OCR Issues Model Notices of Privacy Practices

As the compliance date for the final Omnibus HIPAA privacy and security rule looms, September 23, 2013, the Office for Civil Rights and Office of the National Coordinator for Health Information Technology lend a helping hand to covered entities by publishing model Notices of Privacy Practices (NPP) for health care providers and health plans. The Omnibus Rule implements a number of changes required under HITECH, including “material” changes to NPPs.

The model NPPs reflect these changes and are designed to help covered entities meet their obligation to develop and distribute clear, user-friendly notices. The agencies also provided optional formats for the NPPs:

  • Notice in the form of a booklet;
  • A layered notice that presents a summary of the information on the first page, followed by the full content on the following pages;
  • A notice with the design elements found in the booklet, but formatted for full page presentation; and
  • A text only version of the notice.

Note to covered entities: The agencies state that the model NPPs reflect the regulatory changes of the Omnibus Rule and can serve as a baseline for compliance. Covered entities will still have to tailor the notices to their particular circumstances and insert information specific to their organizations. In addition, covered entities should review the rules for how and when notices need to be provided. See 45 CFR 164.520. For example, NPPs generally can be provided by email if the recipient has consented. Also, if a covered entity maintains a website about its customer services or benefits, it must prominently post the NPP on that site.

Do Your BA Due Diligence

Long gone are the days that you pull down a template Business Associate Agreement and everyone just signs it.  BAs may not understand the extent of their obligations under HIPAA.  You need to confirm your agreements plus check what they are really doing to comply.

I really don’t recommend blindly using a template agreement to anyone.  Make sure you know what the agreement is committing for both parties.  There are optional things in those templates that can cause problems for some businesses.  Many folks just rolled them all in there and never looked at the implications closely.

Once you have the agreement worked out, get at least a general understanding of what each BA is doing for their own compliance including BAs they use to provide services.  We use a due diligence checklist to help with the process.  Here are a few things we have learned while doing them.

IT Support Companies.  If you are trying to manage HIPAA Security requirements without some sort of IT company involved (or your own IT staff), you probably aren’t doing everything that is required.  Someone has to understand firewall logs, encryption key management, network scanning, etc.  BUT, make sure the one you do use is HIPAA compliant.  If they have admin access to all your servers they have access to everything; and they can’t do their job well without that level of access.

We find that most IT companies have the security part of the rules covered, maybe not documented fully but mostly in place.  The real problem comes when you ask about anything outside the Security Rule.  They should have a training program, understand minimum uses and disclosure requirements, breach notification policies and procedures and a few more things that have nothing to do with the Security Rule.  Make sure they understand there is more to HIPAA than the Security Rule.

Collections Services.  Collections services vary widely in the data they gather.  Many of these services may not specialize in medical but make it a segment of their business.  Be very thorough with any service that doesn’t offer specific secure connections or instructions for data exchange.  When checking these guys you have to ask about Security first.  You may never even get to the things outside of security requirements before you know you have a problem.  Make sure to determine how much medical work they are doing first then ask about the rest of compliance, especially how they worry about encryption at all stages of the process.

Accounting/CPAs.  Sometimes these are also collection or billing services, which may make things easier.  Think through what you do with them otherwise and make sure you understand exactly what they are doing with any patient information they may be privy to in providing their services.  In cases where they are simply doing accounting they may only see patient data when dealing with large balance accounts or writing refund checks.  It is still PHI.  Make sure they have a plan to protect PHI.  Also, make sure they train employees on HIPAA even if they think they are discreet enough, because they have to be for everyone.

Billing Services.  These guys deal in high volumes of data moving through their offices all the time.  They usually have a decent understanding of the uses and disclosure rules but may be lax in security within their office.  Also, they have a lot of downline BAs and subcontractors, in most cases just in processing services.  Make sure they have security plans in place and understand clearly what their BA and subcontractor obligations include.

Transcription.  A wide array of situations arises when we ask about transcription.  You need to be sure you know if they are signing your BAA but using subcontractors that may not be signing one with them.  This area can get very messy just working out who is storing data and who is accessing data.  Review every part of their setup to be sure they are covering their bases.  Make sure you check a lot of details with this BA, both for a service as well as individual contractors.

Many of the compliance management tools include BA management features.  These are very valuable for helping you keep up with all this information and documentation.  It is hard enough to keep up with our own stuff, but you have to get some info about all their stuff too.  It is important, though.

