HIPAA is the primary regulatory scheme governing medical practitioners as to privacy and security. But many clinicians are also impacted by rules from other federal and state acts such as FERPA, IDEA, and DOD security requirements.
What is required by HIPAA?
Healthcare providers are one of the three explicitly named “covered entities” required to comply with HIPAA, its Security and Privacy Rules, and the HITECH Act extensions. The practical impact on clinicians is in how PHI (Protected Health Information) is managed. The HIPAA Privacy Rule protects most “individually identifiable health information” held or transmitted by a covered entity or its business associates, in any form or medium, whether electronic, on paper, or oral.
HIPAA gives patients certain rights over their PHI that include:
- Right to receive a notice of privacy practices.
- Right to access and request a copy of medical records.
- Right to request amendments to medical records.
- Right to an accounting of disclosures.
Most clinicians use vendor associates to help provide services such as technical support, email, patient record management, telehealth, etc. Any vendor with access to PHI is required to sign a business associate (BA) agreement with the clinician. This is important because many vendors in the telehealth arena balk at, or attach caveats to, the BA agreements they will sign.
Why is HIPAA and other regulatory compliance important?
HIPAA compliance matters because failure to comply can bring civil and criminal penalties. The fines can be devastating. For example, sending a list of 100 patient records to the wrong vendor can potentially result in a penalty. Each patient represents a separate punishable event, so one misdirected data feed can result in 100 separate violations.
Many telehealth platforms claim they do not need to follow HIPAA because they only set up blind sessions and never see the data. If this is true, it means that the system will never integrate into a clinician’s workflow. The only safe decision for a clinician is to pick a provider that is “all in” on privacy and security and has implemented all of the regulations in detail. A vendor that won’t sign a clinician’s regular BA agreement should be viewed with suspicion. Emmdata, one of the Cogtrium parent companies, has managed HIPAA covered data for millions of patients as a business associate of healthcare payers and providers. We take privacy and security very seriously. Our data center is SOC 2 (Type II) certified as well as PCI-DSS-AOC certified.
As a healthcare provider do I have to comply with HIPAA?
HIPAA, HITECH and other federal laws and regulations were implemented to assure privacy and security of “Protected Health Information” (PHI). Generally, all health care providers, health plans, and health clearinghouses are covered. If you are providing health care to patients in any of its many specialties and practices, you are likely required to meet the regulations.
What are “Business Associates” and why are they important?
Often a provider, as a “covered entity,” engages vendor associates to assist in treatment, payment or health care operations where PHI is accessed. These other entities are business associates under the laws and regulations. A provider must have a written business associate agreement with each of its business associates. The federal government has outlined explicit provisions that must be in these agreements: https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
The HITECH Act extensions to HIPAA extend the criminal and civil penalties to business associates. A health care provider must take care in considering business associates as to how these agreements are managed and administered.
Are there exceptions for providers?
Generally, there are no exceptions to HIPAA compliance. Some narrow and specific rules are introduced by the FERPA and IDEA legislation that affect many school districts. Under IDEA, school districts are required to provide certain medical services, including speech and language, occupational therapy, etc., when certain conditions apply. Medicaid can reimburse for these services if the legislative requirements are met. These are the special education initiatives of most school districts. FERPA is a federal act that protects the privacy and security of student information and assures parental access and consent. The security and privacy considerations of these acts are very similar. Our approach is to comply with all of them and not require our clients to guess what they have to do.
How does HIPAA impact telehealth?
Telehealth is a growing healthcare service delivery option. Generally, telehealth sessions and the attendant management, from scheduling to billing, are all covered by HIPAA and the federal regulations. Often, when a telehealth provider says they are HIPAA compliant, they are really just saying they have security around the actual session, in that they don’t know who is on either end. The moment a service begins scheduling, adding information, billing, etc., a business associate agreement is required.
Without gimmicks or tricks, we provide a full business associate agreement based on the government template examples. Many clinics have invested legal resources in devising their own business associate agreements. Almost always we can sign these, as long as they meet the Health and Human Services guidelines for business associate agreements (see the HHS BA Guidance).
We have extensive experience through our parent company, Emmdata. Emmdata has assisted over 90 health plans in implementing HIPAA Privacy and Security policies and procedures. We take privacy and security very seriously. Emmdata has managed health data on over 2.5 million patients.
Getting HIPAA right is very important beyond just the best interest of patients. Breaches and failure to implement HIPAA can result in significant fines and penalties for healthcare providers.
Are there HIPAA compliance certifications?
Unfortunately, there are no such programs. Certification of health technology is regulated under the HITECH Act by the Office of the National Coordinator for Health Information Technology (ONC) in collaboration with the National Institute of Standards and Technology (NIST). The HIPAA rules do “not assume the task of certifying software and off-the-shelf products” (the Final Security Rule), nor do they set criteria for, or accredit, independent agencies that offer HIPAA certifications.
For services such as telehealth, the best approach is to understand which vendors touch PHI and make sure there is a complete BA agreement in place for all of those services. Avoid vendors that balk at signing fully compliant business associate agreements. Ask how potential vendors manage and maintain PHI. Each of them is required by the HITECH Act to have written policies and procedures describing how they implement the privacy and security regulations.