The HIPAA final rule aims to increase patient privacy and secure health data. Learn how to ensure full compliance in your practice.
Exclusively for members, the AOA has published two comprehensive guides focused on HIPAA privacy and security rules, complete with step-by-step instructions for bringing your practice into compliance.
Easy-to-use descriptions, checklists, guides and sample documents to ensure compliance with HIPAA
A step-by-step guide to implementing and complying with the HIPAA Security Rule
Yes, the AOA has published two comprehensive guides available exclusively to AOA members. The guides focus on the HIPAA privacy and security rules and provide step-by-step instructions on how to bring your practice into compliance.
No. If you are communicating with covered entities regarding payment or treatment, they are not considered business associates (BAs). They are simply covered directly by the HIPAA rules for covered entities.
If you have a cloud-based EHR or an EHR on your office computer, but an external company uses the EHR in ways that give it access to PHI, then that company is absolutely a business associate and you need to have a BA agreement with it. Ensure that all agreements are in place and up-to-date, because business associates are also directly liable under HIPAA.
Yes, the answering service is granted access to PHI when patients disclose medical concerns that prompt them to call.
Business associate agreements are only required for third parties who are not employees of the medical practice, but provide a function on behalf of the practice and require the use of patients’ PHI. Cleaning personnel do not need to have access to PHI in order to clean the medical practice. Practices must implement administrative, technical and physical safeguards to protect PHI; therefore, the practice’s policies should work to prevent such exposures (e.g., appropriate document destruction, locked file cabinets, secured computers, etc.).
It depends on your BA agreement and whether the BA is your agent or an independent contractor. If the BA is your agent, you should be alerted to a breach at the same time as the BA. If the BA is an independent contractor, the BA must follow the timeframe specified in the BA agreement. The timeframe to be notified by your contractor should always be considered when drafting the agreement.
Try to contact relatives (i.e., spouses, children) or a caretaker to confirm consent, particularly for a course of treatment. This issue is not limited to HIPAA concerns: once a person can no longer appoint a decision maker, the situation becomes complicated for the patient, their loved ones and the physician.
When in doubt, obtain a signed HIPAA-compliant authorization form to eliminate any ambiguity. If the school asks you to provide information about the child’s immunization, you do not need formal written authorization, but should document that you provided the information.
Under the new HIPAA rule, if the patient has paid cash and does not want their information shared with their health insurer, you do not have to provide that patient’s information.
As soon as you provide a covered service and submit a bill to the health plan, this information is included in the medical record and all rules applicable to the health plan apply. For example, a patient may ask to pay for a particular test out-of-pocket and request that you not communicate about it. But if the patient requires further treatment following a test, the patient may decide they can’t afford to pay out-of-pocket, and subsequent treatments are billed to the health plan. Those records will disclose the fact that the original test was performed, even though the patient elected not to inform the insurer. You may want to discuss this with your patients at such decision points.
Yes, patients can maintain confidential records and then change their minds. For instance, a patient may say “I’ve moved and I’m getting a new doctor and I want your practice to send all my records to that office.” You are obligated to fulfill the patient’s request.
Although patients can provide their written authorization to receive information and material marketed to them, discussions and subsequent recommendations about such products may be considered marketing.
Under the rule, face-to-face communications are protected as well as discussions about prescription drugs that you are recommending, but only to the extent that you do not receive a profit from that patient’s prescription. Physicians should talk to the pharmaceutical company to clarify whether promotional discussions for prescriptions affect individual discussions with their patients. The pharmaceutical company from whom you’re receiving those funds should absolutely give you a definitive legal opinion on the impact to your personal practice.
Cross-cut shredders are recommended. Under the law, you must ensure your PHI has been completely destroyed. If shredded information can be pieced back together to view the original document, the shredder is not adequate and it is far better to use a cross-cut shredder.
Overseas transcription is a very significant issue and presents many problems of its own. A standard email transmission is not secure because the transfer is not secure. For instance, hackers can access the system or information can be accidentally sent to the wrong recipient. Also, you are not able to enforce protections if information is breached. Physicians must consider the value of the service versus the penalties and associated risks.
Yes. You have an obligation to shut down processes that you know are problematic. If you can’t manage a process for taking records home for coding that will reduce the likelihood of a breach to zero or close to zero, you probably should not continue to allow staff to take records home.
EHR vendors cannot sell or de-identify medical information without an agreement with the practice. Extensive rules specify how a company might “scrub and use data.” You should clarify how the EHR vendor interprets this clause and verify whether their proposal complies with the HIPAA rule.
Yes. If you miss the deadline, you’re liable and it doesn’t matter if you did or did not know about it; even if there was nothing you could do about it, you’re still held responsible. The law also states if you were negligent and fixed the problem within 30 days, you won’t face a civil monetary penalty. You need to do everything in your power to transfer records in a timely fashion; otherwise, you should rectify the delay within 30 days.