Frequently Asked Questions

Business Associates

ANSWER

This is especially important if they still have access to any PHI or ePHI. You may try to reach them either physically or remotely and make sure they understand the termination.

However, if you still can’t reach them, as long as you have something on your end that has been disseminated to accounts receivable and other parties who may need to be aware of this termination, then you are OK.

It is also advisable to send a certified letter to their last known address, notifying them that their contract is considered terminated.  Keep a copy for your records.  The key is DOCUMENTATION, DOCUMENTATION, DOCUMENTATION!!!

ANSWER

A formal BAA termination is not necessarily required.

However, it is suggested to send out a letter to that entity laying out the facts pertaining to their relationship and explain that the agreement which had formerly been executed between the two parties will no longer be in effect.  Keep a copy of this along with your terminated business associate agreement files.

ANSWER

Generally, providers are not business associates of payers. For example, if a provider is a member of a health plan network and the only relationship between the health plan (payer) and the provider is one where the provider submits claims for payment to the plan, then the provider is not a business associate of the health plan. Each covered entity is acting on its own behalf when a provider submits a claim to a health plan, and when the health plan assesses and pays the claim. However, a business associate relationship could arise if the provider is performing another function on behalf of, or providing services to, the health plan (e.g., case management services) that meet the definition of “business associate” at 45 CFR 160.103.

Reference: www.hhs.gov

ANSWER

A covered entity’s contract with a business associate may not authorize the business associate to use or further disclose the information in a manner that would violate the HIPAA Privacy Rule if done by the covered entity. See 45 CFR 164.504(e)(2)(i). Thus, a business associate contract must limit the business associate’s uses and disclosures of, as well as requests for, protected health information to be consistent with the covered entity’s minimum necessary policies and procedures. Given that a business associate contract must limit a business associate’s requests for protected health information on behalf of a covered entity to that which is reasonably necessary to accomplish the intended purpose, a covered entity is permitted to reasonably rely on such requests from a business associate of another covered entity as the minimum necessary.

Reference: www.hhs.gov

ANSWER

The HIPAA Privacy Rule explicitly excludes from the business associate requirements disclosures by a covered entity to a health care provider for treatment purposes. See 45 CFR 164.502(e)(1).
Therefore, any covered health care provider (or other covered entity) may share protected health information with a health care provider for treatment purposes without a business associate contract. However, this exception does not preclude one health care provider from establishing a business associate relationship with another health care provider for some other purpose.
For example, a hospital may enlist the services of another health care provider to assist in the hospital’s training of medical students. In this case, a business associate contract would be required before the hospital could allow the health care provider access to patient health information.

Reference: www.hhs.gov

ANSWER

Vendors who do not come into any possible contact with PHI may just have a confidentiality agreement, but you need that in place. If they have a key to access any room(s) after hours or unattended in which PHI is possibly in their path, you should consider that contact with PHI. Some hospitals have confidentiality/non-disclosure agreements, so I imagine Home office can supply you one. But at any rate, they must sign in and out and be identified while on the premises, and you must have an auditable log of their presence.
However, the vendors, teaching facilities and students, contractors, etc. who may come in contact with PHI or ePHI must have a BA in place. No exceptions (and they must sign in and out accordingly, with the same audit log(s) in place).
And yes, I would differentiate the two in the procedure you are writing; you can make sub-lines (like a1, a2, etc., if needed) to explain your circumstances.

ANSWER

Yes, technically, they are required to have had one, but you can just ask them to certify that they have had one, and verify that it was recent. Attach the certification form or letter to their BAA.

ANSWER

These people who come in to service the lab equipment would be exposed to PHI, or ePHI, so a BAA needs to be put in place.

ANSWER

No. They would not need a BAA. HIPAA explicitly excludes from the BA requirements disclosures by a covered entity to a health care provider for treatment purposes.
However, you need to look for a more secure way to deliver the results because faxes are not the most secure for many reasons. Maybe check with them on that or work with IT to get a more secure delivery method set up for the future.

