Archive for HIPAA Q&A
Q. Our physician practice operates a satellite clinic. The practice does not use an electronic medical record. Charts are transported from the practice to a workforce member’s home at the end of the week. That person then transports the records to the satellite clinic Monday morning. Does this violate HIPAA? Also, who is responsible for the breach of patient PHI if someone steals the charts from a workforce member’s vehicle?
A. HIPAA does not prohibit transporting charts temporarily to a workforce member’s home. Medical practices that do so must reasonably ensure that charts are secured while they are en route and temporarily stored at the workforce member’s home. Ideally, store charts in a locking file cabinet or safe in the workforce member’s home.
Exercise the same care that is necessary when transporting laptop computers. Don’t leave charts in plain sight in an unattended vehicle. If it becomes necessary to leave the charts in an unattended vehicle, lock them in the trunk, or out of sight of passersby if there is no trunk. You must document these practices (transportation and remote storage of charts) in policy and enforce them.
If the charts are stolen, ultimately the practice is liable. The incident would be considered a breach of unsecured PHI, and the practice would be required to notify patients within a reasonable period of time and follow all requirements of the interim breach notification rule (45 CFR 164.400–164.414).
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question. He has more than 17 years of experience in information technology and specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.
I have a friend who is a Facebook friend of a nurse in a hospital in another state. This nurse posted a picture of herself posing with an athlete who had come to the organization for care.
The caption said something like “You were a great patient and even a better player.”
The first comment on her photo was “HIPAA VIOLATION.” Her response — “No, I didn’t say why this person was here.”
I think she still violated the rules – the patient’s name, face, hospital, approximate time of admission – all easily understandable from the post.
What do you think?
Q. The Code of Federal Regulations (CFR), specifically 45 CFR 160.103, defines PHI and individually identifiable health information.
Is the information described in the following scenarios considered PHI?
A hospital sends a patient a letter that includes the patient’s name and address, patient number, admission date, account balance, and the hospital’s name. Alternatively, the hospital sends a letter that includes the patient’s name and date of birth, patient number, date of service, medical record number, and the hospital’s name. If one of these letters is sent to someone other than the patient, is this considered a breach of PHI that requires patient notification?
A. Pursuant to 45 CFR 160.103, PHI is considered individually identifiable health information. A strict interpretation and an “on-the-face-of-it” reading would classify the patient name alone as PHI if it is in any way associated with the hospital. The CFR states that PHI includes demographic information received by a healthcare provider and relating to the provision of healthcare. If an individual’s name is associated with a hospital and the hospital provided healthcare, it is demographic information and is considered PHI.
The additional information confirms that the content of the letter is PHI even though the letter does not specifically mention the health condition of the patient. The regulation does not require a data set to include a certain number of identifiers to be considered PHI. It specifically states that if information identifies an individual, it is PHI.
The information included in the two example letters is clearly PHI. Sending the letter to the wrong individual would be considered a breach of unsecured PHI. After conducting a risk assessment to determine whether sending the letter to the wrong individual will cause harm to the affected patient, the hospital would be responsible for determining whether to notify patients. The hospital must document its actions regardless of whether the incident is a notifiable breach (45 CFR 164.400–164.414).
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question. He has more than 17 years of experience in information technology and specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.
Q. During a recent webinar, a presenter indicated disclosure of PHI to business associates needed to be included in the disclosure accounting log. Aren’t disclosures of PHI to business associates considered disclosure for healthcare operations purposes?
A. The disclosure of PHI to a business associate does not need to be included in the disclosure accounting log as long as the disclosure is related to treatment, payment, and healthcare operations. Disclosures of PHI to a business associate are not necessarily classified as disclosures only for healthcare operations. As an example, if a health plan discloses PHI to a third-party administrator, the disclosure would likely be for payment purposes. However, a valid business associate contract or other written arrangement (government entities) needs to be executed before any PHI is disclosed to business associates.
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question, which first appeared in the April Briefings on HIPAA. Apgar has more than 17 years of experience in information technology; he specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.
Q. I’m having problems with managed care companies requesting PHI for their Healthcare Effectiveness Data and Information Set (HEDIS) quality reviews. When I ask them for the individual’s signed enrollment agreement to ensure that disclosure is appropriate, some of them tell me this is covered in our Notice of Privacy Practices (NPP). This doesn’t seem correct to me. Our NPP tells patients how we use their PHI, not how the managed care company uses it. Is it okay to release this information to the managed care company without the patient’s authorization?
A. Your interpretation is correct; your NPP explains how your organization uses PHI, not how payers may use it. However, you are permitted to disclose PHI to other CEs (such as managed care companies) for their healthcare operations, which would include HEDIS quality reporting. You don’t need the patient’s authorization for this disclosure, as long as both of the CEs have a relationship with the patient.
Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, a nationally recognized expert on patient privacy, information security, and regulatory compliance, answered this question. She is associate executive director of Health Information Management (HIM) at Scott & White Healthcare in Temple, TX. Some of her publications were used as a basis for the Health Insurance Portability and Accountability Act of 1996 privacy regulations.