The document summarizes common myths about HIPAA regulations. It discusses 20 myths across several categories, including general myths, business associate myths, and health IT myths. Each myth is stated and then explained to clarify the true requirements of HIPAA. The document aims to debunk misconceptions about what HIPAA does and does not regulate regarding the privacy and security of protected health information.
1. • September 23 - Omnibus Celebration
• October 21 - Top 5 Compliance tools
• November 13 - Human Resources issues for today's medical practitioner
855.85HIPAA
www.compliancygroup.com
Industry leading Education
Certified Partner Program
For Today
• Please ask questions
• Today's Slides: http://compliancy-group.com/slides023/
• Upcoming & Past webinars: http://compliancy-group.com/webinar/
Get Involved
#cgwebinar
2. HIPAA MYTHS: HOW MUCH DO YOU KNOW?
COMMON MYTHS DEBUNKED & EXPLAINED
Matthew Fisher, Esq.
Mirick O’Connell DeMallie & Lougee, LLP
3. WHAT IS HIPAA?
§ Need brief introduction first
§ May begin to answer myths, but always useful to have basic background
4. HIPAA: OVERVIEW
§ Many implications, but most important are regulating privacy and security of protected health information (PHI)
• Privacy – addresses use and disclosure
• Security – addresses storage and transmission
§ Consider statute and implementing regulations
• 1996 - Originally enacted
• 2009 - Significantly modified by HITECH
• 2013 - Final Rule implementing HITECH published
5. HIPAA: WHO IS SUBJECT?
§ Covered Entities
• Health Care Providers (meeting certain conditions)
• Health Insurers
• Health Care Clearinghouses
§ Business Associates
• Any entity that assists with or performs functions for a covered entity for any activity regulated by HIPAA
• Very broad (e.g. law firms)
§ Subcontractors of Business Associates
6. HIPAA: WHAT DOES IT COVER?
§ “Protected Health Information” or “PHI”
§ Term of art defined by statute and regulations
§ If not PHI, then not covered by HIPAA
7. HIPAA: PRIVACY RULE
§ General Purpose – regulates “use” and “disclosure” of PHI by “covered entities” and “business associates”
• Allows for certain, limited uses and disclosures without requiring authorization
• Others require notice to and/or authorization from the patient
§ Imposes numerous compliance requirements on entities (e.g. tracking, reporting, training)
8. HIPAA: SECURITY RULE
§ General purpose – creates standard security measures for the protection of PHI that is created, received, used or maintained by covered entity
§ Includes various technical requirements and specifications
9. HIPAA: BREACH NOTIFICATION RULE
§ General purpose - requires notification if a “breach” of PHI occurs
• Applies to a breach by any entity handling PHI
• Final rule claimed to create an objective standard, but still has subjective elements
• Presumption of a breach; breaching entity must prove why notification is not needed
§ Increasing exposure to enforcement actions by Office for Civil Rights (OCR)
12. MYTH #1
§ Healthcare providers are prevented from sharing protected health information with a patient’s family members and caregivers.
13. MYTH #1 EXPLAINED
§ FICTION
§ Providers are permitted to share information with family members and caregivers in certain circumstances
§ Patient can impact through specific authorization or denial
14. MYTH #2
§ Only a patient or the patient’s personal representative may obtain a copy of that patient’s medical record.
15. MYTH #2 EXPLAINED
§ FICTION
§ Many permissible uses and disclosures
§ Do not always need permission
16. MYTH #3
§ HIPAA prevents providers and patients from communicating by email.
17. MYTH #3 EXPLAINED
§ FICTION
§ Any information may be sent by email
§ May need to implement certain protections
§ Providers should send as instructed by patient
18. MYTH #4
§ Providers are obligated to provide a patient their entire medical record upon request.
19. MYTH #4 EXPLAINED
§ FICTION
§ Certain parts of a record may be exempt from disclosure – often mental health information
§ State law may influence – must be reviewed in addition to HIPAA
20. MYTH #5
§ HIPAA protects all protected health information no matter who is in possession of it.
21. MYTH #5 EXPLAINED
§ FICTION
§ Only “covered entities” and their “business associates” must comply with HIPAA
§ Context in which protected health information is held is important for determining obligations
22. MYTH #6
§ HIPAA obligates providers to correct any errors that may be in an individual’s medical record.
23. MYTH #6 EXPLAINED
§ FICTION
§ Individuals have the right to request amendments
§ Request does not guarantee change will be made
24. MYTH #7
§ Your medical records will not impact your credit score or credit generally.
25. MYTH #7 EXPLAINED
§ Partial FACT
§ The record itself does not impact an individual’s credit
§ However, failure to pay for medical treatments can be reported to credit agencies
26. MYTH #8
§ Protected health information cannot be sold or used for marketing.
