HIPAA Tip of the Month: Copiers, Fax Machines, and Printers

When developing your HIPAA policies and procedures, it is important to remember your copiers, fax machines, and printers. This is especially important because the majority of these machines contain hard drives that store the information they process. Not safeguarding these machines can get you into some serious trouble. Affinity Health Plan learned this the hard way back in 2010 when patient data was discovered on the hard drives of copy machines returned to a leasing company.1

The following are some points to consider when developing policies and procedures for your organization’s copy machines, fax machines, and printers.

Location.  Ensure that copiers, fax machines, and printers are in a location where they can be protected from unauthorized access. Choose a location that is only accessible to staff members with access to electronic protected health information (ePHI). Only use fax machines, copy machines, and printers dedicated for ePHI use and keep them well separated from machines that do not process ePHI. It is also important to ensure that materials containing ePHI are not left unattended on fax machines, copy machines, and printers.

Access Control.  Contact the manufacturer of your machine to see if it has a password option. Requiring a user to enter a password before operating the machine will allow you to restrict access to authorized users.

Fax procedures.  Faxing PHI requires some additional precautions due to the fact that faxes are often left unattended on the machine after they are received. Anyone who passes by the machine could then have access to the sensitive information contained within the fax. Additionally, most machines now have internal hard drives and automatically save copies of faxes received, which makes it possible for anyone with access to the fax machine to print additional copies.2 The following safeguards can help reduce a covered entity’s risk when using a fax machine to transmit ePHI:

  • Avoid sending faxes when another, more secure method of communication is available.
  • Contact the manufacturer to see if it is possible to configure your fax machine to never save copies of faxes sent or received.
  • Limit the amount of ePHI contained within a fax to the minimum amount necessary.
  • Include a cover sheet with a confidentiality notice.
  • Verify the fax number prior to transmission. When sending a fax to a new recipient, send a test fax first.
  • Notify the recipient that a fax containing PHI is about to be sent.
  • Confirm receipt and document receipt confirmation in a designated logbook.

Digital copiers.  Digital copiers available today have internal hard drives that store images of every copy made on the machine. If the machine also has fax, print, scanning, and/or e-mail capabilities, those images are also stored. Data contained on these internal hard drives can be stolen by remote access or directly from the drive once it has been removed from the machine. There are, however, safeguards that a covered entity can implement to reduce its risk of a HIPAA violation when using a digital copier. These include regularly overwriting the hard drive and retaining or destroying the hard drive once the machine has been returned.3,4

For tips on what to consider when acquiring a digital copier, read Copier Data Security: A Guide for Businesses.

References

Health Insurance Portability and Accountability Act of 1996 relevant Standards and Implementation Specifications:

§ 164.308 – Administrative Safeguards

§ 164.310 – Physical Safeguards

§ 164.312 – Technical Safeguards

§ 164.530(c) – Safeguards Standard

Additional Resources:

  1. “$1.2 Million Penalty in Copier Breach,” databreachtoday.com, posted August 14, 2013, http://www.databreachtoday.com/12-million-penalty-in-copier-breach-a-5991.
  2. “Is a FAX document HIPAA-Secure?” luxsci.com, accessed April 26, 2014, http://luxsci.com/blog/is-a-fax-document-hipaa-secure.html.
  3. “Copier Data Security: A Guide for Businesses,” business.ftc.gov, posted November 2010, http://business.ftc.gov/documents/bus43-copier-data-security.
  4. “Copy Machines, a Security Risk?” cbsnews.com, April 19, 2010, http://www.cbsnews.com/video/watch/?id=6412572n.

HIPAA Tip of the Month: Mobile Devices

Mobile devices have become powerful business tools used in many medical practices. One of the biggest reasons for this is their portability and how they improve our ability to stay connected and share information when and where it is needed. However, the reasons mobile devices are so desirable are also the reasons they are considered a risk in terms of data security and HIPAA.

One of the biggest security concerns with mobile devices is their small size and portability, which make them vulnerable to loss or theft. If a lost or stolen mobile device stores or has access to electronic protected health information (ePHI), such as text messages or e-mail messages containing patient information, it may become the source of a HIPAA violation if patient data is compromised. However, there are several safeguards a covered entity can implement to ensure HIPAA compliance and better protect itself against HIPAA violations.

The U.S. Department of Health and Human Services (HHS) has developed a website that provides tips and information on protecting the privacy and security of health information when using a mobile device. This website is the source for a number of resources to assist covered entities in the development of policies and procedures for their mobile devices. To help you get started, we have provided below some of the mobile device risks and suggested safeguards listed on the HHS website. Visit the website for further information.

Mobile Device Risks:

  1. Lost mobile device
  2. Stolen mobile device
  3. Downloaded virus or malware
  4. Shared mobile device
  5. Unsecured Wi-Fi network

Mobile Device Safeguards:

  1. Use a password or other user authentication
  2. Install and enable encryption
  3. Use automatic log off
  4. Require a unique user ID
  5. Install and activate remote wiping and/or remote disabling
  6. Lock the device
  7. Keep the device with you
  8. Use a screen shield
  9. Disable and do not install or use file-sharing applications
  10. Register the mobile device
  11. Install and enable a firewall
  12. Use a secure Wi-Fi connection
  13. Research mobile applications before downloading
  14. Install and enable security software and keep it up-to-date
  15. Delete all stored health information before discarding or reusing the mobile device


HIPAA Tip of the Month: Workstation Use

Last month we discussed the physical environment surrounding workstations and how to establish physical safeguards to prevent both intentional and incidental access to workstations by unauthorized users. This month we will discuss ways to establish the who, what, when, and where regarding access to electronic protected health information (ePHI) on workstations. These requirements fall under the HIPAA workstation use standard.

In order to comply with the HIPAA regulations regarding workstation use, a covered entity must “implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.”1

As we did with workstation security, let's first look at possible threats and vulnerabilities to workstations that could result in an adverse impact on a covered entity. Potential environmental threats include, but are not limited to, power surges and failure of air filtration and central air systems, all of which can impact the performance and functionality of a covered entity’s information systems. Potential human threats include, but are not limited to, an unauthorized, malicious, or untrained user who compromises the integrity, confidentiality, or availability of ePHI; or the unauthorized disclosure, loss, or theft of ePHI that could lead to identity theft.2,3 Here are some potential vulnerabilities that could be exercised by these threats and result in adverse impacts:

  1. Lack of inventory of workstations, laptops, printers, copiers, tablets, smartphones, monitors, and other electronic devices and awareness of the environment in which the devices are used.
  2. Expectations for proper use of workstations and electronic devices not established, resulting in members of the workforce and other users who are unaware of how to properly use a device.
  3. Access to workstations not restricted to authorized users.
  4. Failure to use passwords or unique user ID.
  5. Use of weak or shared passwords.
  6. Failure to use a password protected screen saver or similar protective feature.
  7. Failure to lock workstation when it will be left unattended.
  8. Failure to run virus scans or install anti-virus software or firewalls.

There are a number of physical safeguards a covered entity can implement to reduce the probability that a potential threat will exercise a particular vulnerability associated with workstation use. Here are some examples:

  1. Create, maintain, and periodically review an inventory of all workstations and electronic devices. These devices include laptops, printers, copiers, fax machines, tablets, and smartphones.
  2. Establish policies and procedures that require employees to lock workstations or log off before leaving a workstation for an extended period of time.
  3. Enable security settings such as auto log off or auto lock for workstations and other electronic devices.
  4. Install antivirus and firewall software and update continually.
  5. Establish policies and procedures to control access to workstations and other electronic devices with access to ePHI. Examples include the use of a unique user ID and strong passwords.
  6. Establish policies and procedures to enforce access control policies.
  7. Establish and have users sign an appropriate access agreement prior to granting access to a user.
  8. Establish policies and procedures that specify the proper functions and define the acceptable use of workstations, information systems, and other electronic devices with access to ePHI. Examples include limiting the use of hardware and electronic media that may be connected to workstations and other information systems; prohibiting access to social networking sites, private email, or other websites not specifically used for work purposes; and providing guidance for file downloads and storage of ePHI.2,3

When identifying and implementing physical safeguards specific to your organization, it is important to first identify workstation types and functions or uses, then identify the expected performance of each type of workstation, and finally analyze the physical surroundings for physical attributes. Here are several sample questions a covered entity should consider according to NIST SP 800-66 and the HIPAA Security Series of papers:

  1. Does an inventory exist of all workstations and electronic devices, including types and locations? Who is responsible for creating and maintaining this inventory?
  2. Are workstations classified by their capabilities, connections, and allowable activities?
  3. What tasks are commonly performed on a given workstation or class of workstation?
  4. Do policies and procedures specify the proper use and performance of a specific workstation or class of workstation?
  5. Do policies and procedures specify how and where to position workstations to prevent viewing by unauthorized individuals? Do changes need to be made in the space configuration?
  6. What are the threats and potential negative impacts associated with a workstation’s surroundings?
  7. Do policies and procedures establish additional security measures, such as privacy screens and password protected screen savers that can be used to further protect workstations with access to EPHI?
  8. Are policies and procedures in place to address telecommuters and other users that access ePHI remotely?
  9. Are employees trained on the security requirements for the ePHI they access in the course of their jobs?4,5

Definitions 

Workstation.  Workstation is defined in the Security Rule as “An electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions [including printers, copiers, fax machines, smartphones, and monitors], and electronic media stored in its immediate environment.”

Threat.  Threat is defined in the Security Rule as “the potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.” 

Vulnerability.  Vulnerability is defined in the Security Rule as “a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised.”

Physical Safeguards.  Physical safeguards are defined in the Security Rule as “physical measures, policies, and procedures to protect a covered entity’s or business associate’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”

Access.  Access is defined in the Security Rule as “the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.”

References 

Health Insurance Portability and Accountability Act of 1996 relevant Standards and Implementation Specifications:

§ 164.310(b) – Workstation Use

Additional Resources:

  1. “Security Rule Educational Paper Series: Physical Safeguards,” hhs.gov, accessed April 24, 2014, http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf.
  2. “Security Risk Assessment Tool Physical Safeguards Content,” healthit.gov, created March 18, 2014, http://www.healthit.gov/sites/default/files/20140318_sratool_content_-_physical_volume_v1.docx.
  3. “NIST Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations,” nvlpubs.nist.gov, revised January 15, 2014, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.
  4. “Security Rule Educational Paper Series: Physical Safeguards,” hhs.gov, accessed April 24, 2014, http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf.
  5. “NIST Special Publication 800-66: An Introductory Resource Guide for Implementing the HIPAA Security Rule,” hhs.gov, accessed April 24, 2014, http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/nist80066.pdf.

HIPAA Tip of the Month: Workstation Security

When it comes to workstation security, there are a couple of different things a covered entity should consider. First, it is important to look at the physical environment surrounding workstations and establish safeguards to prevent both intentional and incidental access by unauthorized users. Second, it is important to establish the who, what, when, and where regarding access to electronic protected health information (ePHI) on workstations. HIPAA breaks these requirements into two standards: workstation security and workstation use respectively. We will discuss workstation security in this tip.

In order to comply with the HIPAA regulations regarding workstation security, a covered entity must “implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.”1

So, how should a covered entity physically protect its workstations from unauthorized users? Let's first look at some possible threats and vulnerabilities to workstations that could result in an adverse impact on a covered entity.

Without appropriate physical safeguards in place, a covered entity opens itself up to potential human threats that may include an unauthorized user vandalizing or compromising the confidentiality, integrity, or availability of ePHI; or the unauthorized disclosure, loss, or theft of ePHI that could lead to identity theft.2,4 Here are some potential vulnerabilities that could result in these adverse impacts:

  1. Leaving a workstation with access to ePHI unattended.
  2. Positioning workstations with access to ePHI in a manner that does not prevent unauthorized users, such as patients and visitors, from incidentally viewing ePHI on the workstation.
  3. Placing workstations with access to ePHI in publicly accessible areas.
  4. Using mobile devices, such as laptops, tablets, and smartphones, as mobile workstations to access ePHI, especially when they are used in inappropriate locations or in a manner that would allow unauthorized users to view the screen while ePHI is visible.
  5. Placing workstations in locations where they are not protected by physical security, such as doors, locks, or keyed access.
  6. Allowing the movement of mobile and non-mobile devices and office equipment without regular monitoring and tracking.

There are a number of physical safeguards a covered entity can implement to reduce the probability that a particular threat will exercise a particular vulnerability associated with workstation security. Here are some examples:

  1. Keep doors locked for rooms where workstations containing ePHI are housed, in order to control access.
  2. Use privacy screens and/or face computer screens away from doorways, windows, and when screens may be visible to passersby.
  3. Establish policies and procedures that prevent unauthorized access to unattended workstations or electronic devices, such as automatically logging off or locking workstations and devices that are inactive for a specific amount of time.
  4. Place information system components and storage media in a location that would restrict access to authorized users.
  5. Establish policies and procedures for mobile devices (laptops, tablets, and smartphones) that limit or restrict how and where ePHI is accessed or stored on these devices.
  6. Restrict unauthorized physical access to other electronic devices, such as printers, copiers, and fax machines that handle ePHI.
  7. Develop policies and procedures that establish the acceptable use and storage of electronic devices that remotely access ePHI.2

When identifying and implementing physical safeguards specific to your organization, it is important to first identify all methods of physical access to your workstations and then analyze the risk associated with each type of access (the probability that a particular threat will exercise a particular vulnerability and the resulting impact if this should occur). Here are several sample questions a covered entity should consider according to NIST SP 800-66 and the HIPAA Security Series of papers:

  1. Is there an inventory of all current workstation locations?
  2. Are any workstations located in public areas?
  3. Are laptops used as workstations?
  4. Are any workstations in areas that are more vulnerable to unauthorized use, theft, or viewing of the data they contain?
  5. What are the options for making modifications to the current access configuration?
  6. What safeguards are in place, i.e., locked doors, screen barriers, cameras, guards?
  7. Do any workstations need to be relocated to enhance physical security?
  8. Have employees been trained on security?
  9. Are physical safeguards implemented for all workstations that access EPHI, to restrict access to authorized users?
  10. Are current physical safeguards used to protect workstations with EPHI effective?
  11. Are additional physical safeguards needed to protect workstations with EPHI?1,3

Definitions

Workstation.  Workstation is defined in the Security Rule as “An electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions [including printers, copiers, fax machines, smartphones, and monitors], and electronic media stored in its immediate environment.”

Threat.  Threat is defined in the Security Rule as “the potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.”

Vulnerability.  Vulnerability is defined in the Security Rule as “a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised.” 

Physical Safeguards.  Physical safeguards are defined in the Security Rule as “physical measures, policies, and procedures to protect a covered entity’s or business associate’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”

Access.  Access is defined in the Security Rule as “the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.”

References

Health Insurance Portability and Accountability Act of 1996 relevant Standards and Implementation Specifications:

§ 164.310(c) – Workstation Security

Additional Resources:

  1. “Security Rule Educational Paper Series: Physical Safeguards,” hhs.gov, accessed April 24, 2014, http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf.
  2. “Security Risk Assessment Tool Physical Safeguards Content,” healthit.gov, created March 18, 2014, http://www.healthit.gov/sites/default/files/20140318_sratool_content_-_physical_volume_v1.docx.
  3. “NIST Special Publication 800-66: An Introductory Resource Guide for Implementing the HIPAA Security Rule,” hhs.gov, accessed April 24, 2014, http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/nist80066.pdf.
  4. “NIST Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations,” nvlpubs.nist.gov, revised January 15, 2014, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

HIPAA Tip of the Month: State Law

When does the Privacy Rule preempt State law and what is the process for requesting an exception determination?

Covered entities are required to comply with both State and Federal privacy laws and regulations whenever possible. However, according to the U.S. Department of Health and Human Services (HHS), when a State law is considered contrary to the Privacy Rule, it will generally be preempted by federal requirements. There are three exceptions. The Privacy Rule will not preempt State law when State law requires:

-  Greater privacy protections or privacy rights with respect to protected health information;

-  Reporting of disease or injury, child abuse, birth, or death, or for public health surveillance, investigation, or intervention; or,

-  Certain health plan reporting.1

Requesting Preemption Exception Determination for a Contrary State Law

If a covered entity determines that it is necessary to request a preemption exception determination, the covered entity must make the request in writing to HHS. The request must explain how the State law in question is actually contrary to the Federal requirements, and how the contrary State law meets one or more of the specific criteria for which exceptions may be granted.2

Preemption exceptions may be granted if the “State law:

-  Is necessary to prevent fraud and abuse related to the provision of or payment for health care;

-  Is necessary to ensure appropriate State regulation of insurance and health plans to the extent expressly authorized by statute or regulation;

-  Is necessary for State reporting on health care delivery or costs;

-  Is necessary for purposes of serving a compelling public health, safety, or welfare need, and, if a Privacy Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or,

-  Has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances, or that is deemed a controlled substance by State law.”3

Good to Know

Definition of a “contrary” State law. The Privacy Rule defines a State law as “contrary” to federal requirements if “a covered entity or business associate would find it impossible to comply with both the State and Federal requirements; or the provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of [HIPAA].”4

Definition of a “more stringent” State law. The Privacy Rule defines a State law as “more stringent” than federal requirements “if it provides greater privacy protections for individuals’ identifiable health information, or greater rights to individuals with respect to that information, than the Privacy Rule does.”5

Preemption exceptions exist when a contrary State law is more stringent than the federal regulation. However, covered entities are required to comply with both the more stringent State law and the federal regulation when the two are not contrary to each other.6

Exception determinations are published to inform the public. HHS will provide public notice of an exception determination through the Federal Register and on its website.7 When a preemption exception is granted by HHS, the exception will, in most cases, apply to anyone subject to that specific provision of State law.

References

Health Insurance Portability and Accountability Act of 1996 relevant Standards and Implementation Specifications:

§ 160.202 – Preemption of State Law Definitions

§ 160.203 – Preemption of State Law General Rule and Exceptions

U.S. Department of Health and Human Services Resources:

1. “Summary of the HIPAA Privacy Rule,” hhs.gov, accessed April 19, 2014, http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/.

2. “Under what circumstances will HHS grant a State law preemption exception determination?” hhs.gov, last modified December 11, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/preemption_of_state_law/404.html.

3. “Summary of the HIPAA Privacy Rule,” hhs.gov, accessed April 19, 2014, http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/.

4. “How do I know if a State law is “contrary” to the HIPAA Privacy Rule?” hhs.gov, last modified December 11, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/preemption_of_state_law/402.html.

5-6. “How do I know if a State law is “more stringent” than the HIPAA Privacy Rule?” hhs.gov, last modified December 11, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/preemption_of_state_law/403.html.

7. “Will HHS publish exception determinations?” hhs.gov, last modified December 11, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/preemption_of_state_law/409.html.

HIPAA Tip of the Month: Incidental Use and Disclosure

Is a covered entity required to prevent all incidental uses and disclosures of protected health information?

According to the U.S. Department of Health and Human Services (HHS), the Privacy Rule permits a covered entity to use or disclose, without prior authorization, protected health information for the purpose of treatment, payment, and health care operations. Incidental uses and disclosures secondary to otherwise permitted uses and disclosures are allowed under the Privacy Rule as long as reasonable safeguards and minimum necessary policies and procedures are in place.1

Incidental Use or Disclosure Definition. “A secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule.”2

HHS Reasonable Safeguards Examples

- Discuss patient information quietly when in a public area.

- Avoid the use of patient names in public spaces.

- Secure rooms or file cabinets containing patient records.

- Control access to computers that maintain personal information.

- Remind employees about the importance of protecting patient information through the use of posted signs.3

Minimum Necessary Standard. Covered entities are required to implement policies and procedures that limit protected health information used or disclosed to the minimum necessary to complete the intended task. This includes limiting an employee’s access to protected health information to the minimum necessary to fulfill their job responsibilities.4

Good to Know

What is reasonable? Not every covered entity is the same and the safeguards they implement won’t be either. There are several factors that should be considered when determining if a safeguard is reasonable for a particular covered entity. Analyzing these factors will help a covered entity tailor safeguards to their particular circumstances.

- Size of the covered entity.

- Type and volume of protected health information maintained.

- Risks to the privacy of a patient’s protected health information.

- Financial constraints.

- Administrative challenges.5

Leaving patient charts outside of an exam room. A covered entity may place patient charts outside of an exam room as long as appropriate steps have been taken to safeguard the patient’s privacy and meet minimum necessary requirements. These steps may include limiting access to spaces where protected health information is located, escorting non-employees, concealing patient information on charts, and supervising restricted areas.6

Documenting Incidental Disclosures. An accounting of disclosures is not required for incidental disclosures permitted by the Privacy Rule.7

Waiting room etiquette. The use of patient sign-in sheets and calling out patient names in a waiting room are permitted under the Privacy Rule, as long as the information disclosed is limited to the minimum necessary. In most cases, this means that medical information should not be displayed on sign-in sheets or disclosed in waiting rooms. When reasonable safeguards are in place and the minimum necessary standard has been implemented, incidental disclosures, such as one patient hearing the name of another in the waiting room or seeing another patient’s name on a sign-in sheet, are allowed.8

References

Health Insurance Portability and Accountability Act of 1996 relevant Standards and Implementation Specifications:

§ 164.502 – Uses and disclosures of protected health information: general rules

§ 164.530 – Administrative Requirements

U.S. Department of Health and Human Services Resources:

1. “Summary of the HIPAA Privacy Rule,” hhs.gov, accessed August 22, 2012, http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/.

2-5. “Incidental Uses and Disclosures,” hhs.gov, last modified December 3, 2002, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/incidentalusesanddisclosures.html.

6. “A clinic customarily places patient charts in the plastic box outside an exam room…” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/incidential_uses_and_disclosures/201.html.

7. “Are covered entities required to document incidental disclosures permitted by the HIPAA Privacy Rule, in an accounting of disclosures provided to an individual?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/incidential_uses_and_disclosures/204.html.

8. “May physicians’ offices use patient sign-in sheets or call out the names of their patients in their waiting rooms?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/incidential_uses_and_disclosures/199.html.

HIPAA Tip of the Month: Minimum Necessary Standard

When and how is a covered entity required to limit the use and disclosure of, and requests for, protected health information (PHI) to the minimum necessary?

According to the U.S. Department of Health and Human Services (HHS), the Privacy Rule requires covered entities to “implement policies and procedures to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose. The minimum necessary standard does not apply to the following:

  • Disclosures to or requests by a health care provider for treatment purposes.
  • Disclosures to the individual who is the subject of the information.
  • Uses or disclosures made pursuant to an individual’s authorization.
  • Uses or disclosures required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Rules.
  • Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the Privacy Rule for enforcement purposes.
  • Uses or disclosures that are required by other law.”1

What your minimum necessary policies and procedures should include:

Uses.  Identify who requires access to PHI, the type or category of PHI to which each person or class of persons needs access, and the appropriate conditions under which PHI may be accessed.

Routine/Recurring Disclosures and Requests. Describe the standard procedures to use in order to limit disclosed or requested PHI to the minimum necessary for a specific type of disclosure or request. With standard procedures in place, a minimum necessary review of each request or disclosure is not required.

Non-routine Disclosures/Requests. Establish criteria for determining and limiting the PHI requested or disclosed to the minimum necessary for a non-routine request or disclosure. Each non-routine request and disclosure must be reviewed in accordance with the established criteria.

Good to Know

Reasonable Reliance. In certain situations, a covered entity may rely on the judgment of the party requesting the disclosure of PHI that the information requested is the minimum necessary for the stated purpose. This reasonable reliance is permitted when the requester is one of the following:

  • A public official or agency making a request permitted by the Privacy Rule and who states that the information requested is the minimum necessary;
  • Another covered entity;
  • A covered entity’s employee or business associate who states that the information requested is the minimum necessary for the stated purpose; or,
  • A researcher with appropriate documentation from an Institutional Review Board (IRB) or Privacy Board.

