EXECUTIVE SUMMARY

Misconceptions about the Health Insurance Portability and Accountability Act (HIPAA) continue despite years of education. Some wrong interpretations can jeopardize patient safety.

  • Not every improper disclosure of protected health information qualifies as a breach.
  • A patient’s written statement to release data must meet certain requirements.
  • HIPAA does not require retaining records for six years.

Despite years of educational efforts about Health Insurance Portability and Accountability Act (HIPAA) compliance, healthcare employees can labor under many misconceptions about what the privacy rule requires and what is and is not allowed. In addition to making daily work more difficult, these misconceptions can threaten patient safety and quality of care.

The scope of HIPAA is the root of many misconceptions, says Stephanie Winer Schreiber, JD, shareholder with Buchanan Ingersoll & Rooney in Pittsburgh.

“The No. 1 misconception is that all healthcare information held by anyone is protected by HIPAA. I often hear people say they know something about someone’s health but they can’t disclose it because it is covered by HIPAA,” she says. “HIPAA only covers certain information held by a covered entity or a business associate, with some information excluded. Other than that, you may be subject to some state laws and restrictions as an employer, but HIPAA is not always applicable.”

COVID-19 has raised more questions about how HIPAA applies to the use of protected health information (PHI) in telemedicine and the transmission of data through texts and other electronic communications, Schreiber notes. Although some rules were relaxed to help healthcare organizations cope with the pandemic, Schreiber says staff should understand it is not a permanent change to HIPAA.

“As providers begin to go back to whatever normal is, they need to be sure their ducks are in a row regarding things they were permitted to slip a little bit during the pandemic,” she says.

Not Every Disclosure Is a Breach

Johnathan A. Rhodes, JD, counsel with Fennemore Craig in Denver, offers this list of common HIPAA misconceptions:

  • A breach occurs any time PHI is improperly used or disclosed. Not all improper uses or disclosures of PHI constitute a breach, Rhodes says. The term “breach” is defined by regulation and requires a full risk analysis, including the extent risk was mitigated, and whether the PHI was actually viewed. The definition also includes some situations that would not be considered a breach. If an improper use or disclosure is a breach, that will trigger certain reporting and notice obligations. However, that analysis should be completed before making that determination, Rhodes says.
  • Release of PHI is required any time an entity is subpoenaed. You are not required to release PHI every time you receive a subpoena, Rhodes says. HIPAA permits, not mandates, that PHI is released after receiving a subpoena. However, that subpoena must meet specific requirements to comply with HIPAA before any PHI is released.
  • A written statement from the patient is sufficient to release PHI under HIPAA. A written patient statement authorizing the release of PHI is not the same as a valid authorization under HIPAA, Rhodes says. A valid patient authorization under HIPAA must contain certain elements, such as a description of the PHI, and the purpose of the release. Any authorization should follow the regulatory requirements under HIPAA before PHI is released. A simple, signed statement from the patient generally is insufficient, he says.
  • HIPAA is the only law that governs medical records. HIPAA generally pre-empts state law regarding privacy and security of PHI, unless the state law is more stringent than what HIPAA requires, Rhodes explains. While HIPAA will be the governing law most of the time, it is important to check state privacy rules as well.
  • HIPAA requires covered entities to retain medical records for at least six years. HIPAA does not specify a record retention requirement. Retention requirements for medical records are governed by state law, Rhodes says. Rather, HIPAA requires that all HIPAA documents be maintained for six years from when the document was created (or, in the case of a HIPAA policy, six years from when the policy was in effect). These documents include policies, authorizations, complaints, business associate agreements, and risk assessments.

Employee Health Records Are Different

One of the most common misconceptions about HIPAA is that it applies to employee health records, says Erin S. Whaley, JD, partner with Troutman Pepper in Richmond, VA. For a healthcare provider, it is easy to say all records relating to the health of an individual are governed by HIPAA, she says. However, if those records are held by the employer in its capacity as an employer — and not its capacity as a healthcare provider — the records are protected under employment-related laws, but not HIPAA.

For instance, if an employee submits health information to the employer to support a Family and Medical Leave Act claim, that information is not protected by HIPAA.

“Another common misconception is that if a provider is using a hosted EMR [electronic medical record], the EMR vendor will be responsible for all aspects of HIPAA security. This is incorrect for a couple of reasons,” Whaley explains. “First, even though the EMR is hosted, the healthcare provider must still conduct a risk assessment. While the provider can rely on information from the vendor in that risk assessment, the provider must undertake the required analysis. Second, there are likely machines and equipment outside of the EMR that store PHI and are not managed by the EMR vendor.”

