Q: My facility no longer registers patients under aliases, but will allow them to opt out of the patient directory. However, opting out of the registry will not exclude our patients from the operating room (OR) list. At one time, the facility's CEO received the daily OR list with full patient names so he could visit board members, donors, or others whom he knows at our facility. HIM changed this practice so that patients' names would not be on the OR schedule provided to the CEO. The CEO took this matter to the hospital attorney, who said the names could be included because the use of PHI by the CEO to determine whether and when a patient visit is appropriate is permitted by HIPAA as it is part of healthcare operations. Is it a violation of HIPAA for the CEO to use PHI to track patients in this manner?
Q: I was recently hired for a position at a long-term care facility. Upon getting acclimated, I learned that the facility has completed handwritten logs for every fax that was sent out since 2003. This document is referred to as the HIPAA fax log and contains the date the fax was sent, to whom it was sent, by whom it was sent, the number of pages, and whether a cover sheet with confidentiality statement was included. I would like to do away with this form since fax machines can generate their own logs. However, if this is a necessary process then I would like to follow official guidelines and update the facility's policies and procedures accordingly. Does the HIPAA Privacy or Security Rule require these logs? If so, what information must we include?
While organizations should focus on performing regular risk assessments and analyses, there are also other ways in which they must review their systems for compliance. Often, these other evaluations are overlooked despite their value, says Kevin Beaver, CISSP, an information security consultant in Atlanta. In particular, organizations should be careful not to forget about performing vulnerability assessments and penetration tests, which are components of an overall risk assessment or analysis, says Beaver, who is a BOH editorial advisory board member.
In my experience, most organizations in the health-care industry?both covered entities and business associates?have taken the steps to put policies, business processes, and training programs in place to help ensure compliance with the HIPAA Security Rule. Still, there's a gaping hole in many healthcare compliance and security programs: a lack of technical security testing of Web applications, mobile applications, and network systems.
As the use of electronic health records (EHR) surges and organizations work toward meaningful use attestation, more in-depth monitoring of electronic patient records is becoming increasingly necessary.
The intent of quality and safety programs is to evaluate and monitor performance and to improve results. Organizations develop annual quality and safety plans with measurable objectives that departments adopt and include as integral aspects of their performance improvement plans.
Q: I am familiar with the HIPAA Security Rule requiring information system review audits. Are there any HIPAA Privacy Rule requirements?other than to perform audits?that require the examination of inappropriate access for an alleged breach? Currently, our security team performs monthly information system review audits and issues reports to leadership on a quarterly basis. Will this suffice, or are there audits that the privacy team should perform as well?
Albert Einstein once said "The difference between stupidity and genius is that genius has its limits." To paraphrase Einstein, the difference between security and compliance is that compliance has its limits. With each high-profile breach that makes headlines, organizations likely question the link between compliance and security, wondering whether the two are one and the same.
Although numerous privacy and security laws apply to healthcare entities, HIPAA rules and requirements tend to receive the most emphasis?and generate the most angst. The terms HIPAA-compliant vendor, HIPAA cop, and HIPAA disciplinary action are anathema to experienced and serious privacy and information security professionals. HIPAA, as has been noted, represents the floor of requirements intended to protect the privacy and security of patient information. More stringent privacy requirements have existed at the state and national levels for several years before the HIPAA Privacy Rule was implemented (e.g., state medical records laws and requirements). Notably, many organizations implement policies and procedures that are more stringent than that required by HIPAA. Some of this is due to misinformation or misunderstanding of the HIPAA rules.