ANSWER

No. He is considered a Covered Entity himself, and any healthcare professional who provides treatment will not need a BAA.

ANSWER

Yes. It is best practice to send a formal termination letter and also have a termination checklist that includes making sure all access is removed from this business or individual, and all PHI or ePHI is destroyed or returned (if any).

ANSWER

The answer is No, they do not need a BAA, because if a State, County, or Local Health Department performs functions that make it a covered entity, or otherwise meets the definition of a covered entity, it must comply with the HIPAA Privacy Rule. For example, a state Medicaid program is a covered entity (i.e., health plan) as defined in the Privacy Rule. Some health departments operate health care clinics and thus are health care providers. If these health care providers transmit health information electronically in connection with a transaction covered in the HIPAA Transactions Rule, they are covered entities.
For more information, see the definitions of covered entity, health care provider, health plan and health care clearinghouse in 45 CFR 160.103. See also the Disclosures for Emergency Preparedness – A Decision Tool.
This tool addresses the question of whether a person, business or agency is a covered health care provider, health care clearinghouse or health plan. If the health dept. performs some covered functions (i.e., those activities that make it a provider that conducts certain transactions electronically, a health plan or a health care clearinghouse) and other non-covered functions, it may designate those components (or parts thereof) that perform covered functions as the health care component(s) of the organization and thereby become a type of covered entity known as a hybrid entity. If a health dept. elects to be a hybrid entity, there are restrictions on how its health care component(s) may disclose protected health information to other components of the health dept. See 45 CFR 164.103 and 164.105 for more information about hybrid entities.

ANSWER

It depends on whether they have access to ePHI or PHI. If they do, then they must have a BAA. This is not an option; this is required.

ANSWER

No. You cannot backdate any BAA. Execute a new BAA now, and go forward. That is all you can do.
As for termination: in the policy and procedure, make sure it states the terms of termination, including removal of access to the facility or any electronic data. There needs to be a formal step-by-step process in which someone there requests from IT that any credentials are removed immediately, keys are returned, etc.
But for those you know are terminated, please go back and make sure they are formally removed from any access.

ANSWER

The original needs to be on file with the organization. So the originally signed BAA must be obtained.

ANSWER

A BA contract is not required with persons or organizations whose functions, activities, or services do not involve the use or disclosure of PHI, and where any access to PHI by such persons would be incidental, if at all. Generally, janitorial services that clean the offices or facilities of a CE are not BAs because the work they perform for the CE does not involve the use or disclosure of PHI, and any disclosure of PHI to janitorial personnel that occurs in the performance of their janitorial duties could not be reasonably prevented. Such disclosures are incidental and permitted by the HIPAA Privacy Rule. See 45 CFR 164.502(a)(1).

If a service is hired to do work for a CE where disclosure of PHI is not limited in nature (such as routine handling of records or shredding of documents containing PHI), it likely would be a BA. However, when such work is performed under the direct control of the CE (e.g., on the CE’s premises), the Privacy Rule permits the CE to treat the service as part of its workforce, and the CE need not enter into a BA contract with the service.

Reference: www.hhs.gov

HIPAA Documentation and Storage

ANSWER

HIPAA Documentation requirements do go beyond documenting policies and procedures. Here are some items that you might need to document to help achieve HIPAA compliance:

  • HIPAA Risk Management Plan
  • HIPAA Risk Analysis
  • PHI location documentation
  • Notice of Privacy Practices (NPP)
  • Third Party Risk Elimination Procedures
  • Software development lifecycles
  • Business Associate Agreements (BAA)
  • Enforceable Consent Agreements (ECA)
  • Work desk procedures
  • Training logs
  • List of authorized wireless access points
  • List of all devices including physical location, serial numbers, and make/model
  • List of vendors
  • List of employees and their access to systems
  • Diagram of your physical office, including exit locations
  • Disaster recovery book
  • Employee handbook
  • Policies and procedures for Security Rule, Privacy Rule, and Breach Notification Rule

