Legal & Regulatory Issues

HIPAA Compliance Practice Tips

Lynn S. Muller, RN, BA-HCM, CCM, JD

When it comes to the Health Insurance Portability and Accountability Act (HIPAA), it seems that somebody is always trying to complicate things. More and more, questions regarding HIPAA compliance seem to relate, not to complex platform, encryption, or data storage issues, but to duties health practitioners have had since they became practitioners: the duty to protect patient confidentiality and respect privacy. There is an old saying that is abbreviated as “K.I.S.S.”: Keep It Simple, Sweetie, which just might be the answer.

Dos and Don’ts of Everyday Practice

Every time I think enough has been said about HIPAA, I find that the hunger for plain and simple answers to compliance questions simply does not end. I thought my clients were asking particularly obvious questions, until I realized that similar questions are being asked all over the country. I was contacted by a relatively small provider practice who asked, “Can I send our treatment notes to a physician?” After a few questions and determining that it was actually the referring physician who was making the request, in anticipation of a follow-up visit with the patient, the answer was quick and easy. Of course, a physician who is actively participating in the patient’s treatment can have access to treatment notes. This is a prime example of the exceptions contained in the HIPAA regulations; this aspect of HIPAA has been in effect, modified, and updated for more than 10 years. In fact, there has never been a prohibition restraining one covered entity (CE) from conveying protected health information (PHI) to another CE on behalf of a shared patient. There are many sources for information regarding HIPAA compliance, but my preference is to go to the source: the actual regulation or official Web sites, such as http://www.hhs.gov/ocr/privacy/index.html. There you will find reliable and updated information.

“What are Treatment, Payment, and Health Care Operations? The core health care activities of “Treatment,” “Payment,” and “Health Care Operations” are defined in the Privacy Rule at 45 CFR 164.501. “Treatment” generally means the provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another. “Payment” encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care. In addition to the general definition, the Privacy Rule provides examples of common payment activities that include, but are not limited to, the following:

• determining eligibility or coverage under a plan and adjudicating claims;
• risk adjustments;
• billing and collection activities;
• reviewing health care services for medical necessity, coverage, justification of charges, and the like;
• utilization review activities; and
• disclosures to consumer reporting agencies (limited to specified identifying information about the individual, his or her payment history, and identifying information about the CE).

“Health care operations” are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment.” (HHS, 2003, pp. 1–2)

Disclaimer: The information contained in this department is for educational purposes only. It is not legal advice, which can be given only by an attorney admitted to practice in the jurisdiction/state(s) in which you practice. Do you have a question or issue you would like answered here? We encourage all readers to submit questions and/or manuscripts, as well as topics you would like to see addressed in this department. Inquiries are accepted by e-mail at: [email protected]

Address correspondence to Lynn S. Muller, Esq., RN, BA-HCM, CCM, JD, Muller & Muller, 15 West Main Street, Suite C, P.O. Box 164, Bergenfield, NJ 07621 ([email protected]). The author reports no conflicts of interest.

DOI: 10.1097/NCM.0000000000000045

Professional Case Management, Vol. 19/No. 4, p. 191

Copyright © 2014 Lippincott Williams & Wilkins. Unauthorized reproduction of this article is prohibited. PCM-D-14-00015_LR 191

Since HIPAA responsibilities come to us as building blocks, each new aspect being an addition to or modification of a law that has now been in effect for 18 years, each practitioner should have not only a basic understanding of HIPAA but an expanding knowledge base regarding HIPAA, the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the Final Rule, as they relate to one’s practice.

Notice of Privacy Practices

Under the Final Rule, there is a requirement that Notices of Privacy Practices (NPP) be updated. If you work for a large CE, like a hospital, typically this responsibility falls to someone other than you. As with everything else HIPAA, one size does not fit all. Whether you serve on a committee in a large CE or bear the burden yourself as an independent case manager, small business owner, and Business Associate (BA), you should be knowledgeable regarding the contents of the NPP and able to answer questions from patients. It is simply not enough to get a form, have it signed, and file it away. The good news is that information is readily available, with model NPPs and practice guidance (HealthIT, 2014). It is important that the NPP be meaningful and its receipt acknowledged. In the past, it was not uncommon for a form to be given to patients in a large stack of other papers requesting information such as medical history and insurance details, with a signature requested on a form titled “Privacy Policies” or similar, without the patient ever being provided with the actual NPP or an opportunity to ask questions. This is not acceptable practice. Consumers are entitled to be informed fully. More recently, I am pleased to report that I have observed practitioners sitting with patients and actually reading the NPP to the patient, or at least a summary of rights and responsibilities, before accepting a signature on an acknowledgment. Not only is the latter procedure appropriate, when necessary, but it goes a long way toward enhancing the professionalism of the CE and its staff.

