American Academy of Audiology Responses to Questions from HIPAA Webinar

Size: px

Start display at page:

Download "American Academy of Audiology Responses to Questions from HIPAA Webinar"

Ginger Henry
6 years ago
Views:

1 American Academy of Audiology Responses to Questions from HIPAA Webinar IMPORTANT: DISCLAIMER REGARDING THE USE OF THIS INFORMATION: THESE RESPONSES ARE NOT INTENDED AS, AND DO NOT CONSTITUTE, LEGAL OR OTHER PROFESSIONAL ADVICE. This information is distributed with the understanding that PYA is not engaged in rendering financial, legal, or other professional advice through these responses. PYA and the contributors have used their best skills to ensure that the content is accurate; however, the information contained in this manual is for informational purposes only. This document should be used only as a general reference. Do you have to have the notification in writing for the updated HIPPA? Do they sign a form or can we just note in chart we offered? Do we have to have proof that we have advised patients of the updated privacy policy? You need to notify patients that there is a material change to your NPP but there is not a requirement to give them copies, unless requested, as you did when they were new patients; however, new patients must be given the update version of the NPP Do we have to have proof that we have advised patients of the updated privacy policy? You need to notify patients that there is a material change and offer then them the option to receive a copy of the updated NPP. You do not have to give each patient a new NPP; however, you should have evidence that they were properly notified that it is available, including on your website. This is the language from the OCR website: The notice must include an effective date. See 45 CFR (b) for the specific requirements for developing the content of the notice. A covered entity is required to promptly revise and distribute its notice whenever it makes material changes to any of its privacy practices. See 45 CFR (b)(3), (c)(1)(i)(C) for health plans, and (c)(2)(iv) for covered health care providers with direct treatment relationships with individuals. Prepared for American Academy of Audiology Page 1 October 8, 2013

2 American Academy of Audiology Responses to Questions from HIPAA Webinar Providing the Notice. A covered entity must make its notice available to any person who asks for it. A covered entity must prominently post and make available its notice on any web site it maintains that provides information about its customer services or benefits. Would we have to obtain a business associate agreement with other health care providers that refer to our clinic? I am attaching a decision tree for when someone is a BA if it is related to Treatment, Payment and Operation then you should not need a BAA. I am including our decision tree that is a part of our manual. Also, the following is the link to the CMS response to who is your BA if it is related to Treatment, Payment, and Operation - "A generic newsletter to existing patients providing general information- is there a concern of those? Such as needing to be in an envelope? Can you document any monetary info in a chart note like if you quoted them a specific amount for a hearing device, or earmold etc... To my knowledge, there is no HIPAA rule related to this; however, our recommendation is not to put financial information in the clinical chart you may want to check with your malpractice carrier for additional guidance. Can you leave a phone message to a patient at a number in their file? Patients should have the option to choose their preferred way and best number for being contacted. Once they have expressed this preference, you are obligated to comply. If we are part of a buying group do we need a Business Associate agreement with each separate hearing aid company, or is an agreement with the buying group management adequate. I am not sure of the response and could not find anything specific to that; however, you may want to see if the buying group has subcontractor agreements (with BAA obligations) with the individual companies. If not, then you should pursue a BAA with each company. To send medical records, can we use fax and must it be encrypted? Prepared for American Academy of Audiology Page 2 October 8, 2013

3 American Academy of Audiology Responses to Questions from HIPAA Webinar Does remuneration include volume discount funds that a practice receives from a manufacturer over the course of a year? (see guidance on marketing and authorizations) "Or newsletters that are NOT selling anything but during the summer months recommend they consider a Drying kit... Do they need to have signed an authorization allowing that newsletter? I.e. is that considered marketing if it's part of the normal, generic newsletter to our existing patient data base (see guidance on marketing and authorizations) If we send out birthday postcards do those need to be in envelopes also? They only say happy birthday - come pick up free batteries. I don t know of a specific rule that addresses birthday post cards but I would not include any PHI, i.e. birthdate, information related to diagnosis, etc. the free batteries offer may imply a diagnosis. "Do we have to have a patient authorization for general s to patients? This is the link for an OCR FAQ related to s to patients Some additional direction from HIPAA FAQ s Does the Security Rule allow for sending electronic PHI (e-phi) in an or over the Internet? If so, what protections must be applied? Answer: The Security Rule does not expressly prohibit the use of for sending e-phi. However, the standards for access control (45 CFR (a)), integrity (45 CFR (c)(1)), and transmission security (45 CFR (e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-phi. The standard for transmission security ( (e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-phi as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-phi to be sent over an electronic open network as long as it is adequately protected. Prepared for American Academy of Audiology Page 3 October 8, 2013

4 American Academy of Audiology Responses to Questions from HIPAA Webinar If we access our software from a lap top is it considered "safe" if it is password protected or do we need additional measures to protect? I recommend that you discuss this with your internal IT or IT vendor to determine how access is acquired and the likelihood that any data could be retrieved if the laptop is stolen, lost, etc. In addition, make sure that you are following guidance on individual password protection. The following is from the CMS website re: encryption requirements. Is the use of encryption mandatory in the Security Rule? Answer: No. The final Security Rule made the use of encryption an addressable implementation specification. See 45 CFR (a)(2)(iv) and (e)(2)(ii). The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-phi. If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision What liability is there if PHI mailed through the post office, is that considered secure? If the patient has requested something be mailed to them, best practices would dictate that you confirm address, send the minimum needed and make sure that the mailing envelope is secure and preferably trackable. THE US Postal system is seen as a conduit and not a Business Associates but you should use caution with any PHI being mailed and preferably have it trackable i.e. certified, registered, etc. Can you allow children to file charts? To my knowledge these is no specification on an age limit re: HIPAA and work responsibilities but I would recommend that whoever is handling be fully trained and understand the privacy and security rules and be able to adhere to them. The entity absorbs the risk as if with any other employee working on their behalf. Prepared for American Academy of Audiology Page 4 October 8, 2013

The HIPAA Omnibus Rule

The HIPAA Omnibus Rule What You Should Know and Do as Enforcement Begins Rebecca Fayed, Associate General Counsel and Privacy Officer Eric Banks, Information Security Officer 3 Biographies Rebecca C. Fayed