I had no idea that there were so many “levels” of HIPAA and patient rights. All the different rules and regulations for the special topics, the depth of the Patient Safety Rule, the involvement of the OCR. Even though there was an overwhelming amount of information to research through, a lot of it seemed somewhat familiar. This paper discusses some points I found that I actually learned about.
What is HIPAA? HIPAA is the Health Insurance Portability and Accountability Act, enacted in 1996. This act was issued by the US Department of Health and Human Services (HHS). The rules of HIPAA follow the HIPAA Privacy Rule, which consists of safeguards that protect patients' privacy and health information. HIPAA states rules and regulations as to who is permitted to access Personal Health Information (PHI) without patient consent.
There is also a Security Rule that protects health information stored electronically (e-PHI). It covers any e-PHI that a covered entity creates, receives, maintains or transmits in electronic form. The safeguards it requires fall into three groups: physical, technical and administrative (HHS Office of the Secretary, Office for Civil Rights, & OCR. (2013, July 26). Summary of the HIPAA Security Rule).
Administrative Simplification is a part of HIPAA and the Affordable Care Act (ACA) which requires a covered entity to adopt standard electronic transactions, code sets, operating rules and identifiers so that electronic information sharing in the healthcare industry becomes more efficient (HHS Office of the Secretary, Office for Civil Rights, & OCR. (2013, July 26). Summary of the HIPAA Security Rule).
I also learned the steps to take for a cyber attack. I've always had an IT department to take care of it, but hopefully someday I'll be in a management position and might be responsible for something like this.
- Call your IT department or an outside company to help fix any technical problems from the attack and/or to stop the event.
- Report the incident to state or local law enforcement, FBI and/or the Secret Service. Do not include any confidential information.
- All cyber threat indicators should be reported to federal agencies and to information sharing and analysis organizations (ISAOs). Again, do not include any confidential health information.
- An assessment must be done to determine whether any PHI has been breached. If the assessment finds that there has been a breach, see the next step. If the assessment determines that no breach has occurred, all documentation of the event must be kept and retained, including how it was determined that no breach occurred.
- If a breach occurred, the event must be reported to the OCR as soon as possible, and no later than 60 days after the determination that the breach occurred. If the breach affects 500 people or more, then those affected must be notified (My entity just experienced a cyber-attack! What do we do now? A quick response checklist from the HHS, Office for Civil Rights (OCR). (n.d.)).
I also learned quite a bit more about the things that the Office for Civil Rights (OCR) is responsible for. The OCR handles complaints filed under the HIPAA Privacy and Security Rules. One way it does this is by performing compliance reviews to make sure that covered entities are in compliance. It also performs outreach and education to enhance compliance with the Privacy and Security Rules (HHS Office of the Secretary, Office for Civil Rights, & OCR. (2017, June 7). Enforcement Process). OCR may or may not take action on cases presented to it. Normally, it will take action if the case involves a covered entity, such as a health insurance company, a physician, a hospital, etc. It won't accept cases that involve a non-covered entity, such as employers, schools, workers' compensation carriers, etc.

Once OCR accepts a complaint, the complainant and the covered entity are both informed and are asked to present information (sometimes very specific) related to the incident. If the OCR finds an action that may possibly be a violation of the criminal provision of HIPAA, it may refer that action to the Department of Justice (DOJ) for investigation. Otherwise, OCR reviews the evidence that it collected in each case. If it determines that a violation has occurred and the entity is not in compliance, OCR may try to resolve the case with the covered entity through corrective action, voluntary compliance and/or a resolution agreement. Most of these issues are resolved this way by the OCR. It then notifies both the complainant and the covered entity in writing of the case result. If the covered entity fails to take action that satisfies OCR in resolving the issue, OCR may decide to impose civil money penalties (CMPs) on the covered entity. If that happens, the covered entity may request a hearing in which an HHS administrative law judge reviews the evidence and decides whether penalties should be imposed.
Any CMPs collected do not go to the covered entity; they are deposited in the US Treasury (HHS Office of the Secretary, Office for Civil Rights, & OCR. (2017, June 7). How OCR Enforces the HIPAA Privacy & Security Rules).
There are five categories that can be applied to closed OCR cases:
1) Settled after intake and review (no investigation): OCR doesn't have jurisdiction or decides not to investigate.
2) OCR provides technical assistance (no investigation).
3) OCR finds no violation after investigation (investigation).
4) Corrective action obtained (investigation): OCR requires the covered entity to make corrective changes to its HIPAA privacy- and security-related policies, safeguards, trainings, or procedures.
5) OCR may determine not to investigate a case further if: a) it involves a natural disaster; b) OCR referred the case to the DOJ for investigation; c) it was pursued, charged, and resolved by state authorities; or d) the covered entity has already taken steps to comply with the HIPAA rules (HHS Office of the Secretary, Office for Civil Rights, & OCR. (2019, March 22). Enforcement Data).
Another item I learned about is the De-identification Standard. This standard falls under the HIPAA Privacy Rule and provides the standard for de-identification of PHI. Health information is not individually identifiable if it does not identify an individual and the covered entity has no reasonable basis to believe it can be used to identify an individual. There are two methods under this standard for determining whether health information can be used to identify an individual. The first method is Expert Determination: a covered entity may determine that health information is not individually identifiable only if a person with appropriate knowledge of, and experience with, generally accepted statistical and scientific principles and methods for rendering information not individually identifiable, applying those principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify the individual who is the subject of the information. The second method is the "Safe Harbor" method. In this method, specified identifiers of the individual or of relatives, household members, or employers are removed, i.e., names, addresses, birth date, phone numbers, email addresses, social security numbers, device identifiers and serial numbers, medical record numbers, account numbers, full face photographs, among others. An interesting fact about de-identified health information is that once it is de-identified, it is no longer classified as PHI and no longer falls under the protection of the Privacy Rule (HHS Office of the Secretary, Office for Civil Rights, & OCR. (2015, November 6). Methods for De-identification of PHI).
Another interesting thing I learned was that de-identified health information can actually be re-identified. The covered entity assigns a unique code to the de-identified data set to allow for re-identification. If the covered entity re-identifies the individual in de-identified health information it maintains, that information is once again protected by the Privacy Rule, as it meets the definition of PHI. If a code or other means of record identification is disclosed in order to let coded or otherwise de-identified information be re-identified, that disclosure is itself considered a disclosure of PHI. There are, however, two implementation specifications for re-identification. The first is derivation: the code or other means of record identification must not be derived from or related to information about the individual, and must not be capable of being translated so as to identify the individual. The second is security: the covered entity must not use or disclose the code or other means of record identification for any other purpose, and must not disclose the mechanism for re-identification (HHS Office of the Secretary, Office for Civil Rights, & OCR. (2015, November 6). Methods for De-identification of PHI).
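To make the Safe Harbor removal and the re-identification code concrete, here is a small Python sketch added to this paper; it is not code from the HHS guidance. The field names, the sample record and the subset of identifiers checked are my own assumptions for illustration.

```python
import secrets
from typing import Dict, Tuple

# Direct identifiers from the Safe Harbor list discussed above (a constructed
# subset of the full list; the field names are assumptions for this example).
SAFE_HARBOR_FIELDS = {
    "name", "address", "birth_date", "phone", "email", "ssn",
    "device_id", "medical_record_number", "account_number", "photo",
}


def has_direct_identifiers(record: Dict[str, str]) -> bool:
    """True if any Safe Harbor identifier field is still present."""
    return any(field in record for field in SAFE_HARBOR_FIELDS)


def de_identify(record: Dict[str, str],
                key_map: Dict[str, Dict[str, str]]) -> Tuple[Dict[str, str], str]:
    """Strip Safe Harbor identifiers and attach a re-identification code.

    The code follows the two implementation specifications:
    - derivation: it is random, not derived from any identifier (a hash of
      the SSN or medical record number would be derived and so would not qualify);
    - security: the stripped identifiers live only in key_map, which the
      covered entity keeps separately and never releases with the data set.
    """
    code = secrets.token_hex(16)  # 128 random bits, unrelated to the person
    identifiers = {k: v for k, v in record.items() if k in SAFE_HARBOR_FIELDS}
    cleaned = {k: v for k, v in record.items() if k not in SAFE_HARBOR_FIELDS}
    cleaned["reid_code"] = code
    key_map[code] = identifiers  # PHI stays with the covered entity only
    return cleaned, code


def re_identify(cleaned: Dict[str, str],
                key_map: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Restore the identifiers; the result is PHI again under the Privacy Rule."""
    restored = {k: v for k, v in cleaned.items() if k != "reid_code"}
    restored.update(key_map[cleaned["reid_code"]])
    return restored


# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Doe", "ssn": "000-00-0000", "medical_record_number": "MRN-12345",
    "diagnosis": "J45.20", "year_of_birth": "1980",
}

if __name__ == "__main__":
    key_map: Dict[str, Dict[str, str]] = {}
    released, code = de_identify(SAMPLE_RECORD, key_map)
    print(released)  # no name, SSN or MRN; only the clinical fields plus the code
```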
Here's an act I don't remember hearing about: the Patient Safety and Quality Improvement Act of 2005 (PSQIA), which became effective January 19, 2009. This act provides a voluntary reporting system whose intent is to strengthen the data available to identify and resolve patient safety and health care quality issues. To encourage use of this system, PSQIA provides confidentiality protections and Federal privilege for patient safety data, called patient safety work product. Patient safety work product includes data gathered and developed during the reporting and analysis of patient safety events. The confidentiality protection helps providers report and examine safety issues without fear of heightened liability risk. Better reporting and investigation of patient safety issues will most likely yield more data and a better understanding of patient safety issues. Through the PSQIA, Patient Safety Organizations (PSOs) have been established. These organizations receive reports of patient safety concerns or issues from providers and provide analyses of those issues to the reporting providers. PSOs are considered business associates under the HIPAA Privacy Rule because they collect and analyze PHI for HIPAA covered entities. The Agency for Healthcare Research and Quality (AHRQ) is responsible for listing the PSOs and works in close association with the OCR (HHS Office of the Secretary, Office for Civil Rights, & OCR. (2017, June 16). Understanding Patient Safety Confidentiality).
I learned that the Patient Safety Rule implements select provisions of PSQIA and that OCR is responsible for interpreting and enforcing the confidentiality protections defined in Subpart C and the enforcement provisions stated in Subpart D. As stated above, AHRQ has the duty of listing (and delisting) the PSOs, which is covered in Subpart B. There are four Subparts of the Patient Safety Rule of note. Subpart A defines the essential terms, such as patient safety work product, PSO, and patient safety evaluation system. Subpart B sets out what is required for listing PSOs. A PSO is an entity that offers its expert advice in evaluating patient safety concerns and other data it collects in order to provide recommendations to providers. Subpart C contains the protections that attach to patient safety work product, namely the privilege and confidentiality protections, along with the exceptions to those protections. Subpart D allows HHS to monitor and enforce compliance by establishing a framework and processes for the confidentiality provisions, the imposition of civil money penalties for breaches of the confidentiality provisions, and hearing procedures (HHS Office of the Secretary, Office for Civil Rights, & OCR. (2017, June 16). Patient Safety Rule).

Providers need a setting in which to discuss and investigate patient safety concerns, find causes and improve outcomes. This is where the enforcement provisions of Subpart D come in. Confidentiality of patient safety work product is critical to maintaining this setting for providers. OCR looks for voluntary compliance by PSOs, providers and other responsible persons who hold patient safety work product. OCR may perform compliance reviews and investigate complaints claiming that patient safety work product was disclosed in violation of the confidentiality standards.
If OCR determines that an infraction has occurred, they may impose a civil money penalty of up to $11,000 per violation (HHS Office of the Secretary, Office for Civil Rights, & OCR. (2017, June 16). Confidentiality Provisions of the Patient Safety Act).
The website offered a little more information on covered entities that I was not aware of. Of course, covered entities must comply with the HIPAA rules and provide protection and security for their patients' healthcare information, as well as honoring patients' rights to obtain their own personal medical information. Here is where I gained some knowledge on business associates, which are individuals or entities hired by covered entities to perform some specific service or activity. Covered entities are allowed to "outsource" to these business associates under the Privacy Rule. Covered entities are able to disclose PHI to business associates provided the associates use the information only for the service they were hired to perform, not for their own purposes. If the provider discovers that the associate has violated the contract, the associate must take steps to correct the violation. If such steps are not successful, the contract is terminated. If, for whatever reason, terminating the contract is not practical, the covered entity is responsible for reporting the violation to HHS/OCR. A written contract must be in place for the agreement between the two to be effective. Some examples of business associate activities include claims processing, a medical transcriptionist who works off-site and is independent of the provider, an attorney who provides legal services to healthcare providers and accesses PHI, or a healthcare clearinghouse that translates claim information from the provider onto an industry standard claim form (HHS Office of the Secretary, Office for Civil Rights, & OCR. (2019, May 24). Business Associates).
In conclusion, I learned quite a bit from this assignment, even more than I wrote about in this paper. For my everyday job, HIPAA is something I am required to incorporate all day, every day. I have access to patients' PHI, social security numbers, birth dates, everything. I found the website to be very helpful and informative and will most likely return to it for reference many times in the coming years.
- HHS Office of the Secretary, Office for Civil Rights, & OCR. (2013, July 26). Summary of the HIPAA Security Rule. Retrieved February 9, 2020, from https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
- HHS Office for Civil Rights (OCR). (n.d.). My entity just experienced a cyber-attack! What do we do now? A quick response checklist from the HHS, Office for Civil Rights (OCR). Retrieved from https://www.hhs.gov/sites/default/files/cyber-attack-checklist-06-2017.pdf
- HHS Office of the Secretary, Office for Civil Rights, & OCR. (2017, June 7). Enforcement Process. Retrieved February 9, 2020, from https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/enforcement-process/index.html
- HHS Office of the Secretary, Office for Civil Rights, & OCR. (2017, June 7). How OCR Enforces the HIPAA Privacy & Security Rules. Retrieved February 9, 2020, from https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/how-ocr-enforces-the-hipaa-privacy-and-security-rules/index.html
- HHS Office of the Secretary, Office for Civil Rights, & OCR. (2019, March 22). Enforcement Data. Retrieved February 9, 2020, from https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/index.html
- HHS Office of the Secretary, Office for Civil Rights, & OCR. (2015, November 6). Methods for De-identification of PHI. Retrieved February 9, 2020, from https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html#standard
- HHS Office of the Secretary, Office for Civil Rights, & OCR. (2017, June 16). Understanding Patient Safety Confidentiality. Retrieved February 9, 2020, from https://www.hhs.gov/hipaa/for-professionals/patient-safety/index.html
- HHS Office of the Secretary, Office for Civil Rights, & OCR. (2017, June 16). Patient Safety Rule. Retrieved February 9, 2020, from https://www.hhs.gov/hipaa/for-professionals/patient-safety/patient-safety-rule/index.html
- HHS Office of the Secretary, Office for Civil Rights, & OCR. (2019, May 24). Business Associates. Retrieved February 9, 2020, from https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html