Ongoing HIPAA Care: What is your plan?

Here at SOS Software, we have been in an ongoing process to develop, maintain, and implement detailed policies and procedures to assure that we are doing everything possible to act as responsible Business Associates to our Covered Entity customers. We have been holding monthly training for our staff in which we all take a pre-test, watch an instructional video together, discuss what we have learned, take a post-test to measure how much we have learned, then discuss the results of our testing to be sure we all understand these important concepts.

HIPAA (Health Insurance Portability and Accountability Act of 1996) mandated that electronically stored protected health information (PHI) be handled in such a fashion as to assure the privacy of the patients to whom it belongs. The HITECH (Health Information Technology for Economic and Clinical Health) sections of ARRA (the American Recovery and Reinvestment Act of 2009) also required additional security measures be utilized for all PHI. HITECH extended the same privacy and security requirements to Business Associates of Covered Entities as to the entities themselves.

We have been distressed to find that many of our customers have no idea what HIPAA actually requires. While it is true that the requirements are scalable (small organizations like solo psychiatric or psychological practices do not need to do as much as large ones), some customers seem to think that scalability means they need to do nothing since they are not a community mental health center or a hospital. This is far from accurate.

Every organization that handles PHI is responsible for assuring that the privacy and security of that information is guaranteed. Not doing a security risk assessment, not having an incident response plan, not having a disaster plan, not having usable backups of your patient information off site . . . all of these things could easily be considered “willful neglect” by the Office of Civil Rights (OCR), the agency responsible for enforcing HIPAA. If an unhappy patient reports you to OCR as ignoring the requirements of HIPAA and you are found to be guilty of “willful neglect”, OCR must penalize you. Are you prepared to pay at least a $10,000 to $50,000 fine . . . or worse?

If the items I just mentioned above are not very familiar to you, that means you and your organization may not have done your HIPAA homework. You may not need to start at the beginning, but reviewing some of our old posts and links might help you get started. We have found that there are many resources available on the Internet free or at low cost. You might consider some of those. Seth plans to attend a free webinar he got notice of last week. He has started a workgroup of some of our customers who are trying to help themselves and one another move their security and privacy programs forward.

What do you need to do to become HIPAA compliant?

What do you or your organization already do to assure your compliance?

Do you know who your Privacy Officer is?

Please share some of the steps you and your organization have taken to assure that your organization is HIPAA compliant. Let us know what you do on an ongoing basis to be sure new employees are educated to the requirements. Just enter your comments below.


Comments on “Ongoing HIPAA Care: What is your plan?”

  • Hi Dave,

    Thanks for your input. As I understand it, there is no REQUIREMENT for email to be encrypted. HOWEVER, email is notoriously insecure. A provider who decides to ignore that reality and send PHI by email might be seen as failing to use reasonable precautions and safeguards to protect PHI.

    Ah yes, fax transmissions. It is not clear to me that faxing PHI is acceptable….at least, not without a variety of safeguards.

    I went to the Office of Civil Rights – HIPAA website and searched for ‘fax transmissions PHI’ and at first, got the link to only one document:

    The document was the Federal Register/Vol. 64, No. 212, from Wednesday, November 3, 1999/Proposed Rules. On page 59938 the following was stated:

    “This definition would not include ‘‘paper-to-paper’’ faxes, or person-to-person telephone calls, video teleconferencing, or messages left on voice-mail. The key concept that determines if a transmission meets the definition is whether the source or target of the transmission is a computer. The medium or the machine through which the information is transmitted or rendered is irrelevant.”

    This document is related to the Privacy of PHI, specifically 45 CFR Parts 160 through 164 Standards for Privacy of Individually Identifiable Health Information; Proposed Rule. Because the original law was focused on Privacy of PHI stored or transmitted in an electronic format, the rule makers seemed to make a choice to ignore the risks of faxing information to the wrong party.

    I did a little more searching on the OCR site with slightly different terms and results. I came up with a couple of other things.

    When I searched for ‘fax PHI security privacy’ I got 3 results; 1 was a direct answer to your question, but only related to the Security Rule.

    “Does the Security Rule apply to written and oral communications?

    No. The standards and specifications of the Security Rule are specific to electronic protected health information (e-PHI). It should be noted however that e-PHI also includes telephone voice response and fax back systems because they can be used as input and output devices for electronic information systems. E-PHI does not include paper-to-paper faxes or video teleconferencing or messages left on voice mail, because the information being exchanged did not exist in electronic form before the transmission. In contrast, the requirements of the Privacy Rule apply to all forms of PHI, including written and oral.”

    When I searched for ‘fax privacy PHI’ I got 4 results, 2 of which seemed relevant. Both were related to the case listed below.

    “Physician Revises Faxing Procedures to Safeguard PHI
    Covered Entity: Health Care Provider
    Issue: Safeguards

    A doctor’s office disclosed a patient’s HIV status when the office mistakenly faxed medical records to the patient’s place of employment instead of to the patient’s new health care provider. The employee responsible for the disclosure received a written disciplinary warning, and both the employee and the physician apologized to the patient. To resolve this matter, OCR also required the practice to revise the office’s fax cover page to underscore a confidential communication for the intended recipient. The office informed all its employees of the incident and counseled staff on proper faxing procedures.”

    Sooooooooo……. to get back to your question. It seems that faxing info to the wrong party can definitely be considered a breach. It looks like changing a cover page to indicate that it is a confidential communication intended for a particular recipient was part of the resolution OCR required. My guess is that making a telephone call to the recipient and faxing the information to a particular person who then acknowledges receipt of the PHI would also be a useful Safeguard.

    Aren’t you glad you asked!

  • Here is a HIPAA question: Is it a HIPAA requirement that all email containing PHI be encrypted? If so, how does one ensure the same level of privacy protection for fax transmissions?

    My question comes from this line of thinking:

    Assuming email technology used to transmit PHI must include encryption to be HIPAA compliant, I do not understand how HIPAA deals with the facsimile technology used to transmit PHI.

