Healthcare organizations, clearinghouses and health plans (known as Covered Entities under HIPAA law) are required to take steps to safeguard individually identifiable health information against wrongful access and use. This falls under the Privacy Rule. To ensure that the rule does not impose an undue burden on small providers that may not need complex systems and procedures, the Department of Health and Human Services (DHHS) has adopted the concept of "scalability": covered entities are expected to implement privacy policies and procedures that are suitable to the entity's size, resources, technology, and organizational needs. Therefore, while HIPAA adopts uniform standards, covered entities have the flexibility to craft privacy policies and procedures that fit their respective circumstances. In line with this discussion, we ask what the responsibilities of hospitals in particular are under the HIPAA Privacy Rule.
Healthcare organizations are mandated to develop, adopt and implement privacy policies and procedures. Proper documentation must also be kept for these privacy policies and procedures, as well as for the step-by-step actions to be taken when a breach occurs that violates patients' privacy rights.
As for the Notice of Privacy Practices (NPP), hospitals should develop and distribute a notice that clearly explains patients' privacy rights with respect to their personal health information. The organization must also obtain an acknowledgment of receipt of the NPP from every patient.
According to HIPAA rule 45 CFR 164.502(b), 164.514(d): "…The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information…." The hospital's privacy policies and procedures should therefore identify the persons or classes of persons who need access to protected health information (PHI) to carry out their jobs, the categories of PHI they need, and the circumstances in which access to this sensitive information is necessary or appropriate. For example, front desk staff do not need full access to a patient's medical record, whereas physicians and nurses do. Considering the duties and responsibilities of front desk staff, only basic information about the patient should be accessible to them, such as name, address and contact details, especially when the same staff are expected to set appointments for and with the patient concerned.
As a general rule, a patient's authorization is requested before their protected health information (PHI) is disclosed to carry out treatment, payment, and health care operations.
But let's say the patient is seriously injured and is not capable of making medical decisions for themselves. The physician may then discuss the patient's health information with their family so that the family can make a sound decision on the patient's behalf about medical treatment. Doctors are also allowed to share these medical records with other healthcare providers when the patient's health and treatment are concerned and those providers are involved in the patient's care. Otherwise, medical records may not be shared with healthcare providers not involved in the patient's care unless the personally identifiable information (PII) has been omitted. NIST lists these PII as follows:
Full name
Login name, screen name, nickname
Home address
Email address
National identification number
Passport number
Vehicle registration plate number
Telephone number
Face, fingerprints, or handwriting
Credit card numbers
Digital identity
Date of birth
Birthplace
Genetic information
Driver's License Number
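As an added example (not code from the original article), the two rules above can be expressed directly in an access layer: a default-deny "minimum necessary" filter that returns only the fields a role needs, and a de-identification step that strips the PII fields listed above before a record is shared outside the care team. The role names, record field names and the sample record are constructed assumptions for illustration.

```python
# Added example: minimum-necessary filtering by role, plus PII removal before
# sharing a record with a provider not involved in the patient's care.
# Role names, field names and the sample record are constructed assumptions.
from copy import deepcopy

# Fields each role may see. Front desk gets scheduling/contact basics only
# (the article's example); clinicians get the full record (None = unrestricted).
# Any role not listed here is denied everything (default deny).
ROLE_ALLOWED_FIELDS = {
    "front_desk": {"full_name", "home_address", "telephone_number", "email_address"},
    "physician": None,
    "nurse": None,
}

# The PII identifiers from the NIST list quoted above, as record keys.
PII_FIELDS = {
    "full_name", "login_name", "home_address", "email_address",
    "national_id", "passport_number", "vehicle_plate", "telephone_number",
    "biometric", "credit_card_number", "digital_identity", "date_of_birth",
    "birthplace", "genetic_information", "drivers_license",
}

# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "full_name": "Jane Example",
    "home_address": "1 Sample St",
    "telephone_number": "555-0100",
    "email_address": "jane@example.invalid",
    "date_of_birth": "1980-01-01",
    "national_id": "000-00-0000",
    "diagnosis": "hypertension",
    "medications": ["lisinopril"],
}


def minimum_necessary(record, role):
    """Return only the fields the given role needs; unknown roles get nothing."""
    allowed = ROLE_ALLOWED_FIELDS.get(role, set())
    if allowed is None:  # unrestricted clinical role
        return deepcopy(record)
    return {k: v for k, v in record.items() if k in allowed}


def deidentify(record):
    """Drop every PII field so the clinical content can be shared outside the care team."""
    return {k: v for k, v in record.items() if k not in PII_FIELDS}
```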
Routine disclosures are those that are made regularly and frequently. One good example is payment for medical treatments. Sample payment activities that do not require an authorization from the patient for PHI use and disclosure are:
Health care operations are activities that involve the use and disclosure of PHI to improve operations and the quality of patient care. Some examples of such activities are:
HIPAA mandates that covered entities develop adequate and suitable administrative, technical and physical safeguards for protected health information. However, the size of an organization, the PHI it holds and the circumstances it operates in give it the flexibility to decide on "reasonable" safeguards to protect PHI, as there is no guarantee that a covered entity can shield PHI from every potential risk. Be mindful that before any administrative, technical or physical safeguards are put in place, the healthcare organization must first conduct a risk assessment. Note as well that these three safeguards fall under the HIPAA Security Rule, which strictly covers ePHI, or electronic protected health information.
Here are the basic descriptions for each of the three safeguards:
Every covered entity must ensure that, before it deals with third-party organizations that will create, store or transmit ePHI, it has entered into valid Business Associate Agreements (BAAs) with those third parties. In a previous article, we discussed a checklist to review when entering into Business Associate Agreements. Review this checklist to find out what you may need to consider when creating BAAs.
A HIPAA privacy officer, also known as a chief privacy officer (CPO), oversees the development, implementation and maintenance of, and adherence to, privacy policies and procedures regarding the safe use and handling of protected health information (PHI) in compliance with federal and state HIPAA law. Being a privacy officer is a big responsibility, and we have enumerated the tasks a privacy officer assumes in this role.
Providing HIPAA awareness training to all employees within the organization, from rank-and-file up to the executives, is a crucial part of being HIPAA compliant. Human Resources must ensure that all personnel who will access, use or transmit PHI or ePHI undergo HIPAA compliance and awareness training. This training should be conducted yearly or on another regular basis as a refresher and to cover any updates and new releases pertaining to HIPAA regulations.
Evaluate your knowledge of these duties and responsibilities as a HIPAA compliant facility. Take charge and take action today! For a no-obligation, free HIPAA compliance assessment right in your facility, do not hesitate to contact us; we are your partners from the assessment onwards!