Reference: www.hhs.gov

ANSWER

There is no single answer for how long to keep the original paper medical records. The CMS view seems to be that once records are converted to electronic storage media, and the converted image is identical to the original, the paper version need not actually be retained at all. However, if you have notice of possible litigation or a fraud enforcement action, then it would be prudent to retain paper versions. Even in the absence of litigation or an impending federal enforcement action, you may decide to retain the paper records for the minimum of the applicable limitation period for a malpractice action, the five-year period indicated by Medicare, or as long as the ten-year False Claims Act statute of limitations. At a minimum, have a written retention policy that contains quality control procedures and that ensures paper records are not destroyed before their scheduled backup to an identical image.

HIPAA Privacy Rule

ANSWER

Yes. Covered hospitals and other covered health care providers can use a facility directory to inform visitors or callers about a patient’s location in the facility and general condition. The privacy rule permits a covered hospital or other covered healthcare provider to maintain in a directory certain information about patients – patient’s name, location in the facility, health condition expressed in general terms that does not communicate specific medical information about the individual, and religious affiliation. The patient must be informed about the information to be included in the directory. The patient may be informed, and make his or her preferences known, orally or in writing. The facility may provide the appropriate directory information – except for religious affiliation – to anyone who asks for the patient by name. Religious affiliation may be disclosed to members of the clergy, who are given additional access to directory information under the Rule.

Even when, due to emergency treatment circumstances or incapacity, the patient has not been provided an opportunity to express his or her preference about how, or if, the information may be disclosed, directory information about the patient may still be made available if doing so is in the individual’s best interest as determined in the professional judgement of the provider, and would not be inconsistent with any known preference previously expressed by the individual. In these cases, as soon as practicable, the covered health care provider must inform the patient about the directory and provide the patient an opportunity to express his or her preference about how, or if, the information may be disclosed. See 45 CFR 164.510(a).

ANSWER

As cited under HIPAA Privacy Rule in 45 CFR § 164.512, if these specific conditions and limitations are met, then it is acceptable for covered entities and business associates to disclose PHI to law enforcement officials, without the written authorization of the individual:

  • To comply with a court order or court-ordered warrant, a subpoena or summons issued by a judicial officer, or a grand jury subpoena (45 CFR 164.512(f)(1)(ii)(A)-(B)).
  • To respond to an administrative request, such as an administrative subpoena or investigative demand or other written request from a law enforcement official, that includes or is accompanied by a written statement that the information requested is relevant and material, specific and limited in scope, and de-identified information cannot be used (45 CFR 164.512(f)(1)(ii)(C)).
  • To respond to a request for limited PHI for purposes of identifying or locating a suspect, fugitive, material witness or missing person (45 CFR 164.512(f)(2)).
  • To respond to a request for PHI about a victim of a crime, and the victim agrees (45 CFR 164.512(f)(3)).
  • To report PHI to law enforcement when required by law to do so (45 CFR 164.512(f)(1)(i)).
  • To alert law enforcement to the death of the individual, when there is a suspicion that death resulted from criminal conduct (45 CFR 164.512(f)(4)).
  • To report PHI that the covered entity in good faith believes to be evidence of a crime that occurred on the covered entity’s premises (45 CFR 164.512(f)(5)).
  • When responding to an off-site medical emergency, as necessary to alert law enforcement about criminal activity, specifically, the commission and nature of the crime, the location of the crime or any victims, and the identity, description, and location of the perpetrator of the crime (45 CFR 164.512(f)(6)).
  • To federal officials authorized to conduct intelligence, counter-intelligence, and other national security activities under the National Security Act (45 CFR 164.512(k)(2)) or to provide protective services to the President and others and conduct related investigations (45 CFR 164.512(k)(3)).

