American Osteopathic Association

HIPAA Frequently Asked Questions

On Jan. 25, 2013, the final HIPAA omnibus rule was published in the Federal Register. The rule expands patients' privacy rights and broadens the authority of the HHS Office for Civil Rights (OCR) to investigate and enforce violations. The following questions were adapted from the AOA webinar "HIPAA 2013: Changes You Must Know and Implement to Avoid Costly Penalties."

Becoming Compliant

1. When do patients need to be informed of these changes?

By Sept. 23, 2013 (the compliance date for the omnibus rule), you should post a revised notice of privacy practices in your office, make copies available to new and existing patients, and post the revised version on your website, if you have one.

2. Where are the AOA HIPAA manuals?

The updated AOA HIPAA manuals (member login required) provide templates and forms to help implement your compliance plan. Start with the step-by-step security manual to ensure that you have safeguards to protect patients’ electronic health records.

Business Associate (BA) Agreement

3. Do I need a business associate agreement with pharmacies that fill my prescriptions?

No. A pharmacy is itself a covered entity. When you communicate with another covered entity for treatment or payment purposes, it is not acting as your business associate (BA); it is directly subject to the HIPAA rules for covered entities.

4. Is an EHR vendor considered a BA requiring a BA agreement?

Yes. Whether the EHR is cloud-based or installed on your office computers, if an outside company maintains or supports it in a way that gives it access to PHI, that company is a business associate and you need a BA agreement with it. Make sure all BA agreements are in place and current; under the omnibus rule, BAs are also directly liable under HIPAA.

5. Is an answering service a BA?

Yes. An answering service receives PHI whenever a patient describes a medical concern in a message, so it is a business associate and requires a BA agreement.

6. Do medical practices need a BA agreement with their janitor or cleaning service?

No. A BA agreement is required only for third parties (not employees of the practice) that perform a function on the practice's behalf and need to create, receive, maintain or transmit PHI to do so. Cleaning personnel do not need access to PHI to clean the office. The practice must, however, implement administrative, technical and physical safeguards so that incidental exposure does not occur (e.g., shredding or securing documents before cleaners arrive, locked file cabinets, locked or logged-off computers).

7. How many days does a business associate have to notify a covered entity of a breach?

It depends on your BA agreement and on whether the BA is your agent or an independent contractor. If the BA is your agent, the BA's discovery of the breach is treated as your discovery, so your own notification clock starts at that moment. If the BA is an independent contractor, it must notify you within the timeframe specified in the BA agreement; in no case may that be later than 60 days after the BA discovers the breach, and the rule requires notification without unreasonable delay. Negotiate a short notification window when drafting the agreement, because you need time to meet your own deadlines for notifying patients, HHS and, where applicable, the media.


8. How should a physician obtain consent from elderly patients who may not be able to make decisions for themselves and don’t have a caregiver with them?

Try to contact relatives (e.g., spouse, children) or a caretaker to confirm consent, particularly for a course of treatment. This issue goes beyond HIPAA: once a person can no longer appoint a decision maker, the situation becomes complicated for the patient, their loved ones and the physician, and state law on surrogate decision making governs.

9. Is a signed request required to obtain immunization records from another health care facility?

When in doubt, obtain a signed HIPAA-compliant authorization form to eliminate any ambiguity. Separately, if a school asks you to provide proof of a child's immunization, the omnibus rule lets you release it on the parent's or guardian's informal (including oral) agreement rather than a signed authorization, but you must document that agreement and what you disclosed.

Releasing Patient Information

10. According to state laws, physicians must provide insurance companies with requested patient records within 14 days. What should a physician do if the patient doesn’t want the record sent and has paid cash?

Under the omnibus rule, if the patient has paid in full out of pocket for an item or service and asks that it not be disclosed to their health plan, you must honor that restriction and may not send the health plan that information for payment or health care operations. The state 14-day requirement applies to records the plan is entitled to receive; it does not override a restriction the patient is entitled to under HIPAA.

11. What if a patient pays cash for certain visits but used insurance for other visits? Does a physician pick and choose what their office sends?

