPAA law passed in 1996, providers buzzed at the conference and showed some spark about compliance.
“People were excited,” Blustein says. “They were getting amped up about things like ‘minimum necessary.’”
Today, Blustein says they feel like Roberto Duran in his 1980 WBC welterweight title fight against Sugar Ray Leonard. Duran quit in the middle of Round 8, reportedly saying, “no mas,” Spanish for “no more.”
“People are saying there are so many hospital regulations flying at us, and they’re saying, ‘no mas,’” Blustein says. “How much more can we get? And more’s coming.”
Kate Borten, CISSP, CISM, president, The Marblehead Group, in Marblehead, MA, also feels from her time at the HIPAA Summit that providers are just not ready.
Fellow speaker J. David Kirby, president of Kirby Information Management Consulting, LLC, made the great point that “most healthcare still takes place in small practices,” Borten says.
“From my work and personal experience and anecdote, the small providers are woefully out of compliance (not sure it’s willful though),” Borten wrote in an e-mail to HIPAA Update. “And I bet few of them are even aware of these new regulations. … When [covered entities] and [business associates] still believe in 2009 that a patient name alone, without a dx code, is not PHI, it’s pretty scary.”
Q. Are hospice and home health staff members permitted to review records of residents referred to them by a covered entity’s administrative staff to determine whether the residents qualify for hospice and home health services?
A. Yes, as long as the hospice and home health staff members are internal to the covered entity, and they don’t use the resident records for marketing purposes prohibited by the HIPAA privacy rule. This type of review would fall under healthcare operations because its purpose is to determine eligibility for services rather than providing treatment.
Editor’s note: Chris Apgar, CISSP, answered this question. This is not legal advice. Consult your attorney regarding legal matters.
The interim final rule on breach notification took effect Wednesday, September 23.
HHS enforcement of this rule won’t begin until February 22, 2010, but naturally you should be ready to comply in case of a breach.
Go to our No. 1 HIPAA Update post as of presstime, “HHS finalizes breach notification guidelines, defines unsecure PHI,” for compliance tips and important information on the rule.