Reference: www.hhs.gov

HIPAA Training

ANSWER

For anyone who is employed by and receives payment as an employee of the site, it is your responsibility to make sure they have current, up-to-date HIPAA training.

If they are paid by another entity, it is that entity’s responsibility to provide training.

However, it gets tricky because we are supposed to make sure our partners, with whom we have a BAA, are HIPAA compliant, so you can certainly ask for proof of their current training.

Incidental Uses and Disclosures

ANSWER

Accounting for disclosures requires an individual to be informed of the date the disclosure was made (45 CFR 164.528 (b)(2)).  If access to a universe of records was provided for a discrete period of time,  Office for Civil Rights (OCR) interprets this provision to permit the accounting to include the range of dates (e.g., access was provided from August 1 to August 3, 2003; or during the week of August 10, 2003).  If the disclosure is routinely made within a set period from an event, OCR, likewise, interprets this provision to permit the accounting to provide the date of the event and the normal interval (e.g., gunshot wound reported within 48 hours of treatment and provide date of treatment; hospital discharges reported on 15th of the following month and provide date of discharge; or access provided to public health authorities within 30 days of treatment in emergency department and provide the date of treatment).

ANSWER

No. The Privacy Rule does not require covered entities to document any information, including oral information, that is used or disclosed for treatment, payment or healthcare operations.

The Rule includes, however, documentation requirements for some information disclosures for other purposes. For example, some disclosures must be documented in order to meet the standard for providing a disclosure history to an individual upon request. Where a documentation requirement exists in the Rule, it applies to all relevant communications, whether in oral or some other form. For example, if a covered physician discloses information about a case of tuberculosis to a public health authority as permitted by the Rule at 45 CFR 164.512, then he or she must maintain a record of that disclosure regardless of whether the disclosure was made orally, by phone, or in writing.

ANSWER

Yes.  Disclosures of PHI in a group therapy setting are treatment disclosures and, thus, may be made without an individual’s authorization.  Furthermore, the HIPAA Privacy Rule generally permits a CE to disclose PHI to a family member or other person involved in the individual’s care.  Where the individual is present during the disclosure, the CE may disclose PHI if it is reasonable to infer from the circumstances that the individual does not object to the disclosure.  Absent countervailing circumstances, the individual’s agreement to participate in a group therapy or family discussions is a good basis for inferring the individual’s agreement.

ANSWER

The Privacy Rule permits a health care provider to disclose necessary information about a patient to law enforcement, family members of the patient, or other persons, when the provider believes the patient presents a serious and imminent threat to self or others. The scope of this permission is described in a letter to the nation’s health care providers (PDF). Specifically, when a health care provider believes in good faith that such a warning is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others, the Privacy Rule allows the provider, consistent with applicable law and standards of ethical conduct, to alert those persons whom the provider believes are reasonably able to prevent or lessen the threat. These provisions may be found in the Privacy Rule at 45 CFR § 164.512(j). Under these provisions, a health care provider may disclose patient information, including information from mental health records, if necessary, to law enforcement, family members of the patient, or any other persons who may reasonably be able to prevent or lessen the risk of harm. For example, if a mental health professional has a patient who has made a credible threat to inflict serious and imminent bodily harm on one or more persons, HIPAA permits the mental health professional to alert the police, a parent or other family member, school administrators or campus police, and others who may be able to intervene to avert harm from the threat. In addition to professional ethical standards, most States have laws and/or court decisions which address, and in many instances require, disclosure of patient information to prevent or lessen the risk of harm.
Providers should consult the laws applicable to their profession in the States where they practice, as well as 42 USC 290dd-2 and 42 CFR Part 2 under Federal law (governing the disclosure of alcohol and drug abuse treatment records) to understand their duties and authority in situations where they have information indicating a threat to public safety.  Note that, where a provider is not subject to such State laws or other ethical standards, the HIPAA permission still would allow disclosures for these purposes to the extent the other conditions of the permission are met.

