When it comes to the Health Insurance Portability and Accountability Act (HIPAA), it seems that somebody is always trying to complicate things. More and more, questions regarding HIPAA compliance relate not to complex platform, encryption, or data-storage issues, but to duties health practitioners have had since they became practitioners: the duty to protect patient confidentiality and respect privacy. There is an old saying abbreviated as "K.I.S.S.": Keep It Simple Sweetie, which just might be the answer.
Every time I think enough has been said about HIPAA, I find that the hunger for plain and simple answers to compliance questions simply does not end. I thought my clients were asking particularly obvious questions, until I realized that similar questions are being asked all over the country. I was contacted by a relatively small provider practice who asked, "Can I send our treatment notes to a physician?" After a few questions, and after determining that it was actually the referring physician who was making the request in anticipation of a follow-up visit with the patient, the answer was quick and easy. Of course a physician who is actively participating in the patient's treatment can have access to treatment notes. This is a prime example of the exceptions contained in the HIPAA regulations; this aspect of HIPAA has been in effect, modified, and updated for more than 10 years. In fact, there has never been a prohibition restraining one covered entity (CE) from conveying protected health information (PHI) to another CE on behalf of a shared patient. There are many sources of information regarding HIPAA compliance, but my preference is to go to the source: the actual regulation or official Web sites, such as http://www.hhs.gov/ocr/privacy/index.html. There you will find reliable and updated information.
What are Treatment, Payment, and Health Care Operations? The core health care activities of "Treatment," "Payment," and "Health Care Operations" are defined in the Privacy Rule at 45 CFR 164.501.
"Treatment" generally means the provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another.
"Payment" encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care.
In addition to the general definition, the Privacy Rule provides examples of common payment activities that include, but are not limited to, the following:
* determining eligibility or coverage under a plan and adjudicating claims;
* risk adjustments;
* billing and collection activities;
* reviewing health care services for medical necessity, coverage, justification of charges, and the like;
* utilization review activities; and
* disclosures to consumer reporting agencies (limited to specified identifying information about the individual, his or her payment history, and identifying information about the CE).
"Health care operations" are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment. (HHS, 2003, pp. 1-2)
Since HIPAA responsibilities come to us as building blocks, each new aspect being an addition to or modification of a law that has now been in effect for 18 years, each practitioner should have not only a basic understanding of HIPAA but an enlarging knowledge base regarding HIPAA, the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the Final Rule, as they relate to one's practice.
Under the Final Rule, there is a requirement that Notices of Privacy Practices (NPP) be updated. If you work for a large CE, like a hospital, typically this responsibility falls to someone other than you. As with everything else HIPAA, one size does not fit all. Whether you serve on a committee in a large CE or bear the burden yourself as an independent case manager, small business owner and Business Associate (BA), you should be knowledgeable regarding the contents of the NPP and able to answer questions from patients. It is simply not enough to get a form, have it signed, and file it away. The good news is that information is readily available with model NPPs and practice guidance (HealthIT, 2014).
It is important that the NPP be meaningful and that its receipt be acknowledged. In the past, it was not uncommon for a form to be given to patients in a large stack of other papers, requesting information such as medical history and insurance details, and requesting a signature on a form titled "Privacy Policies" or similar, without the patient ever being provided with the actual NPP or an opportunity to ask questions. This is not acceptable practice. Consumers are entitled to be informed fully. More recently, I am pleased to report that I have observed practitioners sitting with patients and actually reading the NPP to the patient, or at least a summary of rights and responsibilities, before accepting a signature on an acknowledgment. Not only is the latter procedure appropriate, when necessary, but it goes a long way toward enhancing the professionalism of the CE and its staff. Times are changing, and it is becoming more common for a patient, or that patient's parent or guardian, to inquire about specific policies. Those that appear most important to consumers are: Who will you tell? What will you tell, and how will you deliver the information? Specific permission to leave information on voice mail (home and/or other) and on cell phones should be clearly stated, and that information then needs to be conveyed to all staff who might have reason to contact the patient. Policies and procedures that are readily available to staff for reference and discussed in in-service educational opportunities are essential.
In the first 10 years of Compliance (2003-2013), "the compliance issues investigated most are, compiled cumulatively, in order of frequency:
1. impermissible uses and disclosures of protected health information;
2. lack of safeguards of protected health information;
3. lack of patient access to their protected health information;
4. uses or disclosures of more than the minimum necessary protected health information; and
5. lack of administrative safeguards of electronic protected health information." (OCR, 2013, p. 2)
There is no doubt that HIPAA covered entities (CE), their business associates (BA), and BA subcontractors are required to have Business Associate Agreements (BAA; HHS, 2013). Health care practitioners and other CEs have been struggling to find simple and secure ways of complying with HIPAA, HITECH, and HIPAA Final Rule mandates. Necessary communications, including the sharing of patient PHI, have carried a cloak of caution with every click. Google has taken substantial steps to assist CEs and stands ready and willing to enter into a HIPAA BAA with those who use three Google applications: Gmail, Calendar, and Drive (Ouellette, 2014). This certainly gives a viable choice to CEs and their BAs, particularly small businesses that are unable to invest in sophisticated information technology (IT) systems.
Case managers who are small business owners or sole practitioners must always be mindful of their HIPAA obligations, typically as BAs. These duties must be taken seriously and well documented. "Organizations are likely already beginning to use those [Google] services with more regularity" (Ouellette, 2014, p. 1). Under HIPAA, certain information about a person's health or health care services is classified as Protected Health Information (PHI). Google Apps customers who are subject to HIPAA and wish to use Google Apps with PHI must sign a BAA with Google. Administrators for Google Apps for Business, Education, and Government domains can request a BAA before using Google services with PHI. Google offers a BAA covering Gmail, Google Calendar, Google Drive, and Google Apps Vault services. Google Apps customers are responsible for determining whether they are subject to HIPAA requirements and whether they use or intend to use Google services in connection with PHI. "Customers who have not entered into a BAA with Google must not use Google services in connection with PHI" (Google, 2014, p. 1).
It is important to remember that these services are not automatic and require that a CE or their BA is a Google business customer. "To request a HIPAA Business Associate Agreement (BAA), you must be signed in to an Administrator account for your Google Apps for Business, Education, or Government domain. Non-Administrator Google Apps users or users of Google Apps Free Edition (sometimes referred to as "Standard Edition") cannot request a BAA from Google at this time" (Google, 2014, p. 1). For further information on eligible apps, go to https://support.google.com.
Google. (2014). HIPAA compliance with Google Apps. Retrieved from Google: https://support.google.com/a/answer/3407054?hl=en
HealthIT. (2014, March). Model notices of privacy practice. Retrieved from HealthIT.gov: http://www.healthit.gov/providers-professionals/model-notices-privacy-practices
HHS. (2003, April). Uses and disclosures for treatment, payment and healthcare operations. Retrieved from hhs.gov: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/usesanddisclo
HHS. (2013, January 25). Final rule. Retrieved from FDsys.gov: http://federalregister.gov/a/2013-01073
OCR. (2013, December 31). Enforcement highlights. Retrieved from HHS.gov: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/12312013.html
Ouellette, P. (2014, February 13). What will Google cloud BAA support mean for health developers? Retrieved from Health IT Security: http://healthitsecurity.com/2014/02/13/what-will-hipaa-baa-support-mean-fo