HIPAA Compliance is Not A Choice

The HHS Office for Civil Rights (OCR) has sent another clear message: HIPAA compliance is not optional, no matter the size of your practice.

OCR has reached a resolution agreement with Vision Upright MRI, a small California imaging provider, after a breach of unsecured electronic protected health information (ePHI) affected 21,778 patients. The breach stemmed from an unsecured server that stored radiology images, and OCR's investigation found that the provider had never performed a risk analysis and lacked audit controls and breach notification procedures.

What happened:

  • No HIPAA risk analysis had ever been conducted
  • Breach notification was not sent within the required 60-day timeframe
  • ePHI was stored on an unprotected PACS (picture archiving and communication system) server

As a result, the provider agreed to a $5,000 settlement payment and a corrective action plan that OCR will monitor for two years. The mandatory corrective actions include:

  • A risk analysis
  • Mandatory workforce training
  • Updated policies and procedures
  • Encryption and audit protocols

Why this matters to you:

Whether you are a solo provider or part of a large health system, OCR expects every HIPAA-covered entity to:

  • Identify where ePHI resides (including imaging systems such as PACS servers)
  • Conduct a risk analysis and update it regularly
  • Encrypt ePHI in transit and at rest, or document the equivalent safeguard used in its place
  • Provide HIPAA training tailored to workforce roles
  • Maintain up-to-date breach response and notification procedures
  • Monitor audit logs and respond to anomalies


HIPAA: Back to the Basics with the BAA, Physician Practice, 2021.08.12

Document: https://community.poetllc.org/wp-content/uploads/2021/08/HIPAA-Back-to-basics-with-the-BAA-2021.08.12.pdf

HIPAA: Back to Basics with the BAA

Given the cybersecurity incidents and criminal government actions involving protected health information (PHI), now is a good time to revisit the required Business Associate Agreement (BAA).

Defined (HHS): A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.

The term covers a wide range of persons and entities, including but not limited to accountants, attorneys, private equity firms, technology companies, app developers, independent contractors, medical device companies, and pharmaceutical companies. Bottom line: if you or your company “creates, receives, maintains, or transmits” protected health information on behalf of a covered entity or another business associate, whether in electronic or paper form, a BAA is required. This is not new; the requirement existed long before the HIPAA Final Omnibus Rule was published in the Federal Register on January 25, 2013.

HIPAA compliance is not optional and, depending on the facts and circumstances, non-compliance may lead to significant civil and/or criminal liability.

HIPAA, like the Federal Anti-Kickback Statute (AKS), carries criminal penalties in addition to civil ones. As HHS states on its website, OCR handles civil enforcement, while the Department of Justice (DOJ) is responsible for criminal prosecutions.

Business Associate Agreement

The Patient Right to their Medical Record: Format, Fees and other Requirements. (MGMA) 1/31/2020

The excerpt below is copied from: Drew Voytal, Associate Director, MGMA Government Affairs, GovChat

Following a federal court ruling, the Office for Civil Rights (OCR), the federal agency tasked with enforcing the HIPAA privacy and security rules, issued a notice modifying the agency’s policy regarding the fees practices and others are permitted to charge when a patient requests that their medical record be sent to a third party (such as a law firm). The court vacated the “third-party directive” within the individual right of access “insofar as it expands the HITECH Act’s third-party directive beyond requests for a copy of an electronic health record with respect to [protected health information] of an individual . . . in an electronic format.”

In light of this ruling and policy change, practices are no longer prohibited from setting their own fee for sending a patient’s medical record to a third party. Despite this change in policy, practices are still limited in what they can charge patients when they request a copy of their medical record for themselves and OCR has emphasized that they plan to “vigorously enforce” the patient right to access their information. To better understand practice rights and responsibilities in this area, GovChat participants are encouraged to download the updated MGMA member-benefit resource: The Patient Right to their Medical Record: Format, Fees and other Requirements.

Please feel free to reach out with any questions or comments.

——————————
Drew Voytal
Associate Director
MGMA Government Affairs
Washington, DC
——————————

The following is an excerpt from The Patient Right to their Medical Record: Format, Fees and other Requirements.

