HIPAA Explainer Series: HIPAA Compliance Q&A (Part 2)

In our recent HIPAA webinar, HIPAA Compliance Essentials, I talked about navigating the muddy waters of the HIPAA Security and Privacy rules, and about how to prepare for CMS’ recently published protocol for the Stage 2 HIPAA Privacy and Security Audits.

Many of you wrote in with questions pertaining to the webinar or HIPAA in general. In this HIPAA Explainer Series, I’ll tackle your most pressing questions from emails, blog comments, webinars, or eBriefs. Tune in every other week to find your answers. If you’re new to this series, you might want to check out: HIPAA Explainer Series: HIPAA Compliance Q&A Part 1.

Q1: Lee Castonguay - How much does a CE have to know about a BA's level of HIPAA compliance?

This is a debated question because of some tension in the law. I think to dive into the specifics related to that tension would make my answer both long and boring. So here are some general principles:

  • Make sure you identify your Business Associates. You can use this tool to help you identify your Business Associates.
  • Make sure you sign a Business Associates Agreement with them. The DHHS has published a BAA template, which you can find here.
  • It is a good idea to have your business associates provide an annual affirmation that they have complied with the regulations, they have not had an incident or breach that they need to report to the CE, that they have conducted or updated their risk analysis and that they have provided training to their employees. 
  • If a business associate is essential to your business and/or is processing or handling a large amount of the CE’s PHI, then more extensive efforts may need to be made to understand and manage the risks posed by the business associates. Those more extensive efforts may include an audit, on-site visits, a review of their risk analysis or the executive summary, review of training logs, etc. 
  • For reasons related to that tension mentioned above, I would avoid any requirements that substantially “control” the business associate or dictate how it is to carry out its information security management program. I would avoid requiring particular language or procedures in the policies of the business associates. Do not require them, for example, to have passwords of a certain length or complexity. 

Q2: Gina Delgado - Can you provide information on lab services? Who is required to sign off on the report/findings being returned to the ordering physician? Would that be the medical director only? 

I am not sure if this is a HIPAA question or a question related to specific lab requirements. You would not require written authorization from a patient to release labs to an ordering physician because this would fall under the Payment, Treatment and Operations parameters. There may be requirements here imposed by CLIA or other governing bodies, but that is outside my expertise. 

Q3: Crystal Hoopes - Is a postal service person who delivers mail with patient names on envelopes considered someone who needs to follow HIPAA as a business associate? 

No. The US Postal Service, private couriers and shipping companies such as UPS and FedEx, and their electronic equivalents, are merely conduits of PHI. You will sometimes hear of the Conduit Exception, although it’s not an exception; it’s baked into the rules. A conduit transports information but does not access it and is therefore not a business associate. 

Q4: April King - In billing we receive paper EOBs and have to scan them into patient accounts. When we receive the EOBs via paper and not electronically, they come with multiple patients on each page. Is it acceptable to scan the page into the billing section for the patient if their name is on it? How would you handle this? 

It would depend on whether the procedure would cause or has a high likelihood of causing an unauthorized use or disclosure. So, for example, if a patient were to request this data and it were released to them, it would be an unauthorized disclosure if it had other patient names on it. I would need more information before I could answer definitively but the procedure seems sloppy at best. 

Q5: Kathryn Krenz - What constitutes a health plan? 

Health insurance companies, HMOs, company health plans and government programs that pay for health care, such as Medicare, Medicaid, and military and veterans health care programs. There is an exception for self-administered group health plans with fewer than 50 participants. 

Q6: Lydia Ottoson - If a patient requests medical records via email should we refuse and send via fax only? 

Nageen Veerabagu - Have you heard of the new guidance from DHHS about emailing PHI to unsecure patient emails...what is the best way to implement this?

You are not actually allowed to refuse, even if it is against your policies. Before using unencrypted email to communicate with an Individual, a Covered Entity has a "Duty to Warn" the requestor that the email could be read by a third party. If the Individual indicates they still want the use of unsecured email, the Individual has the right to receive PHI in that way. Documentation of the requestor’s agreement to receive unencrypted email should be maintained by the Covered Entity. I would either use a form (which we have already in our HIPAA Manager product) or develop a process using an email template with “Duty to Warn” language and then retain the approval that the recipient provides in a reply email. 

Q7: Lydia Ottoson - Is email a security risk? 

