What You Think You Know About HIPAA Might Be Wrong
Healthcare organizations take HIPAA seriously and typically devote substantial resources to education and monitoring, but misconceptions about the privacy law still can trip up the best efforts.
One of the most common misconceptions concerns when a healthcare provider needs a business associate agreement (BAA) with a vendor, says Ira Parghi, LLB, an attorney with Ropes & Gray in San Francisco.
HIPAA requires covered entities, including hospitals, to put BAAs in place with their vendors in certain circumstances, but there is a fair amount of confusion as to what those circumstances are, Parghi says.
HIPAA requires a BAA if the vendor receives protected health information (PHI) from the covered entity to provide services to or on behalf of the covered entity, Parghi explains. The decision to frame a certain vendor relationship as a business associate relationship has important implications, she notes.
“The BAA, or other accompanying contract, must set forth a number of required elements, with the result that a BA relationship entails certain concrete contractual obligations. HIPAA also imposes certain duties, such as the requirement to have privacy and security policies, on BAs as well as covered entities,” Parghi says. “And from an enforcement perspective, growing attention is being placed on BA relationships, with regulators often asking, for instance, how the covered entity has managed a particular BA relationship, or whether and how the BA has implemented its own training and policy requirements.”
Both parties in a BA relationship must be prepared, organizationally and financially, to “manage to” the agreement, Parghi says, meaning they must organize their operations in such a way as to uphold their various contractual and HIPAA obligations, some of which can be quite resource-intensive.
Some covered entities have erred on the side of requiring BAAs with all their vendors as a matter of course, without considering the specific nature of a particular vendor relationship. Consequently, such covered entities require BAAs from vendors that do not receive PHI from the covered entity (and are, therefore, not BAs), or who only come into occasional incidental contact with PHI while performing their work (and, therefore, fall under the HIPAA exception for incidental disclosures).
“We have seen healthcare institutions try to enter into BAAs with elevator servicing companies, cafeteria management companies, and the like, and in general, such relationships are not going to constitute BA relationships for HIPAA purposes,” Parghi says. “On the other side of the spectrum, some covered entities do not require their vendors to sign BAAs when they should. For instance, vendors of electronic medical record platforms, and the companies that respond to patient requests for record copies on behalf of hospitals, are almost certainly going to be BAs.”
Outside attorneys and other experts, collection companies, photocopy companies, and practice support vendors may be BAs, depending on, for instance, the type of information disclosed to them, Parghi says. An attorney who assists on a corporate deal without ever seeing the names or any other information about patients likely is not a BA, but an attorney who provides advice on potential HIPAA breaches and reviews specific privacy incidents while conducting that work likely is.
A company that only photocopies financial records that have no patient information may not be a BA, but a company that photocopies clinical information likely is, she explains.
“Related to this, some covered entities have been known to sign BAAs provided to them by their vendors without carefully reviewing them, or to vary the terms of their own forms of a BAA too readily when asked to by a vendor, without weighing the request carefully. These approaches, too, can create risk,” she says.
HIPAA also sets out certain exceptions to the BA requirement, Parghi notes. For example, exceptions may apply to vendors that are serving as “conduits” for PHI only, vendors who only come into incidental contact with PHI and take certain required precautions, and vendors who are healthcare providers to the patients in question. Whether one of these exceptions applies also requires a fact-specific analysis, rather than assuming the answer.
“Whether a particular HIPAA exception to the BA requirement applies in a certain case, and what operational and other steps should be taken to ensure that that exception applies coherently, are questions that covered entities and vendors are urged to discuss with their legal advisors,” Parghi says.
Legal advice also is a good idea when considering whether to carry out risk analyses under attorney privilege, Parghi says. There may be pros and cons to both approaches.
The popularity of concierge medicine, or the overall effort to make physicians more accessible to patients, increases the risk of HIPAA breaches via telephone, says Andy Altorfer, CEO of CirrusMD, a healthcare technology company in Denver. The physician may provide his or her cellphone number to the patient, giving little thought to the security of exchanging PHI in that way, he says.
“Sometimes, they have the patient sign a waiver, but that does not absolve your data security concerns,” Altorfer says. “Texts are stored on non-secure telecom servers, with identifiable patient information and PHI. You don’t have BAAs with those entities and they have no documented security or auditing, so typical phone texts will always be a fundamental HIPAA security breach.”
