Archive for HIPAA privacy
In light of the recent Ebola outbreak in the U.S., the Office for Civil Rights (OCR) released new guidance November 10 regarding the release of PHI in emergency situations.
According to OCR, covered entities (CE) and business associates should adhere to the HIPAA Privacy Rule standards when releasing PHI for treatment, to protect the nation’s public health, and for other critical purposes. CEs may disclose PHI without the patient’s consent for the following reasons:
- To treat the patient or another patient, which includes coordination and management of care and services by one or more healthcare providers and others, consultation between providers, and referrals
- To grant public health authorities (e.g., the Centers for Disease Control and Prevention) access to PHI that is critical to carrying out their public health mission
- To provide information for the patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care
- As necessary to identify or locate a patient and notify his or her family, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death
- To prevent or lessen a serious and imminent threat to the health and safety of a person or the public
In addition, the HIPAA Privacy Rule permits the release of limited facility directory information if the patient has not objected to or restricted the release of such information. If the patient is incapacitated, CEs may disclose this information if it is believed to be in the best interest of the patient and is consistent with any prior preferences of the patient, according to OCR.
In most instances, CEs must make an effort to adhere to minimum necessary requirements by disclosing only the information necessary to care for the patient, except when providing patient information to healthcare providers. BAs may disclose the minimum necessary information when authorized to do so by a CE or BA to the extent outlined in a BA agreement, according to OCR.
CEs must implement reasonable safeguards to protect PHI against impermissible uses and disclosures and must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule for ePHI, according to OCR.
Submit your HIPAA questions to Editor Jaclyn Fitzgerald at firstname.lastname@example.org and we will work with our experts to provide the information you need.
Q: Are there any penalties for sending an unencrypted email containing PHI to the intended recipient? Would this just be a violation of the CE’s policy and not a privacy breach under HITECH?
A: HIPAA and HITECH tell us that every CE must perform a documented risk assessment (preferably annually) to determine the level of risk and how it will handle various privacy and security issues. (For more guidance visit www.hhs.gov/news/press/2014pres/03/20140328a.html.)
You should consider and document the risk of sending unencrypted PHI to patients via email in your risk assessment. More and more CEs are deciding that sending unencrypted emails to patients is not worth the risk it poses.
In addition to the security risk, there is the chance that the patient may email you in an emergency, and you may fail to respond in a timely way. There is also the possibility that email can be forwarded, copied, or altered. Email also presents retention issues as providers will not always print the email exchange for the actual patient record. Fortunately, many organizations are implementing patient portals that not only have encrypted messaging functionality but also retain the exchange in the record.
Editor’s note: Chris Simons, MS, RHIA, the director of HIM and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.
Nebraska Medical Center in Omaha recently fired two workers for inappropriately accessing the medical records of an American aid worker being treated for Ebola at the facility, according to the Associated Press.
An audit of the medical center’s EMR revealed that the employees violated Dr. Rick Sacra’s privacy by accessing his records without authorization. The medical center notified Sacra of the HIPAA privacy violation in person and in writing. He contracted Ebola while working in Africa and spent three weeks at Nebraska Medical Center where he was treated with an experimental Tekmira Pharmaceuticals drug called TKM-Ebola and later released. The medical center did not reveal why the employees accessed Sacra’s records, the Associated Press reported.
Q: Within the pharmacy dispensing system at the facility where I am employed, we can enter free-form notes for certain records such as a patient record, prescription records, and physician records. The notes entered in the patient record are customer-service focused and not related to treatment or payment. Would these notes be considered PHI? Would there be a retention requirement concerning these notes?
A: If these notes contain patient-identifiable information, they would be considered PHI and must be protected from unauthorized use or disclosure under the HIPAA Privacy Rule. However, the Privacy Rule does not establish record retention requirements. Instead, state law/regulation establishes retention requirements for medical records and some other records.
Check your state law to see if there are any retention requirements for information in pharmacy dispensing systems. Your state board of pharmacy may be a good resource. Search for “(state name) State Board of Pharmacy” in your web browser for more information (e.g., Texas State Board of Pharmacy).
Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of health information for Baylor Scott & White Health in Temple, Texas, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.
HHS recently released guidance about HIPAA regulations affected by the Supreme Court’s 2013 United States v. Windsor ruling that found Section 3 of the federal Defense of Marriage Act (DOMA) unconstitutional. Section 3 of DOMA states that federal law would only recognize opposite-sex marriage.
The HIPAA Privacy Rule includes information about the role of family members in patient care. Section 45 CFR 160.10 of the rule includes the terms “spouse” and “marriage” under the definition of family member.
To maintain consistency with the United States v. Windsor ruling, the term spouse includes people in a legally valid same-sex marriage sanctioned by a state, territory, or foreign jurisdiction. However, same-sex marriages performed in a foreign jurisdiction must be recognized in the United States for a patient’s partner to be recognized as a spouse under HIPAA.
Similarly, the HIPAA Privacy Rule recognizes marriage between same-sex and opposite-sex couples and defines a family member as a dependent of a marriage. These definitions apply to people who are legally married whether the jurisdiction where they reside recognizes the marriage or not.
Under §164.510(b), Standard: Uses and disclosures for involvement in the individual’s care and notification purposes, covered entities are permitted under certain circumstances to share PHI with a patient’s family member. Legally married same-sex couples are family members for the purpose of this provision regardless of where they reside.
The definition of family member also applies to §164.502(a)(5)(i), Use and disclosure of genetic information for underwriting purposes, which prohibits health plans with the exception of issuers of long-term care policies from using or disclosing genetic information for underwriting purposes. Plans are not permitted to make underwriting decisions about a patient based on his or her same-sex spouse’s genetic test results or manifestation of disease.