Maintaining Compliance In An HIPAA Audit


HIPAA Compliance: Take These Steps to Protect Yourself During HIPAA Audits

Plus, know exactly what a breach is

Establishing HIPAA protocols isn’t a one-time job. Make sure your privacy and security practices are up to date to account for new information management applications and systems, or for changes in state law, so that you stay in HIPAA compliance.

Health Information Technology for Economic and Clinical Health Act (HITECH Act)

During 2008, some new laws were already making their way through various committees in the U.S. government and toward adoption when all of a sudden Congress said, “Well, let's have a stimulus bill.” That legislation got wrapped up into all the various things that became the stimulus bill, which wasn't invented overnight. It was really put together out of a lot of material that was already working its way through Congress, the way so many things happen.

And so the HITECH Act, which had all of this in it, including the privacy changes and the HIPAA breach notification provisions, became Title 13 of ARRA. Title 13, Subtitle D is the privacy section.

So in ARRA, if you look at the section numbers, they read 134-something: the 13 is for Title 13 and the 4 is for Subtitle D. All of the sections beginning with 134 are the privacy provisions in ARRA, which is where the breach notification requirement now comes from.

HIPAA Compliance: Section 13400 is where the definitions are, and a couple of the definitions in ARRA really got the ball rolling on breach notification. In fact, the very first definition listed in that section of ARRA, in the HITECH Act, is for a breach. What is a breach?

Take note that what we're describing here is what's in the law, because there are some questions about the differences between what's in the law and what's in the regulations that have come out, which may or may not lead to changes. There's certainly no end of controversy. What the law says is that a breach is:

The unauthorized acquisition, access, use or disclosure that compromises the privacy or security of PHI. In other words, some information has been disclosed in a way that winds up violating the privacy rule or the security rule somehow.

They have some exceptions built into the law, which is nice. It's good to have some things built into the statute itself, with the regulators going somewhat beyond that in the regulation. What's built into the law is that it's definitely not a breach if the information cannot reasonably be retained. That is, information has been accessed, used or disclosed, but it can't reasonably be retained.

There may be some examples along with the regulations, but this sounds more like the case where you hand somebody a discharge summary as they're leaving the office and it's the wrong person's discharge summary. If nobody had a chance to look at it, that's probably not enough for them to see what's going on; nothing has really been exchanged and nothing is being retained. So it's an interesting exception.

The other exception is that a breach doesn't include unintentional or inadvertent acts by employees or staff, as long as they are in good faith and within the scope of their job. In other words, if you're working as a nurse in a hospital and you're looking up an individual's record in the health record system, say Mary Smith, well, how many Mary Smiths might you have in there? You may open up the wrong record before you find the right Mary Smith.

That's not the kind of thing you want to treat as a breach. It's not an intentional, on-purpose disclosure; it's an unintentional, inadvertent disclosure, and it's certainly within the scope of the job. It just happens to be the wrong record, and these things happen.

So it's good they have these kinds of exceptions in here, because they give you some room to move. Otherwise, every time the slightest thing is looked at by the wrong person, it would wind up being a breach, and it's not reasonable to look at it that way.

There's also another definition you can refer to in maintaining HIPAA compliance: the personal health record. That's definition number 11 in section 13400 of the HITECH Act.

PHRs vs EHRs

A personal health record is distinct from an electronic health record. An electronic health record is something that the providers maintain. A personal health record is something that is provided by or on behalf of the individual and managed by or for the individual. So this is not the information that's in the hands of the doctors' offices.

Certainly, you may have information that is fed into it by your doctor's office, and in fact some hospital groups and healthcare groups are now establishing personal health records that tie in with the electronic health record. So you wind up with a personal health record that is also tied in with information that comes more from the electronic health record than from the PHR itself.

So what they have done here is to say there's a new thing called a personal health record. It may be put out by an organization that isn't one of the usual HHS-regulated entities, and it's managed by the individual; that's what a personal health record is. They define it as a separate thing. Again, that's why you have to account for things that just didn't exist years ago when HIPAA and its compliance prerequisites were first put together. There was no such thing.

For similar topics, check out our audio conferences on HIPAA compliance.