Archive for HIPAA privacy
Submit your HIPAA questions to Editor John Castelluccio at firstname.lastname@example.org and we will work with our experts to provide the information you need.
Q: Are HIPAA requirements different for college campus health centers than for larger facilities or private practices? For instance, would a college campus health center be permitted to disclose information about students who are patients to faculty members if the health center believed a student’s condition may affect his or her ability to come to class or complete assignments? What if the health center believed the student may be a danger to himself or herself, or to others?
A: Campus health centers are covered entities and must follow HIPAA. Information should not be shared with faculty without the patient’s written permission (this would not be a release for treatment, payment, or operations), although a note excusing a student from class or supporting an extension to a deadline (similar to a work note) would be appropriate (without details).
If there is an immediate concern that the patient is a danger to himself or herself, or to others, then there is a “duty to warn” exception that allows you to share information (again, minimum necessary). However, this would not include notifying the faculty unless the threat was against a faculty member. Even then, if your providers believe the threat is significant enough that faculty need to be notified, it would be appropriate to involve the police and to take whatever steps are indicated in your state to initiate a psychiatric hospitalization, either voluntary or involuntary.
Editor’s note: Chris Simons, MS, RHIA, director of health information and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.
Drug kingpin Stuart Seugasala was just convicted and sentenced on a string of federal charges that includes HIPAA violations in the course of running a violent drug trafficking ring in Alaska. Authorities said the trafficking ring imported and distributed illicit drugs, perpetrated armed home invasions, drive-by shootings, kidnappings, and sexual assaults.
The Alaska U.S. Attorney’s Office said it was the state’s first HIPAA conviction and one of only a few such cases nationwide.
Seugasala, 40, was sentenced May 15 to three life terms in prison following his conviction on drug trafficking and kidnapping charges earlier this year, but separate from that sentence was another 20 years for unauthorized access to medical records of two victims he hospitalized in 2013.
On March 13, 2013, Seugasala and his associates kidnapped, tortured, and sexually assaulted two men with a hot curling iron because one of the men owed them a large, past due debt on heroin, according to prosecutors. They said Seugasala ordered the rape to be videotaped so he could use the footage to intimidate other debtors.
One of the victims was so badly injured after three hours of torture that he was admitted to Providence Hospital in Anchorage. Two days later, Seugasala shot and wounded another man in an unrelated incident. That man also checked himself in to the hospital.
At that point, Seugasala contacted a friend who worked at the hospital–Stacy Laulu–and asked her via a text message to find out the extent of the men’s injuries and whether they were cooperating with police, prosecutors said.
They said Laulu, who was then employed as a financial counselor, accessed both men’s medical files and reported back to Seugasala, violating the men’s privacy rights.
According to prosecutors, Laulu’s husband, who was in jail on unrelated murder charges, was a close associate of Seugasala and the couple was receiving drug money from Seugasala.
Laulu was also convicted in January on the HIPAA felony violations and is scheduled for sentencing May 29. The maximum sentence is 10 years for each of those convictions. Three other members of the drug ring have also been sentenced or are due for sentencing in June.
A new healthcare bill aimed at accelerating the development of new clinical drugs and innovative treatments would allow federal regulators to relax portions of HIPAA privacy laws in the name of research, as well as penalize electronic health record vendors that fail to comply with standards for interoperability and safe information exchange. The proposed bill also allows penalties for vendors who engage in information blocking.
The 21st Century Cures Act was co-authored by U.S. Reps. Fred Upton (R-Mich.) and Diana DeGette (D-Colo.), who began work on the bill more than a year ago. They, along with three other co-sponsors, unveiled a draft of the bill April 30, which was then amended and presented to the House Committee on Energy and Commerce’s Subcommittee on Health. It passed by voice vote.
Among other things, the bill would allow HHS to revise or clarify provisions of the HIPAA Privacy Rule in regard to use and disclosure of patients’ PHI for the purposes of research.
The Privacy Rule currently allows hospitals and other healthcare providers to use PHI without authorization from their patients only for the purposes of treatment, billing, and internal healthcare operations; however, under the proposed law, those covered entities and their business associates would have unfettered access to those records to use in researching new drugs and treatments as well.
Proponents of the bill argue these changes, along with streamlining the regulatory process, will remove barriers to life-saving medical advancements. They also point to language in the bill that says PHI used in research would be fully protected under HIPAA Privacy, Security, and Breach Notification Rules.
There’s also consideration of seeking one-time authorization from patients to use their PHI in future medical research.
“The history of health innovation is remarkable,” Upton told colleagues during the subcommittee session. He chairs the House Committee on Energy and Commerce. “But the future is where I’ve set my sights. I’ve got my eye on 21st Century Cures. And I want to ensure that the laws, regulations, and resources governing the quest for better and faster treatments keep pace with scientific advances.”
“There is no cause more worthy, no challenge more urgent. We need 21st Century Cures, and we need them now,” he said. Upton also noted that of roughly 10,000 known diseases – most of them rare maladies – only 500 currently have treatments available.
“This bipartisan effort will take a broad look at the full arc of the process – from the discovery of clues in basic science, to streamlining the drug and device development process, to unleashing the power of digital medicine and social media at the treatment level,” said DeGette in a statement.
Subcommittee sessions were scheduled for May 19 and 20 for further deliberation on the bill.
Criminal attacks on the healthcare industry have increased 125% since 2010, making these attacks the leading cause of data breaches in the industry, according to the Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare, sponsored by ID Experts®. The goal of the study is to determine what organizations are doing to protect the privacy and security of PHI and what challenges they may face in doing so, according to Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.
The study reports on the responses of 90 covered entities (CE), and for the first time includes responses from 88 business associates (BA). The Ponemon Institute conducts as many as 20 separate interviews with each CE and BA involved in the study, Dr. Ponemon says.
Although criminal attacks have been highlighted in the annual study for five years, 2015 marks the first year that these attacks were listed as the top cause of data breaches. Nearly half (45%) of healthcare organizations surveyed listed criminal attacks as the top cause of data breaches, compared to 39% of BAs. Medical identity theft not only has financial repercussions, but has the potential to compromise the accuracy of patients’ records, which can ultimately harm the patient, says Rick Kam, CIPP/US, president and co-founder of ID Experts.
More than 90% of CEs surveyed experienced a data breach, and more than 40% experienced one within the last five years. More specifically, 65% of CEs said they experienced security incidents within the last two years involving the exposure, theft, or misuse of electronic information. The majority of respondents (96% of CEs and 95% of BAs) have experienced an incident involving lost or stolen devices. The study revealed that the average cost of a breach at a healthcare organization is more than $2.1 million, whereas the average cost for BAs is more than $1 million.
The Office of the National Coordinator (ONC) released the revised “Guide to Privacy and Security of Electronic Health Information” April 13 to help organizations integrate federal health information privacy and security requirements.
The guide is geared toward HIPAA covered entities and Medicare eligible professionals from smaller organizations. The updated version features information about compliance with the privacy and security requirements of CMS’ Electronic Health Record (EHR) Incentive Programs as well as compliance with HIPAA Privacy, Security, and Breach Notification Rules.
The guide covers such topics as:
- Increasing patient trust through privacy and security
- Provider responsibilities under HIPAA
- Health information rights of patients
- Security patient information in EHRs
- Meaningful Use core objectives that address privacy and security
- A seven-step approach for implementing a security management process
- Breach notification and HIPAA enforcement