Introduction and Overview
I want to start by saying upfront that I am obviously not an attorney, so as we work through the definitions and requirements related to HIPAA, I want to make sure that everyone understands this is my perspective and I am not here to give legal counsel. I want to make sure that everyone is on the same page, and if you have questions that concern specific legal issues or legal processes, please see an attorney or some other compliance officer in your facility.
HIPAA: The Basics
What is HIPAA, what does it mean, and what are the areas that we need to focus on as speech-language pathologists? Many people try to spell HIPAA like H-I-P-P-A or H-I-P-P-O. It is H-I-P-A-A, which stands for the Health Insurance Portability and Accountability Act. When we think about HIPAA, we usually think about two different sections called “Title I” and “Title II.” Title I focuses on healthcare access, portability, how to renew your insurance, and what the laws state about those topics. It provides some information on pre-existing conditions, and some other areas. Most people focus on Title II because it is really within the Title II section of the law that we get into the privacy rules and some of the other more specific issues related to sharing of PHI and how we as practitioners, or the facilities that we work in, could potentially get into trouble with violations.
Purposes of HIPAA
We are going to focus a bit more on that Title II portion of the law. In other words, how do we interpret the privacy rule, the security rule, and the breach notification rule?
The privacy rule protects the privacy and addresses the use and disclosure of protected health information (PHI). So, we will talk about what that privacy rule says. There is also the security rule that sets the national standards for security of electronic health records, or electronic protected health information. And then the breach notification rule really comes into play when there has been a breach of information, and what you should do as practitioners or what your facility should do when a breach happens.
Covered entities. When we think about the privacy rule, we have to think about covered entities. We will talk about what those mean and what a covered entity is. The privacy rule applies to any healthcare provider that transmits health information, which could be the providers themselves, a health plan, or it could also be the healthcare clearinghouse.
You, as a speech-language pathologist, would obviously be a healthcare provider, but any healthcare provider would fall under that. Any type of person or organization that furnishes or bills or is paid for healthcare would also be a provider. A nursing home would be a provider as well. Health plans are the insurance companies, the health maintenance organizations (HMOs), government healthcare plans like Medicare, Medicaid, or the Veterans Administration (VA) hospital. Clearinghouses are more the entities that process health information, such as billing services or other healthcare management organizations. These all would be what are considered covered entities.
Business associates. A business associate is any person or organization that is not part of the covered entity’s workforce that performs certain services for said covered entity that includes use or disclosure of health information. They have to also be in compliance with HIPAA rules.
When we think about the practices or facilities that we may work in, we may have an outside organization or outside contractor that handles legal or billing services, or some other type of service that we depend on for certain aspects of how we practice or certain aspects of administration. Those would be business associates, and they would have to also follow HIPAA rules. This is where we sometimes get into trouble, because while the facility may have really strict HIPAA compliance, they may be contracted with another organization or another service outside of their workforce, and those business associates sometimes get into trouble or have breaches, and the facility is still responsible for them. We have to make sure that anyone we contract with that will come in contact with any protected health information is also in compliance and following HIPAA guidelines. That is often where issues will come up.
Protected health information. What is protected health information? It is really any piece of information that can be traced back to the patient that you are working with. That would include, of course, name, address, birth date, social security number, and other demographic information that has been collected on that patient. The types of services that have been provided to that patient, and the payment history for that patient would come under protected health information as well.
The HIPAA privacy rule says all PHI used by a covered entity - you the SLP, or the facility you are working in - must be protected, whether the form of the information is electronic, paper, or oral. We will not talk as much about oral discussions or how those are recorded, but sometimes you do audio recordings and things like that that you need to also protect. Sometimes we do an audio recording during an evaluation; that becomes protected health information. We have to be careful about those and how we end up storing them. Electronic and paper forms, or anything that is related to that patient, has to be protected. It would fall under this privacy rule.
Disclosure of PHI. There are times when we can disclose protected health information. Obviously, we want to be able to disclose information to the patient or to that person's designated representative. Sometimes, we also may have to disclose certain information to the Department of Health and Human Services when you are staying in compliance with certain state or federal regulations and policies. We can also send patient information to insurance companies when you are billing and getting payment. That is an appropriate use of protected health information.
There may be some public interest in certain aspects of protected health information. For example, if there were some type of epidemic or outbreak, reporting names to the Center for Disease Control (CDC) would be appropriate in that situation. There may also be limited data used in certain types of demographic research, looking at large numbers of patients; for example, if there is a cancer cluster, so to speak, in a certain area, and we need to follow up on that. So, there are certain situations where names or certain information can be shared and it will not be in violation of HIPAA. Usually, that is in the case of some type of general public health need, or public health situation that needs to be addressed.
We have to work with patients to make sure that we have authorization any time we want to disclose certain aspects of protected health information. We just talked about how we can legally disclose information. If we have some other reason to disclose, we have to get written permission for that. When we think about working with a patient and having to send information, we have to make sure that we have written authorization from the patient. Not only do we have to get a signature from a patient to make sure that we have the authorization, we have to make sure that the patient understands, in very specific terms, in what context we will be disclosing that information and to whom. We have to make sure that our privacy procedures are upheld; that information has to be shared with our patient.
