HIPAA Privacy & Security Compliance: Dispelling Common Myths

With the hundreds of pages that it takes to cover the breadth of HIPAA regulations, not to mention the regulations’ inherent complexity, it’s no wonder myths and rumors about compliance abound. Additionally, there are many “experts” who have only limited training (or no training, in fact) on the regulations themselves. However, HIPAA audits performed by the U.S. Department of Health & Human Services’ (HHS) Office for Civil Rights (OCR), patient-driven complaints, investigations, and legal liabilities should help steer a practitioner to get accurate, up-to-date information on HIPAA. This article will explore some common HIPAA myths while sorting the myths from the facts to help enhance wound care clinicians’ efforts to keep patient information private and secure. 

Myth: “I don’t need to worry about HIPAA audits.”  

Fact: The OCR is responsible for auditing, but the auditing process is still in its infancy. In fact, the OCR will only be auditing 200-250 covered entities (CEs)* and business associates (BAs)** in 2016.  However, don’t let this small number of audits lull you into a sense of complacency. CEs should be more worried about patient complaints. In 2015, there were 17,643 HIPAA complaints made to OCR. Only 2% were found to have no HIPAA violation. Patients have become savvier regarding their privacy rights and are educated to these rights through the notice of privacy practices (NPP) that all healthcare and health plan providers must share with patients to explain how protected health information (PHI)*** may be used and shared, as well as how to file a complaint in the event of abuse. It should concern all clinicians that research shows an organization has a 50% chance of having a breach every 24 months and 60% will have five or more breaches in that same time. Finally, OCR has promulgated guidance that a ransomware attack should be classified as a breach. Ransomware attacks occur when access to data is blocked by an outside party until a ransom is paid. These invasions are initiated by phishing attacks (direct the user to visit a website where they are asked to update personal information). Consider that each day in 2015:

• 8 million phishing emails were opened, 
• 800,000 malicious links were clicked, and 
• 80,000 people fell for a scam every day and shared critical information.

Granted, these were not all healthcare related, but the bottom line is a clinician/practice is much more likely to be investigated if a patient or representative files a HIPAA complaint, or if there’s a HIPAA breach, rather than being subjected to an OCR audit. All HIPAA complaints are investigated and CEs are required to self-report breaches to the HHS secretary. The reality is everyone should be worried about ongoing compliance efforts more than experiencing an audit.

*CEs are healthcare providers/health plans/healthcare clearinghouses who electronically transmit any health information in connection with transactions for which HHS has adopted standards. Typically, this means HIPAA is triggered when an entity bills electronically when receiving reimbursement from insurers or government entities.

**BAs are persons or entities (other than a workforce member) who create, receive, maintain, or transmit PHI on behalf of the CE, or who provide services to a CE, which includes use or disclosure of PHI. BAs may also use subcontractors, who must also abide by the regulations.

***PHI is health information that relates to an individual’s past, present, or future physical or mental health/condition; the provision of healthcare to the individual; or the past, present, or future payment for the provision of healthcare to the individual. PHI also relates to information that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.  

Myth: “Because I password-protect my smartphone, I can use it for receiving, storing, or transmitting patient PHI.”  

Fact:  Electronic PHI must be protected in compliance with the HIPAA administrative, physical, and technical safeguards, which prevent unauthorized disclosure, destruction, or loss of PHI. Loss or theft of mobile devices are one of the most frequently occurring reasons for breach of PHI, though in many instances the use of smartphones can enhance patient treatment. HIPAA safeguards must be in place for any mobile device used in treatment, payment, or healthcare operations. In addition to password protection, providers will want to encrypt PHI stored or sent on their mobile devices, activate remote wiping should the device be lost or stolen, install security and firewall software, keep software up-to-date, be careful downloading files or apps, and maintain physical control of one’s phone.¹ 

Required measures should also be documented in the organization or practice’s policies and procedures manual. For example, if staff members use their smartphones, is there a documented procedure for removal of PHI on the device if their employment is terminated or they leave the organization?  

Myth: “Providers are not allowed to share information about patients with others.”  

Fact: Providers may share information with family or friends if they are involved in the patient’s treatment, or payment for healthcare, or if the patient tells the provider they may share healthcare information with a particular individual. The only exception to this is if the patient specifically objects to the provider sharing the information. If a patient is incapacitated, providers may use their professional judgment to decide to share healthcare information. (For example if it’s in the patient’s best interest, or if providers have good reason to believe the patient would not object to the sharing of their healthcare information.) 

Providers may divulge health information to family or friends who are caregivers or with a family member who pays the medical bill. Providers may also give health information to clergy, unless the patient objects. The HIPAA Privacy Rule does not require providers to share information with family and friends, unless certain individuals have been designated as a patient’s personal representative. For example, if a patient has a healthcare power of attorney, that person is considered a “personal representative” (state law may differ). In many states, with some exceptions, parents are considered their children’s personal representatives. In the case of divorced parents, the parent or parents who are authorized to make healthcare decisions in the divorce decree are considered the personal representative. 

