Friday the 13th HIPAA-Stitions: Demystifying the Myths

Friday the 13^th comes around on average 2-3 times per year.  In 2015, Friday the 13^th will visit us 3 different times.  Friday the 13^th is thought to be one of the most unlucky days of the year – plaguing us with many different superstitions that cause fear among people.  From the masked Jason chasing people down an empty, dark street to the crazy doll, Chucky, that comes to life and attacks, the dread of the 13th of the month has created angst and fear to society! 

Just like all the superstitions and fears we face on Friday the 13th, HIPAA is full off different myths and fears created among the healthcare community.  Healthcare organizations fear HIPAA as it is going to cause issues and destruction among their organization.  Different interpretations and analysis of the HIPAA requirements has created confusions and fears among the healthcare community. 

In honor of Friday the 13^th – Lets Demystify 13 of Today’s HIPAA-Stitions

1. HIPAA prohibits me from taking care of patients and releasing information for continuity of care.

HIPAA allows the sharing of patient information for the purpose of treatment, payment, and healthcare operations (TPO).  If a provider needs to release patient information to help in the continuity of care, that is an acceptable disclosure under the HIPAA regulations.  It is smart to check with state requirements on the protection of patient information as some states do requirement a signed authorization for any use or disclosure of patient information. 

2. The HIPAA Security Risk Analysis only needs to be completed one time.

The HIPAA regulations actually do not define what the frequency of the HIPAA risk analysis needs to be.  Built to be scalable, the HIPAA security rule allows the covered entity or business associate to define the frequency; however, do it one time and never again is not an acceptable practice and leaves the organization vulnerable to non-compliance and risks to PHI.

3. Texting is considered a way of communicating about patients and has no concerns with HIPAA compliance.

Normal SMS texting is not a secure means of communications with protected health information.  In fact, texting using normal SMS format is quite risky to the healthcare organization.  If a healthcare organization is going to allow texting as a means of communications regarding patients (think about this before saying yes), a secure solution for texting should be implemented as well as a policy and procedure for effective management of texting with patient information.  Think about not only how to manage the data as it is in transmission from device to device, but also how you will manage the devices and the information that may be stored on the device.  

4. HIPAA prohibits me from sending patient reminders about appointments and leaving messages on phones.

The HIPAA privacy rule allow for all providers to communicate with their patients regarding their health care, which includes reminders about appointments. This includes communicating with patients at their homes, whether through the mail or by phone. The HIPAA regulations do not prohibit a provider from leaving messages for patients on their voicemail; however, it does require that the covered entity provides adequate safeguards to the privacy of a patient, which may include getting agreement from the patient to leave a voicemail at a specific number or send information regarding care to a specific address. 

5. Since the EHR we use is a cloud based EHR, I don’t have to worry about having a written contingency plan in place.

Using a cloud based, EHR may eliminate an organization’s need to manage the backup process for the EHR system; however, it doesn’t completely eliminate the need to create and implement a contingency plan.  The contingency plan is intended to cover so much more than how the information is backed up, such as how the organization will work in emergency mode, what systems are most vital to the day to day operations or the organization, and how recovery of data will occur.  Another aspect to think about is the EHR may only be one of the systems that stores and maintains patient information.  If you have other systems or are storing information regarding patients in other electronic locations, it is important to have a plan in place on how that information is being backed up and restored in the case of an emergency. 

6. As long as we have passwords in place to get into our systems with patient information, the information is considered secure.

A common misunderstanding of the application of passwords is that they make a system secure when implemented – but they don’t.  Passwords do provide an appropriate safeguard and a layer of security to patient information; however, the protection is only as good as the password.  To help better manage the use of passwords, strong passwords should be implemented on any systems that provide access to patient information.  Strong passwords should be a minimum of 8 characters in length and use uppercase letter, lowercase letters, numbers and systems – 3 of the 4 is the minimum recommendation.  Remember that the only true way to make information secure is to encryption the information or destroy the information using appropriate means.

7. My business associate states they are HIPAA compliant so there is no need to worry about the protection of the information shared with them.

No organization is out there certifying healthcare organizations as “HIPAA Compliant.”  Any third party organization that is stating that they are HIPAA complaint most likely means that they have created an internal program to meet the requirements of the HIPAA regulations as they apply to business associates.  It is best practices that covered entities as business associates about the safeguards used to protect the information they are sharing and what makes them “HIPAA Compliant.”

8. I don’t have an electronic health record; therefore, the HIPAA security rule doesn’t apply to me.

HIPAA doesn’t distinguish between systems where information is stored on where the security rule applies and doesn’t apply.  Rather HIPAA focuses on the media type of the information – electronic, paper, and oral.  The security rule applies specifically to all electronic protected health information, which is PHI that is created, received, maintained or transmitted in electronic form.  An electronic health record is only one source of electronic protected health information. 

9. Meaningful use changed requirements for the HIPAA risk analysis.

The meaningful use requirements didn’t actually change any of the requirements that HIPAA mandates – it actually points directly to the HIPAA requirements for the conducting of the HIPAA risk analysis for protecting patient information.  The only ‘change’ is that if you are participating in the meaningful use program, a HIPAA risk analysis must be conducted or updated for each year that you attest for meaningful use.

10. Every unauthorized use and disclosure of patient information is considered a data breach.

In order to determine if a breach occurred from an unauthorized use or disclosure of information, an investigation must be completed by the covered entity or business associate to determine the risk to the patient information.  Per the Omnibus Rule of 2013, an unauthorized use or disclosure of health information is not considered a breach if there is low probability that the information has been compromised. 

11. Since the patient won’t sign my Notice of Privacy Practices, I am not allowed to treat that patient.

A patient refusing to sign the notice of privacy practice acknowledgement doesn’t prohibit the provider to take care of the patient.  The regulations state that the covered entity should make reasonable effort to get an acknowledgement of the notice of privacy practices signed.  By signing the acknowledgement, the patient is only documenting that they have been given or offered a copy of the notice of privacy practice, which explains how the organization will use and safeguard their protected health information. 

12. The HIPAA regulations prohibit Provider/Patient e-mail communication

The HIPAA regulations do not prohibit provider from communicating with patients through e-mail.  The regulations actually state that if the provider is going to communicate with patients through e-mail, proper safeguards should be implemented to protect the information.  Additionally, the Omnibus Rule states that e-mail can be sent to a patient without encryption as long as the patient agrees to it and is aware of the risks to the information. 

13. Since I fully implemented a HIPAA compliance program, data breaches will not occur at my organization.

Just because an organization implements a full HIPAA compliance program and addresses all areas of potential risk to their organization, there is no guarantee that a data breach is not going to occur.  With the sophistication of recent data attacks and human interaction, there is always going to be a risk that a data breach can occur.  The best scenario is having a fully implemented HIPAA compliance program and assure adequate training to workforce members.  Reducing and managing potential risks is the best avenue to take – no organization is without some risk.  

When evaluating HIPPA and operationalizing it to ‘fit’ a specific organization, HIPAA doesn’t have to be feared!  Overcome the common HIPAA-Stitions and being successful with HIPAA compliance can be a goal reached by all organizations – large and small.  Don’t fear HIPAA as we fear Friday the 13th, instead take it on full speed and don’t look back until you met the appropriate level of compliance.

Danika