HIPAA and Patient Access of Information
Primary Enforcement Focus for HHS
Jim Sheldon-Dean
Director of Compliance Services
Lewis Creek Systems, LLC
www.lewiscreeksystems.com
© Copyright 2022 Lewis Creek Systems, LLC All Rights Reserved
jim@lewiscreeksystems.com www.lewiscreeksystems.com
Agenda
• Present Patient Rights for Access of PHI under HIPAA
• Review Guidance and New Proposed Changes to Access Rights
• Discuss how to handle patient access and communications of
Protected Health Information, including E-mail and Texting
• Identify guidance from HHS for business associates, patient
access and communications, and recent court decisions
• Discuss rights for access of laboratory information and
electronic copies of electronic records
• Identify HIPAA policies that may need to be changed
• Look at COVID-19 impacts and special considerations
• Learn about being prepared for enforcement and auditing
• Learn how to approach compliance
• Q&A session
HIPAA Privacy, Security, & Breach Rules
• Privacy Rule
– 45 CFR §164.5xx; Enforceable since 2003
– Establishes Rights of Individuals
– Controls on Uses and Disclosures
– Access of PHI is THE hot button issue for HHS
• Security Rule
– 45 CFR §164.3xx; Enforceable since 2005
– Applies to all electronic PHI
– Flexible, customizable approach to health information security
– Uses Risk Analysis to identify and plan the mitigation of security risks
• Breach Notification Rule
– 45 CFR §164.4xx; Enforceable since February 2010
– Requires reporting of all PHI breaches to HHS and individuals
– Extensive/expensive obligations
– Provides examples of what not to do on the HHS “Wall of Shame”:
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Rules Have Been Stable
• Last major update in 2013, result of HITECH Act
• NEW Proposed Update to Privacy Rule; many small changes to
improve access and ease information sharing and coordination of care
– Shorter (by half!) timeline to respond to access requests
– Proposed change to Requirement to Obtain an Acknowledgement
of the Receipt of a Notice of Privacy Practices
– Still no update to Accounting of Disclosures, as required by
HITECH
• May be a change to rules under TCPA (re: calling or messaging cell
phones)
• Guidance on HIPAA compliance liability of Business Associates
• Information Blocking rules intersect HIPAA, being enforced
• Inadequate coverage for new technologies and patient information
Proposed Changes Codify Guidance
• Individual Access is THE major Privacy Rule
issue today
• 2016 Guidance has not led to compliance
• Enforcement considers the Guidance
• Putting the Guidance into the Rules
• Tightening up timelines
• Clarifying requirements
HIPAA Right of Access
➢ §164.524(a) Standard: Access to protected health
information
➢(1) Right of Access. Individual has the right to access, inspect,
and obtain a copy of PHI in the Designated Record Set, except for:
➢(i) Psychotherapy Notes
➢(ii) Information compiled in reasonable anticipation of, or for
use in, a civil, criminal, or administrative action or
proceeding
➢(iii) Section Removed in 2013 – CLIA exemption removed:
Now individuals may access test results directly from
laboratories
Communication with Family &
Friends of Patients
• Privacy Rule § 164.502(g) and 164.510(b)
• The Privacy Rule allows a health care provider or health plan to
share information with a patient’s family or friends if:
– They are involved in the patient’s health care or payment for health
care,
– The patient tells the provider or plan that it can do so,
– The patient does not object to sharing of the information, or
– If, using its professional judgment, a provider or plan believes that the
patient does not object
• The Privacy Rule does not require a health care provider or health
plan to share information with a patient’s family or friends, unless
they are personal representatives of the patient
• https://www.hhs.gov/hipaa/for-individuals/family-members-friends/index.html
• https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/personal-representatives/
What is a HIPAA Breach?
• §164.402 Breach is any acquisition, access, use, or disclosure in
violation of the Privacy Rule, except if:
– Unintentional internal use, in good faith, with no further use
– Inadvertent internal use, within job scope
– Information cannot be retained (returned intact, unopened,
unviewed)
• Not Reportable if:
– Secured (encrypted) per HHS guidance, or destroyed
• Otherwise: Reportable unless there is a “low probability of
compromise” based on a risk assessment, examining at least:
1. what was the info, how well identified was it, and is its release
“adverse to the individual”
2. to whom it was disclosed
3. was it actually acquired or viewed
4. the extent of mitigation
Telemedicine and HIPAA
• Using HIPAA-compliant fully encrypted services under a HIPAA
Business Associate Agreement is fully compliant for
telemedicine use
– Skype for Business, Updox, VSee, Zoom for Healthcare, Doxy.me,
and Google G Suite Hangouts Meet
• Can follow the usual processes for Risk Analysis and secure
implementation, including a HIPAA BAA
• HIPAA has allowances for emergencies and life-threatening
situations
• Patients and providers LOVE Telemedicine! It will be with us
after the emergency
Telemedicine, HIPAA and COVID-19
• HHS has issued an enforcement advisory on telemedicine during
the COVID-19 emergency: Relaxed enforcement for using services
that are non-public facing but may not meet HIPAA requirements
(such as providing a BAA)
– Apple FaceTime, Facebook Messenger video chat, Google Hangouts video,
or Skype
• BUT: Do NOT use public-facing services that are not private
– Facebook Live, Twitch, TikTok, and similar
• And: Once the emergency is over you will need to use HIPAA
compliant services, under a Business Associate Agreement,
according to a HIPAA Security Risk Analysis
• See: https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html
New Technologies
• New technologies in health care every day
– Some new technologies will be very useful
– Some new technologies will be a privacy and security
nightmare
• You can’t deny new technologies
– New Technologies should be addressed head-on
– If you ignore them they don’t go away
– Encourage dialog on new technologies and find ways to
use them productively, securely
• Education addressing new technologies is essential
– Prevent improper uses
– Train in appropriate usage
New Technologies and HIPAA
• HIPAA can handle new technologies for PHI
– Security Rule is very flexible, adaptable
• New kinds of information, apps, devices, and various uses outside
the formal HIPAA definition of “Protected Health Information”
• With medical devices, consumer-driven data collection and
transmission would be under FTC rules, not HIPAA, but with the
same device, if prescribed by a provider, the same data are PHI
protected under HIPAA
• Proposed HIPAA Privacy Rule changes would address many issues
more clearly
• Don’t be surprised if new laws and regulations result
– State laws may also be in the works
– Expansion of existing state breach rules
Your to-do list…
✓ Don’t be in denial – willful neglect costs more than compliance
✓ Accommodate individual rights of access and choices
✓ Review and update your communications policies and procedures
per the rules, and to allow for Emergency considerations
✓ Be ready for the end of the Emergency and compliance
requirements
✓ Establish your processes for Risk Analysis and Documentation
✓ Train staff in new policies and procedures
✓ Document, document, document!
✓ Conduct drills in audit and breach response
✓ Make corrections based on results
✓ Always have a plan for moving forward, and follow it!
Thank you!
Any Questions?
For additional information, please contact:
Jim Sheldon-Dean
Lewis Creek Systems, LLC
5675 Spear Street, Charlotte, VT 05445
jim@lewiscreeksystems.com
www.lewiscreeksystems.com