Charging patients fees for copies of PHI

Practices are permitted to impose a “reasonable, cost-based fee” for the PHI, including:

1. Labor for the actual copying of the PHI, whether in paper or electronic form (i.e., labor to scan records, prepare an e-mail, transfer PHI from one format to another, and other activities).

2. Labor to prepare an explanation or summary of the PHI, if the patient in advance both chooses to receive an explanation or summary and agrees to the fee that may be charged.

3. Supplies for creating the paper copy (e.g., paper, toner) or electronic media (e.g., CD or USB drive) if the patient requests that the electronic copy be provided on portable media.

4. Postage, when the patient requests that the copy, or the summary or explanation, be mailed.

The practice must inform the patient in advance of the approximate fee that may be charged for the copy.

NOTE: Labor for copying cannot include costs associated with reviewing the request for access or searching for and retrieving the PHI.

There are three ways a practice can calculate this reasonable, cost-based fee for PHI maintained electronically:

  • Actual costs;
  • Average costs; or
  • Flat fee

NOTE: Flat fees cannot exceed $6.50, inclusive of all labor, supplies, and any applicable postage.

A practice may not:

  • Withhold a patient’s PHI (even if the patient has an outstanding account balance);
  • Withhold the PHI and apply the fee charged to the outstanding account balance;
  • Charge patients a fee to view or inspect their PHI; or
  • Charge a patient who takes notes or pictures to capture PHI.

TIP: While the Privacy Rule does permit practices to charge patients a cost-based fee for a copy of their medical record, practices should consider implementing a policy of providing a no-cost option for the first request.

Sending PHI to third parties:

  • A practice must transmit the PHI directly to another person or entity designated by the patient.
  • The request from the patient must be in writing, signed by the patient, and clearly identify the designated person/entity and where to send the PHI. Practices must take action within 30 days.
  • Practices may rely on the information provided in writing by the patient about the identity of the designated person and where to send the PHI for purposes of verifying the designated third party as an authorized recipient. However, practices must implement “reasonable safeguards” to carry out the request, such as taking reasonable steps to verify the identity of the patient making the access request and to enter the correct information into the practice’s system.
  • Practices must safeguard the PHI in transit and may be liable for impermissible disclosures that occur in transit. The only exception, as noted above, arises when a patient has requested that the PHI be sent to the third party in an unsecure manner. If the patient was warned of and accepted the security risks, the practice is not responsible or liable for disclosures that occur in transit.

UPDATE AS OF JAN. 2020: Following a court ruling, the Office for Civil Rights has revised its policy regarding the fees practices can charge for patient records that are sent to third parties. There is no longer a prohibition on practices setting their own fees for transmitting patient data to a third party. However, the fee limitations outlined in this document still apply when patients request their data for their own use.

Intersection of HIPAA with State Law

  • Practices must comply with any additional requirements under state laws or regulations if they are more stringent than those outlined under the federal standards.
  • For example, practices must comply with state law should it require that the patient be provided one free copy of their PHI. HIPAA does not override those state laws that provide individuals with greater rights of access to their PHI.

NOTE: Search and retrieval costs or other costs not permitted by the Privacy Rule may not be charged to patients, even if authorized by state law. Example: If state law limits costs to 25 cents a page and the actual cost is only four cents per page, then the practice may charge only four cents. If the cost is 30 cents per page and state law allows for 25 cents, then the practice may charge no more than 25 cents.

Fees for Copies of Medical Records, TMA Office of the General Counsel

Document: https://community.poetllc.org/wp-content/uploads/2020/01/Fees-for-Medical-Records-TMA-Office-of-the-General-Counsel-122017.pdf

The Patient Right to their Medical Record – Format, Fees and other Requirements, MGMA 01312020

The attached is an excerpt from MGMA regarding Release of Medical Records.


Document: https://community.poetllc.org/wp-content/uploads/2020/01/The-Patient-Right-to-their-Medical-Record-Format-Fees-and-other-Requirements-MGMA-01312020.docx