With the promulgation of the HITECH Act, meaningful use, breach notification, and increased HIPAA violation fines, it appears that the HIPAA Security Rule ("SR") has taken all of the oxygen out of the room, and rightfully so. The SR had largely been neglected for all of those years that the healthcare industry remained on paper. After HITECH and the mass movement to EHRs, it could no longer be ignored. All of a sudden Risk Assessments, encryption, and a host of other SR topics dominated the conversation. In the "rush" to comply with the SR, many organizations have neglected the Privacy Rule ("PR") because, after all, most of these organizations felt (or had been told by their compliance officers) that they had long since achieved full compliance with the PR. It was the SR that required all their attention. This article explores various components of the PR and why organizations, despite their protestations to the contrary, are not even close to full compliance with the PR.
We like to break down the PR into three major sections: (1) Uses & Disclosures ("U&D"); (2) Patients' Bill of Rights ("PBR"); and (3) Administrative requirements. The U&D encompasses Sections 164.502 (the "General Rules") through 164.514. The General Rules are key to unlocking the meaning and purpose of the PR and can be summarized as follows:
§ 164.502 Uses and disclosures of protected health information: general rules
    (1) Permitted uses & disclosures
    (2) Required disclosures
(b) Standard: minimum necessary
    (1) Minimum necessary applies
    (2) Minimum necessary does not apply
(c) Standard: uses and disclosures of protected health information subject to an agreed upon restriction
(d) Standard: uses and disclosures of de-identified protected health information
    (1) Uses and disclosures to create de-identified information
    (2) Uses and disclosures of de-identified information
(e) (1) Standard: disclosures to business associates
    (2) Implementation specification: documentation
(f) Standard: deceased individuals
(g) (1) Standard: personal representatives
    (2) Implementation specification: adults and emancipated minors
    (3) Implementation specification: unemancipated minors
    (4) Implementation specification: deceased individuals
    (5) Implementation specification: abuse, neglect, endangerment situations
(h) Standard: confidential communications
(i) Standard: uses and disclosures consistent with notice
(j) Standard: disclosures by whistleblowers and workforce member crime victims
    (1) Disclosures by whistleblowers
    (2) Disclosures by workforce members who are victims of a crime
The General Rules "swallow" all of the other rules up to and including Section 164.514. They are the starting point for determining whether or not the PR has been violated. Recall that the PR concerns itself with permissible (or impermissible, depending on your perspective) uses and disclosures of protected health information ("PHI"). An organization has many reasons for developing and mastering a methodology for determining whether or not the PR has been violated. For example, if you want to sanction an employee for a PR violation, then you had better have a consistent methodology that you apply to all employees, or you will likely be facing a discrimination lawsuit. In addition, before you can determine whether or not a Breach has occurred, you need to determine whether or not the PR has been violated. If the PR has NOT been violated, then there is no Breach by definition. Just to refresh your memory, although we are quite certain that most of you have this memorized by now, there is a three-step process/framework used to determine whether or not a Breach has occurred:
- Was there an impermissible use or disclosure of unsecured PHI?
- Does an exception to the breach rule apply?
- Is there a low probability that the protected health information was compromised?
Step 1 (in part) asks the question: "Has the PR been violated?" If the answer to this question is NO, then there is no need to continue further with the analysis: there has not been a Breach (see our Breach Notification Framework for more information). We are willing to bet "dollars to donuts" that most covered entities do not have a rigorous (or any) methodology for determining when the PR has been violated.
However, lack of a methodology for determining when a PR violation has occurred is the proverbial "tip of the iceberg" vis-a-vis PR compliance (or lack thereof). The biggest part of the rule where covered entities and business associates, both large and small, fall short is in what we call the Patients' Bill of Rights ("PBR"). The PBR encompasses sections 164.520 through 164.528. Section 164.520 is the "Notice of Privacy Practices" ("NOPP"), and one would think that surely all covered entities comply with this section, but not so. Often (quite often) the world changes and organizations fail to keep pace.
Now we all get sick of filling out those HIPAA forms each time we visit a new doctor, BUT we do it anyway because we don't know that we can actually refuse to sign, but I digress. The point is that many, many covered entities are now launching "patient portals" on the Internet to engage more with their patients and, often, to capture the attention of new patients. What most covered entities do not realize is that the NOPP must be presented to a patient electronically if the encounter on your portal constitutes their first visit.
Well, you may be thinking, not having an electronic NOPP is no big deal; a covered entity will probably get just a "slap on the wrist" should it be audited, and I would tend to agree. BUT that's not at the heart of the PR non-compliance that this article wants to illustrate. What is at the heart is the rest of the PBR (i.e. sections § 164.522 through § 164.528). These are the sections of the PBR that we like to say provide "due process" rights to a patient. For example, if a patient requests restrictions as to how the covered entity communicates with the patient regarding his or her PHI, then all "reasonable requests" must be honored. Further, if a patient asks for a copy of his or her PHI, then the request must be granted within thirty (30) days, or a written exception process must be invoked. The same holds true if a patient wants to amend his or her PHI.
The bottom line is that most covered entities treat the PBR in a haphazard, ad hoc way because historically the PBR has NOT been heavily utilized. That trend is changing as we speak, and you can bet that when the tech-savvy baby boomers retire, covered entities may see an avalanche of PBR requests. Covered entities are woefully unprepared for this challenge. The majority lack vetted processes for dealing with PBR requests, and we would venture to say that very little training has been provided to staff on the PBR. A few years back Cignet Health got fined $4.3 million for (in part) refusing to provide patients their requested PHI.
The moral of the story is that there is much more to the PR than meets the eye. Covered entities are well advised to revisit and/or develop their PBR processes in a manner that will help them respond to increased demand. Remember, ANY complaint to HHS that shows "willful neglect" on its face (e.g. failing to provide PHI in a timely manner) mandates an audit. If this happens, then it is almost certain to ruin your day. Willful neglect fines (uncured) start at $50,000 per violation. These can add up really fast. It's time to go back and revisit your PR initiative.