For instance, copy machines are likely to store PHI and must be scrubbed before they are sold or returned to the vendor. These additional sources of electronic PHI must be counted for the risk assessment so the provider can apply proper safeguards and mitigation measures. These misconceptions can hinder patient care and interfere with healthcare operations, Whaley says.

One misconception that hinders patient care is that a patient must sign a specific form to release his or her record to another provider for treatment, Whaley says. An authorization is not required to disclose PHI for treatment.

“Sometimes, the healthcare provider adopts a policy requiring the provider’s specific medical records release form to be signed. The provider tells staff that this form is required by HIPAA, but it is not,” she says. “In addition, HIPAA does not require a wet signature. E-signatures are acceptable as long as they meet the applicable requirements of e-sign laws. When a provider adopts a policy requiring a wet signature from patients on the provider’s specific medical records release form, this can inhibit, or at least delay, the transfer of records.”

The 21st Century Cures Act regulations aimed at prohibiting information-blocking should help address provider practices that inhibit patient-directed record transfers, Whaley notes. (More information is available at: https://www.federalregister.gov/documents/2020/05/01/2020-07419/21st-century-cures-act-interoperability-information-blocking-and-the-onc-health-it-certification.)

Providers have appropriately trained their staff on the importance of maintaining the confidentiality and security of PHI, Whaley says, but they typically have not spent as much, if any, time training their staff on the individual rights provisions in the Privacy Rule. Healthcare leaders can remind their staff these individual rights must be respected and create realistic and workable policies to enable this compliance, she says.

“While the risk of penalties from an unauthorized disclosure is greater than the risk of penalties from violating the individual access rights by being overly strict in its application, we may start to see that balance shift. Between the 21st Century Cures Act regulations and new cases where providers are fined for not providing access, it is important that providers be prepared to respond to individual requests for access,” Whaley says. “For instance, in September 2019, one hospital paid $85,000 to OCR [Office for Civil Rights] to settle a potential HIPAA violation resulting from its failure to provide records in response to a request for access.” (Find out more at: https://www.hhs.gov/about/news/2019/09/09/ocr-settles-first-case-hipaa-right-access-initiative.html.)

No Private Right of Action

A common misconception about HIPAA is that many people believe it creates a private right of action, says Heather Macre, JD, director with Fennemore Craig in Phoenix. Another is that following HIPAA means one does not have to know state privacy laws.

“There also is the belief that HIPAA somehow impedes medical care by limiting communications between physicians and within health systems. These misconceptions often lead to situations where physicians and healthcare workers do not communicate effectively with one another,” she says. “Leaders can help dispel these myths by making sure that all staff are trained to implement and understand both HIPAA and HITECH [Health Information Technology for Economic and Clinical Health Act]. Education is the key.”

One major misconception is HIPAA applies to all medical information and anyone who has access is restricted from disclosing it, says Jeffrey Drummond, JD, an attorney with Jackson Walker in Dallas.

“I’ve dealt with many employers, landlords, and business operators who feel that they cannot provide information to customers about tenants or employees who have tested positive for COVID-19, even though they are not a HIPAA-covered entity or business associate,” Drummond says. “Many people also believe that every entity in the healthcare industry is covered by HIPAA, even though healthcare providers are only covered entities if they conduct certain HIPAA-regulated electronic transactions.”

Another misconception: All uses or disclosures of PHI are prohibited unless the patient specifically consents. This misconception is particularly common within the healthcare industry among people who should know better, he says.

“Obviously, even HIPAA-covered entities may use and disclose PHI for treatment, payment, healthcare operations, and as required by law, as long as it is consistent with the covered entity’s notice of privacy practices” Drummond explains. “Most of these misconceptions result in people thinking that data cannot be disclosed, or that a particular disclosure is a HIPAA violation when it’s not. It certainly can interfere with care when covered entities or employees feel that they are prohibited from making a permitted disclosure, which can result in delayed or reduced care.”

Avoid Overly Strict Interpretations

Regular training is the best way to keep employees from an overly strict interpretation, Drummond says. This includes training specifically when these incidents occur so lessons are learned while the situation is fresh.