Once you provide a covered service and submit a bill to the health plan, the related records are subject to the usual disclosure rules for that plan. For example, a patient may pay for a particular test out of pocket and ask that it not be communicated to the insurer. If the patient then needs further treatment because of the test result and decides they cannot afford to pay out of pocket, the subsequent treatment is billed to the health plan, and those records may reveal that the original test was performed even though the patient chose not to inform the insurer. Discuss this possibility with patients at the time they request the restriction.

12. Can patients change their minds about releasing all records including all cash services at any time?

Yes. A patient can keep records confidential and later change their mind. For instance, a patient may say, "I've moved and I'm getting a new doctor; I want your practice to send all my records to that office." You are obligated to fulfill that request.


13. Our office policy states that patients are not obligated to buy products in the office. If we sell supplements for a profit, is this considered marketing?

Patients can give written authorization to receive marketing material, but in-office discussions and recommendations about products you sell for a profit may themselves be considered marketing, so review how you present them.

14. If a physician speaks in promotional programs for pharmaceutical companies, is that considered marketing? If so, do their patients need to acknowledge, in writing, that they understand the physician is recommending a treatment he or she has previously promoted?

Under the rule, face-to-face communications with a patient are excepted from the definition of marketing, as are discussions about prescription drugs you are recommending, provided you do not receive payment tied to that patient's prescription. Ask the pharmaceutical company to clarify whether your paid promotional speaking affects individual discussions with your patients. The company paying you should be able to provide a definitive legal opinion on the impact on your practice.

Ensuring Security

15. Are there any specific guidelines for using paper shredders to protect PHI?

Cross-cut shredders are recommended. Under the rule, PHI must be rendered unreadable and unable to be reconstructed. If shredded strips can be pieced back together to read the original document, the shredder is not adequate; a cross-cut shredder is the safer choice.

16. How does the rule apply to overseas dictation services and the internet transfer of audio files?

Overseas transcription is a significant issue and presents problems of its own. Standard email is not secure in transit: messages and attachments can be intercepted, the mail system itself can be compromised, and files can be accidentally sent to the wrong recipient. In addition, if an overseas vendor breaches PHI, you may have little practical ability to enforce your BA agreement or the HIPAA safeguards against it. Weigh the value of the service against the penalties and the associated risks.

17. If coding staff occasionally takes home records to complete and that information is misplaced, is that willful neglect?

Yes. You have an obligation to shut down processes you know are problematic. If you cannot manage the take-home coding process in a way that brings the likelihood of a breach to zero or close to it, you probably should not continue to allow staff to take records home.

18. If a practice’s contract with a new EHR company specifies they can “scrub and use” information gathered from the patient portal, is this allowed?

An EHR vendor may not sell PHI or de-identify it for its own use unless your BA agreement permits it, and detailed rules govern how data may be de-identified and used. Ask the vendor exactly how it interprets the "scrub and use" clause and verify that its proposal complies with the HIPAA rule before signing.

Avoiding Penalties

19. Are jail sentences imposed on physicians?

Yes, particularly in cases involving celebrities' PHI. In one case a physician was sentenced to one year of probation, 50 hours of community service and a $5,000 fine for breaching celebrities' PHI. In a second case, a UCLA researcher faced four years of imprisonment for snooping into celebrities' medical records.

20. Can practices be penalized for a logistical delay in transferring records if the records are lost or misplaced?

Yes. If you miss the deadline you are liable whether or not you knew about the problem, and even if there was nothing you could have done about it. The rule does provide that if the violation was not due to willful neglect and you correct it within 30 days of when you knew, or by exercising reasonable diligence would have known, of the violation, no civil monetary penalty may be imposed. Do everything in your power to transfer records on time; if a delay occurs, rectify it within that 30-day window.

ABOUT THE AUTHOR: The information in this section was transcribed from a presentation by Catherine I. Hanson, JD. Hanson’s experience includes serving as chief attorney for the California Medical Association and vice president of the American Medical Association's State and Private Advocacy unit. She is currently counsel to Whatley Kallas, LLP.