Times are changing, and it is becoming more common for a patient, or that patient’s parent or guardian, to inquire about specific policies. Those that appear most important to consumers are: Who will you tell? What will you tell, and how will you deliver the information? Specific permission to leave information on voice mail (home and/or other) and on cell phones should be clearly stated, and that information then needs to be conveyed to all necessary staff who might have reason to contact the patient. Policies and procedures that are readily available to staff for reference and discussed in in-service educational opportunities are essential.

In the first 10 years of compliance (2003–2013), “the compliance issues investigated most are, compiled cumulatively, in order of frequency:
1. impermissible uses and disclosures of protected health information;
2. lack of safeguards of protected health information;
3. lack of patient access to their protected health information;
4. uses or disclosures of more than the minimum necessary protected health information; and
5. lack of administrative safeguards of electronic protected health information.” (OCR, 2013, p. 2)

Industry Response to HIPAA Mandates

There is no doubt that HIPAA covered entities (CEs), their business associates (BAs), and BA subcontractors are required to have Business Associate Agreements (BAAs; HHS, 2013). Health care practitioners and other CEs have been struggling to find simple and secure ways of complying with HIPAA, HITECH, and HIPAA Final Rule mandates. Necessary communications, including the sharing of patient PHI, have carried the cloak of caution with every click. Google has taken substantial steps to assist CEs and stands ready and willing to enter into a HIPAA BAA with those who use three Google Applications: Gmail, Calendar, and Drive (Ouellette, 2014). This certainly gives a viable choice to CEs and their BAs, particularly small businesses, who are unable to invest in sophisticated information technology (IT) systems. Case managers who are small business owners or sole practitioners must always be mindful of their HIPAA obligations, typically as BAs. These duties must be taken seriously and well documented. “Organizations are likely already beginning to use those [Google] services with more regularity” (Ouellette, 2014, p. 1).

Under HIPAA, certain information about a person’s health or health care services is classified as Protected Health Information (PHI). Google Apps customers who are subject to HIPAA and wish to use Google Apps with PHI must sign a BAA with Google. Administrators for Google Apps for Business, Education, and Government domains can request a BAA before using Google services with PHI. Google offers a BAA covering Gmail, Google Calendar, Google Drive, and Google Apps Vault services. Google Apps customers are responsible for determining whether they are subject to HIPAA requirements and whether they use or intend to use Google services in connection with PHI. “Customers who have not entered into a BAA with Google must not use Google services in connection with PHI” (Google, 2014, p. 1).

It is important to remember that these services are not automatic and require that a CE or its BA be a Google business customer. “To request a HIPAA Business Associate Agreement (BAA), you must be signed in to an Administrator account for your Google Apps for Business, Education, or Government domain. Non-Administrator Google Apps users or users of Google Apps Free Edition (sometimes referred to as “Standard Edition”) cannot request a BAA from Google at this time” (Google, 2014, p. 1). For further information on eligible apps, go to https://support.google.com.

REFERENCES

Google. (2014). HIPAA compliance with Google Apps. Retrieved from Google: https://support.google.com/a/answer/3407054?hl=en

HealthIT. (2014, March). Model notices of privacy practice. Retrieved from HealthIT.gov: http://www.healthit.gov/providers-professionals/model-notices-privacy-practices

HHS. (2003, April). Uses and disclosures for treatment, payment and healthcare operations. Retrieved from hhs.gov: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/usesanddisclosuresfortpo.html

HHS. (2013, January 25). Final rule. Retrieved from www.FDsys.gov: http://federalregister.gov/a/2013-01073

OCR. (2013, December 31). Enforcement highlights. Retrieved from HHS.gov: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/12312013.html

Ouellette, P. (2014, February 13). What will Google cloud BAA support mean for health developers? Retrieved from Health IT Security: http://healthitsecurity.com/2014/02/13/what-will-hipaa-baa-support-mean-for-healthcare-developers/

Lynn S. Muller, RN, BA-HCM, CCM, JD, is a nurse attorney and managing partner of Muller & Muller. She is a CCM with extensive nursing and case management experience. Her practice includes family law, wills, trusts and estates, defense of health care professionals before the state licensing boards, as well as transactional and consulting work for practitioners and health care companies on such issues as regulatory investigation and compliance. Lynn is an adjunct professor in the Doctor of Nursing Program at Saint Peters University, where she teaches Legal and Ethical Parameters of Advance Practice Nursing and Health Policy and Politics. She is the author of numerous articles in professional journals and is the author of the legal chapters of the third edition of Case Management: A Practical Guide for Education and Practice and the second edition of CMSA Core Curriculum for Case Management. She is a former commissioner of CCMC, past president of the NJ Chapter of CMSA, and a former public defender, judge, and councilwoman.
