HIPAA and Faxing: A Potentially Dangerous Combination
The Right to Privacy
In 1890, Supreme Court Justices Samuel Warren and Louis Brandeis published “The Right to Privacy” in the Harvard Law Review. They defined privacy as the “right to be left alone.” Over 100 years later the Health Insurance Portability and Accountability Act (HIPAA) established a set of standards for protection of personal health information (PHI).
The world has changed greatly in those 100 years. There was, and is, a serious need to ensure accountability and to establish a national uniform baseline for privacy and uniform standards for the transmission of health information. Today, almost everyone carries a smartphone and has a computer, laptop, and/or notebook to transmit words and images on a host of sites such as SnapChat, Twitter, Facebook, and YouTube for all to see, forever.
And, while there are many seminars and webinars regarding texting and the potential perils of using a mobile device to transmit patient information, no one is talking about faxing. The fax machine seems to be such a benign device. But it is not. Breaches are on the rise, and the Office for Civil Rights (OCR) is stepping up its audits.
Many agencies do not have adequate policies that cover the faxing process. First of all, consider whether all the faxing done in your agency is really necessary. Scanning and emailing, or use of the traditional postal service, should be considered where possible; it can be safer.
Consider setting up a “To be Faxed” sending bin close to the fax machine. This way faxing can be done when it is less busy in your agency office. This can reduce errors of transposed or incorrect digits, which occur when the sender’s mind is not fully on the task.
Policy and Procedures For Home Health Agencies
Have a policy requiring reconfirmation of all fax numbers at least every 6-12 months. Your agency should fax an “Agency Fax Number Confirmation” sheet to all offices you fax routinely and confirm their fax number. Have them confirm, sign, and date it and fax it back to your agency. Recently, an agency learned that certain fax numbers embedded in the EMR it used were outdated. Your fax sheet should have your agency name, phone number, fax number, address, and a contact person in case there is a question. It should include the legal warning as to what a person should do if the fax is sent to the wrong person or agency/company/practice. Include the person and number at your agency who should be contacted in case of a mistaken fax.
HIPAA HITECH has teeth now and the fines are significant. Your bottom line is fragile as is your agency’s reputation. Don’t jeopardize either with an inappropriately sent fax.
The HITECH Act
The Health Information Technology for Economic and Clinical Health Act (HITECH) expands upon HIPAA and holds healthcare organizations to a higher level of responsibility for breach of patient information. Under HITECH, if a breach compromises the privacy and security of the patient’s information and poses a significant risk of financial, reputational, or other harm, patient notification is required. Additionally, the Secretary of Health and Human Services and media outlets must be notified under specific circumstances.
On January 17, 2013, the Department of Health and Human Services released the HITECH Act, aka the Omnibus Rule, under HIPAA. This Omnibus Rule represents the most comprehensive set of changes to HIPAA since its origination. It is a part of the American Recovery and Reinvestment Act of 2009. The Act allocated $20 Billion to health information technology projects, expanded the reach of HIPAA by extending certain requirements to business associates, and imposed a nationwide security breach notification law.
The new rule modifies the breach notification standard and imposes new rules regarding disclosures of PHI for marketing and the sale of PHI. It enhances patients’ rights to access and control disclosure of their PHI, and it expands specific HIPAA obligations to business associates.
HITECH Breach Notification Provisions
The HITECH Act requires Covered Entities (CEs) and business associates to notify affected individuals, the Department of Health and Human Services, and depending on the breach, the media, following discovery of a breach.
HITECH replaces the original “harm standard” under HIPAA. That standard had stated a breach had occurred if PHI was compromised and had significant risk of financial, reputational, or other harm to an individual as the result of the impermissible use or disclosure of PHI. HITECH amends the breach to clarify that the disclosure of PHI is presumed to be a breach with notification necessary unless a CE can demonstrate low probability that the PHI has been “compromised.”
Four factors must be included in any risk assessment:
- the type and extent of the PHI involved
- who the unauthorized person was who committed the breach, and who received the information
- whether the PHI actually was received and viewed
- the extent to which the risk to the PHI has been mitigated
Lawyers are asking what is meant by compromised PHI.
Compliance Officers need to keep HIPAA and compliance in front of personnel. Finding ways to do that can be challenging but well worth the effort. For most organizations, some of their greatest risks are those tied to PHI.
HITECH modifies the definition of business associates to include any entity that “creates, receives, maintains, or transmits” PHI on behalf of a CE. Business associates include subcontractors and vendors of personal health records that provide services on behalf of a CE. Business associates are now held directly accountable under HIPAA. CEs had to revise their business associate agreements to comply with all applicable provisions of the HIPAA Security Rule. CEs are required to report breaches of unsecured PHI, as are business associates. CEs must hold business associates to the same stringent standards to which they themselves are held.
HIPAA HITECH makes business associates and their subcontractors directly liable for non-compliance with the Security Rule and Privacy Rule requirements. Direct Liability flows from the following violations:
- Failure to provide breach notification to the CE
- Failure to provide access to a copy of electronic PHI to either the CE, or the patient’s designee
- Failure to provide an accounting of disclosures
- Failure to comply with the Security Rule
- Impermissible disclosures of PHI
Individuals now have greater rights to obtain all of their health data, to access electronic copies, and to restrict when their information is shared and with whom. Their information must be available to them within a reasonable time; even information stored offsite must be made available within 30 days.
Build security into hardware, software, and processes to the greatest extent possible. Make security provisions operate automatically where possible. When replacing manual processes with technology, validate the process and the fact that it does not increase risk. Technology for the sake of technology needs to be monitored also. Review your processes. Educate personnel to be privacy alert.
Build a meaningful HIPAA and Compliance audit system foundation that has value for the organization. It is mandated by the OCR. Agency audits of organizations began last year. Remember, not having an audit program can be costly. The OCR state fine can go up to $1.5 million for breaches.
Susan Carmichael, Chief Compliance Officer at Select Data, Inc.
Frequently Asked Questions
When reviewing the patient authorization, be certain it includes:
- A description of the PHI to be used or disclosed. Be specific
- The persons authorized to use or disclose the PHI
- The person or agency to whom the CE may disclose the PHI
- The purpose of the disclosure use
- The patient’s right to revoke the authorization
- The consequences if the patient refuses to sign
- An expiration date of the form
- The patient’s signature and date
- A statement that PHI may be re-disclosed by a third party or business associate, subject to the same HIPAA regulations
- Clear, plain language throughout
A breach is an unauthorized acquisition, access, use, or disclosure of protected health information relating to failure to comply with organizational security or privacy policies, or violation of federal or state privacy and security regulations. Accessing information by an employee of a covered entity, in good faith, is not considered a breach.
You are a leader or have interests in home healthcare and hospice, so you are aware of the challenges and opportunities presented in this electronic age.
- Are you conducting your HIPAA Risk Analysis?
- Do you have your Disaster Preparedness and Recovery Policies and Procedures current?
- Do you have a policy regarding use of social media in the workplace?
- Are you allowing nurses to take pictures of wounds with their personal cell phones?
- Are you employing e-technology ethics?
- One way to effect change is to provide financial incentives for physicians and hospitals to create and adopt electronic health records (EHR).
- The BAA states that the Business Associate is obligated to: use/disclose PHI only as permitted or required by the agreement and by law; use appropriate safeguards to prevent use or disclosure of PHI other than as permitted by the BAA; report to the healthcare entity any use or disclosure of PHI not permitted; and require all subcontractors and agents that create, receive, use, disclose, or have access to PHI to agree, in writing, to be held to the same restrictions and conditions on use or disclosure of PHI.
- Prior to ARRA/HITECH, Business Associates were not required to meet the obligations for Administrative, Physical, and Technical safeguards, or the Procedure and Documentation Requirements.
- NOW the BAA must clearly require the BA to comply with HIPAA regulations just as the CE must.
- Breach log
- Every employee must understand they have personal responsibility for intentional breaches.
- Email with PHI is to be encrypted.
- To accomplish this goal, privacy rules have been strengthened and the requirements for breach notification and the responsibilities of business associates have been greatly increased.
- We believe in Corporate Compliance
- We have a strong HIPAA Awareness and Corporate Compliance Plan which assertively strives to protect PHI.
- We notify the Corporate Compliance Officer of suspected or actual incidents of PHI disclosure
Healthcare Providers Receive FTC Red Flag Exemption
The Red Flag Exemption protects physicians, home health and hospice agencies from misguided federal regulation and clarifies that they should no longer be classified as "creditors" for the purposes of the Red Flags Rule.
History of Health Care Red Flag Exemption
On Tuesday, December 7, the House by voice vote joined the Senate in passage of S.3987, the Red Flag Program Clarification Act of 2010. On November 30, 2010, the Senate passed this legislation by unanimous consent. On December 18, 2010, President Obama signed S. 3987, the “Red Flag Program Clarification Act of 2010” (Public Law No: 111-319), which narrows the definition of a creditor for purposes of implementing the so-called “Red Flags Rule.”
The law is important because of its potential impact on the interpretation of the Federal Trade Commission’s (FTC’s) Red Flags Rule which requires creditors to develop identity theft prevention and detection programs, and was originally scheduled to take effect on November 1, 2008. According to the FTC, physicians who do not accept payment from their patients at the time of service are creditors and must comply with the Rule by developing and implementing written identity theft prevention and detection programs in their practices. The Rule is yet another example of unnecessary intrusion into physicians’ practices which increases costs and diverts resources away from value-added services for our patients. (https://www.aapmr.org/advocacy/health-policy/federal/Pages/President-Signs-Red-Flags-Rule-Legislation.aspx)
The following information from the Library of Congress summarizes S 3987 (see http://thomas.loc.gov):
“Amends the Fair Credit Reporting Act, with respect to federal agency (red flag) guidelines regarding identity theft and the users of consumer reports, to define creditor to mean one that regularly and in the ordinary course of business: (1) obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction; (2) furnishes information to certain consumer reporting agencies in connection with a credit transaction; or (3) advances funds to or on behalf of a person, based on the person’s obligation to repay the funds or on repayment from specific property pledged by or on the person’s behalf.
“Includes in the definition any other type of creditor as the federal agency (banking agency, National Credit Union Administration, or the Federal Trade Commission) having authority over that creditor may determine appropriate, if the creditor offers or maintains accounts subject to a reasonably foreseeable risk of identity theft.
“Excludes from the definition of creditor, however, any creditor that advances funds on behalf of a person for expenses incidental to a service the creditor provides to that person.” (https://www.hipaa.com/healthcare-providers-receive-ftc-red-flags-exemption-from-congress/)
Store and Forward vs. Persistent Connection
Home health care agencies currently have two powerful methods for connecting Point of Care laptops with company EMR systems. The Store and Forward technique enables users to enter patient information into a laptop, where the data resides until it is uploaded to the company EMR at a later, more advantageous time. Typically, a server functions as an intermediate processing station to relay information from the laptop to the EMR domain. As the term implies, a Persistent Connection maintains an ongoing network link between a sending device and the provider’s EMR database. All information transmitted along this route arrives in real time, similar to instant messaging. Which method is preferable? The answer depends on an agency’s requirements and priorities. Providers would do well to consider the advantages and disadvantages of both before committing to either of these effective technologies.
Store and Forward Advantages
The Store and Forward approach offers Point of Care providers several key advantages. The most prominent is independence. Laptops used in this mode are not connected to the Internet, but instead serve as stand-alone devices for storing patient assessment data. The elimination of ‘connection dependence’ offers nurses and therapists considerable freedom and flexibility to conduct full patient assessments wherever and whenever such service is needed. Once an assessment is completed, a caregiver can upload all pertinent medical information to the company EMR at a future time in line with agency needs. Non-reliance on an Internet connection gives the Store and Forward approach particularly high value wherever online services are either compromised or completely non-existent. These areas include certain rural locations and high-density buildings, both of which may lack an Internet signal or be limited to an intermittent connection.
Freedom from Internet connectivity also eliminates the problem of session time-outs. Caregivers can devote their full attention to a thorough assessment, pausing as often as needed without fear of disrupting the process or losing information. All sessions stay intact, whether they last one hour or one day.
Store and Forward Disadvantages
If exchanging real-time information between Point of Care and a company EMR system is a priority, providers definitely require an alternative to Store and Forward. Depending on the location of an assessment, establishing an Internet connection with an EMR system could take hours, assuming a local connection is possible at all. If waiting is not an option, neither is Store and Forward. Another delay inherent to Store and Forward is related to the syncing process. Numerous caregivers have discovered that syncing the complex Point of Care data from laptop to EMR system can be both cumbersome and inconsistent at times. Furthermore, since information isn’t always in sync, some transmitted data may be ancient history by the time it reaches the agency. Again, if timeliness is crucial, it’s best to opt for an alternate method of data transmission. Since Store and Forward allows data to linger in limbo for indefinite periods, Point of Care laptops also become potential targets for privacy compromises. The longer sensitive data resides on a laptop, the greater the chance of information theft. Clearly, this heightened vulnerability could have a major impact on HIPAA compliance.
Persistent Connection Advantages
As with Store and Forward, a Persistent Connection offers agencies clear-cut advantages. Foremost among these is the method’s built-in capacity for capturing data in real time, thereby providing company EMR systems with a consistent flow of current information. The method is indispensable for agencies that rely on real-time field data.
A Persistent Connection also offers increasingly available and reliable connectivity thanks to advanced technologies such as WiMAX and 3G. Despite these advances, the required technology and installation are minimal with this method because users need nothing more than a browser to connect. For agencies intent on maximizing data security, a Persistent Connection is head and shoulders above the Store and Forward process. The reason is simple: with a Persistent Connection, data resides in the EMR system, not on the laptop. Information theft becomes virtually impossible because data is never stuck in a vulnerable location.
Persistent Connection Disadvantages
While the advantages of a Persistent Connection are a boon to health care productivity, agencies should be aware of several key drawbacks inherent to the system. First of all, availability depends on location. A Persistent Connection clearly is not a viable solution for companies operating in rural or limited-connectivity areas; a continuous, reliable connection is mandatory. An adjunct to continuous connectivity is a limitation placed on users: nurses and therapists conducting assessments simply don’t have the option of working offline. Such a restriction can hamper the efforts of professionals who might not have easy access to a network connection. Another drawback concerns one of the most important components of a Persistent Connection: browsers. In certain cases, the functionality of key assessment applications is limited by the sophistication and compatibility of browser technology. The two must support each other flawlessly. Unfortunately, such mutual support is not always the case, and when incompatibilities arise, assessment processes can be severely compromised. Perhaps the most exasperating disadvantage inherent to the Persistent Connection method is its notorious time limitation. Much to the frustration of numerous health care professionals, the duration of online assessment sessions is strictly limited.
The possibility of an ‘untimely’ timeout can put undue pressure on caregivers to wrap up an assessment before the last precious second ticks away and forces a start-over. Taking a break to resume at a later interval clearly is out of the question, since this action will gobble up valuable chunks of time. In essence, those performing an assessment are forced to remain glued to the spot until their task is completed, hopefully before the session times out.
Choosing Between Two Powerful Solutions
Health care providers determined to implement the most effective Point of Care data linking solution can choose between two outstanding possibilities. Both Store and Forward and Persistent Connection offer agencies an array of distinct benefits for efficient and reliable communication between laptop devices and EMR systems. Selecting the most appropriate method depends upon a careful evaluation of both the advantages and disadvantages of each in relation to company needs.
Why a Hybrid Model May Solve Most Challenges
Currently, some vendors may have a hybrid model that addresses most of the issues and challenges of either method. That model operates similarly to the persistent mode of communication. When connectivity to the host server is lost, it stores the information temporarily on the point of care device. This is important because, unlike most store and forward models, it submits the updated data as soon as it can make a connection. This is transparent to the user and does not require a full "synchronization". More importantly, the data is then removed from the device, eliminating any risk of information being stolen if the device is lost. When looking for a vendor, it is recommended that you ask whether they will support a hybrid model. The challenge is that most do not. It would be in your best interest to see how they address the issues that are created by the technology they are deploying.
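The hybrid model described above, as an added illustration that is not any vendor's code: a Python sketch in which the device sends directly while the EMR is reachable, holds records locally only while it is not, drains that queue as soon as the link returns, and deletes each record once the EMR acknowledges it. FakeEmr, the record ids and the visit notes are constructed stand-ins; the EMR is assumed to deduplicate on record id so a re-send after a lost acknowledgement stays harmless.

```python
from dataclasses import dataclass, field
from typing import Dict


class EmrUnavailable(Exception):
    """Raised when the host EMR cannot be reached from the visit location."""


@dataclass
class FakeEmr:
    """Constructed stand-in for the agency EMR. It deduplicates on record id,
    so a re-send after a lost acknowledgement does not create a duplicate."""
    online: bool = True
    records: Dict[str, dict] = field(default_factory=dict)

    def submit(self, record: dict) -> str:
        if not self.online:
            raise EmrUnavailable("no connection to host EMR")
        self.records.setdefault(record["id"], record)  # idempotent store
        return record["id"]                            # acknowledgement


@dataclass
class HybridPointOfCare:
    """Persistent while the EMR is reachable, store-and-forward only while it
    is not, and nothing left on the laptop once a record is acknowledged.
    A real device would keep local_queue in encrypted storage (assumption)."""
    emr: FakeEmr
    local_queue: Dict[str, dict] = field(default_factory=dict)

    def save_assessment(self, record: dict) -> str:
        """Called by the assessment screen; returns 'sent' or 'queued'."""
        try:
            self._send(record)
            return "sent"
        except EmrUnavailable:
            # Offline: hold the record on the device only until it is acked.
            self.local_queue[record["id"]] = record
            return "queued"

    def _send(self, record: dict) -> None:
        ack = self.emr.submit(record)
        if ack != record["id"]:
            raise EmrUnavailable("unexpected acknowledgement")
        # Acknowledged: remove it so no PHI lingers in limbo on the device.
        self.local_queue.pop(record["id"], None)

    def connectivity_restored(self) -> int:
        """Drain the queue in visit order, transparently to the user, without
        a full synchronization. Returns the number of records flushed and
        stops early if the link drops again mid-drain."""
        flushed = 0
        for rid in list(self.local_queue):
            try:
                self._send(self.local_queue[rid])
                flushed += 1
            except EmrUnavailable:
                break
        return flushed

    def resident_phi_count(self) -> int:
        """What a lost or stolen laptop would expose: unacknowledged records."""
        return len(self.local_queue)
```

resident_phi_count() is the number a vendor evaluation should care about: in this model it returns to zero as soon as connectivity comes back, rather than staying non-zero until the next manual sync.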