Archive for the ‘HIPAA – Health Information Privacy’ Category

Wisconsin HIPAA Resources –

Thursday, May 21st, 2020

HIPAA Privacy:

Privacy Rule (HHS)
HIPAA Privacy Rule & Public Health (CDC)

HITECH Privacy regulation


Breach Notification for Unsecured Protected Health Information – Interim Final Rule (August 24, 2009)


HITECH Act Enforcement Interim Final Rule (October 29, 2009)


Individuals’ Right under HIPAA to Access their Health Information (February 25, 2016)


Updated Joint Guidance on Application of HIPAA and FERPA to Student Health Records (December 2019 Update) –


Other Privacy Guidance Documents

Privacy and Security Standards –
Security Rule


HIPAA Administrative Simplification Statute & Rules


NIST Security Resource


HHS Office of Civil Rights Security Rule


HHS Office of Civil Rights Security Guidance Documents and Other Important Links


State Confidentiality Law Links:

Wisconsin Stat. § 51.30 – State Alcohol, Drug Abuse, Developmental Disabilities and Mental Health Act –


Wisconsin Stat. § 146.816 – Uses and Disclosures of Protected Health Information –


Wisconsin Admin. Code ch. DHS 92 – Confidentiality of treatment records –


Wisconsin Admin. Code ch. DHS 94 – Patients Rights & Resolutions of Grievances –


Medicaid

Wisconsin Stat. § 49.475 – Information about Medicaid Assistance beneficiaries –
Wisconsin Admin. Code ch. DHS 108 – General Medicaid Administration –
Provider

Wisconsin Stat. § 146.81-84 – Miscellaneous Health Provisions (health care records) –
Wisconsin Stat. § 146.816 – Uses and Disclosures of Protected Health Information –
Wisconsin Stat. § 252.15 – Communicable Diseases – Restrictions on Use of HIV Tests –


Long-Term Care (Family Care)

Wisconsin Stat. ch. 46 – Long-term Care (Confidentiality – Exchange of Information) –


Wisconsin Admin. Code ch. DHS 10 – Confidentiality and Exchange of Information (Family Care)
§ DHS 10.23(7) ADRCs
§ DHS 10.45(5)

CMOS
Other

HIPAA COW (HIPAA Collaborative of Wisconsin) –
Wisconsin Office of Privacy Protection
FTC Privacy Initiatives

Denial of Access to Deadbeat Patients

Thursday, April 23rd, 2020

By Fisher, JD, CHC, CCEP

Private Practice Revises Access Procedure to Provide Access Despite an Outstanding Balance

A complainant alleged that a private practice physician denied her access to her medical records, because the complainant had an outstanding balance for services the physician had provided. During OCR’s investigation, the physician confirmed that the complainant was not given access to her medical record because of the outstanding balance. OCR provided technical assistance to the physician, explaining that, in general, the Privacy Rule requires that a covered entity provide an individual access to their medical record within 30 days of a request, regardless of whether or not the individual has a balance due. Once the physician learned that he could not withhold access until payment was made, the physician provided the complainant a copy of her medical record.


Read more here: Health Law Blog


Complying with HIPAA and Beyond during COVID-19

Thursday, April 23rd, 2020

By John Fisher, JD, CHC, CCEP

Safeguarding Patient Health Information in an Emergency Situation

Even in an emergency situation such as that presented by the COVID-19 pandemic, covered entities must continue to meet their obligations under federal and state laws protecting the confidentiality of patient health care information, and must implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. They must continue to comply with the administrative, physical, and technical safeguards of the Security Rule and Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Covered Entities must continue to comply with HIPAA and other confidentiality laws during the COVID-19 pandemic. Certain emergency provisions may apply in applicable state and federal regulations.

The obligation to conduct periodic HIPAA security assessments continues, even during the existence of an emergency or natural disaster. The obligation to meet the requirements of state laws protecting special status health information such as mental health records and drug and alcohol rehabilitation records, also continues through a pandemic.