Privacy practice notice. When the patient signs off on something, he should get a copy of those policies and understand exactly why and how the information will be shared. That is why, when you go into doctors' offices or other offices, you have to sign off that you have received a copy of the privacy practices within that provider's office. That all comes back to HIPAA; the patient has to be informed about how information is going to be shared, and how their privacy is going to be protected. All of this goes into the privacy notice.
Again, every covered entity is required to provide every patient with a notice of its privacy practice. It can be a document or brochure. I have seen some places that have that on a website and then follow up with written information that is provided at the actual visit.
What should that information be? It should be a description as to why and how the health information may be used, the duty of the entities to protect PHI, and the patient's rights to use and disclosure, including how to report if he/she feels his privacy has been breached. The policy paper or brochure must have a way for the patient to check on how his/her information is being used. If there is a breach, the patient needs to have a way to report that breach; that goes into protecting their rights as a consumer and as a patient.
The covered healthcare providers that have a direct treatment relationship to a patient must deliver the notice of their privacy practices to patients no later than the first service encounter via personal delivery, electronic delivery, or through the mail. They must also do it by posting the notice in a clear and prominent location, like in the waiting room or in an examination room. In emergency situations, the provider must provide the notice as soon as possible after the emergency abates. It must also be available upon request; if a patient asks for that information, it should be available to him very quickly.
As well, that covered healthcare provider must make an effort to obtain written acknowledgement from patients that they have received those privacy policies. Make sure that has been documented, because when other entities come in for accreditation, they will want to make sure that you are collecting that information -- that patients have been told about their rights in terms of how their information is going to be protected.
Most people refer to this as the “security rule of HIPAA,” but it is also known as the “Security Standards for the Protection of Electronic Protected Health Information.” That is a long title, so most people just refer to this as the “security rule.”
Most of the focus of the security rule is on this idea of electronic protected health information (e-PHI), and thus, the security standards for how PHI is held or transferred in electronic form. When we think about public health information, a lot of that is digitized; it is in electronic form. How is that information being shared between service providers? How is it being shared between a physician and a hospital? If you are working in a hospital, you may be using programs like Epic, or something very similar; how are you sharing that information? Who has access to it? The security rule applies to that.
As I mentioned earlier, it also applies to the same covered entities and business associates as the privacy rule. When we think about how we are keeping that information secure, not only do we, as providers, and the facilities we work in have to follow the security rule, but those business associates that we might be contracting with must also comply with the security rule, and protect that information. It applies to all protected health information a covered entity would create, receive, maintain, or transmit in electronic form -- so that basically is just about everything.
Security rule basics. The basic concepts related to the security rule include confidentiality, integrity and availability of PHI. Obviously, we have to maintain confidentiality. We know that electronic protected health information should not be available or disclosed to unauthorized persons. This rule supports the privacy rule’s prohibition against improper use and disclosure of protected health information. So, confidentiality is extremely important.
We also must maintain integrity of e-PHI. We have to make sure that the electronic medical records are not altered or destroyed in an unauthorized manner. We also need to make sure that they are available so that they are accessible and usable on demand by authorized providers or authorized persons. That is essentially the summary of the components of the security rule.
Because covered entities vary in size and environment, the security rule does not dictate the measures required to ensure security of electronic protected health information. However, it does require covered entities to consider the size, complexity, and capabilities of their organization or facility based on the number of patients they are working with, the technical, hardware, and software infrastructure that is needed to provide that security, the cost of those security measures, and the likelihood and possible impact of potential risks to PHI. We know that there are different-sized practices and hospitals, larger institutions and smaller institutions. Basically, the security rule says - even though it does not dictate how it should be done - that regardless of your size, you need to make sure that you are following this rule. We know that one technology may not be appropriate for a huge hospital system; for example, the Mayo Clinic may have a very involved technological infrastructure devoted to sharing and protecting information, whereas a practice of 20 people is not going to need the same level of hardware or software. You should get what works for the size of practice you are working in.
You still have to make sure that everything is secure, so to accommodate a constantly evolving technology, covered entities must review and modify security measures on a continual basis. We have to make sure that we are staying up to speed with some of the new changes with technology. We now have patients that are texting and emailing and doing lots of things that maybe a few years ago they were not doing. They are expecting us as providers to respond in kind, and to do the same thing. I think we have to be careful about that and make sure that the technology we are using is still compliant with HIPAA, and that we are still protecting the information that is being shared. That being said, sometimes what we see is that these laws do not keep up with the technology that is happening. Technology changes very quickly, we then have new behaviors from the patients that we are working with, and sometimes, those do not quite fit under the law, which might have been written a few years ago. We are going to constantly see those kinds of things as we go forward. But I think we have to do everything we can to make sure that we have the privacy and the security protected for all of our patients.
The security rule requires certain standards to be addressed:
Administrative safeguards. First, we must think about administrative safeguards. We have to make sure that the administration of your practice, your hospital, wherever you are working takes this very seriously. There should be some type of security officer, or a compliance officer, that is making sure that security is in place, that privacy is in place and that everyone who works in that facility is following the HIPAA requirements. That security management process must be in place along with assigned security responsibility. There must be workforce security, and the workforce must be trained in HIPAA and how to keep information secure.