One of the best ways to dispel the myths in the general public is a fully developed and plain-language notice of privacy practices, Drummond says. When patients complain that a particular use or disclosure is a HIPAA breach, the best response is to show a specific description of the use or disclosure in the notice of privacy practices.

It is important to ensure a proper understanding of HIPAA rather than letting employees err on the side of caution with an overly strict interpretation, Drummond says.

“In the most extreme example of medical record privacy, nobody will know my PHI, not even my doctor. Obviously, I’m not going to get good healthcare if not even my doctor knows what’s wrong with me,” he says. “On the other hand, a zero-privacy environment will necessarily result in better healthcare, since the medical industry would be able to learn everything about healthcare. Thus, perfect privacy results in bad healthcare, while the best healthcare can only occur when privacy is limited. Neither of those situations is great.”

Best privacy practices must be balanced with best healthcare practices and find a middle ground, he says. Good healthcare depends on the use and disclosure of information; patients cannot be treated or cured if their care providers do not share necessary information.

“While an overly restrictive interpretation might not matter in many situations, when that interpretation becomes the norm among the staff, a patient’s healthcare may suffer,” he says.

Use Video Cameras

When it comes to video and privacy, there is some confusion about whether a patient’s room can be on live video or if that would be a violation of HIPAA, says Paul Baratta, business development manager for healthcare at Axis Communications.

However, as long as the video images are protected, not publicly viewable, and the hospital informs the patient of its presence, then video is permissible, he says. Public areas like hallways, lobbies, and stairwells are not considered private areas and can be surveilled with video. One common way to ensure privacy is using patient video images in real time and not recording those images, he says.

There can be a misunderstanding of the requirements when a patient chooses to receive his or her records, says Kevin Dunnahoo, associate director with Protiviti, a healthcare cybersecurity company in Dallas. Many organizations believe they have to ensure the delivery mechanism of the record is secured, he says.

“The patient has the authority to authorize disclosure of their record in any means that is feasible, including unsecured transmission or storage methods like email, USBs, or CDs,” he says. “While the covered entity or business associate should be protecting these data according to HIPAA while in their custody, those requirements are done once you have the direction of the patient to disclose it if you are following their guidance and direction.”

Telehealth Rules May Confuse

On March 17, OCR loosened regulations for HIPAA enforcement due to COVID-19 and the need for more telehealth services, notes Nasir Pasha, JD, outside general counsel with Altus Health, a network of physicians, hospitals, emergency rooms, and other facilities based in Houston. Those changes may lead to some misconceptions in the marketplace.

HIPAA still is law. OCR’s reduced enforcement is mostly limited to telehealth services, he says. Another common misconception: No one is 100% compliant, and no one will ever check for compliance.

“Definitely not true. All it takes is a simple data breach or a complaint by a whistleblower that will result in an audit,” Pasha says. “One of the most common misconceptions about HIPAA is that it strictly prohibits sharing of any information regarding a patient’s medical condition or status. However, it is common for medical professionals to generally inform family members of a patient’s medical status without violating HIPAA.”

Of course, most healthcare facilities will require a patient to sign a release to share medical information to family members. This allows the patient and the facility to protect the patient’s medical information, he says.

The other more common misconception is HIPAA applies only to healthcare facilities and providers. It also applies to any person who handles, stores, or otherwise has access to PHI. Covered entities are responsible for ensuring these business associates are HIPAA compliant.

“For covered entities, it is a matter of properly identifying who is a business associate and ensuring that the covered entity and business associate enter into a business associate agreement,” Pasha explains. “Because of the misconception that HIPAA only applies to healthcare facilities or providers, if a covered entity does enter into an agreement with a third party that may come into contact with PHI, it’s important for the covered entity to train, conduct regular audits, and have open channels for communication to prevent potential breaches.”

“Leadership begins at the top. A healthcare facility or provider should have a strong compliance program and regular employee training to make sure employees, staff, contractors, and anyone else who might come into contact with PHI understand that they have a responsibility to protect PHI,” he continues. “A strict interpretation of HIPAA might better protect PHI, and it is important for employees to know where and when they can share PHI and when they cannot.”

One of the more common HIPAA breaches is unintentionally releasing PHI, such as discussing a patient’s medical condition where others can overhear, or gossiping, Pasha notes. Avoiding that may seem like common sense, but both are violations of HIPAA and could easily occur.

“However, if employees are discussing a patient’s medical condition as part of providing medical care, then that would be proper,” Pasha says. “This goes back to properly training employees to understand the difference.”

