Anesthesia Compliance Consultants presents a review of HIPAA for Anesthesia. These are timely topics related to HIPAA Privacy that affect Anesthesia Practices today. These are important issues every anesthesia provider should review to stay HIPAA compliant.
HIPAA Gap Analysis?
What is the difference between a HIPAA Gap Analysis and a HIPAA Risk Analysis? Many organizations use these terms interchangeably; however, they are not correct in doing so. Consider also that a HIPAA Gap Analysis is the same as a HIPAA audit. We can get you started with a HIPAA audit – HIPAA Gap Analysis.
Office of Civil Rights Requirements
The Office for Civil Rights spelled out early on the steps and requirements for a HIPAA Security Risk Analysis. As a result, it requires covered entities to conduct an accurate and thorough assessment. The assessment must consider potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the organization. Furthermore, entities must consider the potential risks, threats, and vulnerabilities to all of the covered entity's ePHI. This includes PHI which is created, received, maintained, or transmitted, regardless of the source or location of the ePHI.
What is the difference between a HIPAA Gap Analysis and a HIPAA Risk Analysis? Many organizations use these terms interchangeably; however, they are not correct in doing so. Don't make the same mistake.
Understanding a HIPAA Gap Analysis
The HIPAA Rule does not require a HIPAA Gap Analysis. The Gap Analysis is usually a limited evaluation of a covered entity's or business associate's organization to reveal whether certain policies, controls or safeguards required by HIPAA are in place. As a result, it is important that the required rules are in place and implemented. The HIPAA Gap Analysis should begin with a review of all policies, procedures, processes, practices, and systems. It must investigate all facilities that relate to privacy, uses and disclosures of PHI.
More topics on HIPAA for Anesthesia
Permitted Uses and Disclosures of PHI
Sharing Protected Health Information
Permitted uses and disclosures of PHI are possible for a number of different purposes within the healthcare sector. By following these guidelines, an organization may stay in compliance with HIPAA's rules and still be able to share protected health information. An organization must recognize these rules. All employees of an organization that acts as a covered entity or business associate must be aware of these guidelines. The Office for Civil Rights permits the use and disclosure of PHI for treatment, payment, and health care operations.
Sharing with Health Care Providers
Keep in mind that HHS wrote HIPAA not only to protect PHI but also to assist treatment providers in caring for the patient without requiring patient authorization in order to share their PHI. For example, it is permissible to share protected health information with health care providers who will treat the patient in their office or after hospital discharge. The sharing may be electronic and must be done in a manner that is compliant with the Security Rule.
Sharing for Care Coordination
We now see the need to share data with health care providers for purposes of care coordination. This has expanded the "permitted uses and disclosures of PHI." This activity didn't exist when HIPAA was written; it is now required by CMS and is part of a treatment plan. A health care provider may disclose PHI to another provider for these treatment purposes without patient authorization. This information must be shared with all employees of the organization.
By following these simple guidelines, organizations will be able to stay in compliance with HIPAA as they manage their PHI. One must also realize that there are other ways that one may safely share PHI without having to obtain permission. An example would be if there is an order from a court or a request for law enforcement purposes.
Disclosures to Law Enforcement
Sometimes it is hard to determine what the permissible disclosures to law enforcement are. HIPAA permits disclosures to law enforcement in certain situations. It is reasonable to disclose if a signed authorization from the patient or their legal representative exists.
The HIPAA Rule permits disclosures when required by law. This may be necessary to respond to subpoenas and court orders with specific requirements. In addition, this may be necessary to investigate a crime, to locate a missing person and to prevent serious threats to public health and safety. State law requires reporting of child and adult abuse and neglect, and reporting of certain injuries and diseases. The law also requires disclosure in response to a law enforcement official's request for information about a victim or suspected victim of a crime.
State Law
Besides considering the federal HIPAA law, review state law because it may be more protective than HIPAA. If that is the case, the entity must follow state law. It is important for your organization to know the permissible disclosures to law enforcement.
Reasonable Safeguards
Protecting PHI
Reasonable Safeguards for PHI are precautions that a prudent person must take to prevent a disclosure of Protected Health Information. Providers must apply these safeguards to protect all forms of PHI: verbal, paper, and electronic. They help prevent unauthorized uses or disclosures of PHI. In addition, safeguards must be part of every privacy compliance plan. Organizations must share this with all members of the organization.
Safeguards for Verbal PHI
Apply Reasonable Safeguards for PHI to all of your verbal disclosures of Protected Health Information. When you work with a patient, first determine who is with the patient before discussing PHI. Secondly, do not assume the patient permits disclosure of their PHI just because family or a friend is in the room with them. Ask who is with the patient and whether the patient permits disclosure. Finally, you may ask the other persons to leave the room, giving the patient an opportunity to object.
Paper PHI
In addition, reasonable safeguards for PHI must apply to the use of all paper products to prevent them from reaching the wrong person. Providers must dispose of all paper products that contain PHI in a shredder once they are no longer used. When a paper patient summary is given to a patient, personnel must make every effort to give it to the correct patient.
Electronic PHI
Password protect all computers in order to protect electronic PHI. Employees must use only the medical computer accounts assigned to them. One must also consider the use of encryption for any email or text messages that contain ePHI.
Use of Reasonable Safeguards for PHI Prevent Violations
In conclusion, the use of reasonable safeguards may be the difference between an Office for Civil Rights finding of a privacy violation and a finding that an incidental disclosure occurred. The latter is secondary to a permissible disclosure, and not a violation. Reasonable safeguards protect PHI and help prevent you from violating patient privacy.
Technical Safeguards Protect PHI
Why Technical Safeguards?
Technical safeguards protect PHI and have become a major part of any HIPAA Privacy program. They are key elements that help to maintain the safety of ePHI as the internet changes. Consequently, technical safeguards are important due to technology advancements in the health care industry. The challenge for healthcare organizations is protecting electronic protected health information (EPHI), most importantly items such as electronic health records, from various internal and external risks.
Comply with Technical Safeguards
The HIPAA Security Rule requires a covered entity to comply with the Technical Safeguard standards and certain implementation specifications. A covered entity may use any security measures that allow it to reasonably and appropriately do so.
Define “Technical Safeguards”
The Security Rule defines technical safeguards as "the technology and the policy and procedures for its use that protect electronic protected health information and control access to it." Consequently, this rule is based on several fundamental concepts. These are flexibility, scalability and technology neutrality. Therefore, no specific requirements for types of technology to implement are identified.
Implementing “The Security Rule”
The Rule allows a covered entity to use any security measures that allow it to reasonably and appropriately implement the standards and implementation specifications. Because of this, the covered entity must determine which security measures and specific technologies are reasonable and appropriate for implementation in its organization. There are a variety of measures which can assist an organization to meet these standards. A more detailed description can be found in the HIPAA Security Series published by HHS.gov.
Access Controls
Access controls provide users with rights and/or privileges to access and perform functions using information systems, applications, programs, or files. Access controls should enable authorized users to access the minimum necessary information needed to perform job functions. Rights and/or privileges should be granted to authorized users based on a set of access rules that the covered entity is required to implement as part of the Information Access Management standard under the Administrative Safeguards section of the Rule.
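As an added illustration (not code from this page or from Anesthesia Compliance Consultants), the following Python sketch shows how a set of role-based access rules can enforce the minimum-necessary principle described above: each role sees only the PHI fields its job function needs, unknown roles are denied by default, and every request, including the fields that were refused, is written to an audit trail. The roles, field names and the patient record are all constructed for the example and are not taken from any real system.

```python
"""Minimum-necessary access rules for ePHI (illustrative example only).

Roles, record fields and the sample request below are constructed for this
example. A real covered entity derives its access rules from its own
Information Access Management policies under the Administrative Safeguards.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Which PHI fields each (hypothetical) role may read. Only the fields needed
# for the job function are listed, which is the "minimum necessary" standard.
ACCESS_RULES: Dict[str, FrozenSet[str]] = {
    "anesthesiologist": frozenset({"name", "dob", "allergies", "medications", "procedure", "notes"}),
    "billing_clerk": frozenset({"name", "dob", "procedure", "insurance_id"}),
    "scheduler": frozenset({"name", "procedure"}),
}

# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Pat Example",
    "dob": "1970-01-01",
    "allergies": "penicillin",
    "medications": "metoprolol",
    "procedure": "knee arthroscopy",
    "insurance_id": "INS-000000",
    "notes": "NPO after midnight",
}


@dataclass
class AuditEntry:
    """One access decision, kept so denied requests can be reviewed later."""
    user: str
    role: str
    patient_id: str
    requested: Tuple[str, ...]
    granted: Tuple[str, ...]
    denied: Tuple[str, ...]


@dataclass
class AccessController:
    rules: Dict[str, FrozenSet[str]]
    audit_log: List[AuditEntry] = field(default_factory=list)

    def filter_record(self, user: str, role: str, patient_id: str,
                      record: Dict[str, str], requested_fields) -> Dict[str, str]:
        """Return only the requested fields the role may see, and audit the request.

        An unknown role maps to an empty rule set, so it receives nothing
        (deny by default). Requested fields outside the role's rule set are
        dropped and recorded as denied rather than silently ignored.
        """
        allowed = self.rules.get(role, frozenset())
        requested = tuple(requested_fields)
        granted = tuple(f for f in requested if f in allowed and f in record)
        denied = tuple(f for f in requested if f not in allowed)
        self.audit_log.append(AuditEntry(user, role, patient_id, requested, granted, denied))
        return {f: record[f] for f in granted}


def denied_requests(controller: AccessController) -> List[AuditEntry]:
    """Audit entries where at least one field was refused; a privacy officer
    would review these for attempted over-access."""
    return [e for e in controller.audit_log if e.denied]


if __name__ == "__main__":
    ctrl = AccessController(ACCESS_RULES)
    # A scheduler asks for a clinical field it has no job need for.
    view = ctrl.filter_record("u-scheduler", "scheduler", "P-0001",
                              SAMPLE_RECORD, ["name", "allergies", "procedure"])
    print("scheduler sees:", view)
    for entry in denied_requests(ctrl):
        print("denied:", entry.user, entry.role, entry.denied)
```

The design choice worth noting is deny-by-default: a misspelled or unprovisioned role yields an empty view instead of a full record, and the audit entry preserves what was asked for, which is the evidence an organization needs when it later has to decide whether an over-access was an incidental disclosure or a violation.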
New Guidance from HHS
The Department of Health and Human Services (HHS) on December 12, 2012 published a News Release on its website regarding a new initiative for providers that provides guidance on how to safely keep PHI on mobile devices. The initiative is called "Know the Risks, Take the Steps, Protect and Secure Health Information."
The recommendations place providers on notice as to what HHS expects them to do to protect PHI:
- Use a password or other user authentication.
- Install and enable encryption.
- Install and activate remote wiping and/or remote disabling.
- Disable and do not install or use file sharing applications.
- Install and enable a firewall.
- Install and enable security software.
- Keep your security software up to date.
- Research mobile applications before downloading.
- Maintain physical control (i.e., protect against lost devices).
- Use adequate security to send or receive health information over public Wi-Fi networks.
- Delete all stored health information before discarding or reusing the mobile device.
Please review the security that you use for your mobile devices to assure that you are providing the protections that are expected.
The Importance of “The Security Rule”
Technical safeguards are important due to technology advancements. The takeaway is that Technical Safeguards protect PHI. Most importantly, covered entities and business associates who deal with electronic PHI must review their use of Technical Safeguards to be fully in compliance.
Encryption of ePHI as a Safeguard
HIPAA Security Rule
The decision to use encryption of ePHI as a safeguard depends on several factors. The HIPAA Security Rule allows safeguarded electronic PHI transmission. After a careful analysis of its system, an organization may decide that encryption of ePHI as a safeguard is in its best interest. The healthcare provider may then decide to use encryption as the means of protecting sensitive ePHI.
The Security Rule defines the encryption standard as an addressable requirement, which can be confusing. Consequently, if encryption is a reasonable and appropriate safeguard for the protection of ePHI, it should be implemented. The entity may determine it is the best safeguard in its risk management of the confidentiality, integrity and availability of ePHI. In that case, the organization should implement it in its management of ePHI. Finally, the entity must document this decision in its plan.
No Specific Requirements
When HHS enacted the Security Rule, it recognized the rapid advances in technology. Consequently, it would be very difficult to give guidelines that would need to change regularly. For this reason, HHS chose not to require specific safeguards. It is up to the organization to do a careful risk assessment. Based on this, it may create the appropriate mechanism to protect ePHI. Presently, encryption of ePHI is an effective tool. It is a good safeguard for the safe transmission of email and texts through the cloud. In many cases this has become the standard for the transmission of sensitive data in healthcare and in the business world.
Alternative to Encryption
A health care provider may determine that encryption isn't reasonable and appropriate based on its security risk assessment. It may then present its alternative to protect ePHI. It may also decide to do neither and determine that the standard may otherwise be met. The provider should document its reasons for its decision.
Breaches of PHI
Breaches Are A Serious Matter
Breaches of Protected Health Information are a serious matter. A breach is an impermissible use or disclosure of protected health information, or PHI, that compromises the privacy or security of the PHI. An impermissible use or disclosure is presumed to be a breach unless it meets certain criteria. The covered entity or business associate must demonstrate there is a low probability that the PHI was compromised, based on a risk assessment of the following:
- First, the nature and extent of the PHI, including the types of identifiers and the likelihood of identification
- Secondly, the unauthorized person to whom they disclosed
- Third, whether the PHI was acquired or viewed
- Finally, the extent to which the risk to the patient was mitigated
Paper Breaches
There are many forms of breaches of Protected Health Information. Some examples of breaches of paper PHI are loss of paper files, unsecure disposal, and paperwork given to the wrong person. As a result, all entities that handle paper PHI must be aware of how much care is needed when sharing or disposing of this information. It is not uncommon for patients to receive the discharge summary of other patients or to see old medical records simply thrown away in the trash.
Breaches of Electronic PHI
Examples of electronic PHI breaches include loss of an unencrypted mobile device and sharing PHI on an unsecured document-sharing internet site. Most importantly, all organizations must create a process by which electronic PHI is protected in the cloud.
Verbal Breaches of PHI
Verbal breaches of PHI occur if PHI is disclosed to the wrong individual or if it is overheard when safeguards are not used. It is important for all covered entities and business associates to review their policies. As a result, they will be able to better protect protected health information whether it is paper, electronic or spoken.
Filing a HIPAA Privacy Complaint
Procedures for Making a Complaint
A covered entity must have a procedure for individuals to file a HIPAA privacy complaint regarding its privacy practices or an alleged violation of the Privacy Rule. Most importantly, the Notice of Privacy Practices must contain contact information for the covered entity's privacy officer and information on how to submit a complaint to the Office for Civil Rights. In addition, complaints must be filed within 180 days of when the complainant knew the violation occurred.
Privacy Officer
The privacy officer or designee investigates all complaints involving privacy of protected health information. The organization should maintain records on the complaints and their resolution. The Privacy Officer will determine whether or not there has been a violation or a breach of unsecured PHI. In a filing to the OCR, there should be information about the complainant. There should be details of the complaint and any additional information that might help OCR when reviewing the complaint.
On behalf of the covered entity, the Privacy Officer will respond to inquiries initiated by the Office for Civil Rights as it investigates complaints.
No Retaliation for Filing a Privacy Complaint
Above all, an organization must not retaliate against anyone for filing a HIPAA privacy complaint under the HIPAA rules. Most importantly, an organization must encourage employees to file a complaint if they feel a violation took place. Finally, an organization must resolve complaints and prevent the underlying violations from happening again, which helps protect the organization. On the other hand, an employee may complain directly to the OCR if retaliatory action occurred.
In conclusion, there must be a good process for filing a privacy complaint and there should be no retaliation for doing so.
Authorization and the HIPAA Rule
Specific Authorizations
To use the PHI of an individual one must often obtain an authorization. The HIPAA Rule is very specific about authorization. The use of PHI for treatment, payment or healthcare operations purposes does not require authorization. In addition, if specific laws require the disclosure, an authorization is not required.
Disclosures to an attorney's office or to a life or disability insurance company are further examples that require an authorization.
Research Projects
An entity must obtain authorization to disclose medical records when a patient consents to participate in a research project and when the patient requests a transfer of medical records to another medical provider's office.
Court Orders
A request with a court order signed by a judge from a court with jurisdiction will not require authorization. Reporting an infectious disease according to state law does not require authorization. Disclosing PHI for research does not require authorization if an IRB (Institutional Review Board) grants a waiver of authorization.
State Law is Important
The HIPAA-compliant authorization must contain certain elements, but don't forget to look at state law requirements. There are many states with laws that are more protective of PHI than the Federal HIPAA Rules, and they will require additional elements added to the authorization.
Using Cybersecurity to Protect PHI
Risk From Many Sources
Using cybersecurity to protect PHI is a key feature of HIPAA. Electronic protected health information, or EPHI, is at increased risk from many sources:
- Foreign hackers looking for data to sell, usually on the dark web
- Ransomware attacks that lock up data until a ransom payment is received
- Phishing schemes that lure the user into clicking a link or opening an attachment to deploy malicious software; and
- Spear phishing, a targeted attack on a specific person that appears to come from a legitimate source, usually instructing a transfer of funds.
What You Can Do
In order to safeguard EPHI against threats:
- First, know how to spot phishing emails.
- Secondly, use strong passwords, two factor authentication and encryption.
- Finally, have policies, procedures and safeguards in place to protect EPHI and know who to report an incident to in your organization.
Prepare for Cyberattacks
In the case of a cyberattack or similar emergency an entity must:
- Execute its response and mitigation procedures and contingency plans.
- Report the crime to other law enforcement agencies.
- Report all cyber threat indicators to federal and information-sharing and analysis organizations.
- Finally, it must report the breach to OCR as soon as possible, but not later than 60 days after the discovery of a breach affecting 500 or more individuals.
Most importantly, OCR considers all mitigation efforts taken by the entity during any particular breach investigation. For instance, such efforts include voluntary sharing of breach-related information with the appropriate agencies.
Remember in the event of a cyberattack it is critical to comply with breach reporting requirements.
Finally, using cybersecurity to protect PHI remains the cornerstone of protecting all ePHI, which every organization should address in today's healthcare climate.
Texting PHI Safely
Texting
The Office for Civil Rights, or OCR, which has HIPAA oversight, has not produced the long-awaited guidance on texting protected health information. Finally, at a Health Information Management Conference in March, the OCR director said healthcare providers could text message their patients with PHI. However, the provider must warn the patient that texting is not secure. In addition, the provider must obtain and document patient authorization to receive texts.
Recent Guidance on Sharing PHI Safely
The Centers for Medicare and Medicaid Services, or CMS, oversees the Conditions of Participation and Conditions for Coverage. CMS issued a memo on healthcare providers texting protected health information safely on December 28, 2017. Most importantly, the takeaways are:
Texting Protected Health Information
CMS permits texting of patient information among members of the health care team. Above all, the platform must be secure and encrypted so that it minimizes the risks to patient privacy and confidentiality. Most importantly, HIPAA regulations, the Conditions of Participation and the Conditions for Coverage require this as a safeguard.
Texting Patient Orders
Regardless of the platform, CMS prohibits the practice of texting patient orders. Above all, the provider is not in compliance with the Conditions of Participation or Conditions for Coverage if he or she texts patient orders to a member of the care team.
CPOE for Orders
Most importantly, providers should opt for Computerized Provider Order Entry (CPOE) as the preferred method of order entry. CMS insists that a physician or Licensed Independent Practitioner (LIP) should enter orders into the medical record via a handwritten order or via CPOE. When using this system, orders are immediately downloaded into the provider's electronic health record (EHR). Moreover, this method is preferred because the order is dated, timed, authenticated and promptly placed in the medical record.
It is critical for all providers to understand and follow these new guidelines from CMS on Texting Protected Health Information among Healthcare Providers.
Sensitive PHI and HIPAA
Sharing PHI
HHS published HIPAA not only to protect PHI but also to assist treatment providers in caring for the patient without requiring patient authorization in order to share their PHI. Most importantly, sensitive PHI and HIPAA is a topic requiring special attention. For example, it is permissible to share protected health information with health care providers who will treat the patient in their office or after hospital discharge. In addition, the sharing may be electronic and must be done in a manner that is compliant with the Security Rule.
State Laws Protecting PHI
HHS created HIPAA to protect all PHI (Protected Health Information) equally, whether it is sensitive or not. In addition to this law, states have created regulations that offer even stricter protection. Of importance, the state of Ohio offers increased protection to psychiatric and mental health records and to HIV, AIDS and AIDS-related condition records. Sensitive PHI and HIPAA remains a challenge for many practitioners.
Impermissible Use of PHI
We also present an important lesson from which to learn if one fails to follow these regulations. As an example, the U.S. Department of Health & Human Services (HHS), Office for Civil Rights (OCR), recently announced a settlement based on impermissible disclosure of HIV protected health information (PHI). St. Luke's-Roosevelt Hospital Center Inc. (St. Luke's) has paid HHS $387,200 to settle potential violations of the HIPAA Privacy Rule and agreed to implement a comprehensive corrective action plan.