HIPAA Security Rule compliance remains challenging for some healthcare providers, Parghi says. They often misunderstand the nature and scope of their obligations under the Security Rule, she says.
The Security Rule is organized into three sections that discuss the technical, administrative, and physical safeguards that a covered entity must carry out with respect to electronic PHI, Parghi explains. Each category of safeguards enumerates specific implementation standards, some of which are “required” and others of which are “addressable.” All the implementation standards are “technology neutral,” meaning that they do not mandate the use of specific technologies, she says.
“One common point of confusion for covered entities arises with the interpretation of ‘addressable’ implementation standards. Addressable standards, contrary to common perception, are not optional. They must be implemented if it is reasonable and appropriate to implement them,” she explains. “And if the decision is made to not implement them, the decision should be appropriately documented. Unfortunately, some covered entities have misunderstood this requirement, and hence not approached these decisions and their documentation appropriately.”
In addition, Parghi says healthcare providers sometimes fail to appreciate that many of the obligations arising under the Security Rule are ongoing obligations, not “one-time only” technological fixes. For instance, risk analyses under the Security Rule are supposed to be updated annually and also in the event of certain material changes, such as a change to a hospital’s electronic medical record system.
“Regulators have sometimes asked for annual risk analyses from the years before, during, and after a breach, and providers who have not updated those risk analyses annually have found themselves penalized,” she says. “Likewise, ePHI access and use is required to be monitored on an ongoing basis, and regulators may request evidence that, during a certain time frame, such access and use was properly monitored, and instances of potentially improper access or use appropriately investigated.”
Misconceptions also can arise over the potential scope of Security Rule compliance investigations, which often are much more expansive than one might expect, she says. Regulator inquiries may not focus only on the specific Security Rule requirements pertinent to a particular privacy or security incident; they may more broadly assess general compliance with Security Rule requirements. For instance, regulators may ask for copies of annually updated risk analyses, various policies and procedures, information about access controls, breach assessments, security logs, and the like, Parghi says.
“A healthcare provider undergoing a Security Rule investigation may find that, once the hood of the car is opened, much of it will be inspected,” Parghi says.
Security Rule compliance is most effective when a range of stakeholders are included, Parghi says. Successfully implementing the various requirements under the Security Rule is an ongoing, and resource-intensive, process, she notes.
“In our experience, the healthcare providers who are most successful have generally been able to bring together important stakeholders from seemingly disparate functions in the organization, such as information security, compliance, information technology, and clinical risk management, and encouraged them to work cooperatively,” Parghi says. “Too often, the only personnel who understand HIPAA are the ones who lack technological training, and the only personnel with technological expertise are not well-trained on HIPAA’s Security Rule requirements.”
Healthcare providers also can misunderstand what is allowed when providing patient information to clinicians, says Heather Delgado, JD, partner with the firm of Barnes & Thornburg in Chicago. Physicians sometimes request information on a patient and are told that it cannot be provided because of HIPAA restrictions, and Delgado says that almost always is not correct.
“There is a treatment exception in HIPAA that allows clinicians to share information about patients, but we still see clinicians refused and there is no reason for it,” Delgado says. “When they block that access, that’s actually when they’re in violation of HIPAA because HIPAA fully states that you can share PHI for treatment purposes. This can come up often with specialty providers trying to get information on a patient, and it can be detrimental to the patient’s care and safety.”
Delgado notes that healthcare providers often assess the success of their HIPAA training by how well employees know when and how to protect PHI, without also assessing their understanding of when not to block access. This can lead to employees choosing to err on the side of caution and say no to data access when they are doubtful or just don’t know if it is allowed, she says.
“A lot of the HIPAA mistakes you see could be prevented from the outset if there was proper training,” Delgado says.
SOURCES
- Andy Altorfer, CEO, CirrusMD, Denver. Telephone: (720) 593-9549.
- Heather Delgado, JD, Partner, Barnes & Thornburg, Chicago. Telephone: (312) 338-5905.
- Ira Parghi, LLB, Ropes & Gray, San Francisco. Telephone: (415) 315-1285.