What You Have Forgotten About HIPAA
I am going to assume you are all familiar with the HIPAA and HITECH Acts as they relate to sensitive health data. But lately I am seeing many improper disclosures of PHI, and I figure it’s time to write about it. I was at a conference last week and attended a session called “Navigating DOJ Enforcement Trends in the Healthcare Sector.” Yawn, right? Please don’t! There are a couple of key points I left that presentation with: 1) take compliance and data security seriously, 2) be proactive, and 3) take compliance and data security seriously. Have a seat before reading on.
There was a big graphic on a slide entitled “HHS OIG Sentencing Guidelines” and it listed factors to be considered when imposing fines and prison time for data privacy violations:
Does the organization have written compliance standards and procedures?
Is there a designated compliance officer reporting DIRECTLY to the Board of Directors?
Is there documented regular and effective education and training?
Is there a hotline and protection for whistleblowers?
Is there active monitoring and auditing of systems?
Is there active correction of deficiencies?
Are standards enforced through appropriate discipline?
Are there formal procedures for investigating potential wrongdoing and for self-reporting?
What are the investigator’s qualifications to conduct investigations?
And that’s just getting started. The DOJ also has strong incentives to prevent corporate crime before it occurs: “The Department strives to deter criminal conduct, incentivize the development and implementation of effective compliance programs, and promote ethical corporate cultures.” That is basically saying, “if we have to find and catch you, you will be really, really sorry. But if you come clean, we will take it easy on you.” I was skeptical too, so I asked the team of lawyers giving the presentation whether that would be their advice to a client who discovers and mitigates a violation: would you self-report? All four lawyers said yes. The penalties, even with mitigation, if you do not self-report are severe. And occasionally a self-reporter won’t even be fined. Ok. You’re warned. But what can you do?
There are times when it is necessary to share PHI with others: a consult, a prescriber, or a business associate. That is okay, but there are some important guidelines. Please know this is a blog post, not comprehensive advice! But make sure you have a BAA in place as appropriate, and remember: regardless of the relationship, and regardless of whether you are sharing data inside your company or with a third party, you are authorized to share only the minimum amount of data necessary to accomplish the task at hand. The minimum necessary rule requires covered entities to use and disclose only the amount of PHI that is necessary to achieve the purpose of the use or disclosure. For example, if a covered entity is sharing PHI with a health plan for the purpose of payment, the covered entity should share only the PHI that is necessary for the health plan to process the claim.
And you should never send unencrypted PHI in an email. You may have a question, so you generate a report, and the standard report contains sensitive information like a patient’s name. If that name isn’t needed to answer your question, it should be redacted before you send the report along to ask.
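As an added example (this is not code from the original post), here is one way to put the minimum necessary rule and the redact-before-you-ask advice into practice: a per-purpose allowlist that strips every field not needed for the stated disclosure, a redaction pass over free-text report lines, and a final check that nothing identifying survived. The purposes, field names, identifier patterns, and the sample record and report are all constructed for illustration; a real covered entity defines its own allowlists and identifier formats.

```python
"""
Added example, not from the original post: apply the minimum necessary
rule to a PHI record and redact a report before it is shared. All field
names, purposes, identifier patterns and sample data are constructed.
"""
import re
from typing import Any, Dict, List

# Constructed per-purpose allowlists (assumption): the fields each purpose
# actually needs. Anything not listed is dropped. An allowlist (not a
# denylist) means a newly added sensitive field is excluded by default.
PURPOSE_ALLOWLIST = {
    "payment": {"member_id", "claim_id", "service_date", "procedure_code", "billed_amount"},
    "treatment_consult": {"mrn", "date_of_birth", "diagnosis_code", "medications"},
    "internal_question": {"claim_id", "service_date", "procedure_code"},
}


def minimum_necessary(record: Dict[str, Any], purpose: str) -> Dict[str, Any]:
    """Return only the fields needed for the stated purpose.

    An unknown purpose is refused rather than defaulting to "share everything".
    """
    if purpose not in PURPOSE_ALLOWLIST:
        raise ValueError(f"no allowlist defined for purpose {purpose!r}; refusing to disclose")
    allowed = PURPOSE_ALLOWLIST[purpose]
    return {k: v for k, v in record.items() if k in allowed}


# Identifier formats that must not leave in free text (constructed patterns;
# extend with your organisation's own identifier formats).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MRN_RE = re.compile(r"\bMRN[-:\s]*\d{6,}\b", re.IGNORECASE)


def redact_text(text: str, names: List[str]) -> str:
    """Redact patient names and known identifier formats from report text."""
    out = SSN_RE.sub("[SSN REDACTED]", text)
    out = MRN_RE.sub("[MRN REDACTED]", out)
    for name in names:
        out = re.sub(re.escape(name), "[NAME REDACTED]", out, flags=re.IGNORECASE)
    return out


def contains_identifiers(text: str, names: List[str]) -> bool:
    """Final gate before sending: True if any identifier survived redaction."""
    if SSN_RE.search(text) or MRN_RE.search(text):
        return True
    return any(re.search(re.escape(n), text, re.IGNORECASE) for n in names)


# Constructed sample record for a fictitious patient.
SAMPLE_RECORD = {
    "patient_name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "mrn": "MRN-00123456",
    "member_id": "M-7788",
    "claim_id": "C-2024-0001",
    "service_date": "2024-03-02",
    "procedure_code": "99213",
    "billed_amount": 145.00,
    "diagnosis_code": "J06.9",
    "medications": ["amoxicillin"],
}

# Constructed report line: the kind of "standard report" output the post
# describes, with the patient's name and identifiers embedded in it.
SAMPLE_REPORT = (
    "Claim C-2024-0001 for Jane Q. Sample (MRN-00123456, SSN 123-45-6789) "
    "billed 99213 on 2024-03-02; why was it denied?"
)

if __name__ == "__main__":
    # Disclosure to a health plan for payment: only the claim fields go out.
    print(minimum_necessary(SAMPLE_RECORD, "payment"))
    # Asking a question about the report: strip the name first, then verify.
    names = [SAMPLE_RECORD["patient_name"]]
    cleaned = redact_text(SAMPLE_REPORT, names)
    print(cleaned)
    print("safe to send:", not contains_identifiers(cleaned, names))
```

The design choice worth noting is that both functions fail closed: an undefined purpose raises instead of disclosing, and `contains_identifiers` is a separate gate run on the redacted text, so a report is blocked if a new identifier format slips past the redaction patterns.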
Here are some places you can go for more information:
U.S. Department of Health and Human Services, HIPAA Privacy Rule
U.S. Department of Health and Human Services, HIPAA Security Rule
And remember:
Conduct regular training for employees on HIPAA compliance.
Have a written HIPAA compliance plan in place.
Conduct regular risk assessments of your HIPAA compliance practices.
Have a process in place for responding to HIPAA breaches.
Is your policy manual up-to-date?