In many cases, parents have joint legal custody that gives both parents the right to make healthcare decisions for their child(ren), unless the custody decree states otherwise. In all of these situations, a provider is required to share healthcare information with the legally prescribed personal representative. A provider or plan may choose not to treat a person as a personal representative if the provider or plan reasonably believes the person might endanger the patient, such as in situations of domestic violence, abuse, or neglect [45 Code of Federal Regulations 164.502(g)].  

Myth: “All patients must acknowledge in writing they have received the HIPAA NPP.”

Fact: Providers must provide patients with an NPP and attempt to get written acknowledgement that they’ve received notice. However, patients are not required to sign that they received the NPP. If they refuse to provide signature, the provider should document their refusal. Services cannot be denied based on a patient’s refusal to provide a signature of acknowledgement of receipt of the NPP. It’s important to understand the NPP does not take the place of informed consent for treatment, which typically lists the risks and benefits of treatment. The NPP solely covers patient rights and provider responsibilities.  

Myth: “Providers must obtain consent for sharing PHI for purposes of treatment or billing.”  

Fact: For purposes of treatment, payment, or healthcare operations, providers are not required to obtain consent of the patient or his/her personal representative. (Healthcare operations include medical review, legal services, business management, and administrative activities that are necessary for the CE to run its business). However, some states require consent to use or disclose health information. The HIPAA Privacy Rule doesn’t prohibit providers from obtaining patient consent for use or disclosure of PHI. In fact, some states require consent for disclosure of PHI, which is completely permissible under HIPAA regulations. 

Myth: “In my practice, I use the NPP and I am careful about confidentiality, which makes me ‘HIPAA compliant.’”

Fact: Providers who have made real efforts at HIPAA compliance and experience a HIPAA violation may be fined $100 if there’s a violation. Those who have not made efforts towards compliance are considered to have committed “willful neglect,” which garners between $10,000-$50,000 in fines. The OCR is fairly forgiving to those who are compliant and experience a breach. However, those who don’t attempt to be compliant and experience a breach will face a mandatory fine. The head-in-the-sand approach does not work when it comes to HIPAA. So, simply having an NPP in place and being “careful” does not make for HIPAA compliance. Providers must understand the rules around “use” and “disclosure” of PHI under the regulations and be sure patients are granted all of their privacy rights. A practice/organization must have completed a required security risk analysis that covers 54 standards and specifications under HIPAA; must have written HIPAA policies and procedures; and must train staff members/providers/volunteers on policies and procedures. Those who are unwilling or unable to facilitate a compliance program will fall into the camp of willful neglect. Under the regulations, providers cannot be sued by patients for lack of compliance, but there are other routes that may be taken should one be in violation of these regulations. For example, state attorney generals are enabled to sue for HIPAA violations. Additionally, patients have been able to successfully sue under tort law for violation of privacy.

Conclusion

With the hundreds of pages of HIPAA regulations that exist, the inherent complexity they feature, and the extraordinary information found on the Internet, it’s difficult to separate HIPAA fact from fiction. Add to this that HIPAA regulations and regulatory guidance change relatively frequently and, given the newness of many regulations, specific interpretations are not really available until a body of case law gives a more definitive interpretation. Of the regulations, providers are unfortunately left having to keep up-to-date and assess myths from facts on their own. To assist, there are a number of resources that can help:

• To sign up for privacy or security listservs, visit www.hhs.gov/hipaa/for-professionals
• For general HIPAA information, visit www.hhs.gov
• For compliance assistance, visit www.hipaacomplianceusa.net
• Visit the American Health Information Management Association at www.ahima.org
• Visit the National Institute for Standards and Technology at www.csrc.nist.gov

Additionally, aligning with a trained expert can go a long way towards helping separate fact from myth and keep providers on the right side of compliance. Remember, HIPAA is not a destination, but a process. That process lives in an ever-changing environment. It’s incumbent upon practitioners to learn how to guard patient privacy as securely as they would want their own privacy maintained. 

Roger Shindell is chief executive officer of Carosh Compliance Solutions, Crown Point, IN, which specializes in HIPAA compliance consulting for small to midsize practices and their business associates. He is also chairman of the HIMSS Risk Assessment Work Group and a member of the American Health Information Management Association’s privacy and security council. Shindell has more than 30 years of multidisciplinary experience in healthcare and has served as an advisor and principal in healthcare, technology, and service companies. He may be reached at rshindel@carosh.com.

Reference

1. Take Steps to Protect and Secure Information When Using a Mobile Device. U.S. Department of Health & Human Services. Accessed online: www.healthit.gov/sites/default/files/fact-sheet-take-steps-to-protect-information.pdf