ANSWER

No. The Privacy Rule includes a specific exception from the accounting standard for incidental disclosures permitted by the Rule.

See 45 CFR 164.528(a)(1).

Reference: www.hhs.gov

ANSWER

Yes. CEs, such as physicians’ offices, may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited. The HIPAA Privacy Rule explicitly permits the incidental disclosures that may result from this practice, for example, when other patients in a waiting room hear the identity of the person whose name is called, or see other patient names on a sign-in sheet. However, these incidental disclosures are permitted only when the CE has implemented reasonable safeguards and the minimum necessary standard, where appropriate. For example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in (e.g., the medical problem for which the patient is seeing the physician). See 45 CFR 164.502(a)(1)(iii).

Reference: www.hhs.gov

Network Monitoring

ANSWER

There is no explicit mention of SMS in the HIPAA rules, but since it is an electronic form of communication, yes, SMS messaging or texting is covered by HIPAA rules. However, when it comes to whether you are violating HIPAA rules by using SMS messaging or texting, we have to verify first:

  • The contents of the messages – If the information contained in the SMS message is protected health information of patients or falls under the classification of PHI, then yes, that can be a violation of HIPAA mandates.
  • To whom the messages are sent – SMS messages containing PHI are too much of a risk, especially if the message falls into the hands of unauthorized individuals, and needless to say there is no guarantee that the message will be received accordingly by the intended recipient(s). Worse, once sent, there is no way you can recall the message or even confirm the identity of the sender or receiver of the SMS message. Moreover, unlike email sent via laptop or desktop, where you can put encryption in place, with SMS messaging there is none.
  • In the case of texting patients, whether consent has been obtained to send information via the SMS network – It is a patient’s right to refuse receiving or sending their information via SMS messaging, and this has been clearly defined in HIPAA rules.

But just to be on the safe side, it is best that any PHI or ePHI be transmitted via HIPAA-compliant tools and means. In recent years, there have been some releases of secure messaging systems that comply with the HIPAA Privacy Rule, which you can explore and assess for your organization to use.

Reference: www.hhs.gov

Notice of Privacy Practice

ANSWER

Yes. For notice delivered electronically, an electronic return receipt or other return transmission from the individual is considered a valid written acknowledgment of the notice. A provider who gives his paper notice to a patient during a face-to-face encounter with the individual at first service delivery may also obtain an electronic acknowledgment from the individual, provided that the individual’s acknowledgment is in writing. Thus, a receptionist’s notation in the provider’s computer system of the individual’s receipt of the notice would not be considered a valid written acknowledgment of the individual.

Reference: www.hhs.gov

ANSWER

No. A covered health care provider with a direct treatment relationship with individuals is required to make a good faith effort to obtain an individual’s acknowledgement of receipt of the notice only at the time the provider first gives the notice to the individual — that is, at first service delivery. See 45 CFR 164.520(c)(2).

Reference: www.hhs.gov

ANSWER

Yes. The HIPAA Privacy Rule requires that a covered health care provider with a direct treatment relationship with individuals make a good faith effort to obtain written acknowledgments from those individuals that they have received the provider’s notice, regardless of whether the provider also chooses to obtain the individuals’ consent. However, those providers that choose to obtain consent from individuals have discretion to design one form that includes both a consent and the acknowledgment of receipt of the notice.

Reference: www.hhs.gov

ANSWER

Hospitals and other covered health care providers with a direct treatment relationship with individuals are not required to provide their notices to patients at the time they are providing emergency treatment. In these situations, the HIPAA Privacy Rule requires only that providers give patients a notice when it is practical to do so after the emergency situation has ended. In addition, where notice is delayed by an emergency treatment situation, the Privacy Rule does not require that providers make a good faith effort to obtain the patient’s written acknowledgment of receipt of the notice.

Reference: www.hhs.gov