Tag: HIPAA
Feds Clarify HIPAA Enforcement When PHE Ends
New federal guidance clarifies that relaxed HIPAA enforcement will end at the conclusion of the COVID-19 public health emergency (PHE), while offering instruction on how physicians and others covered by HIPAA can continue to use remote communication technologies to provide audio-only telehealth services.
Back at the start of the pandemic, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) said it would not “impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”
In the new guidance, OCR reiterated that this discretion remains in effect only until the HHS secretary determines the PHE no longer exists or when it expires, whichever occurs first. Congress previously granted a five-month extension for other COVID-related waivers following the conclusion of the PHE.
OCR issued the guidance in direct response to a December 2021 presidential executive order intended to help ensure patients can continue to benefit from audio-only telemedicine and telehealth services with protection of their personal health information.
The new guidance elaborates on types of technologies, business associate agreements with vendors, and ensuring HIPAA compliance when using audio-only technologies.
The Texas Medical Association has numerous resources designed to help physicians adopt and effectively use telemedicine. Visit TMA’s telemedicine page for more information.
HIPAA: Back to the Basics with the BAA, Physician Practice, 2021.08.12
2021.01.28, COVID-19 Health Emergency Likely to Last Through 2021, Health Officials Say, TMA
Email Archiving and HIPAA Compliance
Make sure email is a part of your cybersecurity strategy.
Email archiving is an automated process for preserving and protecting all inbound and outbound email messages (as well as attachments and metadata) so they can be accessed later. In other words, email archiving is storing emails and making them searchable.
Email archiving providers take this burden off organizations by storing emails on their servers while making them accessible to designated administrators in the organization. This is different than simply creating an email data backup. Data backups do not allow searching, so if a particular email needs to be found, it might take weeks for you to find it.
Is email archiving required for HIPAA compliance?
The Patient Right to their Medical Record: Format, Fees and other Requirements. (MGMA) 1/31/2020
The below excerpt is copied from: Drew Voytal, Associate Director MGMA Government Affairs, GovChat
Following a federal court ruling, the Office for Civil Rights (OCR), the federal agency tasked with enforcing the HIPAA privacy and security rules, issued a notice modifying the agency’s policy regarding the fees practices and others are permitted to charge when a patient requests that their medical record be sent to a third party (such as a law firm). The court vacated the “third-party directive” within the individual right of access “insofar as it expands the HITECH Act’s third-party directive beyond requests for a copy of an electronic health record with respect to [protected health information] of an individual . . . in an electronic format.”
In light of this ruling and policy change, practices are no longer prohibited from setting their own fee for sending a patient’s medical record to a third party. Despite this change in policy, practices are still limited in what they can charge patients when they request a copy of their medical record for themselves and OCR has emphasized that they plan to “vigorously enforce” the patient right to access their information. To better understand practice rights and responsibilities in this area, GovChat participants are encouraged to download the updated MGMA member-benefit resource: The Patient Right to their Medical Record: Format, Fees and other Requirements.
Please feel free to reach out with any questions or comments.
——————————
Drew Voytal
Associate Director
MGMA Government Affairs
Washington, DC
——————————
The following is an excerpt from The Patient Right to their Medical Record: Format, Fees and other Requirements.
Charging patients fees for copies of PHI
Practices are permitted to impose a “reasonable, cost-based fee” for the PHI, including:
1. Labor for the actual copying of the PHI, whether in paper or electronic form (i.e., labor to scan records, prepare an e-mail, transferring PHI from one format to another, and other activities).
2. Labor to prepare an explanation or summary of the PHI, if the patient in advance both chooses to receive an explanation or summary and agrees to the fee that may be charged.
3. Supplies for creating the paper copy (e.g., paper, toner) or electronic media (e.g., CD or USB drive) if the patient requests that the electronic copy be provided on portable media.
4. Postage, when the patient requests that the copy, or the summary or explanation, be mailed.
The practice must inform the patient in advance of the approximate fee that may be charged for the copy.
NOTE: Labor for copying cannot include costs associated with reviewing the request for access or searching for and retrieving the PHI.
There are three ways a practice can calculate this reasonable, cost-based fee for the PHI maintained electronically:
• Actual costs;
• Average costs; or
• Flat fee
NOTE: Flat fees cannot exceed $6.50, inclusive of all labor, supplies, and any applicable postage.
A practice may not:
• Withhold a patient’s PHI (even if the patient has an outstanding account balance);
• Withhold the PHI and apply the fee charged to the outstanding account balance;
• Charge patients a fee to view or inspect their PHI; or
• Charge a patient who takes notes or pictures to capture PHI.
TIP: While the Privacy Rule does permit practices to charge patients a cost-based fee for a copy of their medical record, practices should consider implementing a policy of providing a no-cost option for the first request.
Sending PHI to third parties:
• A practice must transmit the PHI directly to another person or entity designated by the patient.
• The request from the patient must be in writing, signed by the patient, and clearly identify the designated person/entity and where to send the PHI. Practices must take action within 30 days.
• Practices may rely on the information provided in writing by the patient about the identity of the designated person and where to send the PHI for purposes of verification of the designated third party as an authorized recipient. However, practices must implement “reasonable safeguards” to carry out the request, such as taking reasonable steps to verify the identity of the patient making the access request and to enter the correct information into the practice’s system.
• Practices must safeguard the PHI in transit and may be liable for impermissible disclosures that occur in transit. The only exception, as noted above, arises when a patient has requested that the PHI be sent to the third party in an unsecure manner. If the patient was warned of and accepted the security risks, the practice is not responsible or liable for disclosures that occur in transit.
UPDATE AS OF JAN. 2020: Following a court ruling, the Office for Civil Rights has revised its policy regarding the fees practices can charge for patient records that are sent to third-parties. There is no longer a prohibition on practices setting their own fees for transmitting patient data to a third party. However, the fee limitations outlined in this document still apply when patients request their data for their own use.
Intersection of HIPAA with State Law
- Practices must comply with any additional requirements under state laws or regulations if they are more stringent than those outlined under the federal standards.
- For example, practices must comply with state law should it require that the patient is to be provided one free copy of their PHI. HIPAA does not override those State laws that provide individuals with greater rights of access to their PHI.
NOTE: Search and retrieval costs or other costs not permitted by the Privacy Rule may not be charged to patients, even if authorized by state law. Example: If state law limits costs to 25 cents a page and the actual cost is only four cents per page, then the practice may charge only four cents. If the cost is 30 cents per page and state law allows for 25 cents, then the practice may charge no more than 25 cents.
Fees for Copies of Medical Records, TMA office of the General Counsel
The Patient Right to their Medical Record – Format, Fees and other Requirements, MGMA 01312020
The attached is an excerpt from MGMA regarding Release of Medical Records.
HIPAA Self-Assessment Tool