27. MYTH #8 EXPLAINED
§ Partially FACT
§ HIPAA limits when protected health information can be used for marketing purposes without authorization
§ However, de-identified data is not subject to restrictions
§ Certain, limited marketing also allowed as of right
28. MYTH #9
§ HIPAA requires patients to consent to the sharing of protected health information by providers.
29. MYTH #9 EXPLAINED
§ FICTION
§ Uses and disclosures for “treatment” purposes are allowed without requiring an individual’s consent
§ Transfers between providers occur without patient involvement
30. MYTH #10
§ HIPAA prevents an individual’s family member from picking up the patient’s prescriptions.
31. MYTH #10 EXPLAINED
§ FICTION
§ A family member can pick up prescriptions, medical supplies, x-rays and other similar forms of protected health information
§ Allowed if provider determines it is in patient’s best interests
32. MYTH #11
§ Patients can sue providers for HIPAA violations.
33. MYTH #11 EXPLAINED
§ FICTION
§ There is no private right of action under HIPAA
§ Only the federal or state government can sue to enforce HIPAA
35. MYTH #12
§ A healthcare provider or covered entity can never be a business associate to another covered entity.
36. MYTH #12 EXPLAINED
§ FICTION
§ Need to evaluate what function is being performed
§ For healthcare services, exempted
§ If performing billing, data analysis, data storage or other functions, can be a business associate
§ Review definition
37. MYTH #13
§ A cloud data storage company is not a business associate because all the company does is store my information.
38. MYTH #13 EXPLAINED
§ FICTION
§ The Omnibus Rule changed the rules and expanded who is a business associate
§ Entities that maintain protected information are business associates
§ Determination is not about access
§ Only “conduits” outside requirements
39. MYTH #14
§ I’ve been using a new business associate agreement for all arrangements since September 23, 2013, so I’m all set and do not need to review any previously existing agreements.
40. MYTH #14 EXPLAINED
§ FICTION
§ Primary compliance date was September 23, 2013
§ BUT, then-current agreements need to be replaced by September 22, 2014
§ Review now to ensure all business associate agreements conform to new requirements
41. MYTH #15
§ A covered entity must get every business associate to sign a business associate agreement.
42. MYTH #15 EXPLAINED
§ FACT, but . . .
§ Regulations require covered entity to have business associate sign
§ What if business associate refuses?
§ Arguably can make reasonable efforts
§ Business associate’s status not driven by agreement, but regulatory definition
43. MYTH #16
§ Now that business associates may be directly liable for breaches, covered entities are off the hook.
44. MYTH #16 EXPLAINED
§ FICTION
§ Even if a business associate is the cause of a breach, a covered entity’s patients are still harmed
§ Covered entities also have obligations to review and oversee actions of business associates
46. MYTH #17
§ HIPAA will control and regulate all mobile health apps.
47. MYTH #17 EXPLAINED
§ FICTION
§ Never forget, context determines when HIPAA applies
§ How will a mobile health app be used?
§ Who is collecting the data and why?
48. MYTH #18
§ A covered entity has a bring-your-own-device policy in place, so all concerns have been addressed.
49. MYTH #18 EXPLAINED
§ FICTION
§ When was the BYOD policy prepared and what is in it?
§ Have all circumstances been addressed?
§ Pay attention to New York and Presbyterian Hospital and Columbia University settlement
50. MYTH #19
§ Small practices are less complex than larger organizations and do not have the same security concerns, so a risk analysis is not necessary.
51. MYTH #19 EXPLAINED
§ FICTION
§ Conducting a risk analysis is a required element under the Security Rule
§ No exceptions
§ Necessary to help with development and implementation of security policies
§ Once is not enough either
53. MYTH #20
§ HIPAA can be used as an excuse to deny access to information or otherwise restrict what individuals may do.
54. MYTH #20 EXPLAINED
§ FICTION
§ Oftentimes, HIPAA is improperly cited as a reason to deny a request
§ Examples:
• Parents cannot accompany their children
• Visitors must leave a hospital room after a certain time
• Offices cannot announce patient names in the waiting room
56. The Guard:
• Intelligent web-based solution designed by auditors.
• Used by over 1,000 Covered Entities and Business Associates
• Quickly and cost-effectively Achieve, Illustrate and Maintain HIPAA, HITECH, and Omnibus Compliance.
• HIPAA Audit Guarantee
Features
• Training, Policy & Procedure Templates Included
• Business Associate Management
• Document & Version Control
• Training & Attestations Tracking
• HIPAA Coaches to Assist every step of the way
www.compliancy-group.com
855.85HIPAA (855.854.4722)
HIPAA Education Series sponsored by:
57. CONTACT INFORMATION
Matthew Fisher
Mirick O’Connell
100 Front Street
Worcester, MA 01608
(508) 791-8500
mfisher@mirickoconnell.com
@matt_r_fisher