HIPAA Explainer Series: HIPAA Compliance Q&A (Part 3)

Welcome back to our HIPAA Q&A series, where you can get answers to your most pertinent HIPAA questions. Our goal is to simplify HIPAA for your organization and make it painless to get the information you need to protect privacy and meet compliance regulations.

This series evolved from questions we received in a recent webinar of ours, HIPAA Compliance Essentials, Simplified.

If you’re new to the series, you might want to visit Part 1 and Part 2. If you’re already up to speed, let’s dive right in.

Q1: How serious is the violation of healthcare workers using their security access at the workplace to look at their own medical records at the facility?

I think there are two pertinent questions to ask regarding this:

Is it a security incident? It should certainly be considered a security incident, and the incident reporting and response procedures should be followed. Although individuals have well-defined rights to access their PHI, there are processes that should be followed to exercise those rights. An employee should follow the same procedures as patients to request access to their PHI.

Is it sanctionable? As long as sanction policies are followed, this would be left to the discretion of the Security Officer or Administrator. A sanction policy might prescribe certain actions for certain types of infractions. If so, sanctions should be imposed consistent with the policy. My view is that if an employee was acting in good faith, without malicious intent, and it was a first-time offense, provide re-training to the employee and remind them of their obligations under your policies. But I, personally, would not sanction them.

Q2: Is there a way for us to know if our company has any HIPAA complaints filed?

Not that I am aware of. You likely won’t know about it until you receive notice from OCR.

Q3: How does an investigation work?

An investigation begins as you would expect: Your organization will receive a letter from OCR describing the complaint and asking for a response. You should always contact an attorney at this point who has expertise in HIPAA compliance matters. The majority of complaints are resolved voluntarily with corrective actions and training.

Q4: Is there a correlation between the rise in complaints and how televised the potential rewards for a lawsuit are? Wouldn't a person be somewhat incentivized to claim a violation on the off chance there might have been one?

The changes to the enforcement rules under HITECH were definitely aligned to incentivize enforcement actions. I suspect that a complaint that was “fishing for violations” wouldn’t go anywhere. A complaint must allege that a person’s rights were violated or that the covered entity otherwise violated the rules. In either case, a complaint would likely need some “specificity” as to the nature of the violation in order to garner the attention of OCR.

Q5: If a company laptop is lost/stolen is it considered a breach/violation if the EMR is password protected and info cannot be accessed? Does this breach need to be reported?

You would need to follow your Breach Notification protocols, but if there were records on the laptop and the data was not encrypted, then it is most likely a breach that would need to be reported. It’s quite easy to access “clear-text” records on a computer even when the computer or application is password protected.

Q6: When is the annual report of breach(es) due, say for a given calendar year?

No later than 60 days after the end of the calendar year in which the breach was discovered. However, a covered entity may report such breaches at the time they are discovered. Each breach incident requires a separate notice, although they may all be reported on the same date.

Q7: If you do not have breaches to report, is it necessary to file the annual report?

No.

Q8: Is a medical record sent from one provider to a wrong provider considered a reportable disclosure or is it considered "incidental" as the wrong provider is also a covered entity?

It’s unlikely to be considered incidental. It would most likely fall under one of the three exceptions for an inadvertent disclosure.

Q9: If a patient who is a minor states to only call him/her with results and we instead inform a legal guardian, can we be in trouble?

No. In most cases, parents are considered to be the "personal representatives" of their unemancipated minor children if they have the right to make healthcare decisions for them. As personal representatives, parents generally have access to their children's protected health information. There are exceptions that may be invoked based on state law requirements or in cases where the health care provider believes it is not in the best interest of the child, for example, when there is a reasonable belief that the child has been or could be subjected to abuse.

Q10: Is a medical billing company a clearinghouse-covered entity or a vendor-business associate to a medical provider?

A billing company is contracted by a covered entity and billing services are considered a “covered service.” A billing company is a business associate.

Q11: What type of authorization does a school nurse need when requesting vaccines?

Release of vaccination records requires verbal consent but not a written authorization. However, even verbal consent should be documented.

Q12: If we are a medical office, who is responsible for providing a Business Associate Agreement with a business associate vendor, such as an IT or billing company?

The covered entity is responsible for ensuring they have BAA’s in place with appropriate vendors.

Q13: What are your suggestions for dealing with a vendor who refuses to sign a BAA?

They may push back because they don’t believe they are a Business Associate. If you confirm that they are, and they either don’t believe you or refuse to sign otherwise, I would recommend that you terminate the agreement and find a more compliant vendor.

Stay tuned for Part 4 of our HIPAA Q&A Series. Go ahead and ask your HIPAA-related questions below in our comments form.