BAA No Panacea

HIPAA has been in place for about 14 years. Since then, “HIPAA” has entered popular culture as a synonym for all things related to healthcare “privacy,” notes Bob Dupuis, vice president of enterprise architecture and security at Arcadia, a population health management services company in Boston.

But while HIPAA requires healthcare organizations to develop and maintain procedures to protect patient information, compliance is only the ground floor. HIPAA compliance does not mean you have what is needed to fully protect patient information from the ever-changing threat landscape, he says.

Many leaders in healthcare organizations who share patient information with third-party vendors think the business associate agreement (BAA) is all that is required to protect an organization from harm should their business associate experience an issue, Dupuis says.

“This just isn’t true. There needs to be more than just an agreement on what would happen should an issue occur,” he says. “A robust BAA is an important legal control, but it is only a backstop. The BAA does not provide any practical security protection for protected health data, nor does it offer any trusted third-party assurance that a vendor has end-to-end security safeguards in place to protect against both known and unknown threats.”

Organizations need to ensure their partners/vendors use a strong program and controls required to protect their patient information, he says. Ideally, this assurance happens through a strong third-party program that either validates the controls via a sometimes-cumbersome vendor risk management process or requires vendors maintain a robust certification, such as HITRUST.

“The lack of strong, consistent, validated controls within healthcare information technology leads to high-profile, reportable breaches that erode trust throughout the healthcare system. This hinders the kind of data-sharing required to drive true change in population health and success in value-based programs,” he says. “The misconceptions around data-sharing result in a similar slowdown of the adoption of new technologies that, if implemented effectively, could drive the change needed in the overall system: higher-quality, better-value care.”

Tech Acquisitions Can Suffer

Misconceptions about BAAs often arise when a healthcare organization is acquiring technology, Dupuis says. The process for selecting technology typically is driven by the features and functionality, with security as a component but not a priority.

Healthcare organizations undergoing a vendor selection process already are performing an exhaustive amount of work to conduct a comprehensive feature-function analysis of each potential product. Additional evaluation of a vendor’s cybersecurity credentials can be complex and labor-intensive, he notes.

There are many potential frameworks and controls to use. Validation of a vendor’s capabilities can require substantial effort from an organization’s security experts. A healthcare organization may not be able to confirm a vendor has the controls they say they do — and may struggle to measure one vendor against another when evaluating commitments to data security, Dupuis says.

“This is where certification programs like HITRUST can be really helpful. The HITRUST CSF framework incorporates existing, globally recognized standards, regulations, and business requirements, including ISO, NIST, PCI, HIPAA, and state laws. To earn certification, vendors are audited by a third party to ensure they comply with hundreds of controls,” he explains. “If a vendor is HITRUST CSF-certified, a healthcare leader who may not be an expert in information security can be confident they are doing business with a partner who has independently verified end-to-end data security.”

Managing the needs of a population — and the needs of the individual patients within that population — requires access to information about services patients are receiving across the care continuum, from emergency departments (EDs) to specialist care and home health, Dupuis says.

“If HIPAA is perceived to be a barrier to sharing data, that misperception can prevent providers from identifying preventive care needs or ensuring patients who visit the ED receive the appropriate follow-up care,” he says.

SOURCES

  • Paul Baratta, Business Development Manager for Healthcare, Axis Communications, Boston.
  • Kevin Dunnahoo, Associate Director, Protiviti, Dallas. Email: kevin.dunnahoo@protiviti.com.
  • Bob Dupuis, Vice President, Enterprise Architecture and Security, Arcadia, Boston. Phone: (781) 531-9129.
  • Heather Macre, JD, Director, Fennemore Craig, Phoenix. Phone: (602) 916-5396. Email: hmacre@fclaw.com.
  • Johnathan A. Rhodes, JD, Fennemore Craig, Denver. Phone: (303) 291-3210. Email: jrhodes@fclaw.com.
  • Nasir Pasha, JD, Outside General Counsel, Altus Health, Santa Monica, CA. Phone: (310) 452-1800.
  • Stephanie Winer Schreiber, JD, Shareholder, Buchanan Ingersoll & Rooney, Pittsburgh. Phone: (412) 392-2148. Email: stephanie.schreiber@bipc.com.
  • Erin S. Whaley, JD, Partner, Troutman Pepper, Richmond, VA. Phone: (804) 697-1389. Email: erin.whaley@troutman.com.