Is managing your release of information requests worth the risk?
As a practice owner or administrator, you don’t need reminding that operating a HIPAA-compliant practice is crucial, and that it is becoming more difficult as the rules and penalties grow tighter and more progressive. With “mile markers” from the HITECH Act becoming enforceable, this article was written to educate readers by outlining exactly how to determine whether breach notification is necessary and by examining a major change to the Covered Entity (CE) and Business Associate (BA) relationship. The content also provides tried-and-true best practices and ways to mitigate the risk and liability introduced by the new regulations. Much like using an accountant for your income tax filing, using a reputable BA for outsourced services may provide protection, peace of mind and potential savings.
Focusing on changes to the day-to-day office workflow.
The effects of the changes rolled out in the HITECH Act are widespread and will impact many (if not all) facets of HIPAA compliance. This article focuses narrowly on how the changes will affect the covered entity in its day-to-day office activities that involve sensitive information, as opposed to ill-intentioned or malicious breaches.
To notify or not? The tale of two Mr. Smiths.
To really understand these changes, it is easiest to think about a real-world scenario. We will look at three examples of wrongful disclosure of information, and determine if they are a breach for which you must follow the notification protocols.
Example 1: John Smith, Sr., was born in 1947 and his son, John Smith, Jr., was born in 1974. The father, Mr. Smith Sr., requested that a copy of his medical record be mailed to him. When the records arrived, they were those of his son, John Smith, Jr. He immediately called your practice because he is still in need of his information. You must then determine whether this is a breach for which notification action is required:
• Question One: Was the protected health information secure? In this situation, the answer is, “No.” By HIPAA definition, secure means encrypted or destroyed. These files were loose paper records in a mailing envelope.
• Question Two: Do any of the exclusions apply? (See Appendix A.) No, none of the exclusions apply.
• Question Three: Is there significant risk of financial, reputational, or other harm to the individual whose information was wrongfully disclosed? In this example, one would hope the answer is, “NO”! (After all, it is his son.) However, as we know, an estranged relationship or sensitive information in the file could be a problem. With verbal confirmation and a documented historical trail, you could ask Mr. Smith, Sr., to please either hand the record over to his son or destroy it appropriately. (Note – Mr. Smith Sr. may be unaware of the risk he poses to his son if he simply throws the record in the trash or, even worse, leaves it in his curbside recycling bin. It is crucial to define a script and policy for exactly what your staff should say to Mr. Smith, Sr., to ensure no further disclosure of the information.)
Therefore, it could be determined that this is not a breach and you would not be required to follow the notification protocol. However, you must document what happened and why/how you have determined it is not a breach. It would also certainly be a good PR/Customer Service move to contact Mr. Smith, Jr. and assure him of your protocols to protect his information, because it is highly likely that his father will alert him to this mistake.
Example 2: Let’s alter the above example slightly and assume that Mr. Smith, Sr., did request his information, but provided you a fax number to expedite his receipt of the records. In this scenario, the number is most likely not stored in your fax machine’s directory of frequently used numbers, so it would need to be hand-keyed. The digits were accidentally transposed, and your office receives a phone call from a local coffee house saying that they have received the information on their fax. If you can show there is no significant risk of financial, reputational, or other harm to the individual, no notification will be required.
HHS has given guidance for helping you define the term, “significant risk” (See Appendix B):
• Question One: Did the information go to another Covered Entity? In this example, the answer is “No,” because the coffee house is not a Covered Entity.
• Question Two: Were you able to take immediate steps to mitigate the harm, including return or destruction of the information AND a written confidentiality agreement? This area is ambiguous, and it would be wise to get counsel from your legal resource. If the staff member who answered the call from the coffee shop followed well-defined, documented guidelines, including securing a signature on a written confidentiality agreement, it could be determined during an audit that you proved there was no significant risk of further disclosure or ill-intended use of the information. If securing the written confidentiality agreement proves unsuccessful, wording such as “Do you agree that you will not further disclose this information and that you have no intention of using any of the information in a way that would prove harmful to the patient?” and a response from the coffee house manager such as “I agree. I’m sitting next to my shredder and the records are being shredded as we speak,” may help support your argument that this is NOT a breach and that no notification is required. Again, this is a beautiful shade of “gray area,” and professional HIPAA legal advice is always recommended. When in doubt, call it a breach and notify!
Therefore, in the above example, you would not be required to follow the notification mandates.
Example 3: Lastly, let’s tweak the above example one last time and assume that Mr. Smith, Sr., requested that his information be faxed. However, instead of a phone call from the gracious coffee house manager, your office receives a phone call, transferred into the medical records voicemail, from an individual who does not identify themselves and leaves no additional contact information. You are unable to retrieve the phone number from caller ID, etc.
You are unable to confidently ensure that the information will be disposed of properly or that there is not a significant risk as defined. In this case, you will have to endure the cumbersome burden of following your notification of breach protocol:
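The three examples above all run through the same decision steps (was the PHI secured, does an exclusion apply, is there significant risk as judged by the HHS factors), and the article stresses that whatever you decide must be documented. The following Python helper is an added example, not part of the original article or any HHS tooling: it encodes those steps as a single assessment routine that records the rationale for each step, and applies it to the three Mr. Smith scenarios. The field names, the `Incident`/`Assessment` types and the three constructed sample incidents are assumptions for illustration; the Appendix A exclusions are represented only by a yes/no flag because the article does not list them here.

```python
"""
Added example (not from the article): a breach-assessment helper that walks
the article's decision steps and keeps a written rationale for the file.
The field names and sample incidents below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Incident:
    description: str
    phi_secured: bool                # encrypted or destroyed (HIPAA definition of "secure")
    exclusion_applies: bool          # one of the Appendix A exclusions (flag only; list not on page)
    recipient_is_covered_entity: bool
    # True  = immediate return/destruction plus confidentiality agreement obtained
    # False = attempted but not obtained
    # None  = recipient unreachable / unknown (Example 3)
    mitigated_with_agreement: Optional[bool]


@dataclass
class Assessment:
    notify: bool
    rationale: List[str] = field(default_factory=list)


def assess(incident: Incident) -> Assessment:
    """Apply the three questions; default to 'breach, notify' when unsure."""
    a = Assessment(notify=False)

    # Question One: secured (encrypted/destroyed) PHI is not a reportable breach.
    if incident.phi_secured:
        a.rationale.append("Q1: PHI was secured (encrypted or destroyed); not a breach.")
        return a
    a.rationale.append("Q1: PHI was unsecured.")

    # Question Two: an applicable exclusion ends the analysis.
    if incident.exclusion_applies:
        a.rationale.append("Q2: an exclusion applies; not a breach.")
        return a
    a.rationale.append("Q2: no exclusion applies.")

    # Question Three: significant risk, judged with the two HHS factors the article lists.
    if incident.recipient_is_covered_entity:
        a.rationale.append("Q3 (HHS factor 1): recipient is a Covered Entity; no significant risk.")
        return a
    a.rationale.append("Q3 (HHS factor 1): recipient is not a Covered Entity.")

    if incident.mitigated_with_agreement:
        a.rationale.append(
            "Q3 (HHS factor 2): immediate mitigation with return/destruction and a "
            "confidentiality agreement; no significant risk shown."
        )
        return a

    # Unknown or failed mitigation: 'when in doubt, call it a breach and notify'.
    a.notify = True
    a.rationale.append(
        "Q3 (HHS factor 2): mitigation not confirmed; significant risk cannot be "
        "ruled out. Treat as a breach and follow the notification protocol."
    )
    return a


def sample_incidents() -> List[Incident]:
    """The article's three Mr. Smith scenarios, encoded as constructed sample data."""
    return [
        Incident("Example 1: son's paper record mailed to father; father agrees to hand over/destroy",
                 phi_secured=False, exclusion_applies=False,
                 recipient_is_covered_entity=False, mitigated_with_agreement=True),
        Incident("Example 2: fax misdialed to coffee house; manager signs agreement and shreds",
                 phi_secured=False, exclusion_applies=False,
                 recipient_is_covered_entity=False, mitigated_with_agreement=True),
        Incident("Example 3: fax misdialed; anonymous voicemail, recipient unreachable",
                 phi_secured=False, exclusion_applies=False,
                 recipient_is_covered_entity=False, mitigated_with_agreement=None),
    ]


def run_examples() -> List[bool]:
    """Return the notify decision for each sample incident, in order."""
    return [assess(i).notify for i in sample_incidents()]


if __name__ == "__main__":
    for inc in sample_incidents():
        result = assess(inc)
        print(inc.description)
        for line in result.rationale:
            print("  -", line)
        print("  => NOTIFY" if result.notify else "  => no notification; document the determination")
```

The point of keeping the `rationale` list rather than a bare yes/no is that the article requires you to document why an incident was judged not to be a breach; writing the assessment this way produces that record as a by-product of the decision.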