Each of the bodies of regulations that apply to patient health information contains certain specific provisions that can apply during a pandemic. For example, HIPAA permits disclosures to public health authorities and others

Read more here: Health Law Blog


Faxing Patient Health Information to Wrong Number – Compliance Risk Area

Thursday, April 16th, 2020

By Fisher, JD, CHC, CCEP


Physician Revises Faxing Procedures to Safeguard PHI After Faxing PHI to Employer by Mistake

A medical office recently settled with OCR after it allegedly disclosed a patient’s HIV status when the office mistakenly faxed medical records to the patient’s place of employment instead of to the patient’s new health care provider. The employee responsible for the disclosure received a written disciplinary warning, and both the employee and the physician apologized to the patient. To resolve this matter, OCR also required the practice to revise the office’s fax cover page to underscore that the communication is confidential and intended only for the named recipient. The office informed all its employees of the incident and counseled staff on proper faxing procedures.

Two things stand out about this instance. First, this was clearly a privacy violation. The patient’s protected health information, which incidentally revealed his or her HIV status, was sent to the employer. Secondly, it was evident from the facts that this was a mistake. We aren’t told exactly how this mistake was made. Was the fax number written down in the wrong box on the patient’s records? Did the employee who faxed the records put the incorrect number on the fax cover sheet? We may never know. But

Read more here: Health Law Blog


Providing Protected Health Information in Response to Subpoena

Monday, March 12th, 2018

By Fisher, JD, CHC, CCEP


OCR Citation for Improper Disclosure of PHI in Response to a Subpoena

A health care provider or other covered entity under HIPAA is permitted to disclose protected health information if it receives a lawful order from a court or administrative tribunal. This does not mean that a provider can simply release everything it has in a patient record when it receives a court order. Some records, such as mental health or substance abuse records, might have special protections or limitations that apply. Additionally, a provider should closely review the relevant order and only disclose the information that is specifically required by the order.

The ability to release information in response to a subpoena, as opposed to an order of a court, is subject to different rules. Patient information can only be provided under subpoena if certain notification requirements of the Privacy Rule are met. The notification requirements require the provider who received the subpoena to obtain evidence that there were reasonable efforts to notify the person who is the subject of the information about the request. This is intended to give the individual an opportunity to object to the disclosure, or to obtain a protective order from the court.

The application of these rules is

Read more here: Health Law Blog


Medical Alerts – HIPAA Implications of Flagging Patient Records

Wednesday, March 7th, 2018

By Fisher, JD, CHC, CCEP


Identification of AIDS Status Through Medical Alert System

Dentist Revises Process to Safeguard Medical Alert PHI

A recent OCR investigation of a dental practice’s flagging of patients’ records highlights a potential HIPAA violation. The OCR investigation confirmed allegations that the dental practice flagged some of its medical records with a red sticker with the word “AIDS” on the outside cover. Records were handled so that other patients and staff without a need to know could read the sticker. A patient complaint commenced an OCR investigation into whether the practice potentially identified the AIDS status of patients within the office.

When notified of the complaint filed with OCR, the dental practice immediately removed the red AIDS sticker from the complainant’s file. To resolve this matter, OCR also required the practice to revise its policies and operating procedures and to move medical alert stickers to the inside cover of the records. Further, the covered entity’s Privacy Officer and other representatives met with the patient and apologized, and followed the meeting with a written apology.

The lesson here is not to place special medical alerts on the outside of physical patient records. This is a particularly bad practice in a dental office where the typical office setup can

Read more here: Health Law Blog


Applying Section 1557 Discrimination Rules to Employer Sponsored Health Plans

Sunday, February 11th, 2018

By Fisher, JD, CHC, CCEP


Section 1557 Covered Entities and Employer Sponsored Health Plans

Section 1557 of the Affordable Care Act (ACA) prohibits discrimination by “covered entities” in health programs that receive federal financial assistance from the Department of Health and Human Services. Regulations were issued in 2016 that define the details of compliance with Section 1557, which prohibits discrimination based on race, color, national origin, age, disability and sex (including discrimination based on pregnancy, gender identity and sex stereotyping). The stated purpose of the rules is to expand access and eliminate barriers to the ability to obtain health care coverage.

The definition of “covered entities” to which Section 1557 applies is extremely broad. Through the broad definition, the requirements of Section 1557 apply to any health program or activity that receives federal financial assistance through the Department of Health and Human Services. This definition includes most health care providers, such as hospitals, nursing homes, and physicians who receive Medicare or Medicaid reimbursement, as well as insurance marketplaces and exchanges and participating health plans.

