HIPAA Tip of the Month: Minimum Necessary Standard

When and how is a covered entity required to limit the use and disclosure of, and requests for, protected health information (PHI) to the minimum necessary?

According to the U.S. Department of Health and Human Services (HHS), the Privacy Rule requires covered entities to “implement policies and procedures to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose. The minimum necessary standard does not apply to the following:

  • Disclosures to or requests by a health care provider for treatment purposes.
  • Disclosures to the individual who is the subject of the information.
  • Uses or disclosures made pursuant to an individual’s authorization.
  • Uses or disclosures required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Rules.
  • Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the Privacy Rule for enforcement purposes.
  • Uses or disclosures that are required by other law.”1

What your minimum necessary policies and procedures should include:

Uses. Identify the persons or classes of persons in the workforce who require access to PHI, the type or category of PHI to which each needs access, and the conditions under which that access is appropriate.

Routine/Recurring Disclosures and Requests. Describe the standard procedures used to limit the PHI disclosed or requested to the minimum necessary for each type of routine disclosure or request. Once standard procedures are in place, an individual minimum necessary review of each such request or disclosure is not required.

Non-routine Disclosures/Requests. Establish criteria for determining and limiting the PHI requested or disclosed to the minimum necessary for a non-routine request or disclosure. Each non-routine request or disclosure must be reviewed individually against those criteria.
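The three-part policy above maps naturally onto a field-level access filter in a records system. The following is an added illustration, not HHS guidance and not code from the original newsletter: a routine-use table keyed by requester class and purpose, the Privacy Rule exemptions for treatment disclosures to a provider, disclosures to the individual, and disclosures made under the individual's authorization, and a hold-for-review path for anything non-routine. The roles, purposes, field names, PHI categories and the sample record are all assumptions constructed for the demo, not an HHS schema, and reasonable reliance and business associate requests are not modeled.

```python
"""Field-level minimum necessary filter for PHI records.

Added example, not from HHS or the original newsletter. Roles, purposes,
field names and categories are assumptions made for the demo.
"""
from dataclasses import dataclass, field

# Constructed sample record (fictional patient, illustrative field names).
SAMPLE_RECORD = {
    "patient_name": "J. Doe",
    "dob": "1980-01-01",
    "address": "1 Main St",
    "diagnosis": "Type 2 diabetes",
    "medications": ["metformin"],
    "lab_results": {"a1c": 7.1},
    "insurance_id": "INS-000123",
    "billing_codes": ["E11.9"],
}

# Categories of PHI: an assumed grouping of the record's fields.
CATEGORIES = {
    "demographics": {"patient_name", "dob", "address"},
    "clinical": {"diagnosis", "medications", "lab_results"},
    "financial": {"insurance_id", "billing_codes"},
}

# Routine uses and disclosures: (requester class, purpose) -> allowed categories.
# Anything not listed here is non-routine and is held for case-by-case review.
ROUTINE_POLICY = {
    ("billing_clerk", "payment"): {"demographics", "financial"},
    ("scheduler", "operations"): {"demographics"},
    ("quality_reviewer", "operations"): {"clinical"},
}


@dataclass
class Decision:
    outcome: str                       # "release", "exempt" or "review"
    fields: dict = field(default_factory=dict)
    reason: str = ""                   # suitable for an access audit log


def minimum_necessary(record, requester_class, purpose, authorized_fields=None):
    """Return the PHI that may be released for this request, or hold it.

    authorized_fields: the fields named in a valid individual authorization,
    or None when no authorization accompanies the request.
    """
    # Exemptions: the standard does not apply, so no minimum necessary
    # determination is made. An authorization still bounds the release to
    # the information it describes.
    if requester_class == "provider" and purpose == "treatment":
        return Decision("exempt", dict(record), "treatment disclosure to a provider")
    if requester_class == "individual":
        return Decision("exempt", dict(record), "disclosure to the subject of the PHI")
    if authorized_fields is not None:
        released = {k: v for k, v in record.items() if k in authorized_fields}
        return Decision("exempt", released, "disclosure under the individual's authorization")

    # Non-routine: no standard procedure exists, so a person must review it.
    allowed = ROUTINE_POLICY.get((requester_class, purpose))
    if allowed is None:
        return Decision("review", {}, "non-routine request; apply review criteria")

    # Routine: apply the standard procedure, releasing only the listed categories.
    keep = set().union(*(CATEGORIES[c] for c in allowed))
    released = {k: v for k, v in record.items() if k in keep}
    return Decision("release", released, "routine: " + ", ".join(sorted(allowed)))


if __name__ == "__main__":
    for args in [("billing_clerk", "payment"), ("provider", "treatment"),
                 ("researcher", "research")]:
        d = minimum_necessary(SAMPLE_RECORD, *args)
        print(args, d.outcome, sorted(d.fields), "-", d.reason)
```

The "review" outcome releases nothing; the request is parked until someone applies the non-routine criteria, and the returned reason string is what you would write to the access log in each branch.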

Good to Know

Reasonable Reliance. In certain situations, a covered entity may rely on the judgment of the party requesting the disclosure of PHI that the information requested is the minimum amount required for the stated purpose. This reasonable reliance is permitted when the requester is one of the following:

  • A public official or agency making a request permitted by the Privacy Rule and who states that the information requested is the minimum necessary;
  • Another covered entity;
  • A covered entity’s employee or business associate who states that the information requested is the minimum necessary for the stated purpose; or,
  • A researcher with appropriate documentation from an Institutional Review Board (IRB) or Privacy Board.

A covered entity is not required to rely on a requester’s judgment of the minimum amount required and may, therefore, make their own determination of what is the minimum necessary.1

Using, disclosing, or requesting an entire medical record. The minimum necessary standard does not apply to the use, disclosure, or request for an entire medical record by a health care provider for treatment purposes or when the disclosure is to the individual who is the subject of the protected health information. A case-by-case justification for the use, disclosure, or request of an entire medical record for other than treatment purposes is not required so long as it is documented in the covered entity’s policies and procedures that the entire medical record is the reasonable amount necessary for a specified purpose.2

Business Associates and the Minimum Necessary Standard. A business associate contract must limit a business associate’s uses, disclosures, and requests for protected health information to the minimum necessary to accomplish the intended purpose as defined in the covered entity’s minimum necessary policies and procedures. A business associate contract may not authorize a business associate to use or further disclose protected health information in a way that the covered entity would not be permitted to do under the HIPAA Privacy Rule.3

Minimum necessary requirements for disclosures to Federal or State agencies. Disclosures to Federal or State agencies, such as the Social Security Administration, in support of an individual’s application for Federal or State benefits are made pursuant to an authorization from the individual. The authorization indicates what protected health information may be disclosed, and information disclosed pursuant to an authorization is exempt from the HIPAA Privacy Rule’s minimum necessary requirements.4

Establishing what is reasonable. Each covered entity has its own circumstances to address when determining what PHI is reasonably necessary for a specific purpose. Covered entities should assess their organization’s practices and their workforce and then implement policies and procedures to limit unnecessary or inappropriate access to PHI accordingly. Covered entities are expected to enhance protections without sacrificing the quality of health care provided.5 What is considered reasonable depends largely on the size and circumstances of the organization. Smaller entities may find that simply providing appropriate training to their employees is sufficient, while others may need to add security controls, reconfigure their record systems to limit access to specific fields, or make physical adjustments to their facility to minimize access.6

Authorizations. When an individual submits an authorization for the use or disclosure of their protected health information, the minimum necessary requirements do not apply. As long as the authorization meets the requirements under the HIPAA Privacy Rule, a covered entity is permitted to use or disclose protected health information pursuant to an authorization without making a minimum necessary determination.7 An external Institutional Review Board’s or a Privacy Board’s waiver of authorization may also be accepted by a covered entity without making a minimum necessary determination. The covered entity can reasonably rely on a researcher’s documentation that the information requested is the minimum necessary for the research purpose.8

Minimum Necessary Standard vs. HIPAA Transaction Standards. Uses and disclosures required for compliance with the transactions standards are exempt from the minimum necessary standard. However, optional data elements are required to meet the minimum necessary standard. HHS provides the following example:

The transactions standard adopted for the outpatient pharmacy sector is an example of a standard that uses optional data elements. The health plan, or payer, currently specifies which of the optional data elements are needed for payment of its particular pharmacy claims. The health plan or its business associates must apply the minimum necessary standard when requesting this information. In this example, a pharmacist may reasonably rely on the health plan’s request for information as the minimum necessary for the intended disclosure. For example, as part of a routine protocol, the name of the individual may be requested by the payer as the minimum necessary to validate the identity of the claimant or for drug interaction or other patient safety reasons.9

References

Health Insurance Portability and Accountability Act of 1996 relevant Standards and Implementation Specifications:

§ 164.502(b) – Uses and disclosures of protected health information: general rules (Minimum Necessary)

§ 164.504(e)(2) – Uses and disclosures: Organizational requirements (Business Associate Contracts)

§ 164.514(d) – Other requirements relating to uses and disclosures of protected health information (Minimum Necessary Requirements)

U.S. Department of Health and Human Services Resources:

1. “Minimum Necessary Requirement,” hhs.gov, last modified April 4, 2003, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/minimumnecessary.html.

2. “Does the HIPAA Privacy Rule strictly prohibit the use, disclosure, or request of an entire medical record? If not, are case-by-case justifications required each time the entire medical record is disclosed?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/minimum_necessary/213.html.

3. “Are business associates required to restrict their uses and disclosures to the minimum necessary? May a covered entity reasonably rely on a request from a covered entity’s business associate as the minimum necessary?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/minimum_necessary/252.html.

4. “Are providers required to make a minimum necessary determination to disclose to Federal or State agencies, such as the Social Security Administration (SSA) or its affiliated agencies, for individuals’ applications for Federal or State benefits?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/minimum_necessary/211.html.

5. “How are covered entities expected to determine what is the minimum necessary information that can be used, disclosed, or requested for a particular purpose?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/minimum_necessary/207.html.

6. “In limiting access, are covered entities required to completely restructure existing workflow systems, including redesigning office space and upgrading computer systems, in order to comply with the HIPAA Privacy Rule’s minimum necessary requirements?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/minimum_necessary/215.html.

7. “Must the HIPAA Privacy Rule’s minimum necessary standard to be applied to uses or disclosure that are authorized by an individual?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/minimum_necessary/210.html.

8. “May a covered entity accept documentation of an external Institutional Review Board’s (IRB) waiver of authorization for purposes of reasonably relying on the request as the minimum necessary?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/research_disclosures/217.html.

9. “Doesn’t the HIPAA Privacy Rule minimum necessary standard conflict with the HIPAA transaction standards?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/smaller_providers_and_businesses/212.html.

HIPAA Tip of the Month: Authorizations – Part 2

What information must be included in an authorization for the use and disclosure of protected health information?

According to the U.S. Department of Health and Human Services, an “authorization must be in plain language, and contain specific information regarding the information to be disclosed or used, the person(s) disclosing and receiving the information, expiration, right to revoke in writing, and other data.”1

Authorization Checklist  

All authorizations must meet the following criteria to be considered valid:

√ Written in plain language.

√ Describe the information to be used or disclosed.

√ Identify the person(s) authorized to use or disclose the requested information.

√ Identify the person(s) to whom a covered entity may disclose the requested information.

√ Identify the purpose of the use or disclosure.

√ Provide a specific date or event upon which the authorization expires.

√ Include the signature of the individual or personal representative, including the personal representative’s authority to act for the individual, if applicable, and the date signed.

√ Provide a statement regarding the individual’s right to revoke the authorization in writing, including either the exceptions to this right under § 164.508(b)(5) and how the individual may revoke the authorization, or a reference to the covered entity’s notice of privacy practices.

√ Provide a statement that the covered entity may not condition treatment, payment, enrollment, or eligibility for benefits on the individual granting the authorization, or, where the covered entity is permitted to condition treatment, enrollment, or eligibility for benefits under § 164.508(b)(4), a statement of the consequences to the individual of not signing.

√ Provide a statement that information disclosed in accordance with the authorization may be subject to re-disclosure by the recipient and may no longer be protected by the Privacy Rule.

√ If the authorization is for marketing purposes and the marketing involves payment to the covered entity by a third party, include a statement disclosing that payment.

√ If the authorization is for the sale of protected health information, include a statement that the authorized disclosure will result in payment to the covered entity.

Good to Know

“Consent” vs “Authorization.” Covered entities are permitted, but not required, to obtain an individual’s consent to use or disclose their protected health information for treatment, payment, or health care operations. A use or disclosure for any other purpose, however, requires a written authorization from the individual. In that case, voluntary consent from the individual is not sufficient to permit the use or disclosure of protected health information unless the consent also meets the requirements of an authorization.2

Witness and notarization not required.  Authorizations do not require a witness signature or notarization.3

Categories or classes of persons or entities may be used when identifying who may use or disclose information. The Privacy Rule does not require that an authorization name a specific person or entity that may use or disclose protected health information.  It is sufficient for a single authorization to name a category or class of persons or entities, such as “all medical sources” or “any health care provider who has provided treatment or services to me.” Categories or classes of persons or entities are also sufficient when naming to whom a covered entity may make a disclosure.4

An expiration date or event is required. An authorization must identify either a specific date on which it expires or an event, such as “one year from the date the authorization is signed,” after which it will no longer be valid. The authorization remains valid until it expires or is revoked by the individual before the expiration date or event. Keep in mind that State law may limit the length of time an authorization is effective.5

References

Health Insurance Portability and Accountability Act of 1996 relevant Standards and Implementation Specifications:

§ 164.508 – Uses and disclosures for which an authorization is required

U.S. Department of Health and Human Services Resources:

1. “Summary of the HIPAA Privacy Rule,” hhs.gov, accessed February 14, 2014, http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/.

2. “What is the difference between “consent” and “authorization” under the HIPAA Privacy Rule?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/authorizations/264.html.

3. “Does the Privacy Rule require that an Authorization be notarized or include a witness signature?” hhs.gov, last modified August 8, 2005, http://www.hhs.gov/ocr/privacy/hipaa/faq/authorizations/478.html.

4. “May a valid Authorization list categories of persons who may use or disclose protected health information, without naming specific individuals or entities?” hhs.gov, last modified August 8, 2005, http://www.hhs.gov/ocr/privacy/hipaa/faq/authorizations/473.html.

5. “Must an Authorization include an expiration date?” hhs.gov, last modified August 8, 2005, http://www.hhs.gov/ocr/privacy/hipaa/faq/authorizations/476.html.

HIPAA Tip of the Month: Authorizations – Part 1

When is a covered entity required to obtain a written authorization for the use and disclosure of protected health information?

According to the U.S. Department of Health and Human Services, under the Privacy Rule, “a covered entity must obtain the individual’s written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule.”1

An Authorization is not required when using or disclosing protected health information “to consult with other providers, including providers who are not covered entities, to treat a different patient, or to refer the patient.”2

Examples When an Authorization is Required

Psychotherapy Notes. An Authorization is required even when the notes are used for the treatment of the patient, unless they are used for treatment by the covered entity that originated them. A covered entity may also use or disclose psychotherapy notes without an Authorization for the purpose of “its own training, and to defend itself in legal proceedings brought by the individual, for HHS to investigate or determine the covered entity’s compliance with the Privacy Rules, to avert a serious and imminent threat to public health or safety, to a health oversight agency for lawful oversight of the originator of the psychotherapy notes, for the lawful activities of a coroner or medical examiner, or as required by law.”3

Marketing. An Authorization is required when using or disclosing protected health information for marketing purposes “except for face-to-face marketing communications between a covered entity and an individual, and for a covered entity’s provision of promotional gifts of nominal value.”4

Sale of Protected Health Information. An Authorization is required for any disclosure of protected health information that constitutes a sale of protected health information.

Good to Know

Date PHI was created is not necessarily important. A current Authorization, one that has not expired or been revoked by the individual, permits a covered entity to use or disclose the protected health information described in the Authorization. Unless the Authorization limits the information in some other way, the date the information was created is irrelevant.

In other words, it does not matter when the Authorization was signed. As long as the Authorization is still valid and the information to be used or disclosed is identified in it, the covered entity may use or disclose that protected health information, even if the information was created after the Authorization was signed.5

Entire medical records can be released. A covered entity may use or disclose a patient’s entire medical record based on a valid Authorization if that Authorization describes in a “specific and meaningful fashion” the protected health information to be used and disclosed.  “Specific” and “meaningful” refers to statements such as “entire medical record” or “complete patient file.”  General statements, such as “all protected health information” are not generally specific enough and could invalidate an Authorization.6

Authorizations can be revoked by an individual. An individual has the right to revoke an Authorization at any time. The revocation must be submitted in writing and is effective upon receipt by the covered entity. Any actions the covered entity took in reliance on the valid Authorization before receiving the revocation are not affected by it.7

Copies of Authorizations are acceptable. A signed Authorization is valid for the use or disclosure of protected health information regardless of whether the covered entity receives the original or a copy, including copies sent by facsimile or electronic transmission.8

Authorizations and Health Care Powers of Attorney are not the same thing. The manner in which a person is granted power of attorney for health care decisions is not affected by the Privacy Rule. A Health Care Power of Attorney gives the designated person legal authority to make treatment decisions for an individual or to exercise that individual’s rights, while an Authorization allows a person or entity to use or disclose the individual’s protected health information.9

References

Health Insurance Portability and Accountability Act of 1996 relevant Standards and Implementation Specifications:

§ 164.508 – Uses and disclosures for which an authorization is required

U.S. Department of Health and Human Services Resources:

1. “Summary of the HIPAA Privacy Rule,” hhs.gov, accessed August 22, 2012, http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/.

2. “Does the HIPAA Privacy Rule permit doctors, nurses, and other health care providers to share patient health information for treatment purposes without the patient’s authorization?” hhs.gov, last modified August 8, 2005, http://www.hhs.gov/ocr/privacy/hipaa/faq/authorizations/481.html.

3-4. “Summary of the HIPAA Privacy Rule,” hhs.gov, accessed August 22, 2012, http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/.

5. “May a covered entity disclose protected health information specified in an Authorization, even if that information was created after the Authorization was signed?” hhs.gov, last modified August 8, 2005, http://www.hhs.gov/ocr/privacy/hipaa/faq/authorizations/477.html.

6. “May a covered entity use or disclose a patient’s entire medical record based on the patient’s signed Authorization?” hhs.gov, last modified August 8, 2005, http://www.hhs.gov/ocr/privacy/hipaa/faq/authorizations/471.html.

7. “Can an individual revoke his or her Authorization?” hhs.gov, last modified August 8, 2005, http://www.hhs.gov/ocr/privacy/hipaa/faq/authorizations/474.html.

8. “Is a copy, facsimile, or electronically transmitted version of a signed Authorization valid under the Privacy Rule?” hhs.gov, accessed January 15, 2014, http://www.hhs.gov/ocr/privacy/hipaa/faq/authorizations/475.html.

9. “Does the HIPAA Privacy Rule change the way in which a person can grant another person health care power of attorney?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/smaller_providers_and_businesses/219.html.

 

HIPAA Tip of the Month: Workers’ Compensation

Is a covered entity permitted to disclose protected health information in order to comply with workers’ compensation law?

According to the U.S. Department of Health and Human Services, “covered entities may disclose protected health information as authorized by, and to comply with, workers’ compensation laws and other similar programs providing benefits for work-related injuries or illnesses.”1

Good to Know

Three occasions on which covered entities may disclose protected health information without an authorization. A covered entity is permitted to disclose protected health information without an individual’s authorization to “workers’ compensation insurers, State administrators, employers, and other persons or entities involved in workers’ compensation systems”:2

-  To comply with workers’ compensation laws or similar programs.

-  When required by State or other law.

-  To obtain payment for health care provided.3

Individuals can authorize other uses and disclosure of protected health information. An individual may provide his or her authorization for the release of protected health information to an entity, such as a workers’ compensation insurer, for situations not authorized by the Privacy Rule.4

Minimum necessary standard applies. Covered entities must follow the Privacy Rule’s minimum necessary standard and reasonably limit the amount of protected health information disclosed for workers’ compensation purposes.

Covered entities may reasonably rely on a request from a State workers’ compensation official or other public official as being the minimum necessary for the intended purpose.5

References

Health Insurance Portability and Accountability Act of 1996 relevant Standards and Implementation Specifications:

§ 164.502 – Uses and disclosures of protected health information: general rules

§ 164.512 – Uses and disclosures for which an authorization or opportunity to agree or object is not required

U.S. Department of Health and Human Services Resources:

1. “Summary of the HIPAA Privacy Rule,” hhs.gov, accessed December 18, 2013, http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/.

2-5. “Disclosures for Workers’ Compensation Purposes,” hhs.gov, last modified April 3, 2003, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/workerscomp.html.

HIPAA Tip of the Month: Business Associates – Part 2

What are the business associate requirements?

The Privacy Rule requires a covered entity to obtain satisfactory assurances from its business associates that they will appropriately safeguard the protected health information they create, receive, maintain, or transmit on behalf of the covered entity. (Business associates must obtain the same assurances from their subcontractors, who are now themselves considered business associates.) The satisfactory assurances must be documented in the form of a written contract or other written agreement between the covered entity and the business associate.

What should be in the contract? The elements of a business associate contract are specified at 45 CFR 164.504(e), as amended by the HIPAA Omnibus Rule. A few of the requirements:

1. Description of the permitted and required uses of protected health information.

2. Statement that protected health information will not be used or further disclosed beyond what is specifically permitted or required by the business associate contract or law.

3. Requirement that appropriate safeguards will be implemented by the business associate to prevent the use or disclosure of protected health information beyond what is permitted or required by the business associate contract.

4.  Statement that the business associate will notify the covered entity if it discovers any unauthorized use or disclosure of protected health information.

5.  Requirement that the business associate will make protected health information available to the covered entity or the individual in accordance with an individual’s right to access, amendment, and accounting of disclosures.

6.  Statement that the business associate contract will be terminated if a material breach or violation of the contract by the business associate becomes known and steps to cure the breach or end the violation are unsuccessful.

Sample Business Associate Contract: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html1

Good to Know

Electronic Contracts. HIPAA permits electronic documents to satisfy its written-document requirements in most cases. However, there are currently no standards under HIPAA for the use of electronic signatures. Covered entities must ensure that electronic contracts meet the applicable requirements of State contract law and that electronic signatures, when used, result in a contract that is legally binding under State or other law.2

Individual Rights. Covered entities, not business associates, are responsible for satisfying the individual rights requirements of HIPAA. HIPAA requires a statement in the business associate contract that the business associate will make available the protected health information it holds so that the covered entity can satisfy the individual rights of access, amendment, and accounting of disclosures. The contract must also specify that the business associate will amend protected health information when requested by the covered entity. Alternatively, a covered entity and its business associate may agree through the business associate contract that, where appropriate, the business associate will provide access, amendments, or an accounting directly to individuals.3

Notice of Privacy Practices.  A business associate is not required to create a notice of privacy practices.  However, a covered entity must ensure by way of its contract that a business associate’s practices and its uses and disclosures of protected health information are consistent with the privacy policies described in the covered entity’s notice of privacy practices.4

Covered Entity Liability. A covered entity is required by HIPAA to establish a written contract or other agreement with its business associate under which the business associate will safeguard protected health information. If a business associate fails to meet the requirements of the contract, the covered entity is not liable for the business associate’s actions as long as the covered entity takes reasonable steps to cure any breach or end any violation of which it becomes aware. If it is unable to do so, the covered entity must terminate the contract with the business associate or, if termination is not feasible, report the problem to HHS.5

Business Associate Liability. Under the HIPAA Omnibus Rule, business associates are liable for any use or disclosure of protected health information that does not meet the requirements of their business associate agreement or the HIPAA Privacy Rule. More specifically, business associates are now directly liable for: unauthorized uses and disclosures of protected health information, failure to provide breach notification to the covered entity, failure to provide access to electronic protected health information to the individual or the covered entity, failure to disclose protected health information to the Secretary, failure to provide an accounting of disclosures, and failure to comply with the requirements of the HIPAA Security Rule.6

References

Health Insurance Portability and Accountability Act of 1996 relevant Standards and Implementation Specifications:

§ 164.502(e) – Uses and disclosures of protected health information: general rules (Disclosures to Business Associates)

§ 164.504(e) – Uses and disclosures: Organizational requirements (Business Associate Contracts)

§ 164.532(d)&(e) – Transition Provisions (Effect of prior contracts or other arrangements with business associates & Deemed Compliance)

U.S. Department of Health and Human Services Resources:

1.  “Sample Business Associate Agreement Provisions,” hhs.gov, published January 25, 2013, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html.

2.  “Would business associate contracts in electronic form, with an electronic signature, satisfy the HIPAA Privacy Rule’s business associate contract requirements?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/247.html.

3.  “Does the HIPAA Privacy Rule require a business associate to provide individuals with access to their protected health information or an accounting of disclosures, or an opportunity to amend protected health information?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/246.html.

4.  “Does the HIPAA Privacy Rule require a business associate to create a notice of privacy practices?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/390.html.

5.  “Is a covered entity liable for, or required to monitor, the actions of its business associates?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/236.html.

6.  “HIPAA Omnibus Rule Summary,” hipaasurvivalguide.com, published February 3, 2013, http://www.hipaasurvivalguide.com/hipaa-omnibus-rule.php.

HIPAA Tip of the Month: Business Associates – Part 1

How do I determine who is a business associate?

According to the U.S. Department of Health and Human Services (HHS), the Privacy Rule defines a business associate as a person, other than a member of a covered entity’s workforce, who:

(1) Creates, receives, maintains, or transmits protected health information (PHI) for a function or activity regulated by the Privacy Rule* on behalf of a covered entity or organized health care arrangement in which the covered entity participates; or,

(2) Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity or organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of PHI from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.

*Business associate functions or activities include:  claims processing or administration, data analysis, processing, or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, and repricing.

The Final Omnibus Rule expands the definition of business associate to include the following:

1.  A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to PHI to a covered entity and that requires access on a routine basis to such PHI.

2.  A person that offers a personal health record to one or more individuals on behalf of a covered entity.

3.  A subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate.

In short, if a covered entity hires a person or organization to provide services for or on behalf of the covered entity and that service involves the creation, receipt, maintenance, or transmission of PHI, then that person or organization is likely a business associate. 

HHS Examples of Business Associates:

1. A third party administrator that assists a health plan with claims processing.

2. A CPA firm whose accounting services to a health care provider involve access to PHI.

3. An attorney whose legal services to a health plan involve access to PHI.

4. A consultant that performs utilization reviews for a hospital.

5. A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.

6. An independent medical transcriptionist that provides transcription services to a physician.

7. A pharmacy benefits manager that manages a health plan’s pharmacist network.1

Good to Know

Shipping services.  The US Postal Service, United Parcel Service, and certain private couriers that act as conduits for PHI are not considered business associates of a covered entity.  The probability of exposure of PHI to a conduit is considered very small because a conduit is intended to transport the information, not to access it.  Any disclosure of PHI to a conduit by a covered entity would be unintentional.2

Data storage companies and ISPs.  A data storage company that maintains PHI is considered a business associate even if it does not view the information, because it has persistent access to it.  An ISP, on the other hand, does not meet the definition of a business associate because it does not maintain PHI and has only transient access to the information.3

Services.  Service providers such as plumbers, electricians, and janitors do not require access to PHI when performing their duties.  Because they are not hired by a covered entity to provide services that involve the creation, receipt, maintenance, or transmission of PHI for or on behalf of the covered entity, they do not meet the definition of a business associate.  Any disclosure to such a service that is limited in nature and occurs as a by-product of its duties is considered incidental and is therefore permitted by the Privacy Rule.  However, if the work performed by a service involves the disclosure of PHI and the disclosure is not limited in nature, the service will generally be considered a business associate.  A shredding service is one example.  Another is a copier repairman when the copy machine retains PHI.4,5

Physicians with hospital privileges.  The HIPAA Privacy Rule describes physicians with hospital privileges as participating in an organized health care arrangement (OHCA).  Protected health information used and disclosed for the joint health care activities of the OHCA does not require a business associate agreement.6

Another health care provider.  A health care provider is not considered a business associate of another health care provider when PHI is shared for treatment purposes.  This, however, does not prevent the establishment of a business associate agreement between the two health care providers for another purpose.7

References 

Health Insurance Portability and Accountability Act of 1996 relevant Standards and Implementation Specifications:

§ 160.103 – Definitions

§ 164.502(e) – Uses and disclosures of protected health information: general rules (Disclosures to Business Associates)

§ 164.504(e) – Uses and disclosures: Organizational requirements (Business Associate Contracts)

§ 164.532(d)&(e) – Transitions Provisions (Effect of prior contracts or other arrangements with business associate & Deemed Compliance)

U.S. Department of Health and Human Services and Other Resources:

1.  “Business Associates,” hhs.gov, last modified April 3, 2003, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html.

2.  “Are the following entities considered “business associates” under the HIPAA Privacy Rule: US Postal Service, United Parcel Service, delivery truck line employees and/or their management?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/smaller_providers_and_businesses/245.html.

3.  “Who’s a Business Associate under the HIPAA Omnibus Rule?” emrsoap.com, posted January 18, 2013, http://www.emrsoap.com/business-associates-under-the-hipaa-omnibus-rule/.

4.  “Is a physician required to have business associate contracts with technicians such as plumbers, electricians or photocopy machine repairmen who provide repair services in a physician’s office?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/244.html.

5.  “Is a business associate contract required with organizations or persons where inadvertent contact with protected health information may result – such as in the case of janitorial services?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/243.html.

6.  “Do physicians with hospital privileges have to enter into business associate contracts with the hospital?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/248.html.

7.  “When is a health care provider a business associate of another health care provider?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/240.html.

HIPAA Tip of the Month: Breach

What is a Breach and what am I supposed to do if one occurs?

According to the U.S. Department of Health and Human Services (HHS), the Health Information Technology for Economic and Clinical Health (HITECH) Act requires HIPAA covered entities to provide notification to individuals when there has been a breach of their unsecured protected health information.

What is a breach?  The unauthorized acquisition, access, use, or disclosure of unsecured protected health information that compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.

What is unsecured PHI?  Protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology (encryption) or methodology (destruction) specified by the Secretary.

The HIPAA Omnibus Rule encourages covered entities to encrypt limited data sets and other protected health information pursuant to the Guidance in order to take advantage of the safe harbor provision of the breach notification rule.  If data is protected (secured) by encryption pursuant to the Guidance, then no breach notification is required following an impermissible use or disclosure of the information.

View the Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals.

Breach Notification Requirements:

1.  Notify affected individuals in writing within 60 days of discovering their health information has been breached.

2.  Notify the Secretary of HHS on an annual basis (no later than 60 days from the end of the calendar year in which the breach was discovered) if the breach affects fewer than 500 individuals.

3.  Notify the Secretary of HHS and the media within 60 days of discovery of the breach, if the breach affects more than 500 individuals of a state or jurisdiction.

4.  If a business associate, notify the covered entity within 60 days of discovery of a breach.

Good to Know

When is it a Breach?  Any unauthorized use or disclosure of protected health information is considered to be a breach unless a Risk Assessment performed by the covered entity or business associate determines that there is a low probability that the protected health information has been compromised.  If the probability is low, the covered entity is not required to make breach notifications.  The Risk Assessment must consider at least the following factors:

1.  The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification.

2.  The unauthorized person who used the protected health information or to whom the disclosure was made.

3.  Whether the protected health information was actually acquired or viewed.

4.  The extent to which the risk to the protected health information has been mitigated.

Breach Notification.  Ultimately it remains the Covered Entity’s responsibility to ensure affected individuals are notified of a breach.  However, they are free to delegate this responsibility to a business associate.  Additionally, although a Risk Assessment is required in order to demonstrate that breach notification is not necessary, it is not required if notification is provided.  It is permissible for Covered Entities and Business Associates to provide notification for each breach of unsecured protected health information without performing a Risk Assessment.

The HIPAA Omnibus Rule requires that the following elements be included when providing notification of a breach to an individual:

1.  Brief description of what happened.  Include the date of the breach and date of discovery of the breach, if known.

2.  Description of the types of unsecured protected health information that were involved in the breach.  Examples include full name, social security number, date of birth, home address, account number, diagnosis, and disability code.

3.  Any steps individuals should take to protect themselves from potential harm resulting from the breach.

4.  Brief description of what the covered entity is doing to investigate the breach, mitigate the harm to individuals, and to protect against any further breaches.

5.  Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an email address, Web site, or postal address.

Burden of Proof.  Covered entities or business associates, when applicable, are required to demonstrate that they have provided proper notification in the event of a breach or that a specific use or disclosure of unsecured protected health information cannot be regarded as a breach.  Therefore, covered entities are required to maintain documentation to meet this burden of proof.

What happens if I do not comply?  The HIPAA Omnibus Rule is effective as of March 26, 2013. Covered entities and business associates have up to 180 days after the effective date to come into compliance with any modifications to provisions in the Interim Final Rule.  If covered entities, and now business associates as well, have not implemented policies and procedures to meet HIPAA requirements and a breach occurs, then fines may be issued by HHS.  Civil Money Penalties increase based on the level of noncompliance and can be as much as $1.5 million for all violations of the same provision in a calendar year.

References

Health Information Technology for Economic and Clinical Health Act (HITECH) relevant sections: 

45 CFR Parts 160 and 164 - “HIPAA Omnibus Rule”, hhs.gov, published February 25, 2013, http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.

U.S. Department of Health and Human Services Resources:

“Breach Notification Rule,” hhs.gov, accessed April 10, 2013, http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html.

11 Secrets to Doubling Doctor Referrals to Your Hospital or Practice

This is a great article for practice administrators, hospital administrators, or physicians looking to boost their referral sources.  The original article is located here in a downloadable PDF.  The company, healthcaresuccess.com, does a really good job of bringing to light some key points in grooming a referral base. It is a very realistic approach to what really matters and how referral sources either stay consistent or slowly disappear. This is an area many physicians need to focus on, even when referrals are plentiful. Below is an overview of the “secrets” that the article describes in more detail:

Secret 1: The Process of Building Doctor Referrals Is All About Relationships, Relationships and Relationships
Secret 2: Prioritize Your Referral Base
Secret 3: Protect What You Have Worked So Hard to Build
Secret #4: Staffs Often Drive Referrals in the Real World
Secret #5: Give Referring Offices Exactly What They Want
Secret #6: Food Still Works
Secret #7: Gifts and Entertainment Work, Too
Secret # 8: Communicate Regularly and Consistently
Secret #9: Hire One Or More Physician Liaisons
Secret #10: A Surprising Ingredient to Look for When Hiring a Physician Liaison is Commissioned Sales Experience.
Secret #11: Never Send Your Physician Liaison Into Battle Unarmed

The key take-away from this article is that it takes time to develop the necessary relationships that will lead to lasting referrals. The staff members, especially MA’s and Front Office staff, at your referral sources do play a key role in funneling patients to you or somewhere else and they should not be discounted. Taking care of them may go farther than you think. Focusing on everyone is not the best use of time, but the prioritization process described will make your time most effective in driving referrals.

The article has a few well placed quotes to get the point across about relationship management, but one in particular stands out and really drives the point home…

“Some of the biggest challenges in relationships come from the fact that most people enter a relationship in order to get something. They’re trying to find someone who’s going to make them feel good. In reality, the only way a relationship will last is if you see your relationship as a place that you go to give, and not a place that you go to take.” – Anthony Robbins

This is a great mentality to keep in mind with every referral source…

HIPAA Security: I manage electronic patient health information. Now what?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of HHS to develop regulations protecting the privacy and security of certain health information. HHS developed what we commonly call the HIPAA Security Rule and the HIPAA Privacy Rule. Any “covered entity” is required to have a formal Privacy Policy and, if it is involved in the transfer or storage of electronic patient health information, a Security Policy as well.  As a core part of the Security Policy, a Risk Assessment must be performed, which is typically documented in the form of a Risk Mitigation Policy.

If you have ever sat down to read the actual Privacy and Security sections of the rule, you probably found out very quickly that just deciphering the text and finding the right resources that explain how to get started is a difficult task of its own. This article is not designed to walk you through the creation of a Security Policy, or even a Privacy Policy; it is geared towards organizing very helpful resources that will assist in the creation and development of these needed compliance documents. It is very possible to develop these documents on your own without the help of outside consulting firms, but that depends on how much time you are able to dedicate to the project and on the resources available around you to support the process.

If you have not already visited the HHS website, you may want to start here, which begins with an overview of understanding health information privacy. This is a great place to start, particularly with the summaries of the HIPAA Privacy Rule and HIPAA Security Rule. The full combined text of the HIPAA Administrative Simplification Regulations, including the Privacy and Security Rules, can be found here.

One of the most difficult components of HIPAA is bringing your healthcare organization up to standard with the Security Rule, especially if you have recently implemented a lot of new technology, such as an EHR, new PCs/tablets/other devices, lab systems (LIMS), interfaces, backup and storage, etc.  All of these types of technology serve as mediums for the transportation of electronic patient health information, or as HIPAA refers to it, Electronic Protected Health Information (EPHI). The Security Rule requires that you take into account every device, server, storage medium, interface or connection that uses, creates or transmits EPHI, and document a formal policy around how that data will remain protected and secure, even in the event of a disaster or outage. The Security Rule is broken into 3 main parts: Administrative Safeguards, Physical Safeguards, and Technical Safeguards. Each part focuses on a different area of protecting and securing EPHI, based on different rule requirements. Luckily, there are also some great resources written by HHS that give you a very good understanding of the Security Rule requirements.  They are called the HIPAA Security Series: 7 documents that break the rule apart in an easy to read and follow manner. Under the section title “Security Rule Educational Paper Series” you will see the links to the 7 security series documents. It is highly recommended that you read each of these documents closely.  They will play a very big role in walking you through the creation and implementation of security standards.  Security Series 6 gives you a detailed understanding of the risk analysis and risk management process.

If you scroll a little further down on that same page, under the title “(NIST) Special Publications”, you will find 8 more documents developed by the National Institute of Standards and Technology.  Each of these documents is specific to the security and compliance of a different technology.  Just read the titles of each to see which may apply to your organization, based on your technical environment.  These documents are especially geared towards IT professionals and technical managers. If you do have an IT person/department, this is the area they may want to spend some time getting familiar with.

As for other resources, there are websites that provide HIPAA training materials and courses, such as HIPAA Survival Guide, or the AMA does have a section on their website dedicated to HIPAA, along with many materials for sale in their AMA Store.  CMS also has information and materials on their website as well.  There are many different resources out there regarding HIPAA and it can get overwhelming just trying to get started, but the resources in this article should provide a good foundation and starting-place for you moving forward.

Medical Billing Best Practices: Metrics and Key Performance Indicators

How does your medical billing department stack up to industry best practices? This is a question that is unfortunately not asked very often among administrators and physicians. Furthermore, it is extremely uncommon to find medical practices or organizations that operate under strict benchmarks and metrics, and have analytical tools in place to monitor daily or monthly activity.

Below are five key metrics and calculations you can make to quickly determine where your medical billing department stands in terms of performance and collecting the money that it should be. The metrics below are not specialty, size or revenue specific. They will work for any type of medical practice or organization with a medical billing department or, if outsourced, a medical billing service.

[Figure: table of the five key metrics and their calculations]

If you are not familiar with the Net Collections Rate, it is important to understand what it is and why it is a better evaluation metric than the Gross Collections Rate.  The Gross Collections Rate simply tells you what percent you collected of what you charged.  What matters is what you collected of what you are owed.  That is where the Net Collections Rate comes in handy.  It tells you the full story of how good a job your medical billing team is doing at bringing in the money you are owed.  The table below shows a simple example that demonstrates the two calculations.

[Figure: example table comparing the Gross and Net Collections Rate calculations]

Now, if the primary payment was reduced to $40 and no further collecting activity was performed on this claim, the Gross Collections Rate and the Net Collections Rate would be 50% and 83%, respectively.  Which is more meaningful, knowing that you collected 50% of the charge or 83% of what you were owed?

The Net Collections Rate is definitely a metric that needs to be calculated over time and carefully monitored. Typically it is run monthly, quarterly, semi-annually, or annually.  The longer the timeframe, the better picture of overall performance you will get. It is also possible to see Net Collections Rates greater than 100%, because the charges and payments in a given period most likely are “non-matched” (the payments received in the period are for charges from earlier periods).

A good indicator of how well your billing department is collecting on accounts is the number of days it takes to collect on your Accounts Receivable.  This is done by calculating the Days in A/R Ratio shown in the calculations table above.  As a best practice, where most of the revenue is generated from office visits, the metric should be less than 30 days. For surgical groups or other types of practices with a larger concentration of hospital-based services, the metric should be between 30 and 40 days. If your metric is above 40 days, or in severe cases above 50 days, you have an indication of a major collection issue.

Along with the Days in A/R Ratio, calculating the individual 30, 60, 90, 120, and 121+ days outstanding buckets is another important piece to be watching.  As A/R ages past 90 days it becomes harder to collect and more resource intensive. A/R aging past 120 days outstanding has a very high chance of becoming uncollectable and being written off to bad debt or sent to a third-party collections agency. Because the accounts sitting in the 90 days due bucket are the next at risk of becoming uncollectable, it makes sense to manage your A/R against a 90+ day metric rather than 120 days due, as traditionally done. This means that all outstanding A/R greater than 90 days due should be no more than 15% of your total receivables.  The recommended best practice is less than 12%, and the higher performing billing offices or services operate at less than 10%.

Denial rates are another area that can definitely affect A/R levels and cause delayed payments to the practice when managed improperly.  This can be evaluated by taking the total claims filed and dividing it by the number of line items denied.  Furthermore, if you use denial reason codes when posting, you should be able to dive a little deeper, quickly find out where the denials are coming from, and take corrective action.  Industry averages are closer to 10%, best practices say 5% is acceptable, and higher performers see less than 2%.
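As an added example (not the post's own calculation table, which is not reproduced above), the following Python script computes the metrics discussed in the preceding paragraphs over a small constructed set of claims: the Gross and Net Collections Rates, Days in A/R, the A/R aging buckets with the share over 90 days, and the denial rate, each flagged against the thresholds the post quotes. It assumes the Net Collections Rate denominator is the contractually allowed amount (what the practice is owed), that Days in A/R is total outstanding A/R divided by average daily charges for the period, that aging is measured from the date of service, and that the denial rate is the share of line items denied out of all line items filed. The first sample claim reproduces the post's $80 charge / $40 payment case, giving 50% gross and 83% net.

```python
# Added example (not from the original post): the billing KPIs described
# above, computed over a small constructed set of claims.
from dataclasses import dataclass
from datetime import date


@dataclass
class Claim:
    charge: float          # amount billed to the payer
    allowed: float         # amount contractually owed after payer adjustments
    paid: float            # payments received so far (payer + patient)
    service_date: date     # date of service; aging is measured from here
    lines_total: int = 1   # line items filed on the claim
    lines_denied: int = 0  # line items the payer denied


def gross_collections_rate(claims):
    """Collected as a share of what was charged."""
    charges = sum(c.charge for c in claims)
    return sum(c.paid for c in claims) / charges if charges else 0.0


def net_collections_rate(claims):
    """Collected as a share of what is owed (assumed: the allowed amount)."""
    owed = sum(c.allowed for c in claims)
    return sum(c.paid for c in claims) / owed if owed else 0.0


def balance(claim):
    """Outstanding A/R on one claim; never negative (overpayments excluded)."""
    return max(claim.allowed - claim.paid, 0.0)


def days_in_ar(claims, period_start, period_end):
    """Total outstanding A/R divided by average daily charges in the period
    (assumed formula; the post's calculation table is not reproduced here)."""
    days = (period_end - period_start).days + 1
    charges = sum(c.charge for c in claims
                  if period_start <= c.service_date <= period_end)
    avg_daily_charges = charges / days
    outstanding = sum(balance(c) for c in claims)
    return outstanding / avg_daily_charges if avg_daily_charges else 0.0


AGING_BUCKETS = (("0-30", 0, 30), ("31-60", 31, 60), ("61-90", 61, 90),
                 ("91-120", 91, 120), ("121+", 121, None))


def ar_aging(claims, as_of):
    """Outstanding balances grouped by days since the date of service."""
    totals = {name: 0.0 for name, _, _ in AGING_BUCKETS}
    for c in claims:
        bal = balance(c)
        if bal == 0.0:
            continue
        age = (as_of - c.service_date).days
        for name, low, high in AGING_BUCKETS:
            if age >= low and (high is None or age <= high):
                totals[name] += bal
                break
    return totals


def share_over_90_days(claims, as_of):
    """Fraction of total outstanding A/R that is more than 90 days old."""
    aging = ar_aging(claims, as_of)
    total = sum(aging.values())
    return (aging["91-120"] + aging["121+"]) / total if total else 0.0


def denial_rate(claims):
    """Denied line items as a share of all line items filed."""
    filed = sum(c.lines_total for c in claims)
    return sum(c.lines_denied for c in claims) / filed if filed else 0.0


def scorecard(claims, period_start, period_end, as_of):
    """All KPIs plus pass/fail flags against the thresholds quoted in the post."""
    dar = days_in_ar(claims, period_start, period_end)
    over_90 = share_over_90_days(claims, as_of)
    denied = denial_rate(claims)
    return {
        "gross_collections_rate": gross_collections_rate(claims),
        "net_collections_rate": net_collections_rate(claims),
        "days_in_ar": dar,
        "days_in_ar_ok": dar < 30,          # office-visit practice target
        "ar_over_90_share": over_90,
        "ar_over_90_ok": over_90 <= 0.15,   # ceiling for A/R older than 90 days
        "denial_rate": denied,
        "denial_rate_ok": denied <= 0.05,   # "acceptable" denial rate
    }


# Constructed sample (not real billing data). The first claim reproduces the
# post's example: $80 charged, $40 paid, $48 owed -> 50% gross, 83% net.
SAMPLE_CLAIMS = [
    Claim(80.0, 48.0, 40.0, date(2013, 3, 20), lines_total=2),
    Claim(200.0, 152.0, 152.0, date(2013, 2, 1), lines_total=3, lines_denied=1),
    Claim(120.0, 100.0, 0.0, date(2013, 1, 5)),   # 95 days old and unpaid
    Claim(100.0, 60.0, 60.0, date(2013, 3, 1), lines_total=2),
]
PERIOD_START, PERIOD_END = date(2013, 1, 1), date(2013, 3, 31)
AS_OF = date(2013, 4, 10)

if __name__ == "__main__":
    for key, value in scorecard(SAMPLE_CLAIMS, PERIOD_START, PERIOD_END, AS_OF).items():
        print(f"{key:>24}: {value:.3f}" if isinstance(value, float) else f"{key:>24}: {value}")
```

Running the script prints the scorecard for the sample: Days in A/R comes out under 30, but the single unpaid 95-day-old claim pushes the over-90-day share far above the 15% ceiling and the one denied line item puts the denial rate above 5%, which is exactly the kind of signal the monthly review described above is meant to surface. Because the payments in a period usually belong to charges from earlier periods, the rates should be run over a long enough window to make the numbers meaningful.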

Of the key metrics described above, patient insurance verification is the most challenging to measure. The reality is that most medical practices do not even perform eligibility verification on patients prior to their visit, because it is extremely resource intensive.  Unfortunately, this can lead to claim denials and non-payment from patients and insurers.  Patients feel it is the medical practice’s responsibility to know their insurance coverage, while insurers do not provide the needed information to the practice in an easy to locate manner. All of the responsibility and cost lies with the practice, and some just do not have the resources to handle the workload. There are companies that provide front office services for eligibility verification and pre-visit checks, along with A/R balance collection and payment plans pre-visit.  If you do not have the capability to capture how many patients you are verifying pre-visit, or simply are not performing the checks, you may want to investigate your claim denials and count the number of eligibility-related denials.  Best practices indicate that all patients should be verified prior to the visit, including a second check within 24 hours of the visit, depending on the insurance.

Incorporating these best practices and metrics into the monthly evaluation of your practice or billing department/service, along with other methods, should give you a good feel for the performance and overall health of the business.