HIPAA: One P, Two As, and 1,000 Different Interpretations.

The Health Information Portability and Accountability Act, or HIPAA, as it’s colloquially known, is thrown about on a daily basis in the health care industry, and many people think they know what it requires. More worrisome, just as many know they don’t know what it requires, yet rather than ask their internal experts, they make their own judgments. Paula Span has a great article published in the New York Times that speaks to these incorrect applications. And then there’s the black sheep contingent who think “HIPPA” doesn’t apply to them, as one person recently commented to me: “Well, I don’t live around here – so I don’t worry about patient privacy”.

HIPAA: the law, the regulation, the mystery.

This law was originally passed in 1996, as a precursor of health reform, and established insurance portability requirements for individuals changing employers. A secondary part of the law required that medical records be kept under appropriate privacy standards by providers and health plans. Regulatory updates in 2006 and 2011 established the security and breach notification requirements, respectively. However, it was only in 2013 that the HIPAA Omnibus Rule was released by the Department of Health and Human Services. The Omnibus Rule pulled all of the previous updates together, added the genetic information privacy requirements established under GINA, and pulled the health care industry forward.

As it stands today, HIPAA creates numerous requirements for health care providers that substantially impact and define the manner in which a provider can operate, often using vague language such as “in the provider’s professional judgment” to qualify who should or should not have access to a patient’s medical record. As Paula Span’s article highlights, that professional judgment most likely tips further toward the conservative than what is actually required.

Here is a summary of these requirements, as they fit into three broad categories:

  • Security: Keep protected health information (PHI) secured within your organization. Systems should require passwords for access, and only those whose jobs require system access should be assigned user accounts. Do not store PHI in cloud services (for example, Dropbox) that your Information Security Officer has not vetted for appropriate encryption standards. Maintain and review access logs for medical record systems. Conduct a security risk assessment of all technology infrastructure annually to identify risks, and develop plans to mitigate those risks.
  • Privacy: Train staff on access standards: only access PHI with a ‘business need to know’, defined as healthcare treatment, payment or operations. Complete formal business associate agreements (BAAs) with any entity your organization contracts with to perform healthcare treatment, payment or operations on your organization’s behalf; the BAA establishes clear expectations for how the business associate will handle your organization’s PHI. Establish a privacy policy and Notice of Privacy Practices (NPP) for your organization. The NPP must be visibly posted across the organization, and the organization must document that it is offered to patients on entry.
  • Communication with Patients: Provide patients access to their medical records in a timely manner and in the form the patient requests, even if they would like their PHI emailed to them. Patients have the right to designate who, other than themselves, may access their PHI. Additionally, any breach of privacy or security standards involving a patient’s PHI must be communicated to that patient within 60 days of the date the breach was discovered.

The following is a tip sheet I’ve created that summarizes the highlights of these requirements, designed for the physician group practice setting:

HIPAA Best Practices for Medical Practices

What questions do you have about administering and maintaining HIPAA compliance?