Our 24 lessons cover regulations and statutes that apply to small providers (e.g. dentists, chiropractors) and business associates (e.g. IT consultants, cloud services). Topics are color-coded according to 5 compliance categories. Each tutorial summarizes a regulatory subject followed by a vignette set in the town of "Single Peak." We suggest that you watch videos in the order presented. If you need more help, click
Our tutorials were created for small entities with limited funds for HIPAA compliance. Our videos serve as an adjunct to consultation services. We use the website to guide clients to online sources of law. For example, every covered entity (CE) must designate a privacy official responsible for the Privacy Rule (§ 164.530), and every CE and every business associate (BA) must identify a security official responsible for the Security Rule (§ 164.308(a)(2)).
We provide individual training sessions for office managers and privacy/security officials. We also work with groups. We provide customized programs for the workforce, including multiple-choice test-kits based on our tutorials and your policies and procedures. We also provide seminars and workshops at locations within Southern California. Please contact us for more information and a price quote.
This historical view of HIPAA introduces Priscilla Pruitt and her husband Hudson. They have practiced medicine since the 1970s. Hudson acquired his first computer in 1986. Ten years later, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA). The Act was meant to "simplify the administration of health insurance" among other things. President Clinton signed HIPAA in 1996.
The Pruitt Medical Group employs Dr. Kramer, a chiropractor who works part-time as a schoolteacher. The doctors consult Attorney Ann. Is Dr. Kramer a covered entity at school? He teaches health education to children. Ann explains that FERPA (not HIPAA) covers school records. HIPAA-covered entities are those that engage in HIPAA transactions. Kramer is not a CE at school, and the school nurse is not a CE. Hudson asks whether he can avoid HIPAA rules by retiring or limiting his practice.
HIPAA jurisdiction is limited. There are only three kinds of covered entities: health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with a HIPAA standard transaction. § 160.103
Officer Oliver sees Hudson & Priscilla at the ski lodge and asks for advice. A hotel guest ("John Doe") went in the ice-water pool, had chest pains and refused EMT care. Priscilla persuaded the guest to go to the ER. John Doe paid for the exam in full. Upon discharge he was confident HIPAA would protect his privacy. Oliver asked the clerk if the patient was okay. Hospital disclosed no PHI. But John Doe's photo appeared in the newspaper. John called Attorney Ann. What about my privacy? Ann explained why the story was not PHI.
Protected health information (PHI) means "individually identifiable health information" (IIHI) held or transmitted in any form. "Identifiable" means the information identifies the individual, or there is a reasonable basis to believe it could be used to identify the individual. "Health information" is broadly defined and may include medical product information and billing records. § 160.103
CEs may use or disclose PHI only as the Privacy Rule permits or requires. § 164.502
Hudson & Priscilla consult Attorney Ann to clarify the meaning of business associate. They are concerned about Dr. Kramer's patient referrals to the workers comp lawyer. Ann explains why Lois Lawyer is not Kramer's BA. They are also concerned about teenage girls they hired to do janitorial work after school. Ann warns about the risk of snooping. The girls should be treated like workforce members. Give them HIPAA training and do not treat them as BAs.
A BA relationship arises when PHI is outsourced. A BA is anyone who creates, receives, maintains or transmits PHI on behalf of a CE or another BA. The BA relationship arises when a professional service involves the disclosure of PHI. The BA works outside the CE's workforce. The BA is not under direct control of the covered entity. A CE may be a BA of another CE. The HITECH rule defines health information organizations and e-prescribing vendors as BAs. § 160.103
The Pruitt Medical Group received a complaint notice from OCR. Complainant was a teenage girl receiving chiropractic treatment from Kramer and medical treatment from Hudson. Her prescription information was disclosed. Hudson and Kramer discuss the letter then Hudson consults Attorney Ann. She calls OCR. Days later, Investigator Ito inspects the office and discovers the cause of the incident.
HIPAA has many different methods of enforcement; a fine comes at the end of the road. Congress delegated HIPAA enforcement to the Department of Health and Human Services (HHS), and HHS in turn delegated it to the Office for Civil Rights (OCR). The first principle for compliance is cooperation: OCR may provide technical assistance and seeks to resolve matters informally where it can. When someone files a complaint, OCR must investigate if a preliminary review indicates a possible violation due to willful neglect. It has discretion to investigate lesser complaints.
The privacy official is an administrative requirement of the Privacy Rule. § 164.530 The privacy official is responsible for the CE's privacy policies and procedures and for training the workforce. That official must put in place a process for patients to make complaints and sanction procedures for workforce members who violate the policies. The privacy official must stay abreast of changes in the law. Policies and procedures must be documented in written form and retained for six years.
Hudson reminds Priscilla that the NPP must be updated. Priscilla consults Ann. Priscilla is concerned about the rules on "marketing" because they are sending direct mail advertising for Kramer's chiropractic services. Ann explains the new marketing definition under HITECH. She also explains the new fundraising rules. She says TPO email communications are permitted. She advises Priscilla to purchase an updated NPP poster and get new brochures.
The NPP is a compliance document that explains what the covered entity can and cannot do with PHI. The NPP regulation resides in Privacy Rule Subpart E. § 164.520 The Privacy Rule establishes the right of an individual to receive adequate notice of an entity's privacy practices. NPP templates can be purchased or copied from many different sources, but the NPP should be tailored to fit the covered entity. The Privacy Rule requires eight elements of content.
Sister Agnes asks for electronic PHI on behalf of all the Sisters at the Retirement Home. Most records are paper, not electronic. Hudson consults Computer Guy. How much does it cost to scan a thousand pages? Guy will provide a cost estimate. Agnes leaves the office. Belle asks Hudson if HIPAA permits her to fax immunization records to a child's school. The child's parents are military, stationed in Germany. Hudson says they can send the immunization records to the school without an authorization, but they must obtain the parent's agreement (which may be oral) and document it. § 164.512(b)(1)(vi)
Every individual has a right to inspect and obtain a copy of his or her medical records under both California law and HIPAA. HIPAA's access rule has five basic guidelines. § 164.524 California's access laws are in the Health & Safety Code. Federal preemption invalidates a state law that is contrary to HIPAA, meaning a CE cannot comply with both. A contrary state law survives, however, if it is more stringent than HIPAA. "More stringent" means the law gives the individual greater rights of access to his or her own PHI or affords greater privacy protection. § 160.203
Sisters Agnes and Edith watch an ambulance leave the dentist's office. The hospital clerk refuses to disclose PHI because the Sisters cannot name the patient. The ER doctor discusses a husband's condition with his wife. A pastor is permitted to view religious affiliations for pastoral visits. A pharmacist informally discloses PHI to a wife. Fred calls the Red Cross requesting medical information about his daughter stationed in Germany. Wilma checks on a friend at the nursing home.
A provider may share relevant information with a patient's family and persons involved in the patient's care. The rule for these informal disclosures is § 164.510 of the Privacy Rule. There are two standards. The first relates to facility directories: name, location, general condition, and religious affiliation (the last only to clergy). The second relates to involvement in care and notifications: a facility can tell family members or significant others about the patient's general condition or location. If the patient has the capacity to make decisions, the provider must give the patient an opportunity to agree or object.
Pete's mother Mary went from the dentist's office to the hospital. Pete accused the dentist of causing nitrous oxide overdose. Hudson contacts the Dental Board and sends PHI by fax. Investigator asks for additional dental records. Coincidentally, the dental office bursts into flames. Fire chief interviews dentist then contacts the State. The State Fire Marshal involves DEA and FDA. All three agencies use Mary's PHI without giving her an opportunity to object to disclosure of PHI.
Public necessity can overtake personal privacy under § 164.512, which lists the disclosures permitted without the patient's authorization or opportunity to object. Disclosures must always be limited to the relevant information. PHI is routinely collected for vital statistics and reporting of certain diseases. Child abuse reports go to the authorities authorized by law to receive them. FDA collects PHI to regulate products. OSHA collects PHI relevant to work injuries. Health oversight agencies may use PHI to investigate licensees. Organ procurement organizations may access PHI without the family's authorization. Disclosures for military activities and for workers' compensation are likewise permitted. § 164.512(k), (l)
Dentist's fire was on FaceBook. Hudson's brother, a dentist, asks what happened. Hudson worries about fire risk. He prescribes oxygen to a patient who smokes. Should we talk about this? says Dan. Hudson says HIPAA permits TPO disclosure. But I'm a dentist, says Dan. Fire safety is "operational," says Hudson. Dan suggests, try calling the Fire Marshal. Patient is evicted from no-smoking apartment. Hudson consults Attorney Ann. She explains "imminent threat" exception and informs Hudson that all tenants must go. The building is being renovated.
The TPO rule is § 164.506 of the Privacy Rule. Definitions of treatment, payment, and health care operations are in § 164.501. Treatment means the provision, coordination, or management of health care by one or more health care providers, including the coordination or management of health care by a provider with a third party. The TPO rule does not reach uses that require a signed authorization, e.g., most uses of psychotherapy notes and marketing communications.
Penny lives with grandparents while her parents are stationed in Germany. On Skype, she asks Mother about going to a party. Penny did not know it was a tattoo party. A girlfriend admires Penny's tattoo. What will your mother say? Penny wants to hide the tattoo for a time. She consults Uncle Harvey, an ER physician and biker with tattoos. Harvey suggests getting tested at Planned Parenthood. He explains how to request extra privacy protection from Priscilla, her family doctor.
The right to request extra privacy protection is provided in § 164.522. There are two categories: restrictions on uses and disclosures, and confidential communications. Restrictions may be requested on TPO and informal disclosures. A CE is generally not required to agree to a requested restriction. The exception added by HITECH is that a CE must agree to restrict disclosures to a health plan for payment or operations when the patient has paid for the item or service in full out of pocket. Disclosures required by law cannot be restricted. Termination of a restriction must be documented. Providers must accommodate reasonable requests to receive communications by alternative means or at alternative locations.
Single Peak was selected for a clinical study on Goldtone Suntan Lotion for children. Clinical investigator Goldie visits the Pruitt Medical Group and explains details of the study to Priscilla. Each subject's privacy is protected by using data that is not individually identifiable. She explains how PHI is de-identified. Priscilla asks Goldie to seek a contribution for the children's Bike Fiesta. CEs may use certain demographic PHI without a patient's authorization for fundraising purposes.
De-identification rules are in § 164.514. Under the safe harbor method, information is no longer PHI once all 18 categories of identifiers listed in § 164.514(b)(2)(i)(A) through (R) are removed, provided the entity has no actual knowledge that the remaining information could identify the individual. The other method is expert determination: a qualified expert applies statistical and scientific methods and documents that the risk of re-identification is very small. Fundraising and underwriting are regulated by § 164.514(f) and (g).
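The safe harbor method is mechanical enough to script for structured records, and the places where scripts go wrong are the edge rules: ZIP codes reduce to three digits only if the ZIP3 area has more than 20,000 residents (otherwise "000"), every element of a date except the year is dropped, and ages over 89, including a birth year that implies such an age, collapse to "90+". The block below is an added example written for this page, not code from the tutorial or from Darnall Law Office. The field names, the sample record, the reference date, and the SMALL_ZIP3 set are assumptions made for the example; a real deployment loads the small-area ZIP list from current Census data.

```python
"""Safe-harbor de-identification under 45 CFR 164.514(b)(2).

Added example for this tutorial, not code from the page or from Darnall Law
Office. Field names, the sample record and the SMALL_ZIP3 set are assumptions
made for the example.
"""
import re
from datetime import date

# Identifier categories removed outright (name, geography below state level,
# contact details, SSN/MRN/plan/account/license numbers, vehicle and device
# identifiers, URLs, IP addresses, biometrics, full-face photos).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric", "photo",
}

# Three-digit ZIP areas with 20,000 or fewer residents must become "000".
# CONSTRUCTED for the example: a real deployment loads this from current Census data.
SMALL_ZIP3 = {"036", "059", "102", "203", "556", "692", "821", "890", "893"}

# Patterns that show an identifier survived in a free-text field.
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}

REFERENCE_DATE = date(2015, 1, 1)  # constructed "as of" date for age calculation

SAMPLE_RECORD = {  # constructed sample input, not a real patient
    "name": "Wanda Waitress", "ssn": "123-45-6789", "zip": "90210", "age": 34,
    "birth_date": "1980-06-01", "admission_date": "2014-03-15",
    "diagnosis": "Trichomonas", "notes": "Specimen handling to be reviewed.",
}


def generalize_zip(zip_code):
    """Keep the first three digits unless the ZIP3 area is small."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    prefix = digits[:3]
    return "000" if prefix in SMALL_ZIP3 else prefix


def year_of(iso_date):
    """All elements of a date except the year are removed."""
    m = re.match(r"^(\d{4})-\d{2}-\d{2}$", str(iso_date))
    return int(m.group(1)) if m else None


def age_on(iso_birth_date, as_of):
    """Completed years between the birth date and the reference date."""
    b = date.fromisoformat(iso_birth_date)
    return as_of.year - b.year - ((as_of.month, as_of.day) < (b.month, b.day))


def find_leaks(out):
    """(field, pattern) pairs for identifiers visibly surviving in string fields."""
    return [(k, label) for k, v in out.items() if isinstance(v, str)
            for label, pattern in LEAK_PATTERNS.items() if pattern.search(v)]


def safe_harbor_deidentify(record, as_of=REFERENCE_DATE):
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key == "age":
            continue  # age is handled below together with the birth year
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key.endswith("_date"):
            out[key[:-5] + "_year"] = year_of(value)
        else:
            out[key] = value
    # Ages over 89, and any birth year indicative of such an age, aggregate to "90+".
    age = record.get("age")
    if age is None and record.get("birth_date"):
        age = age_on(record["birth_date"], as_of)
    if age is not None:
        if age >= 90:
            out["age"] = "90+"
            out.pop("birth_year", None)
        else:
            out["age"] = age
    # Free text is not understood; refuse output that visibly still carries an identifier.
    leaks = find_leaks(out)
    if leaks:
        raise ValueError(f"identifiers still present: {leaks}")
    return out


if __name__ == "__main__":
    print(safe_harbor_deidentify(SAMPLE_RECORD))
```

The leak scan is a backstop, not the "no actual knowledge" determination the rule requires: free-text notes can carry a name, an unusual diagnosis, or a date written in words that no regex catches, which is why safe harbor pairs the 18-item list with human judgment and why expert determination exists for richer data sets.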
Computer Guy asks Pete to help him run the photocopy business. Guy explains the rules for HIPAA authorizations to Pete. Lois Lawyer calls Pete and asks him to come to the office. She needs help with two clients. Sister Agnes was admitted to the hospital. Her caregiver-niece tried to get records copied, but the authorization was refused. The second case is a Workers Comp claim. Lois submits a letter to clarify that Wanda's gynecology records should not be copied.
The federal rule for authorized uses and disclosures of PHI is § 164.508. States have different statutes for authorization forms and disclosures of medical information. California's law is Civil Code § 56.11. A contrary state law survives preemption if it is more stringent than HIPAA. "More stringent" means the law gives the individual greater rights of access to his or her own PHI or affords greater privacy protection.
While shopping, Waitress Wanda tells Jenna she is mad at Dr. Priscilla. Her STD diagnosis (Trichomonas) is wrong. Coincidentally, Wanda and Jenna had urine tests at the Pruitt Medical office on the same day. The specimens were probably switched, because Jenna was subsequently diagnosed with Trichomonas at a different clinic. Wanda asks Priscilla to amend her PHI. Priscilla must verify the error. The lab tech is on a month-long vacation. Wanda consults a lawyer on amending PHI. In California, patients are entitled to insert a 250-word addendum.
The rule for amending PHI is § 164.526. California's Patient Access to Health Records Act is in the Health & Safety Code. HIPAA has six basic guidelines for amending PHI. A patient can request amendment of any PHI in the designated record set (the information used to make decisions about the patient). A provider may deny a request if the record was created by someone else, if the record is not part of the designated record set or is not available for inspection, or if the record is accurate and complete. The provider may require the patient to make the request in writing.
Dennis, DDS, and his wife work together. Dennis fixed his wife's broken tooth and prescribed Percocet. The pharmacist refused to dispense narcotics for "ethical" reasons. Dennis and his wife visit Hudson. Dennis, embarrassed by newspaper stories about the office fire, worries about his reputation. He requests an accounting of PHI disclosures. Hudson says the Dental Board investigated the fire incident and requested prescription records. Hudson promises the accounting will be ready tomorrow. Do not worry, Dennis is the "best dentist in town."
Patients have a right to obtain an accounting of disclosures of their PHI. Rule § 164.528 covers the six years before the request and has nine exceptions. It does not cover TPO disclosures, disclosures to the individual, or disclosures made under an authorization. Certain public purpose disclosures (national security and correctional institutions) are not included, and limited data sets are not included. Disclosures made more than six years ago are not included. The accounting right is rarely used, but a written procedure should be part of your policies and procedures so you can respond quickly and easily if the situation arises.
Gale is pregnant. Priscilla wants to refer her to a specialist in the Big City because Gale has congenital heart disease. Gale wants to learn more about CHD risk before telling Guy she is pregnant. Priscilla asks Belle to make phone-call inquiries. Minutes later, Computer Guy comes to the office and asks if Gale is still there. Gale went back to work, says Belle. Did you hear the news? asks Guy. You mean Gale's pregnancy? says Belle. Guy is surprised and happy. Hudson overhears discussion and talks to Priscilla about minimum necessary requirements.
Minimum necessary standards are covered by two sections of the Privacy Rule. Section 164.502(b) is the general rule and § 164.514(d) explains what an entity must do in order to comply. Generally, a provider must make reasonable efforts to limit PHI uses, disclosures, and requests to the minimum necessary for the intended purpose. There are six exceptions where the minimum necessary rule does not apply: disclosures to or requests by a provider for treatment, disclosures to the individual, disclosures under an authorization, disclosures to HHS, disclosures required by law, and disclosures required for compliance with the HIPAA rules. Payment and operations disclosures remain subject to the rule.
The Pruitt office is located in an old pharmacy building. Pete is cleaning the attic and sorting artifacts and old computers. Pete is now Computer Guy's employee and Hudson's BA. Electronic recycling is a special type of PHI disposal. Pete wants NAID standards in the BA contract. He wants to donate relics to the Museum. Records of persons deceased more than 50 years are no longer PHI. Club volunteers will verify dates of death. Pete will prepare BA subcontracts for the volunteers, and he will be responsible for breach notifications.
BA contracts are organizational requirements of the Privacy Rule (§ 164.504(e)) and of the Security Rule's administrative safeguards (§ 164.308(b)) and organizational requirements (§ 164.314). A CE or BA must obtain satisfactory assurance that the other party will appropriately safeguard PHI. If the CE or BA knows of a pattern of activity or practice that constitutes a material breach or violation of the contract, it must take reasonable steps to cure the breach or end the violation. If the problem cannot be cured, the contract must be terminated if feasible.
Someone installed an outdoor hotspot allowing everyone on the Plaza to get free WiFi. The Pruitts' medical building is within range of the hotspot. Priscilla is worried about privacy in the waiting room. One patient talked about "cyber criminals." Hudson and Priscilla consult Computer Guy. Hudson wants to understand the flexibility rule. Guy explains their network and authentication system. He suggests a poster as an inexpensive way to warn patients about the open network. But it is better to establish a secure access point for their patients.
The Security Rule contains "flexibility" principles in § 164.306. CEs may use any security measures that are reasonable and appropriate for implementing the standards. The entity must consider (i) the size, complexity, and capabilities of the CE; (ii) the CE's technical infrastructure, hardware, and software security capabilities; (iii) the costs of security measures; and (iv) the probability and criticality of potential risks to e-PHI. The Privacy Rule includes a mini-security rule that requires "appropriate" administrative, technical, and physical safeguards for PHI in any form. § 164.530(c)
Hudson's granddaughter wants to use Grandpa's computer for homework. Hudson says the computer is a "work station." He enables the firewall so Greta cannot access the server. A patient brings a CD with xray films. Dr. Kramer promised to review her films right away. Belle asks Greta if she has seen Kramer. Greta offers to go to his house. Kramer answers the door, Greta gives him the box with CDs. Kramer cannot open the lock. Meanwhile, Hudson is looking for missing CDs. Belle & Hudson discuss physical safeguards. Kramer calls Belle, Are you missing something?
Physical safeguards in § 164.310 include four standards. Facility access controls protect the places where IT systems and electronic PHI are kept. Workstation use requires policies that specify what functions are performed at each workstation and how. Workstation security requires physical measures to restrict access to authorized users. Device and media controls require policies to govern the movement and disposal of e-PHI: disposal of hardware and electronic media, removal of e-PHI from media before re-use, accounting for movements of hardware and electronic media, and data backup before equipment is moved.
Priscilla and Hudson are planning a road trip to an RV park and taking the dogs. The park has free WiFi, but Hudson wants technical safeguards. He asks Computer Guy for advice. Perhaps a satellite dish? Guy recommends a VPN for secure access and a monitoring system with text alerts. Priscilla and Hudson eat dinner in the RV while the dogs play outside. The dogs pull out the power cord. The TV signal goes out. Hudson and Guy both get text message warnings about the service interruption. They laugh about the dogs.
Technical safeguards are given in § 164.312 of the Security Rule. Access control prevents unauthorized persons from viewing electronic PHI: every workforce member must have a unique user ID, and an emergency access procedure is required; automatic logoff and encryption are addressable. Encryption does not excuse a violation, but PHI encrypted to HHS guidance is "secured," so its loss does not trigger breach notification. Audit controls require mechanisms that record and examine activity in systems holding e-PHI; most applications provide audit logs for this. Integrity controls require a mechanism to confirm that e-PHI has not been altered or destroyed without authorization. Person or entity authentication means passwords, user IDs, and other factors such as fingerprints to prove identity.
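Audit controls and integrity mechanisms are usually supplied by the vendor, but a small office can check whether the audit trail it relies on is itself tamper-evident. The block below is an added example written for this page, not code from the tutorial or from any vendor the page mentions. It chains access-log entries with an HMAC so that editing, deleting, or reordering an entry breaks the chain, and keeps the current head tag apart from the log so that silently truncating the log is caught too. DEMO_KEY and SAMPLE_EVENTS are constructed for the example.

```python
"""Tamper-evident audit trail for e-PHI access events (audit controls and
integrity mechanisms, 45 CFR 164.312(b) and (c)).

Added example, not code from the tutorial. Each entry's tag is an HMAC over
the entry and the previous tag; the head tag is stored separately so a
truncated log is detected. DEMO_KEY and SAMPLE_EVENTS are constructed.
"""
import hashlib
import hmac
import json

GENESIS_TAG = "0" * 64
# Constructed key. In practice the key belongs to the security official or a
# separate log host, never to the accounts whose actions are being logged.
DEMO_KEY = b"example-only-key-keep-real-keys-off-the-logging-host"

SAMPLE_EVENTS = [  # constructed access events, not real records
    {"ts": "2015-03-01T09:12:03", "user": "belle", "action": "view", "record": "R-1001"},
    {"ts": "2015-03-01T09:14:40", "user": "kramer", "action": "view", "record": "R-1002"},
    {"ts": "2015-03-01T09:20:11", "user": "hudson", "action": "amend", "record": "R-1001"},
]


def entry_tag(key, prev_tag, entry):
    """HMAC-SHA256 over the previous tag and a canonical encoding of the entry."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + b"\n" + body, hashlib.sha256).hexdigest()


def append_entry(key, log, entry):
    """Append an entry and return the new head tag (store it outside the log)."""
    prev = log[-1]["tag"] if log else GENESIS_TAG
    log.append({"entry": entry, "tag": entry_tag(key, prev, entry)})
    return log[-1]["tag"]


def verify_log(key, log, head_tag):
    """Return (ok, index). index is the first bad entry, or len(log) when every
    entry checks out but the chain does not reach the stored head (truncation)."""
    prev = GENESIS_TAG
    for i, rec in enumerate(log):
        if not hmac.compare_digest(entry_tag(key, prev, rec["entry"]), rec["tag"]):
            return False, i
        prev = rec["tag"]
    if not hmac.compare_digest(prev, head_tag):
        return False, len(log)
    return True, len(log)


def build_sample_log(key=DEMO_KEY):
    """Chain the constructed events and return (log, head_tag)."""
    log, head = [], GENESIS_TAG
    for event in SAMPLE_EVENTS:
        head = append_entry(key, log, event)
    return log, head


if __name__ == "__main__":
    log, head = build_sample_log()
    print(verify_log(DEMO_KEY, log, head))
```

The chain only proves integrity relative to whoever holds the key: an administrator who can read the key can rewrite history and re-tag it, so the key and the stored head tag belong with the security official or on a host the logged users cannot administer. Write the head tag out at every append, or to a write-once medium on a schedule, or truncation after the last checkpoint goes unnoticed.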
Pete is frustrated because Hudson wants to offer medical credit cards (a bad idea). Pete provides a resignation letter. Hudson calls Pete at home and begs him to come back. Pete explains in detail why he was frustrated. Pete suggests Guy could be the security official to help with administrative security safeguards. Hudson calls a meeting in the conference room. Guy declines Hudson's offer and says only Hudson can weigh security risks against the cost of fixing vulnerabilities.
Administrative safeguards require the security official to conduct a risk analysis, train the workforce, manage security incidents, and update the organization's policies and procedures. Administrative safeguards are specified in § 164.308 of the Security Rule. The section provides eight administrative standards and a part on business associate contracts. The first standard, security management, requires policies and procedures to prevent, detect, contain, and correct security violations; its required implementation specifications are risk analysis, risk management, a sanction policy, and information system activity review.
Single Peak merchants are sponsoring the Bike Fiesta, a fundraiser for the hospital. Gale, a member of the fundraising committee, works for the newspaper. She signed a BA agreement to use hospital PHI. She goes to the Coffeehouse for lunch. Scarlett congratulates Gale on the newspaper story about Pete's child, a cancer patient and Fiesta contestant. Scarlett suggests emailing the pharmacist at the hospital pharmacy. Fay receives Gale's email with the hospital PHI spreadsheet. Pete walks into the pharmacy. Fay consults him about HIPAA rules and asks whether the email was a breach.
The HITECH Omnibus Rule replaced the "risk of harm" test with a more demanding definition of breach. The definition in § 164.402 presumes that an impermissible use or disclosure of PHI is a breach. First come three exceptions for trivial disclosures (unintentional access by a workforce member acting in good faith, inadvertent disclosure between persons authorized at the same entity, and disclosure where the recipient could not reasonably retain the information). If no exception applies, the breach is presumed unless a risk assessment of four factors demonstrates a low probability that the PHI has been compromised: 1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; 2) the unauthorized person who used the PHI or to whom it was disclosed; 3) whether the PHI was actually acquired or viewed; and 4) the extent to which the risk has been mitigated.
Hudson's patient was mugged and her purse was stolen. Officer Oliver takes the report. Mary calls her son Pete. He comes over and helps her review EOBs. They find an error and suspect medical identity theft. Pete calls Officer Oliver. The suspect is caught and interrogated and he admits to selling Medicare cards to Dr. Frawley. Hudson's former employee was part of the same fraud ring. Officer Oliver asks Hudson to delay breach notification per FBI request. The former employee is still missing. Oliver and Hudson discuss rules for HIPAA breach reporting.
Subpart D regulates breach notifications. The rule applies to "unsecured PHI," information that has not been rendered unusable, unreadable, or indecipherable by the methods in HHS guidance (encryption or destruction). When a breach is discovered, § 164.404(b) requires covered entities (CEs) to notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery; a BA must notify the CE in the same time frame. § 164.410 California Civ. Code § 1798.82 separately requires notification when "personal information" is breached.
© Darnall Law Office 2015