HIPAA and Patient Access of Information

1
HIPAA and Patient Access of Information: Primary
Enforcement Focus for HHS
  • Jim Sheldon-Dean
  • Director of Compliance Services
  • Lewis Creek Systems, LLC
  • www.lewiscreeksystems.com

2
Agenda
  • Present Patient Rights for Access of PHI under
    HIPAA
  • Review Guidance and New Proposed Changes to
    Access Rights
  • Discuss how to handle patient access and
    communications of Protected Health Information,
    including E-mail and Texting
  • Identify guidance from HHS for business
    associates, patient access and communications,
    and recent court decisions
  • Discuss rights for access of laboratory
    information and electronic copies of electronic
    records
  • Identify HIPAA policies that may need to be
    changed
  • Look at COVID-19 impacts and special
    considerations
  • Learn about being prepared for enforcement and
    auditing
  • Learn how to approach compliance
  • Q&A session

3
HIPAA Privacy, Security, Breach Rules
  • Privacy Rule
      • 45 CFR 164.5xx, enforceable since 2003
      • Establishes Rights of Individuals
      • Controls on Uses and Disclosures
      • Access of PHI is THE hot button issue for HHS
  • Security Rule
      • 45 CFR 164.3xx, enforceable since 2005
      • Applies to all electronic PHI
      • Flexible, customizable approach to health
        information security
      • Uses Risk Analysis to identify and plan the
        mitigation of security risks
  • Breach Notification Rule
      • 45 CFR 164.4xx, enforceable since February 2010
      • Requires reporting of all PHI breaches to HHS and
        individuals
      • Extensive/expensive obligations
      • Provides examples of what not to do on the HHS
        Wall of Shame:
        https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

4
Rules Have Been Stable
  • Last major update in 2013, result of HITECH Act
  • NEW Proposed Update to Privacy Rule: many small
    changes to improve access and ease information
    sharing and coordination of care
  • Shorter (by half!) timeline to respond to access
    requests
  • Proposed change to Requirement to Obtain an
    Acknowledgement of the Receipt of a Notice of
    Privacy Practices
  • Still no update to Accounting of Disclosures, as
    required by HITECH
  • May be a change to rules under TCPA (re calling
    or messaging cell phones)
  • Guidance on HIPAA compliance liability of
    Business Associates
  • Information Blocking rules intersect HIPAA, being
    enforced
  • Inadequate coverage for new technologies and
    patient information

5
Proposed Changes Codify Guidance
  • Individual Access is THE major Privacy Rule issue
    today
  • 2016 Guidance has not led to compliance
  • Enforcement considers the Guidance
  • Putting the Guidance into the Rules
  • Tightening up timelines
  • Clarifying requirements

6
HIPAA Right of Access
  • 164.524(a) Standard: Access to protected health
    information
      • (1) Right of Access. An individual has the right
        to access, inspect, and obtain a copy of PHI in
        the Designated Record Set, except for:
          • (i) Psychotherapy Notes
          • (ii) Information compiled in reasonable
            anticipation of, or for use in, a civil,
            criminal, or administrative action or
            proceeding
          • (iii) Section removed in 2013: the CLIA
            exemption was removed, so individuals may now
            access test results directly from laboratories

7
Communication with Family & Friends of Patients
  • Privacy Rule 164.502(g) and 164.510(b)
  • The Privacy Rule allows a health care provider or
    health plan to share information with a patient's
    family or friends if:
      • They are involved in the patient's health care or
        payment for health care,
      • The patient tells the provider or plan that it
        can do so,
      • The patient does not object to sharing of the
        information, or
      • Using its professional judgment, the provider
        or plan believes that the patient does not object
  • The Privacy Rule does not require a health care
    provider or health plan to share information with
    a patient's family or friends, unless they
    are personal representatives of the patient
  • https://www.hhs.gov/hipaa/for-individuals/family-members-friends/index.html
  • https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/personal-representatives/

8
What is a HIPAA Breach?
  • 164.402: A breach is any acquisition, access, use,
    or disclosure in violation of the Privacy Rule,
    except if:
      • Unintentional internal use, in good faith, with
        no further use
      • Inadvertent internal use, within job scope
      • Information cannot be retained (returned intact,
        unopened, unviewed)
  • Not reportable if:
      • Secured (encrypted) per HHS guidance, or
        destroyed
  • Otherwise reportable unless there is a low
    probability of compromise based on a risk
    assessment, examining at least:
      • what the information was, how well identified it
        was, and whether its release is adverse to the
        individual
      • to whom it was disclosed
      • whether it was actually acquired or viewed
      • the extent of mitigation

9
Telemedicine and HIPAA
  • Using HIPAA-compliant, fully encrypted services
    under a HIPAA Business Associate Agreement is
    fully compliant for telemedicine use
      • Skype for Business, Updox, VSee, Zoom for
        Healthcare, Doxy.me, and Google G Suite Hangouts
        Meet
  • Can follow the usual processes for Risk Analysis
    and secure implementation, including a HIPAA BAA
  • HIPAA has allowances for emergencies and
    life-threatening situations
  • Patients and providers LOVE Telemedicine! It
    will be with us after the emergency

10
Telemedicine, HIPAA and COVID-19
  • HHS has issued an enforcement advisory on
    telemedicine during the COVID-19 emergency:
    relaxed enforcement for using services that are
    non-public facing but may not meet HIPAA
    requirements (such as providing a BAA)
      • Apple FaceTime, Facebook Messenger video chat,
        Google Hangouts video, or Skype
  • BUT do NOT use public-facing services that are
    not private
      • Facebook Live, Twitch, TikTok, and similar
  • And once the emergency is over you will need to
    use HIPAA-compliant services, under a Business
    Associate Agreement, according to a HIPAA
    Security Risk Analysis
  • See https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html

11
New Technologies
  • New technologies in health care every day
  • Some new technologies will be very useful
  • Some new technologies will be a privacy and
    security nightmare
  • You can't deny new technologies
  • New technologies should be addressed head-on
  • If you ignore them they don't go away
  • Encourage dialog on new technologies and find
    ways to use them productively and securely
  • Education addressing new technologies is
    essential
      • Prevent improper uses
      • Train in appropriate usage

12
New Technologies and HIPAA
  • HIPAA can handle new technologies for PHI
  • Security Rule is very flexible, adaptable
  • New kinds of information, apps, devices, and
    various uses outside the formal HIPAA definition
    of Protected Health Information
  • With medical devices, consumer-driven data
    collection and transmission would be under FTC
    rules, not HIPAA, but with the same device, if
    prescribed by a provider, the same data are PHI
    protected under HIPAA
  • Proposed HIPAA Privacy Rule changes would address
    many issues more clearly
  • Don't be surprised if new laws and regulations
    result
  • State laws may also be in the works
  • Expansion of existing state breach rules

13
Your to-do list
  • Don't be in denial: willful neglect costs more
    than compliance
  • Accommodate individual rights of access and
    choices
  • Review and update your communications policies
    and procedures per the rules, and to allow for
    Emergency considerations
  • Be ready for the end of the Emergency and
    compliance requirements
  • Establish your processes for Risk Analysis and
    Documentation
  • Train staff in new policies and procedures
  • Document, document, document!
  • Conduct drills in audit and breach response
  • Make corrections based on results
  • Always have a plan for moving forward, and follow
    it!

14
Thank you!
  • Any Questions?
  • For additional information, please contact
  • Jim Sheldon-Dean
  • Lewis Creek Systems, LLC
  • 5675 Spear Street, Charlotte, VT 05445
  • jim@lewiscreeksystems.com
  • www.lewiscreeksystems.com