The Section 1557 rules extend to some (but not all) employers that are group health plan sponsors. Determining whether Section 1557 applies to a specific employer can be quite complicated and is based on several factors such as

Read more here: Health Law Blog


Medical Record Copying Charges In Wisconsin

Wednesday, May 7th, 2014

Wisconsin Law Release of Patient Medical Records

Wisconsin law requires health care organizations to provide records to patients “on request.” Records can be provided directly to the health care provider subject to payment of the statutory fees. The patient must deliver an “informed consent” to the organization consenting to release of their records.

Fees were revised as provided below:

(a) A patient’s health care records shall be provided to the patient’s health care provider upon request and, except as provided in s. 146.82 (2), with a statement of informed consent.

(b) The health care provider under par. (a) may be charged reasonable costs for the provision of the patient’s health care records.

(2) The health care provider shall provide each patient with a statement paraphrasing the provisions of this section either upon admission to an inpatient health care facility, as defined in s. 50.135 (1), or upon the first provision of services by the health care provider.

(3) The health care provider shall note the time and date of each request by a patient or person authorized by the patient to inspect the patient’s health care records, the name of the inspecting person, the time and date of inspection and identify the records released for inspection.

(3f)

(a) Except as provided in sub. (1f) or s. 51.30 or 146.82 (2), if a person requests copies of a patient’s health care records, provides informed consent, and pays the applicable fees under par. (b), the health care provider shall provide the person making the request copies of the requested records.

(b) Except as provided in sub. (1f), a health care provider may charge no more than the total of all of the following that apply for providing the copies requested under par. (a):

Revised Fees for Patient records:

Wisconsin Medical Record Maximum Fees through June 30, 2014 — (last year’s fees noted in parentheses for reference)

Paper copies

  • First 25 pages: $1.04/page ($1.02/page)
  • Pages 26-50: 77 cents/page (76 cents/page)
  • Pages 51-100: 52 cents/page (51 cents/page)
  • Pages 101 and above: 31 cents/page (30 cents/page)

Microfiche or Microfilm: $1.55/page ($1.52/page)

Print of an X-ray (per image): $10.32 ($10.15)

If the requestor is not the patient or a person authorized by the patient

  • Certification of copies: $8.26 ($8.12)
  • Retrieval fee: $20.65 ($20.30)

When Does HIPAA Override State Medical Privacy Laws

Thursday, March 14th, 2013

HIPAA Preemption of State Law

The HIPAA Privacy Rule provides a Federal floor of privacy protections for individuals’ individually identifiable health information where that information is held by a covered entity or by a business associate of the covered entity. State laws that are contrary to the Privacy Rule are preempted by the Federal requirements, unless a specific exception applies. These exceptions include if the State law:

  • relates to the privacy of individually identifiable health information and provides greater privacy protections or privacy rights with respect to such information
  • provides for the reporting of disease or injury, child abuse, birth, or death, or for public health surveillance, investigation, or intervention, or
  • requires certain health plan reporting, such as for management or financial audits. In these circumstances, a covered entity is not required to comply with a contrary provision of the Privacy Rule.

Additional exceptions from the Federal preemption rules for State law can be created by formal request from the State if certain requirements are met. The Department of Health and Human Services (HHS) may, following a request from a State, determine that a provision of State law which is “contrary” to the Federal requirements – as defined by the HIPAA Administrative Simplification Rules – and which meets certain additional criteria, will not be preempted by the Federal requirements. The Secretary of HHS must determine that one of the following criteria applies before granting an exception from the HIPAA preemption rules. These criteria require a showing that the state law at issue:

  1. is necessary to prevent fraud and abuse related to the provision of or payment for health care,
  2. is necessary to ensure appropriate State regulation of insurance and health plans to the extent expressly authorized by statute or regulation,
  3. is necessary for State reporting on health care delivery or costs,
  4. is necessary for purposes of serving a compelling public health, safety, or welfare need, and, if a Privacy Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or
  5. has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances (as defined in 21 U.S.C. 802), or of any substance that is deemed a controlled substance by State law.

Only State laws that are “contrary” to the Federal requirements are eligible for an exemption determination. In order to be considered “contrary,” it must be impossible for a covered entity to comply with both the State and Federal requirements, or the provision of State law must be an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA.