OCR's long-awaited Phase 2 HIPAA Audit Program is finally in full swing. On March 21, OCR announced that it will begin verifying the contact information of covered entities (CE) and business associates (BA) selected for audits (www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/phase2a...). This shouldn't surprise savvy healthcare organizations. The audits kicked off after a flurry of activity from OCR and HHS, including pricey HIPAA settlement fines and the publication of user-friendly HIPAA guidance for providers, developers, and patients.
Tips for small covered entities charged with HIPAA compliance
"OCR has bigger fish to fry than me."
You may have heard that before—or even said it. Maybe you're an employee in a tiny healthcare facility. Or maybe you've seen the big headlines on data breaches, noted how they seem to always involve large insurance companies and massive healthcare facilities, and thought, "That won't happen to us."
Know thy BA
BAs are a part of HIPAA life—no matter how big or small your entity is. So how far should CEs go to ensure their BAs are HIPAA compliant?
Roger Shindell, CHPS, the CEO of Carosh Compliance Solutions in Crown Point, Indiana, notes that things changed with the HIPAA Omnibus Rule, HHS' biggest set of modifications to the HIPAA Privacy and Security Rules under the HITECH Act. Prior to 2013, if a CE had a valid BA agreement in place and the BA suffered a breach, the CE had a safe harbor exemption for that breach.
Entities are required to conduct an "accurate and thorough assessment" of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI.
BA agreements stipulate that the BA will comply with all the requirements under HIPAA/HITECH, per the HIPAA Omnibus Rule. So BAs need to be ready, just like you.
Should CEs offer training to the BAs? No, says Shindell.
"The BA has their own obligation to conduct training," he adds, "and if training is on specific policies and procedures, the CE would not know what these are and what is appropriate."
"Don't click on that link" is a common warning from security officers. That hasn't stopped many staff from clicking on suspicious links that at first glance appear to be valid, and the result can be a significant loss of PHI and other sensitive data. This type of attack, phishing, represents one of the more significant risks for network intrusion and data theft.
PHI and marketing, disclosure of mental health information, and revising NPPs
by Mary D. Brandt, MBA, RHIA, CHE, CHPS
Q. Would a physician be expected to report a patient’s mental and behavioral health information to the National Instant Criminal Background Check System (NICS) or the FBI? Are there specific assurances CEs should get before they release this information?
A. No. Mental health providers are not expected to report information to the NICS or FBI. NICS checks available records on persons who may be disqualified from receiving firearms. It was developed by the FBI in 1998. Individuals are prohibited from buying a gun from a licensed dealer if a background check reveals that they have been any of the following:
Involuntarily committed to a mental institution
Declared incompetent by a lawful authority
Found incompetent to stand trial or found not guilty in a criminal case by reason of insanity
These disqualifications constitute what NICS calls the federal “mental health prohibitor” for gun ownership.
Courts of law are not bound by HIPAA, so they have been free to report mental health determinations to NICS. However, some state agencies covered by HIPAA also make mental health determinations or store records on them. Many of these agencies have refrained from reporting to NICS due to concerns about violating HIPAA.
An HHS rule issued January 6 modified the HIPAA Privacy Rule to specifically allow state agencies that are also CEs to disclose limited information to NICS. Agencies cannot report diagnostic or clinical information about the individual to NICS, only that he or she is subject to the mental health prohibitor, along with basic demographic information. This reporting loophole was not extended to individual physicians, hospitals, and other healthcare professionals. The rule is available at www.gpo.gov/fdsys/pkg/FR-2016-01-06/pdf/2015-33181.pdf.
However, providers may have a duty to warn based on ethical standards, state laws, and court decisions. HIPAA permits a covered healthcare provider to warn appropriate persons if the provider believes there is a serious and imminent threat of a patient physically harming him- or herself or others. See 45 CFR 164.512(j).
Editor’s note: Brandt is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. She is also an advisory board member for BOH. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Nicole Votta at firstname.lastname@example.org.