A covered entity is not required to rely on a requester’s judgment of the minimum amount required and may, therefore, make their own determination of what is the minimum necessary.1

Using, disclosing, or requesting an entire medical record. The minimum necessary standard does not apply to the use, disclosure, or request for an entire medical record by a health care provider for treatment purposes or when the disclosure is to the individual who is the subject of the protected health information. A case-by-case justification for the use, disclosure, or request of an entire medical record for other than treatment purposes is not required so long as it is documented in the covered entity’s policies and procedures that the entire medical record is the reasonable amount necessary for a specified purpose.2

Business Associates and the Minimum Necessary Standard. A business associate contract must limit a business associate’s uses, disclosures, and requests for protected health information to the minimum necessary to accomplish the intended purpose as defined in the covered entity’s minimum necessary policies and procedures. A business associate contract may not authorize a business associate to use or further disclose protected health information in a way that the covered entity would not be permitted to do under the HIPAA Privacy Rule.3

Minimum necessary requirements for disclosures to Federal or State agencies. Disclosures to Federal and State agencies require an authorization from the individual. The authorization will indicate what protected health information may be disclosed. Information disclosed pursuant to an authorization is exempt from the HIPAA Privacy Rule’s minimum necessary requirements.4

Establishing what is reasonable. Each covered entity has its own unique circumstances to address when determining what PHI is reasonably necessary for a specific purpose. Covered entities should assess their organization’s practices and their workforce and then implement policies and procedures to limit unnecessary or inappropriate access to PHI accordingly. Covered entities are expected to enhance protections without sacrificing the quality of health care provided.5 What is considered reasonable will be largely dependent on the size of the organization. Smaller entities may find that simply providing appropriate training to their employees will be sufficient, while others may need to provide more security, reconfigure their record systems to limit access to specific fields, or make physical adjustments to their facility to minimize access.6

Authorizations. When an individual submits an authorization for the use or disclosure of their protected health information, the minimum necessary requirements do not apply. As long as the authorization meets the requirements under the HIPAA Privacy Rule, a covered entity is permitted to use or disclose protected health information pursuant to an authorization without making a minimum necessary determination.7 An external Institutional Review Board’s or a Privacy Board’s waiver of authorization may also be accepted by a covered entity without making a minimum necessary determination. The covered entity can reasonably rely on a researcher’s documentation that the information requested is the minimum necessary for the research purpose.8

Minimum Necessary Standard vs. HIPAA Transaction Standards. Uses and disclosures required for compliance with the transactions standards are exempt from the minimum necessary standard. However, optional data elements are required to meet the minimum necessary standard. HHS provides the following example:

The transactions standard adopted for the outpatient pharmacy sector is an example of a standard that uses optional data elements. The health plan, or payer, currently specifies which of the optional data elements are needed for payment of its particular pharmacy claims. The health plan or its business associates must apply the minimum necessary standard when requesting this information. In this example, a pharmacist may reasonably rely on the health plan’s request for information as the minimum necessary for the intended disclosure. For example, as part of a routine protocol, the name of the individual may be requested by the payer as the minimum necessary to validate the identity of the claimant or for drug interaction or other patient safety reasons.9

References

Health Insurance Portability and Accountability Act of 1996 relevant Standards and Implementation Specifications:

§ 164.502(b) – Uses and disclosures of protected health information: general rules (Minimum Necessary)

§ 164.504(e)(2) – Uses and disclosures: Organizational requirements (Business Associate Contracts)

§ 164.514(d) – Other requirements relating to uses and disclosures of protected health information (Minimum Necessary Requirements)

U.S. Department of Health and Human Services Resources:

1. “Minimum Necessary Requirement,” hhs.gov, last modified April 4, 2003, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/minimumnecessary.html.

2. “Does the HIPAA Privacy Rule strictly prohibit the use, disclosure, or request of an entire medical record? If not, are case-by-case justifications required each time the entire medical record is disclosed?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/minimum_necessary/213.html.

3. “Are business associates required to restrict their uses and disclosures to the minimum necessary? May a covered entity reasonably rely on a request from a covered entity’s business associate as the minimum necessary?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/minimum_necessary/252.html.

4. “Are providers required to make a minimum necessary determination to disclose to Federal or State agencies, such as the Social Security Administration (SSA) or its affiliated agencies, for individuals’ applications for Federal or State benefits?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/minimum_necessary/211.html.

5. “How are covered entities expected to determine what is the minimum necessary information that can be used, disclosed, or requested for a particular purpose?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/minimum_necessary/207.html.

6. “In limiting access, are covered entities required to completely restructure existing workflow systems, including redesigning office space and upgrading computer systems, in order to comply with the HIPAA Privacy Rule’s minimum necessary requirements?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/minimum_necessary/215.html.

7. “Must the HIPAA Privacy Rule’s minimum necessary standard to be applied to uses or disclosure that are authorized by an individual?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/minimum_necessary/210.html.

8. “May a covered entity accept documentation of an external Institutional Review Board’s (IRB) waiver of authorization for purposes of reasonably relying on the request as the minimum necessary?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/research_disclosures/217.html.

9. “Doesn’t the HIPAA Privacy Rule minimum necessary standard conflict with the HIPAA transaction standards?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/smaller_providers_and_businesses/212.html.

HIPAA Tip of the Month: Authorizations – Part 2

What information must be included in an authorization for the use and disclosure of protected health information?

According to the U.S. Department of Health and Human Services, an “authorization must be in plain language, and contain specific information regarding the information to be disclosed or used, the person(s) disclosing and receiving the information, expiration, right to revoke in writing, and other data.”1

Authorization Checklist  

All authorizations must meet the following criteria to be considered valid:

√  Written in plain language.

√  Describe the information to be used or disclosed.

√  Identify the person(s) authorized to use or disclose the requested information.

√  Identify the person(s) to whom a covered entity may disclose the requested information.

√  Identify the purpose of the use or disclosure.

√  Provide a specific date upon which the authorization expires.

√  Include a signature of the individual or personal representative, including the personal representative’s authority to act for the individual, if applicable, and date signed.

√  Provide a statement regarding the individual’s right to revoke the authorization in writing, including either exceptions to this right in accordance with paragraph 164.508(b)(5) and how an individual may revoke the authorization, or a reference to the covered entity’s notice of privacy practices.

√  Provide a statement that the covered entity may not condition treatment, payment, enrollment, or eligibility for benefits on an individual granting an authorization, or the consequences to the individual when the authorization is not signed if the covered entity is permitted to condition treatment, enrollment, or eligibility of benefits under paragraph 164.508(b)(4).

√  Provide a statement regarding the potential for information disclosed in accordance with the authorization to be subject to re-disclosure by the recipient and no longer protected by the Privacy Rule.

√  If the authorization is for marketing purposes and the marketing involves payment to the covered entity by a third party, a statement revealing this information must also be included in the authorization.

√  If the authorization is for the sale of protected health information, a statement is required identifying that the authorized disclosure will result in payment to the covered entity.

Good to Know

“Consent” vs “Authorization.” Covered entities are permitted, but not required, to obtain voluntary consent from an individual to use or disclose their protected health information for the purpose of treatment, payment, or health care operations. On the other hand, a use or disclosure for a purpose other than treatment, payment, or health care operations requires a written authorization from the individual. In this case, voluntary consent from an individual is not sufficient to permit the use or disclosure of protected health information unless that consent also meets the requirements of an authorization.2

Witness and notarization not required.  Authorizations do not require a witness signature or notarization.3

Categories or classes of persons or entities may be used when identifying who may use or disclose information. The Privacy Rule does not require that an authorization name a specific person or entity that may use or disclose protected health information.  It is sufficient for a single authorization to name a category or class of persons or entities, such as “all medical sources” or “any health care provider who has provided treatment or services to me.” Categories or classes of persons or entities are also sufficient when naming to whom a covered entity may make a disclosure.4

An expiration date or event is required. An authorization is required to identify either a specific date when the authorization will expire, or an event, such as “one year from the date the authorization is signed,” after which the authorization will no longer be valid. The authorization will remain valid until it has expired or is revoked by the individual prior to the expiration date/event. Keep in mind, State law may limit the length of time an authorization is effective.5

References

Health Insurance Portability and Accountability Act of 1996 relevant Standards and Implementation Specifications:

§ 164.508 – Uses and disclosures for which an authorization is required

U.S. Department of Health and Human Services Resources:

1. “Summary of the HIPAA Privacy Rule,” hhs.gov, accessed February 14, 2014, http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/.

2. “What is the difference between “consent” and “authorization” under the HIPAA Privacy Rule?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/authorizations/264.html.

3. “Does the Privacy Rule require that an Authorization be notarized or include a witness signature?” hhs.gov, last modified August 8, 2005, http://www.hhs.gov/ocr/privacy/hipaa/faq/authorizations/478.html.

4. “May a valid Authorization list categories of persons who may use or disclose protected health information, without naming specific individuals or entities?” hhs.gov, last modified August 8, 2005, http://www.hhs.gov/ocr/privacy/hipaa/faq/authorizations/473.html.

5. “Must an Authorization include an expiration date?” hhs.gov, last modified August 8, 2005, http://www.hhs.gov/ocr/privacy/hipaa/faq/authorizations/476.html.

HIPAA Tip of the Month: Authorizations – Part 1

When is a covered entity required to obtain a written authorization for the use and disclosure of protected health information?

According to the U.S. Department of Health and Human Services, under the Privacy Rule, “a covered entity must obtain the individual’s written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule.”1

An Authorization is not required when using or disclosing protected health information “to consult with other providers, including providers who are not covered entities, to treat a different patient, or to refer the patient.”2

Examples When an Authorization is Required

Psychotherapy Notes. An Authorization is required even when the notes are used for the treatment of the patient, unless they are used for treatment by the covered entity that originated the notes. A covered entity may also use or disclose psychotherapy notes without an Authorization for the purpose of “its own training, and to defend itself in legal proceedings brought by the individual, for HHS to investigate or determine the covered entity’s compliance with the Privacy Rules, to avert a serious and imminent threat to public health or safety, to a health oversight agency for lawful oversight of the originator of the psychotherapy notes, for the lawful activities of a coroner or medical examiner, or as required by law.”3

Marketing. An Authorization is required when using or disclosing protected health information for marketing purposes “except for face-to-face marketing communications between a covered entity and an individual, and for a covered entity’s provision of promotional gifts of nominal value.”4

Sale of Protected Health Information. An Authorization is required for any disclosure of protected health information that constitutes a sale of protected health information.

Good to Know

Date PHI was created is not necessarily important. A current Authorization – one that has not expired or been revoked by the individual – permits a covered entity to use or disclose specific protected health information as described in the Authorization.  Unless the Authorization specifically limits the information in any other way, the date the information was created is irrelevant.