Yes, unencrypted email is a security risk and its use is governed by the transmission security standard of the HIPAA Security rule. Although this safeguard is addressable, requiring the use of encrypted email is almost always reasonable and appropriate. The transmission of ePHI via email should not be allowed unless the email or any attachments to an email containing ePHI are encrypted (noting the exception above). 

Q8: Ryan Parker - Would a company that empties our paper shred bins be considered a business associate? Or would a non-disclosure agreement be appropriate? 

No, not if it’s merely a janitorial-like service. If it’s a shredding company that is handling PHI, then they would be a business associate. So you need an NDA/confidentiality agreement with the former and a BAA with the latter. 

Q9: Tema Pefok – How do you deal with BAs when it comes to cyber security insurance? As a covered entity, do I include them in my insurance, or are they responsible for having their own cyber insurance? 

I don’t know what insurers will allow but I imagine that covering them might be prohibitively expensive on your own policy. Requiring them to carry cyber-insurance might be a good idea as long as you are sensitive to the last bullet I addressed in the first question above. 

Q10: In that case, should I request that they show me a copy and also request their security and privacy policies? 

I think requesting a copy should be fine. Requesting a copy of policies though is, in my opinion, potentially problematic for reasons related to the last bullet of question one. I think, alternatively, you could ask for a policy map that lists the regulation alongside its supporting policy. 

Q11: Stephen Plascyk - Can you speak to the importance of strong authentication and access controls in HIPAA compliance? Is there a role for authentication tokens such as smartcards in verifying identities? 

I am about to publish a HIPAA Q & A on this topic, but here is a short version: having and maintaining access controls is a critical and required aspect of HIPAA compliance, and is the first technical HIPAA Security Standard. The exclusive use of usernames and passwords, by far the most common and standard practice in health care, is characterized by a lot of problems and issues. The rules don’t specifically disallow this approach, but I would love to see the industry move to more secure and, surprisingly, easier approaches such as the wide adoption of two-factor authentication. Stay tuned for a future blog post on this topic. 

Q12: Alison Raman - Can you explain "incidental disclosure?" Thanks! 

The verbiage in the rules about this is cryptic but does help explain the concept. The rules state “Incident to a use or disclosure otherwise permitted or required by this subpart,” which is a fancy way of saying a use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule. There is a lot of confusion around this rule that has led people to believe that, for example, you can’t have a sign-in sheet with individuals’ names on it or you can’t use a person’s name to call them out of a waiting room. These are examples of an incidental disclosure allowed by the Privacy Rule. The HIPAA Privacy Rule is not intended to impede essential communications practices and, thus, does not require that all risk of incidental use or disclosure be eliminated to satisfy its standards. Covered entities should take steps to minimize these types of disclosures to the minimum necessary for the intended function of the communication. So, for example, a sign-in sheet that listed the medical procedure that is the reason for a visit is a disclosure inconsistent with the minimum necessary principle and should not usually be allowed. 

Q13: Barbara Truss - What happens to you if you report a breach? 

It really depends on the size of the breach. Small breaches, such as misdirected mail for example, are extremely common. The Office for Civil Rights, which adjudicates these cases, doesn’t have time to care about small breaches like this. The one exception to this would be if OCR received a complaint. In that instance, they are more likely to conduct an investigation to see if there is a pattern of non-compliance. Larger breaches, especially those over 500 records, are far more likely to get their attention. Keep in mind that all breaches must be reported. If it is a breach over 500 records, it must be reported within 60 days and requires other actions such as reporting to local media. If it is less than 500 records, then annual reporting is required. 

Q14: Ashley Umbach - What about the Security Risk assessment tool on the HHS website? Isn't that another way to conduct a risk assessment? 

The CMS risk assessment tool is certainly a viable option. But for reasons I go into here, I really dislike it. I believe that if an eligible provider uses it in good faith to meet the meaningful use requirement, its use is probably fine. I am much less confident it would pass scrutiny for a HIPAA audit, and even less confident if it were used in response to a complaint. I have no confidence it would suffice if it were used in response to a breach investigation in which the investigator concludes that, had the entity done an adequate risk analysis, the breach could have been prevented. In the hands of a non-expert, the tool is quite ineffective at actually identifying threats and vulnerabilities as required by the HIPAA rule. 

A Free HIPAA Compliance Tool for You

In addition to thanking everyone for their great questions and other feedback, I want to give you the chance to download a free HIPAA Compliance tool from Healthicity. It's our HIPAA Preparation Checklist. It will help ensure that your organization is ready for a HIPAA audit any time and is customizable to your organization.

To download the checklist, just click the button below. No forms required for this one. Enjoy.

