HIPAA: Clearing Up ConfusionExperts Sort Through Complex Issues
There's still plenty of confusion about compliance with the HIPAA Omnibus Rule - and HIPAA in general. That was evident in discussions and presentations at this week's HIPAA security conference.
The event was jointly hosted by the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA, and the National Institute of Standards and Technology. OCR officials - and other experts - were on hand to explain the most difficult to interpret HIPAA Omnibus provisions.
Here's a sampling of critical issues they addressed.
Health Information Exchange
Many providers are reluctant, or inconsistent, in disclosing patient information to other providers - even when the information is needed for immediate treatment of patients. They often cite HIPAA as the reason they can't disclose patient information. They also cite fears about lawsuits or federal penalties for HIPAA violations.
One audience member asked OCR Director Leon Rodriguez to issue more guidance on this subject. But Rodriguez explained that disclosures of protected health information for treatment, payment and operations have always been permitted under HIPAA. If a compliance issue were to arise, he said, OCR would be unlikely to issue financial penalties for inappropriate disclosures related to treatment. Instead, it would most likely issue a "corrective action" if there was some sort of problem - as long at it wasn't part of an ongoing, "egregious" pattern of inappropriate disclosures.
The HIPAA Omnibus Rule, which will be enforced beginning Sept. 23, makes it clear that business associates and their subcontractors that receive, create, transmit or maintain protected health information are now directly responsible for HIPAA compliance.
But one topic that came up a few times was whether there is a business associate relationship in situations where a covered entity sends encrypted data to a services firm - such as a cloud vendor - that doesn't hold the encryption key.
That's a situation that OCR hadn't specifically identified during the writing of the HIPAA Omnibus Rule, says David Holtzman, an OCR senior information technology and privacy specialist. But OCR will study the issue and may prepare guidance on it, he says.
Another business associate theme that OCR emphasized at the conference is that "it's not the degree of access to PHI but the persistence of custody" that should be considered when trying to decipher if a cloud vendor, for instance, is a business associate under HIPAA Omnibus.
What HIPAA Is and Isn't
OCR officials and other speakers at the conference stressed that HIPAA is a floor, not a ceiling. It's a valve, not a blockage. And they cautioned healthcare organizations not to let security trump patient preference. So what does that all mean?
Clearly, an organization can do more than what's required under HIPAA in terms of safeguarding health information. Similarly, states can issue privacy laws that are even stricter than HIPAA - and many have.
HIPAA isn't meant to block PHI disclosures that are necessary for the wellbeing of patients. That gets to the heart of the issue of sharing information with other providers - and even disclosing information to patients.
HIPAA has been misinterpreted by some healthcare providers to the point where they believe it prevents the release of important information for the treatment of patients, Rodriguez says. There's also confusion among mental health professionals about whether they can (yes they should) contact law enforcement officials about patients who pose an immediate danger to themselves or others, he notes.
Finally, while HIPAA's Security Rule has prompted more organizations to deploy technical safeguards, such as encryption, to protect data, patients can still request that their electronic communications with healthcare providers, such as appointment reminders, be conducted via unsecure e-mail or texting, says conference speaker Adam Greene, a privacy attorney at Davis Wright Tremaine.
"Whatever you do [to comply with] the security rule, you need to be flexible to support the privacy rule and patient preferences," he says. "If patients prefer unencrypted e-mails, that's permissible. Just warn them of the risks."
So, when it comes to complying with the HIPAA privacy and security rules, as well as the modifications in HIPAA Omnibus, it's important to understand the nuances and avoid misinterpretations.
When in doubt, seek counsel from regulatory experts. In the meantime, outreach by OCR, through conferences like this one as well as educational materials and guidance is helpful. So take advantage of those resources.