Archive for HIPAA privacy
The HIPAA Omnibus Rule changed the breach notification process by introducing a four-factor risk assessment process and requiring covered entities (CE) and business associates (BA) to demonstrate whether the probability that PHI was compromised is low. In response, the Workgroup for Electronic Data Interchange (WEDI) recently released an issue brief that provides breach notification guidance.
The issue brief describes the following processes for establishing probability and requirements for notification:
- Determine whether the data is PHI. If it is not PHI, further breach notification action is not required.
- Determine whether the data is unsecured PHI. No further action is required if the PHI is secured and the organization can document that the method for securing PHI was enabled at the time of the breach. If the breach involved unsecured PHI, proceed to the next step.
- Determine and document whether the incident falls within one of the breach notification exceptions, in which case breach notification is not necessary. If the disclosure does not fall within an exception, proceed to the next step. The exceptions include the following:
  - Unintentional access to PHI in good faith while performing a job that does not result in further impermissible use or disclosure of PHI.
  - Unintentional disclosure of PHI by a CE or BA authorized to access PHI to another person authorized to access PHI at the same CE, BA, or affiliated organized healthcare arrangement.
  - When PHI is improperly disclosed, but the CE or BA thinks that the recipient is unable to retain the information.
An organization that immediately decides to proceed with notification does not need to perform the four-factor risk assessment process. Otherwise, the process is required after a breach of PHI is discovered, according to WEDI. If the probability that PHI was compromised is low, notification is not necessary and the organization should document the process for future reference. WEDI recommends remediation even in the event of a low probability breach determination.
HHS recently released new HIPAA Privacy Rule FAQ on sharing information related to mental health. The guidance clarifies the following:
- Providers may communicate with a patient’s family members, friends, or others involved in the patient’s care when the patient has the capacity to make healthcare decisions so long as the patient does not object
- Providers may communicate with a patient’s family members, friends, or others involved in the patient’s care when the patient is incapacitated if the provider determines doing so is in the patient’s best interest
- Providers need to obtain a patient’s authorization prior to disclosing psychotherapy notes for any reason
- Providers may disclose PHI that is directly relevant to the patient’s care to the patient’s family, friends, or other persons involved in the patient’s care or payment for care in emergency situations
- Providers may disclose general treatment information of a minor patient to a parent, guardian, or other person acting in loco parentis except in situations when the parent is not the minor child’s personal representative
- Providers may not provide a minor patient’s parents copies of psychotherapy notes, but may provide a parent who is a personal representative a copy of his or her child’s mental health information contained in the medical record, including information about diagnosis, symptoms, or treatment plans
- Providers may disclose information to family members of an adult patient who has capacity and indicates that he or she does not want the disclosure made if the provider perceives a serious and imminent threat to the health or safety of the patient or others and the family member is in a position to lessen the threat
- Providers may disclose necessary information about a patient to law enforcement officials, family members of the patient, or other persons, when the provider believes the patient presents a serious and imminent threat to self or others
- Covered entities may disclose certain PHI, including the date and time of admission and discharge, to law enforcement officials upon request for the purpose of locating or identifying a suspect, fugitive, material witness, or missing person
- Under limited circumstances in which the HIPAA Privacy Rule may apply to health information in a school setting, disclosing information to parents of a minor patient or to law enforcement officials is permitted
HHS recently published a final rule in the Federal Register amending Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations and the HIPAA Privacy Rule.
The final rule permits laboratories subject to CLIA to provide copies of a patient's test reports to the patient, the patient's personal representative, or a person designated by the patient. It amends the HIPAA Privacy Rule by removing the exception for CLIA-certified and CLIA-exempt laboratories from the provision that gives individuals the right of access to their PHI.
The regulations are effective April 7, 2014. HIPAA covered entities must comply with applicable requirements by October 6, 2014.
The Office of the Inspector General (OIG) recently released its fiscal year (FY) 2014 Work Plan, which addresses the HIPAA Privacy and Breach Notification Rules with a focus on PHI.
OIG will review and assess Office for Civil Rights (OCR) oversight of covered entities’ (CE) compliance with the HIPAA Privacy Rule. OIG will also determine the compliance of Medicare Part B CEs with certain privacy standards, according to the FY2014 Work Plan. OIG said it would review OCR investigation policies and assess OCR oversight to determine CE compliance with the Privacy Rule.
In addition, OIG will review OCR oversight of CEs’ compliance with the Breach Notification Rule. OIG will review OCR investigations of breaches reported by CEs and will determine Medicare Part B CE compliance with breach standards, according to the FY2014 Work Plan.
In the FY2013 Work Plan, OIG said it would focus on reviewing the following areas related to HIPAA:
- OCR policies for investigating the policies and plans for breach mitigation of Medicare Part B CEs
- OCR oversight of HIPAA Privacy Rule and Breach Notification Rule compliance
- CMS’ oversight of Medicaid compliance with the HIPAA Security Rule, especially where State Medicaid Management Information Systems and security controls over Web-based applications were concerned
HCPro’s Medical Records Briefing newsletter is conducting a benchmarking survey on HIPAA compliance, and we would appreciate your input. Please take a few moments to complete this survey. The results of the survey along with commentary from industry experts will be featured in the April 2014 issue of Medical Records Briefing and will likely be reprinted on this blog.
Thank you for your feedback!