It’s been a very interesting few weeks for privacy protection under HIPAA. Just in case you haven’t had a chance to catch up on them, here’s what’s going on. The OCR has announced the protocols under which it’s going to perform audits required by HITECH.
Here’s how OCR is going to check both you and business associates for compliance with the HIPAA Privacy Rule, Security Rule and Breach Notification Rule. Here’s a summary from the Beyond Healthcare Reform blog from lawfirm Faegre Baker Daniels:
| Privacy Rule | Security Rule |
| Notices of privacy practices | Administrative Safeguards |
| Right to request privacy protection for PHI | Physical Safeguards |
| Access to PHI | Technical Safeguards |
| Administrative requirements | |
| Uses and disclosures of PHI | |
| Amendment of PHI | |
| Accountings of disclosures |
Meanwhile, there’s the matter of the temperature being turned up on your relationship with your business partners. As things stand, maintaining HIPAA-level control over information once it leaves your facility or office is hard enough. Since 2009, HITECH has required covered entities and business associates to disclose if they’d used information on patients — including for treatment, payment or operations — if the access was through an EMR.
While that’s sticky to enforce, it mostly affects providers, not the business associates in most cases. But things could get a little trickier going forward. A new proposed rule would now require a basic access report applying not just to EMRs, but also to uses and disclosures of e-PHI in a designated record set.
As the Beyond Healthcare Reform blog notes, this could mean that health plans and business associates (if they have a designated records set) would have to provide the access reports for everything, including treatment, payment and operations.
I doubt any of us are surprised to see OCR getting tougher on data sharing; in fact, I’d argue that it’s overdue. The question is whether in the mean time, the near-daily data breaches we see (stolen laptops with unencrypted data, lost data disks) still haunt us. Scary times.
There are a few realities here:
1) I think a (the) reason for the push on the BA is if you look at data breaches, most are from lost laptops, and most of those lost laptops are from a contractor, or BA. Also, a huge portion of these breaches are from contractors to hospitals, not private practice docs.
2) I’ve said it before and I’ll say it again, the breaches from lost/stolen laptops is the easiest #@%&* thing to fix, come on folks
3) Private practice physicians already feel overloaded with HIPAA, I’m guessing at this point, most will shrug their shoulders and say “sure, whatever”.
When I call for an appointment – the receptionest asks for my (in my opinion) medical history. I feel that I should only have to say “This is about my medication” and the appointment should be made. I’ve been ask for details that I do not wish to discuss with an individual that has no medical training. Am I wrong?
Ruby,
You choose what info to give them. Although, the reason their likely asking those questions is to know what kind of appointment to schedule you for. They are under the same HIPAA privacy requirements as the doctor so I wouldn’t be that concerned. Although, if you don’t feel comfortable sharing, just say so.
On our “HIPAA Hotline” which is specifically for physicians, we get an interesting number of patients with concerns very similar to your Ruby.
The other thing I’ve heard a surprising number of times is going to a new doc for an “intro” appointment, then not liking the doc and wanting all of the PHI out of that docs system…which isn’t going to happen.
As a patient you need to understand that when dealing with a doc’s office, your info should be confidential. You can “withhold” info from someone you deem not worthy at the office, but you will likely make things more complicated than they need to be.