The Basics of Protecting PHI
Best Practices when Working with Business Associates

Gelb, An Endeavor Management Company
1011 Highway 6 South, Suite 120, Houston, Texas 77077
P +281.759.3600 | F +281.759.3607
www.gelbconsulting.com
  
© 2015 Gelb Consulting. All Rights Reserved.
  
	
  
Note: We are not attorneys and this represents our experience in working with healthcare organizations. This should not be considered legal advice.

Overview
  
The Health Insurance Portability and Accountability Act (HIPAA) placed clear responsibility on healthcare providers to protect individually identifiable health information. Hospitals and healthcare professionals who work with this type of information every day are familiar with HIPAA requirements. However, when external business associates are engaged for activities in which protected health information (PHI) is accessible or shared, there is often a lack of explicit discussion about how to protect PHI.
  	
  
	
  
HIPAA rules stipulate that business associates are directly liable for following HIPAA requirements when working with PHI. For this reason, healthcare providers are required to employ a business associate agreement (BAA) or other written arrangement that specifies how the business associate will comply with HIPAA. Nevertheless, business associates may be unaware of the full breadth of regulations or lack the experience and/or resources to put proper safeguards in place. In fact, according to the U.S. Department of Health & Human Services, some of the largest HIPAA breaches have involved business associates. From Gelb’s perspective as a small business that works with PHI, HIPAA has complex guidelines that require time and resources to fully understand and ensure compliance.
  
	
  
Privacy violations – whether the fault of a hospital representative or a business associate – can be a public relations nightmare and violate the trust of the community. For this reason, it is important for hospitals to go beyond a BAA when considering HIPAA compliance.
  	
  
	
  
How can healthcare professionals be proactive in keeping PHI safe when working with business associates?
  	
  
	
  
Despite the best of intentions, PHI breaches most often occur due to lack of awareness about HIPAA guidelines or failure to follow policies that are in place to prevent breaches. Particularly in the case of business associates who do not typically work with PHI, personnel may lack proper training and resources to protect the information. Even if policies are in place, there must be accountability to ensure the policies are being followed.
  	
  
	
  
At Gelb, we work with PHI on a regular basis in situations such as in-depth interviewing of patients, conducting focus groups, conducting online patient surveys, and managing CRM dashboards. Based on our experiences, we would like to share some best practices for healthcare professionals to consider when sharing PHI with business associates.
  	
  	
  
  
	
  
Confirming Compliance: Basic Questions to Ask

Accountability and transparency are critical in protecting PHI. Even if a BAA is in place, prior to sharing PHI with a business associate, healthcare professionals should initiate discussion and ask questions to ensure best practices and regulations are being followed.
  	
  
	
  
1. Do they have a HIPAA Privacy/Security Officer, and does that person understand the role he/she plays in protecting your PHI?
• Organizations that work with PHI should designate and maintain a HIPAA Privacy/Security Officer.
• This person should have in-depth knowledge of HIPAA regulations, and oversee compliance-related activities, training and policies.
  
	
  
2. Do they have a documented HIPAA compliance policy?
• All internal compliance-related policies, authorizations, training and other related documents should be clearly documented and updated.
• The policy should explain what PHI is and how it will be handled to ensure compliance with the regulations.
• The policy should be available to all employees, and those who will be exposed to PHI must confirm that they have read it and will comply with it.
• A copy of their policies should be provided to you if you request it.
  	
  
	
  
3. Who will have access to PHI, and are they HIPAA trained?
• Any personnel who have access to PHI should complete HIPAA compliance training. At Gelb, employees must go through several training courses and pass a written exam prior to working with PHI.
• As a basic starting point, employees should understand what is considered to be PHI, and the importance of protecting the information. For example, it is a common misconception that it is not PHI if the patient’s specific diagnosis is deleted.
  	
  	
  
	
  
4. How will PHI be stored?
• Most documents saved on a company’s shared drive or a cloud-based portal are accessible to the entire company. However, PHI should only be accessible on a “need to know” basis. At Gelb, we have a separate web portal for each project that involves PHI, and each portal is only accessible to those who truly need access.
• PHI should not be downloaded or saved to an individual computer or portable device, but instead edited or accessed through the portal. In a rare situation in which PHI is downloaded (such as due to lack of internet access during the research), the device should be encrypted, and the downloaded PHI should be deleted as soon as possible. PHI saved to portable devices is the cause of many news stories in which privacy is breached due to loss or theft.
• When working with business associates, it is best to avoid sharing hard copies of PHI. However, if hard copies must exist, they must be stored under lock and key with documented control of who has access.
  	
  	
  	
  
	
  
5. How will PHI be shared between the project team members?
• Team members should not use email to share PHI documentation. They should share documents via a secure server or online portal. Although hospitals might have specific security measures in place that allow them to email PHI, most business associates do not have this capability.
• The business associate team should maintain a log of PHI-sensitive information – who it was received from, who it is accessible to, any situations in which it is transferred or shared, and when it was destroyed.
• Tip: The number of documents that contain PHI should be limited. For example, if the team is working on a schedule for interviews or focus groups, PHI can be protected by assigning each patient a code. The code is included on the scheduling documents and research notes rather than the patient’s name. This allows the documents to be emailed and shared with the team without compromising privacy.
  	
  
	
  
6. How is privacy maintained when recruiting or speaking with patients?
• In marketing research, it is common that patients need to be recruited for interviews or focus groups. It is important that those contacting the patients can clearly communicate how they obtained their name and information to dispel concerns that patients might have about their privacy.
• Team members should also be aware of how much information they share via a voicemail or message left with another person who answers the phone. For example, at Gelb we leave ambiguous messages or voicemails along the lines of “We are conducting a project with [name of hospital] that you might be interested in participating in,” rather than explaining that we are calling to ask about their experience with the Lung Cancer Program.
• Tip: For consistent messaging, it is helpful to have a client-approved recruiting and voicemail script. It is also helpful for the research team to avoid using full names on any of the research materials (such as within an interview transcript or within the file name) and instead use the patient’s code so that the transcript does not become PHI.
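The patient-code approach in the two tips above (a code instead of the name on scheduling documents and notes, and a code instead of the full name in transcripts and file names) fails quietly when the name-to-code table travels with the documents, or when one name is left unreplaced. The Python below is an added example written for this page, not Gelb's own tooling: `PatientCodebook`, `pseudonymize` and `leaks_identifiers` are my own names, the schedule text is a constructed sample, and it assumes the codebook object is stored only inside the restricted project portal. It goes slightly beyond the tip by also catching the "Last, First" ordering common on schedules and names embedded in file names.

```python
"""Patient codes for research documents (added example, not Gelb's code).

Assumptions (mine, not the paper's): the name<->code table lives only in
the restricted project portal; every document, note, transcript and file
name that leaves the portal is run through leaks_identifiers() first.
"""
from __future__ import annotations

import re
import secrets


class PatientCodebook:
    """Maps patient names to opaque codes. This table is the one PHI-bearing
    artifact and is never shared alongside the documents it protects."""

    def __init__(self, project_tag: str) -> None:
        self.project_tag = project_tag
        self._by_name: dict[str, str] = {}   # normalised name -> code
        self._by_code: dict[str, str] = {}   # code -> name as first entered

    def code_for(self, full_name: str) -> str:
        """Return the patient's code, minting one on first use. Codes are
        random rather than sequential, so a code reveals neither enrolment
        order nor cohort size."""
        normalised = " ".join(full_name.split())
        key = normalised.lower()
        if key in self._by_name:
            return self._by_name[key]
        while True:
            code = f"{self.project_tag}-{secrets.token_hex(3).upper()}"
            if code not in self._by_code:
                break
        self._by_name[key] = code
        self._by_code[code] = normalised
        return code

    def names(self) -> list[str]:
        return list(self._by_code.values())


def _flatten(text: str) -> str:
    """Lower-case and treat '_' and '-' as spaces so that a file name such as
    interview_John_Doe.txt is compared the same way as 'John Doe'."""
    return re.sub(r"[_\-]+", " ", text).lower()


def _name_variants(name: str) -> list[str]:
    """'First Last' plus the 'Last, First' form used on many schedules."""
    parts = name.split()
    variants = [name]
    if len(parts) >= 2:
        variants.append(f"{parts[-1]}, {' '.join(parts[:-1])}")
    return variants


def leaks_identifiers(text: str, codebook: PatientCodebook) -> list[str]:
    """Codebook names still present in `text` (either ordering, any case).
    An empty list means the text is clear of the names the project knows."""
    flat = _flatten(text)
    return [n for n in codebook.names()
            if any(_flatten(v) in flat for v in _name_variants(n))]


def pseudonymize(text: str, codebook: PatientCodebook) -> str:
    """Replace each codebook name (either ordering) with its code. It only
    knows the names in the codebook, so pair it with leaks_identifiers()
    and human review before a document is emailed."""
    out = text
    for name in codebook.names():
        code = codebook.code_for(name)
        for variant in _name_variants(name):
            out = re.sub(re.escape(variant), code, out, flags=re.IGNORECASE)
    return out


# Constructed sample schedule; the names are invented.
SCHEDULE = """Interview schedule (constructed sample)
Tue 09:00  Jane Example   follow-up interview
Tue 10:30  Doe, John      follow-up interview
"""


def build_safe_schedule() -> tuple[PatientCodebook, str]:
    """Enrol the two sample patients and return the codebook together with
    the schedule in the form that may be shared with the team."""
    book = PatientCodebook("LCP")
    for name in ("Jane Example", "John Doe"):
        book.code_for(name)
    return book, pseudonymize(SCHEDULE, book)


if __name__ == "__main__":
    book, safe = build_safe_schedule()
    print(safe)
    print("names leaked:", leaks_identifiers(safe, book))
```

Running the module prints the coded schedule and an empty leak list; `leaks_identifiers("interview_John_Doe.txt", book)` reports the file name that the second tip warns about. The codebook deliberately has no export method: the linking table stays in the portal, and only `pseudonymize` output leaves it.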
  	
  
	
  
7. Will the business associate be utilizing additional subcontractors or service providers? If so, are they HIPAA compliant?
• Business associates may need to use subcontractors or service providers for purposes that require them to share PHI – such as recruiting for research or distributing online surveys. In these situations, the business associate must execute a BAA with the other entity to ensure that it is HIPAA compliant as well.
• At Gelb, all subcontractors and service providers must complete training and enter into a BAA that outlines safeguards for protecting PHI. Gelb project managers reinforce these guidelines during the project.
  
	
  
8. What happens to PHI after the project is completed?
• All PHI should be shredded at the completion of a project.

Tip: At the end of a project, ask the business associate team to conduct a “PHI Check” to ensure all PHI documentation related to the project has been destroyed. This includes checking servers, online portals, portable devices and hard copies.
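The custody log from question 5 (who it was received from, who it is accessible to, transfers, and when it was destroyed) and the "PHI Check" tip above fit together: if the log is kept as structured events, the end-of-project check can be computed from the log instead of from memory, and the check itself shows which server, portal, person or cabinet still holds a copy. The Python below is an added example written for this page, not Gelb's own process; the event kinds, the `CustodyLog`, `phi_check` and `Report` names, and the sample events are mine and constructed.

```python
"""PHI custody log and end-of-project PHI Check (added example, not Gelb's).

Assumption (mine): every place a copy of a PHI item can exist -- the
project portal, a named team member, a subcontractor, a locked cabinet
for hard copies -- is a 'holder', and each holder that ever gained a copy
must log its own 'destroyed' event before the project closes.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

EVENT_KINDS = ("received", "access_granted", "transferred", "destroyed")


@dataclass(frozen=True)
class Event:
    item: str         # PHI document or dataset identifier
    kind: str         # one of EVENT_KINDS
    when: date
    holder: str       # who/where gains a copy (or, for 'destroyed', loses it)
    source: str = ""  # for received/transferred: where the copy came from


class CustodyLog:
    """Append-only log of custody events, one trail per PHI item."""

    def __init__(self) -> None:
        self._events: list[Event] = []

    def record(self, ev: Event) -> None:
        if ev.kind not in EVENT_KINDS:
            raise ValueError(f"unknown event kind {ev.kind!r}")
        if ev.kind in ("received", "transferred") and not ev.source:
            raise ValueError(f"{ev.kind} event for {ev.item!r} needs a source")
        self._events.append(ev)

    def items(self) -> list[str]:
        return sorted({e.item for e in self._events})

    def trail(self, item: str) -> list[Event]:
        """Chronological event trail for one item."""
        return sorted((e for e in self._events if e.item == item),
                      key=lambda e: e.when)


@dataclass
class Report:
    outstanding_copies: dict[str, list[str]]  # item -> holders without a 'destroyed'
    no_receipt: list[str]                     # items with no 'received' record

    def passes(self) -> bool:
        return not self.outstanding_copies and not self.no_receipt


def outstanding_copies(log: CustodyLog) -> dict[str, list[str]]:
    """Holders that gained a copy of an item and never logged destroying it."""
    result: dict[str, list[str]] = {}
    for item in log.items():
        held: set[str] = set()
        for e in log.trail(item):
            if e.kind == "destroyed":
                held.discard(e.holder)
            else:
                held.add(e.holder)
        if held:
            result[item] = sorted(held)
    return result


def phi_check(log: CustodyLog) -> Report:
    """The end-of-project check: copies still outstanding anywhere, and items
    that were accessed or transferred without a record of where they came from."""
    no_receipt = [item for item in log.items()
                  if not any(e.kind == "received" for e in log.trail(item))]
    return Report(outstanding_copies(log), no_receipt)


def build_sample_log() -> CustodyLog:
    """Constructed events for a project that has one gap of each kind."""
    log = CustodyLog()
    for ev in (
        Event("interview-list-v1", "received", date(2015, 3, 2), "project-portal", "client-hospital"),
        Event("interview-list-v1", "access_granted", date(2015, 3, 3), "analyst-a"),
        Event("interview-list-v1", "transferred", date(2015, 3, 5), "recruiting-vendor", "project-portal"),
        Event("interview-list-v1", "destroyed", date(2015, 4, 30), "project-portal"),
        Event("interview-list-v1", "destroyed", date(2015, 4, 30), "analyst-a"),
        # the survey export shows up only when access was granted: nobody logged receiving it
        Event("survey-export", "access_granted", date(2015, 3, 20), "analyst-b"),
        Event("survey-export", "destroyed", date(2015, 4, 30), "analyst-b"),
    ):
        log.record(ev)
    return log


if __name__ == "__main__":
    report = phi_check(build_sample_log())
    print("PHI Check passes:", report.passes())
    for item, holders in report.outstanding_copies.items():
        print(f"  {item}: still held by {', '.join(holders)}")
    for item in report.no_receipt:
        print(f"  {item}: no record of who it was received from")
```

On the sample log the check fails for two reasons the tip's manual sweep would have to find by hand: the recruiting subcontractor (question 7) never confirmed destroying its copy of the interview list, and the survey export was in use without anyone recording where it came from. Once the vendor's `destroyed` event is logged, the first finding clears; the second stays until the receipt is documented.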
  	
  	
  
	
  
Key Takeaway – Transparency and Accountability are Critical

Sharing PHI with business associates is often necessary, and can result in valuable information and technology. However, a lack of explicit discussion between healthcare professionals and business associates about how PHI will be handled makes a breach more likely. Prior to sharing PHI, healthcare personnel should initiate conversation and ask detailed questions about the business associate’s HIPAA-related policies to ensure that best practices and regulations are being followed. Ultimately, transparency and accountability are critical for both organizations in not only following the law, but also in maintaining patient trust and confidence.
  	
  
	
  
	
  
	
  
  
	
  
About Endeavor

Endeavor Management is an international management consulting firm that collaboratively works with their clients to achieve greater value from their transformational business initiatives. Endeavor serves as a catalyst by providing pragmatic methodologies and industry expertise in Transformational Strategies, Operational Excellence, Organizational Effectiveness, and Transformational Leadership.

Our clients include those responsible for:
• Business Strategy
• Marketing and Brand Strategy
• Operations
• Technology Deployment
• Strategic Human Capital
• Corporate Finance

The firm’s 50-year heritage has produced a substantial portfolio of proven methodologies, deep operational insight and broad industry experience. This experience enables our team to quickly understand the dynamics of client companies and markets. Endeavor’s clients span the globe and are typically leaders in their industry.

Gelb Consulting Group, a wholly owned subsidiary, monitors organizational performance and designs winning marketing strategies. Gelb helps organizations focus their marketing initiatives by fully understanding customer needs through proven strategic frameworks to guide marketing strategies, build trusted brands, deliver exceptional experiences and launch new products. Gelb can help you to develop and implement the right strategies. Using advanced research techniques, Gelb can help you to understand the complexities of your market, to develop your strategic decision frameworks and to determine the best deployment of your resources and technology to monitor your successes.

For over 50 years, Gelb has worked with marketing leaders on:
• Strategic Marketing
• Brand Building
• Customer Experience Management
• Go to Market
• Product Innovation
• Trademark/Trade Dress Protection

Our websites:
www.endeavormgmt.com
www.gelbconsulting.com
www.gulfresearch.com
  

More Related Content

PDF
HIPAA Basic Healthcare Guide
PPTX
The Startup Path to HIPAA Compliance
PDF
HIPAA eBOOK: Avoid Common HIPAA Violations
PDF
HIPAA compliance for Business Associates- The value of compliance, how to acq...
PDF
HIPAA 101 for Startups
PDF
Lawyers: What You Don't Know About HIPAA Could Hurt You
PDF
The New HIPAA: Rules and Responsibilitues
PPTX
how to really implement hipaa presentation
HIPAA Basic Healthcare Guide
The Startup Path to HIPAA Compliance
HIPAA eBOOK: Avoid Common HIPAA Violations
HIPAA compliance for Business Associates- The value of compliance, how to acq...
HIPAA 101 for Startups
Lawyers: What You Don't Know About HIPAA Could Hurt You
The New HIPAA: Rules and Responsibilitues
how to really implement hipaa presentation

What's hot (6)

PDF
Healthcare preparedness 2010
PDF
HIPAA compliance tuneup 2016
PPTX
HIPAA Compliance: Simple Steps to the Healthcare Cloud
PDF
HIPAA HiTech Regulations: What Non-Medical Companies Need to Know
DOC
HHS Issues HIPAA Cyber Attack Response Checklist
PDF
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Healthcare preparedness 2010
HIPAA compliance tuneup 2016
HIPAA Compliance: Simple Steps to the Healthcare Cloud
HIPAA HiTech Regulations: What Non-Medical Companies Need to Know
HHS Issues HIPAA Cyber Attack Response Checklist
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Ad

Viewers also liked (8)

ODP
Taller arcilla enero 2016
PPT
Efruzhu cancer carci̇nogenesi̇s theory18
PPT
Coag cascade for fellows(8 28-14)b
PDF
Fashion design courses pune
PPT
Airplane slide 2
PDF
Alternativas de solucion
PDF
defense_in_depth_version_12
PPT
Acquired bleeding disorders
Taller arcilla enero 2016
Efruzhu cancer carci̇nogenesi̇s theory18
Coag cascade for fellows(8 28-14)b
Fashion design courses pune
Airplane slide 2
Alternativas de solucion
defense_in_depth_version_12
Acquired bleeding disorders
Ad

Similar to The Basics of Protecting PHI - Best Practices When Working with Business Associates (20)

PPTX
5 hipaa training
PPTX
Marc etienne week1 discussion2 presentation
PDF
Hippa_Certificate
PPTX
Patient confidentiality
PPTX
Patient confidentiality power point
PPTX
Patient confidentiality power point
PPTX
upholdingconfidentiality-130423175025-phpapp01.pptx
PPTX
HIPAA presentation GAHU v7
PPTX
Discussion2
PDF
Dispelling HIPAA Myths: Texting, Emailing, and BYOD Best Practices
PDF
Certificate AS HIPPA
PPTX
Patient confidentiality.ppt
PPTX
Mha 690 week 1 discussion 2 patient privacy
PPTX
Upholding confidentiality
PDF
Hipaa basics.pp2
PPTX
2018-HIPAA-Renewal-Training.pptx
PPTX
Updated modifications to the HIPAA Privacy Rule
PPTX
Mha690 w1 d2
PPTX
residents-2020-orientation-hipaa-highlights.pptx
PPTX
HIPAA and Privacy for Researchers
5 hipaa training
Marc etienne week1 discussion2 presentation
Hippa_Certificate
Patient confidentiality
Patient confidentiality power point
Patient confidentiality power point
upholdingconfidentiality-130423175025-phpapp01.pptx
HIPAA presentation GAHU v7
Discussion2
Dispelling HIPAA Myths: Texting, Emailing, and BYOD Best Practices
Certificate AS HIPPA
Patient confidentiality.ppt
Mha 690 week 1 discussion 2 patient privacy
Upholding confidentiality
Hipaa basics.pp2
2018-HIPAA-Renewal-Training.pptx
Updated modifications to the HIPAA Privacy Rule
Mha690 w1 d2
residents-2020-orientation-hipaa-highlights.pptx
HIPAA and Privacy for Researchers

More from Endeavor Management (20)

PDF
Physician schedule optimization model - Endeavor Analytics
PDF
Patient volume modeling - Endeavor Analytics
PDF
Leading practices in medical center call centers
PDF
Avoid PRM failures
PDF
2017 digital engagement webinar marketing360 - gelb consulting
PDF
Oil and gas brand management - Endeavor
PDF
Experience management overview - Gelb Consulting
PDF
Behavioral Health Client Experience Management - Gelb
PDF
Healthcare Employee Experience Management - Gelb Consulting
PDF
Get to know your referrers
PDF
How to apply speed dating techniques to persona development
PDF
Strategic imperative digital transformation in capital projects
PDF
2017 Physician Strategies Webinar Series - Physician Relations Structure
PDF
Emotionally intelligent healthcare
PDF
Physician Strategies - Physician Engagement
PDF
2017 Physician Strategies: Physician Enagement - Gelb
PDF
What Referring Physicians Want - Gelb Consulting
PDF
Engaging users in digital strategy development
PDF
Healthcare expert advisory group
PDF
Digital physician outreach
Physician schedule optimization model - Endeavor Analytics
Patient volume modeling - Endeavor Analytics
Leading practices in medical center call centers
Avoid PRM failures
2017 digital engagement webinar marketing360 - gelb consulting
Oil and gas brand management - Endeavor
Experience management overview - Gelb Consulting
Behavioral Health Client Experience Management - Gelb
Healthcare Employee Experience Management - Gelb Consulting
Get to know your referrers
How to apply speed dating techniques to persona development
Strategic imperative digital transformation in capital projects
2017 Physician Strategies Webinar Series - Physician Relations Structure
Emotionally intelligent healthcare
Physician Strategies - Physician Engagement
2017 Physician Strategies: Physician Enagement - Gelb
What Referring Physicians Want - Gelb Consulting
Engaging users in digital strategy development
Healthcare expert advisory group
Digital physician outreach

Recently uploaded (20)

PDF
mycobacterial infection tuberculosis (TB)
PPTX
Full Slide Deck - SY CF Talk Adelaide 10June.pptx
PPT
heartap-240428112119-ec76d6fb.pp for studentt
PPTX
Nancy Caroline Emergency Paramedic Chapter 17
PPT
DENGUE_FEVER_&_DHF.pptfffffffffhffffffffffff
PDF
crisisintervention-210721062718.presentatiodnf
PPTX
case study of ischemic stroke for nursing
PPTX
ANALGESIC AND ANTI-INFLAMMssssssATORY DRUGS.pptx
PDF
Culturally Sensitive Health Solutions: Engineering Localized Practices (www....
PPTX
health promotion of infant.pptx for nursing students
PPTX
Tracheostomy Care: A Comprehensive Guide
PPTX
AUTOIMMUNITY - Note for Second Year Pharm D Students
PPTX
Benign prostatic hyperplasia, uro anaesthesia
PPTX
ANTERIOR CRUCIATE LIGAMENT RECONSTRUCTION
PPTX
FOOD IN RELATION TO NUTRITION AND HEALTH
PPTX
osteoporosis in menopause...............
PDF
Fundamentals Final Review Questions.docx.pdf
PDF
cerebral aneurysm.. neurosurgery , anaesthesia
PPTX
Nancy Caroline Emergency Paramedic Chapter 15
PPTX
Nepal health service act.pptx by Sunil Sharma
mycobacterial infection tuberculosis (TB)
Full Slide Deck - SY CF Talk Adelaide 10June.pptx
heartap-240428112119-ec76d6fb.pp for studentt
Nancy Caroline Emergency Paramedic Chapter 17
DENGUE_FEVER_&_DHF.pptfffffffffhffffffffffff
crisisintervention-210721062718.presentatiodnf
case study of ischemic stroke for nursing
ANALGESIC AND ANTI-INFLAMMssssssATORY DRUGS.pptx
Culturally Sensitive Health Solutions: Engineering Localized Practices (www....
health promotion of infant.pptx for nursing students
Tracheostomy Care: A Comprehensive Guide
AUTOIMMUNITY - Note for Second Year Pharm D Students
Benign prostatic hyperplasia, uro anaesthesia
ANTERIOR CRUCIATE LIGAMENT RECONSTRUCTION
FOOD IN RELATION TO NUTRITION AND HEALTH
osteoporosis in menopause...............
Fundamentals Final Review Questions.docx.pdf
cerebral aneurysm.. neurosurgery , anaesthesia
Nancy Caroline Emergency Paramedic Chapter 15
Nepal health service act.pptx by Sunil Sharma

The Basics of Protecting PHI - Best Practices When Working with Business Associates

  • 1. The  Basics  of  Protecting  PHI   Best Practices when Working with Business Associates Gelb, An Endeavor Management Company 1011 Highway 6 South P + 281.759.3600 Suite 120 F + 281.759.3607 Houston, Texas 77077 www.gelbconsulting.com  
  • 2. The  Basics  of  Protecting  PHI     ©  2015  Gelb  Consulting.  All  Rights  Reserved.       Page  2     Note:  We  are  not  attorneys  and  this  represents  our  experience  in  working  with   healthcare  organizations.    This  should  not  be  considered  legal  advice.         Overview   The  Health  Insurance  Portability  and  Accountability  Act  (HIPAA)  placed  clear  responsibility  on   healthcare  providers  to  protect  individually  identifiable  health  information.  Hospitals  and   healthcare  professionals  who  work  with  this  type  of  information  everyday  are  familiar  with  HIPAA   requirements.  However,  when  external  business  associates  are  engaged  for  activities  in  which   protected  health  information  (PHI)  is  accessible  or  shared,  there  is  often  a  lack  of  explicit  discussion   about  how  to  protect  PHI.       HIPPA  rules  stipulate  that  business  associates  are  directly  liable  for  following  HIPAA  requirements   when  working  with  PHI.  For  this  reason,  healthcare  providers  are  required  to  employ  a  business   associate  agreement  (BAA)  or  other  written  arrangement  that  specifies  how  the  business  associate   will  comply  with  HIPAA.  Nevertheless,  business  associates  may  be  unaware  of  the  full  breadth  of   regulations  or  lack  the  experience  and/or  resources  to  put  proper  safeguards  in  place.  In  fact,   according  to  the  U.S.  Department  of  Health  &  Human  Services,  some  of  the  largest  HIPAA  breaches   have  involved  business  associates.  From  Gelb’s  perspective  as  a  small  business  that  works  with  PHI,   HIPAA  has  complex  guidelines  that  require  time  and  resources  to  fully  understand  and  ensure   compliance.     
Privacy  violations  –  whether  the  fault  of  a  hospital  representative  or  a  business  associate  –  can  be  a   public  relations  nightmare  and  violate  the  trust  of  the  community.  For  this  reason,  it  is  important   for  hospitals  to  go  beyond  a  BAA  when  considering  HIPAA  compliance.       How  can  healthcare  professionals  be  proactive  in  keeping  PHI  safe  when  working  with  business   associates?       Despite  the  best  of  intentions,  PHI  breaches  most  often  occur  due  to  lack  of  awareness  about   HIPAA  guidelines  or  failure  to  follow  policies  that  are  in  place  to  prevent  breeches.  Particularly  in   the  case  of  business  associates  who  do  not  typically  work  with  PHI,  personnel  may  lack  proper   training  and  resources  to  protect  the  information.  Even  if  policies  are  in  place,  there  must  be   accountability  to  ensure  the  policies  are  being  followed.       At  Gelb,  we  work  with  PHI  on  a  regular  basis  in  situations  such  as  in-­‐depth  interviewing  of  patients,   conducting  focus  groups,  conducting  online  patient  surveys,  and  managing  CRM  dashboards.  Based   on  our  experiences,  we  would  like  to  share  some  best  practices  for  healthcare  professionals  to   consider  when  sharing  PHI  with  business  associates.      
  • 3. The  Basics  of  Protecting  PHI     ©  2015  Gelb  Consulting.  All  Rights  Reserved.       Page  3     Confirming  Compliance:  Basic  Questions  to  Ask     Accountability  and  transparency  is  critical  in  protecting  PHI.  Even  if  a  BAA  is  in  place,  prior  to   sharing  PHI  with  a  business  associate,  healthcare  professionals  should  initiate  discussion  and  ask   questions  to  ensure  best  practices  and  regulations  are  being  followed.       1. Do  they  have  a  HIPAA  Privacy/Security  Officer,  and  does  that  person  understand  the  role   he/she  plays  in  protecting  your  PHI?   • Organizations  that  work  with  PHI  should  designate  and  maintain  a  HIPAA   Privacy/Security  Officer.     • This  person  should  have  in-­‐depth  knowledge  of  HIPAA  regulations,  and  oversee   compliance-­‐related  activities,  training  and  policies.     2. Do  they  have  a  documented  HIPAA   compliance  policy?   • All  internal  compliance  related   policies,  authorizations,  training  and   other  related  documents  should  be   clearly  documented  and  updated.       • The  policy  should  explain  what  PHI  is   and  how  it  will  be  handled  to  ensure   compliance  with  the  regulations.   • The  policy  should  be  available  to  all   employees  and  those  who  will  be  exposed  to  PHI  must  confirm  that  they  have  read   it  and  will  comply  with  it.       • A  copy  of  their  policies  should  be  provided  to  you  if  you  request  it.       3. Who  will  have  access  to  PHI,  and  are  they  HIPAA  trained?   • Any  personnel  who  have  access  to  PHI  should  complete  HIPAA  compliance  training.   At  Gelb,  employees  must  go  through  several  training  courses  and  pass  a  written   exam  prior  to  working  with  PHI.     • As  a  basic  starting  point,  employees  should  understand  what  is  considered  to  be  PHI,   and  the  importance  of  protecting  the  information. 
For example, it is a common misconception that it is not PHI if the patient's specific diagnosis is deleted.

4. How will PHI be stored?
• Most documents saved on a company's shared drive or a cloud-based portal are accessible to the entire company. However, PHI should only be accessible on a "need to know" basis. At Gelb, we have a separate web portal for each project that involves PHI, and each portal is only accessible to those who truly need access.
• PHI should not be downloaded or saved to an individual computer or portable device, but instead edited or accessed through the portal. In a rare situation in which PHI is downloaded (such as due to lack of internet access during the research), the device should be encrypted, and the downloaded PHI should be deleted as soon as possible. PHI saved to portable devices is the cause of many news stories in which privacy is breached due to a loss or theft.
• When working with business associates, it is best to avoid sharing hard copies of PHI. However, if hard copies must exist, they must be stored under lock and key with documented control of who has access.

5. How will PHI be shared between the project team members?
• Team members should not use email to share PHI documentation. They should share documents via a secure server or online portal. Although hospitals might have specific security measures in place that allow them to email PHI, most business associates do not have this capability.
• The business associate team should maintain a log of PHI-sensitive information: who it was received from, who it is accessible to, any situations in which it is transferred or shared, and when it was destroyed.
• Tip: The number of documents that contain PHI should be limited. For example, if the team is working on a schedule for interviews or focus groups, PHI can be protected by assigning each patient a code. The code is included on the scheduling documents and research notes rather than the patient's name. This allows the documents to be emailed and shared with the team without compromising privacy.

6. How is privacy maintained when recruiting or speaking with patients?
• In marketing research, it is common that patients need to be recruited for interviews or focus groups. It is important that those contacting the patients can clearly communicate how they obtained their name and information, to dispel concerns that patients might have about their privacy.
• Team members should also be aware of how much information they share via a voicemail or message left with another person who answers the phone. For example, at Gelb we leave ambiguous messages or voicemails along the lines of "We are conducting a project with [name of hospital] that you might be interested in participating in," rather than explaining that we are calling to ask about their experience with the Lung Cancer Program.
• Tip: For consistent messaging, it is helpful to have a client-approved recruiting and voicemail script. It is also helpful for the research team to avoid using full names on any of the research materials (such as within an interview transcript or within the file name) and instead use the patient's code so that the transcript does not become PHI.

7. Will the business associate be utilizing additional subcontractors or service providers? If so, are they HIPAA compliant?
• Business associates may need to use subcontractors or service providers for purposes that require them to share PHI, such as recruiting for research or distributing online surveys. In these situations, the business associate must execute a BAA with the other entity to ensure that it is HIPAA compliant as well.
• At Gelb, all subcontractors and service providers must complete training and enter into a BAA that outlines safeguards for protecting PHI. Gelb project managers reinforce these guidelines during the project.

8. What happens to PHI after the project is completed?
• All PHI should be shredded at the completion of a project.
• Tip: At the end of a project, ask the business associate team to conduct a "PHI Check" to ensure all PHI documentation related to the project has been destroyed. This includes checking servers, online portals, portable devices and hard copies.
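The patient-code practice from items 5 and 6 and the custody log and "PHI Check" from items 5 and 8, as an added example that is not part of the original paper and not Gelb's own tooling. The class names, the code format, the log fields and the sample patient list are constructed assumptions; the point it shows is that the name-to-code mapping lives only in a restricted code book, shareable documents carry codes alone, and the log can answer at project close whether anything is still undestroyed.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample roster for the example (fictional, not real patients).
SAMPLE_PATIENTS = [
    {"name": "Jane Example", "phone": "555-0100", "program": "Lung Cancer Program"},
    {"name": "John Sample", "phone": "555-0101", "program": "Lung Cancer Program"},
]


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class CodeBook:
    """Project-specific patient codes (assumed design, not Gelb's system).

    The code book is the only place where a name and its code are linked.
    It stays on the restricted project portal; scheduling documents and
    transcripts that get emailed carry the code only.
    """

    def __init__(self) -> None:
        self._by_name: Dict[str, str] = {}
        self._by_code: Dict[str, str] = {}

    def code_for(self, name: str) -> str:
        """Return the patient's code, creating a random one on first use.

        Codes are random rather than sequential or derived from the name,
        so a leaked schedule cannot be reversed without the code book.
        """
        if name not in self._by_name:
            code = "P-" + secrets.token_hex(3).upper()
            while code in self._by_code:
                code = "P-" + secrets.token_hex(3).upper()
            self._by_name[name] = code
            self._by_code[code] = name
        return self._by_name[name]

    def names(self) -> List[str]:
        return list(self._by_name)


def build_schedule(patients: List[dict], book: CodeBook) -> List[dict]:
    """Interview-schedule rows that carry a code and a slot, never a name."""
    return [{"code": book.code_for(p["name"]), "slot": f"slot-{i + 1}"}
            for i, p in enumerate(patients)]


def contains_identifiers(rows: List[dict], book: CodeBook) -> bool:
    """Pre-share check: does any row still contain a name from the code book?"""
    text = " ".join(str(v) for row in rows for v in row.values())
    return any(name in text for name in book.names())


@dataclass
class PhiItem:
    item_id: str
    description: str
    received_from: str
    accessible_to: List[str]
    transfers: List[str] = field(default_factory=list)
    destroyed_at: Optional[str] = None


class CustodyLog:
    """Who a PHI item came from, who can see it, where it went, when it died."""

    def __init__(self) -> None:
        self._items: Dict[str, PhiItem] = {}

    def receive(self, item_id: str, description: str, received_from: str,
                accessible_to: List[str]) -> PhiItem:
        item = PhiItem(item_id, description, received_from, list(accessible_to))
        self._items[item_id] = item
        return item

    def transfer(self, item_id: str, to: str, note: str = "") -> None:
        item = self._items[item_id]
        item.transfers.append(f"{_now()} -> {to} {note}".rstrip())
        if to not in item.accessible_to:
            item.accessible_to.append(to)  # access list tracks every share

    def destroy(self, item_id: str) -> None:
        self._items[item_id].destroyed_at = _now()

    def phi_check(self) -> List[str]:
        """Project-close check: ids of PHI items not yet marked destroyed."""
        return [i.item_id for i in self._items.values() if i.destroyed_at is None]


if __name__ == "__main__":
    book = CodeBook()
    schedule = build_schedule(SAMPLE_PATIENTS, book)
    print("schedule safe to email:", not contains_identifiers(schedule, book))
    log = CustodyLog()
    log.receive("roster-1", "patient roster", "hospital contact", ["project manager"])
    log.transfer("roster-1", "recruiter", "portal share")
    print("outstanding before destruction:", log.phi_check())
    log.destroy("roster-1")
    print("outstanding after destruction:", log.phi_check())
```

Running the script prints that the schedule is safe to email, lists "roster-1" as outstanding, and then an empty list once it is marked destroyed. The `contains_identifiers` check is deliberately run against the code book's own names, which is the one list a team actually has; it catches the common slip of pasting a name into a "notes" column of a document that was meant to carry codes only.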
Key Takeaway: Transparency and Accountability are Critical
Sharing PHI with business associates is often necessary, and it can result in valuable information and technology. However, a lack of explicit discussion between healthcare professionals and business associates about how PHI will be handled makes a breach more likely. Prior to sharing PHI, healthcare personnel should initiate conversation and ask detailed questions about the business associate's HIPAA-related policies to ensure that best practices and regulations are being followed. Ultimately, transparency and accountability are critical for both organizations, not only in following the law but also in maintaining patient trust and confidence.
About Endeavor
Endeavor Management is an international management consulting firm that collaboratively works with its clients to achieve greater value from their transformational business initiatives. Endeavor serves as a catalyst by providing pragmatic methodologies and industry expertise in Transformational Strategies, Operational Excellence, Organizational Effectiveness, and Transformational Leadership.
Our clients include those responsible for:
• Business Strategy
• Marketing and Brand Strategy
• Operations
• Technology Deployment
• Strategic Human Capital
• Corporate Finance

The firm's 50 year heritage has produced a substantial portfolio of proven methodologies, deep operational insight and broad industry experience. This experience enables our team to quickly understand the dynamics of client companies and markets. Endeavor's clients span the globe and are typically leaders in their industry.

Gelb Consulting Group, a wholly owned subsidiary, monitors organizational performance and designs winning marketing strategies. Gelb helps organizations focus their marketing initiatives by fully understanding customer needs through proven strategic frameworks to guide marketing strategies, build trusted brands, deliver exceptional experiences and launch new products. Gelb can help you to develop and implement the right strategies. Using advanced research techniques, Gelb can help you to understand the complexities of your market, to develop your strategic decision frameworks and to determine the best deployment of your resources and technology to monitor your successes.

For over 50 years, Gelb has worked with marketing leaders on:
• Strategic Marketing
• Brand Building
• Customer Experience Management
• Go to Market
• Product Innovation
• Trademark/Trade Dress Protection

Our websites:
www.endeavormgmt.com
www.gelbconsulting.com
www.gulfresearch.com