In other words, it does not matter when the Authorization was signed: as long as the Authorization is still valid and the information to be used or disclosed is identified in the Authorization, the covered entity is authorized to use or disclose the identified protected health information, even if the health information was created after the Authorization was established.5

Entire medical records can be released. A covered entity may use or disclose a patient’s entire medical record based on a valid Authorization if that Authorization describes in a “specific and meaningful fashion” the protected health information to be used and disclosed.  “Specific” and “meaningful” refers to statements such as “entire medical record” or “complete patient file.”  General statements, such as “all protected health information” are not generally specific enough and could invalidate an Authorization.6

Authorizations can be revoked by an individual. An individual has the right to revoke an Authorization at any time. The request for revocation must be submitted in writing and is effective upon receipt by the covered entity. However, any actions taken by the covered entity on the valid Authorization prior to receipt are not affected by the revocation.7

Copies of Authorizations are acceptable. A signed Authorization is valid for the use or disclosure of protected health information regardless of whether the covered entity receives the original or a copy, including copies sent by facsimile or electronic transmission.8

Authorizations and Health Care Powers of Attorney are not the same thing. The manner in which a person is granted power of attorney for health care decisions is not affected by the Privacy Rule. A Health Care Power of Attorney gives the designated person legal authority to make treatment decisions related to an individual or exercise the rights of that individual, while an Authorization allows a person or entity to use or disclose the individual’s protected health information.9

References

Health Insurance Portability and Accountability Act of 1996 relevant Standards and Implementation Specifications:

§ 164.508 – Uses and disclosures for which an authorization is required

U.S. Department of Health and Human Services Resources:

1. “Summary of the HIPAA Privacy Rule,” hhs.gov, accessed August 22, 2012, http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/.

2. “Does the HIPAA Privacy Rule permit doctors, nurses, and other health care providers to share patient health information for treatment purposes without the patient’s authorization?” hhs.gov, last modified August 8, 2005, http://www.hhs.gov/ocr/privacy/hipaa/faq/authorizations/481.html.

3-4. “Summary of the HIPAA Privacy Rule,” hhs.gov, accessed August 22, 2012, http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/.

5. “May a covered entity disclose protected health information specified in an Authorization, even if that information was created after the Authorization was signed?” hhs.gov, last modified August 8, 2005, http://www.hhs.gov/ocr/privacy/hipaa/faq/authorizations/477.html.

6. “May a covered entity use or disclose a patient’s entire medical record based on the patient’s signed Authorization?” hhs.gov, last modified August 8, 2005, http://www.hhs.gov/ocr/privacy/hipaa/faq/authorizations/471.html.

7. “Can an individual revoke his or her Authorization?” hhs.gov, August 8, 2005, http://www.hhs.gov/ocr/privacy/hipaa/faq/authorizations/474.html.

8. “Is a copy, facsimile, or electronically transmitted version of a signed Authorization valid under the Privacy Rule?” hhs.gov, accessed January 15, 2014, http://www.hhs.gov/ocr/privacy/hipaa/faq/authorizations/475.html.

9. “Does the HIPAA Privacy Rule change the way in which a person can grant another person health care power of attorney?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/smaller_providers_and_businesses/219.html.

HIPAA Tip of the Month: Workers’ Compensation

Is a covered entity permitted to disclose protected health information in order to comply with workers’ compensation law?

According to the U.S. Department of Health and Human Services, “covered entities may disclose protected health information as authorized by, and to comply with, workers’ compensation laws and other similar programs providing benefits for work-related injuries or illnesses.”1

Good to Know

Three occasions on which covered entities may disclose protected health information without an authorization. A covered entity is permitted to disclose protected health information without an individual’s authorization to “workers’ compensation insurers, State administrators, employers, and other persons or entities involved in workers’ compensation systems”2 on the following occasions:

- To comply with workers’ compensation laws or similar programs.

- When required by State or other law.

- To obtain payment for health care provided.3

Individuals can authorize other uses and disclosures of protected health information. An individual may provide his or her authorization for the release of protected health information to an entity, such as a workers’ compensation insurer, for situations not authorized by the Privacy Rule.4

Minimum necessary standard applies. Covered entities must follow the Privacy Rule’s minimum necessary standard and reasonably limit the amount of protected health information disclosed for workers’ compensation purposes.

Covered entities can reasonably accept requests from a State workers’ compensation or other public official as being the minimum necessary for the intended purpose.5

References

Health Insurance Portability and Accountability Act of 1996 relevant Standards and Implementation Specifications:

§ 164.502 – Uses and disclosures of protected health information: general rules

§ 164.512 – Uses and disclosures for which an authorization or opportunity to agree or object is not required

U.S. Department of Health and Human Services Resources:

1. “Summary of the HIPAA Privacy Rule,” hhs.gov, accessed December 18, 2013, http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/.

2-5. “Disclosures for Workers’ Compensation Purposes,” hhs.gov, last modified April 3, 2003, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/workerscomp.html.