By checking on your BAs to make sure they truly understand their obligations, you better protect your patients and your business from compliance problems that aren’t under your roof.  If you have a BA that you know is a BA but they don’t want to become compliant, you have very specific steps you need to follow in order to protect your compliance status.

  • Take reasonable steps to cure the problem with the BA and get compliance in line.
  • If a BA still does not comply, you must terminate the business contract on HIPAA compliance grounds.
  • If there is no other entity from which you can get the service provided by the non-compliant BA, you must report them to HHS.

One more thing…  BA management isn’t just for CEs anymore.  All you BAs need to follow the same process for your BAs.

Original article authored by Donna Grindle, used here by permission.

How Do You Know Who is a HIPAA Business Associate?

One of the first processes we go through for HIPAA Compliance is to identify all Business Associates (BAs).  That has to be done for CEs and BAs alike.  The Final Rule has changed the status and viewpoints for many CEs and BAs. We have addressed a lot of questions on the topic lately.  Now seemed like a good time to go through some of the examples and tips we have discussed with a variety of clients.

The new rule makes it clear.  Signing an agreement doesn’t make you a BA; doing work that gives you access to PHI makes you a BA.  People have claimed exemptions for various reasons for years, and that can’t be done any longer.  There are many BAs struggling with the process right now.  Last week, a BA responded to a readiness survey from one of the CEs in our compliance program with a single question: “Do we have to fill this out?”  I am certain that business qualifies as a BA, and they obviously have no idea what is going on.  Checking on your BAs should be a top priority based on what we are seeing and hearing.

A great way to make sure you have all BAs on a list is to use your accounts payable as well as the 1099s you generated.  Take a minute to think about every one of them because some may need attention for other HIPAA reasons than being a BA.  We expect at least 5 or 6 BAs for most groups we work with on compliance.  Depending on their structure, size and activities there can be many more.  Small CEs and BAs have a different environment than large entities.  It is worth going through the whole list.

Here is a list of similar businesses you may find on your AP/1099 list.

  1. Scrubs That Are Best – Scrubs Service – We will call them STAB
  2. Clean and Pretty – Cleaning Service – CaP
  3. People Ask You, Inc – Collections Service – PAY
  4. Patterson, Salvatori, Bitterman and Enis – Attorneys – PSBE
  5. Zimmerman and Pierce – Heating and Air Service – ZaP
  6. Melissa Odum-Madison – Contracted bookkeeper – MOM
  7. Shred, Haul, Install and Track – Document management – we will just call them the shredding company
  8. Hippert, Ikemoto, Paine, Abruzzo and Alvarez – CPA Firm – HIPAA
  9. Advanced Concepts for Your Information Technology – IT support – what everyone calls them: the computer guy
  10. Medical Equipment Devices – Provide medical devices for tests – MED

Now, let’s go through the list and discuss how they may be classified and evaluated.

1- STAB only supplies scrubs for the office, so that shouldn’t be a big deal and no HIPAA involved, right?  But, in our conversation about BAs we learned that the STAB delivery staff has keys to the back door to drop off the clean and pick up the dirty each week.  That leads to more questions and decisions that must be made regarding physical access controls.  While they aren’t a BA for the work they do, they have access that does involve HIPAA regulations and may have been missed without this exercise.  Don’t put them on your BA list, but put it on your “gotta deal with that one” list.

2- CaP only comes in to clean, so they should be fine.  We have had them for years and it is a family business.  No HIPAA problems, right?  That depends.  Do you lock up all your charts and computers every night?  Do they only clean when someone is at the office who watches over their work?  In March, the Atlanta Journal reported a case of identity theft that involved office cleaning companies.  People would work for a cleaning company just for a week, filling in for someone, and stick a USB device in a couple of computers the first night.  Pick it up the last night of their temp job.  The whole time it is logging keystrokes on each computer.  They end up with all the information typed on that computer for the week.  Personally, I find it hard to give cleaning companies the benefit of the doubt in offices any longer.  I think they need to be BAs to be cleaning offices for CEs and BAs now.  There are some cases where they aren’t, but it requires laying out very specific guidelines on how the service will be managed in your office.  Most small businesses don’t have that ability.

3- PAY gets a list of patients and all their contact information in order to do the collections.  I have heard some collection companies claim they don’t get treatment information, so they aren’t BAs.  What do you give them to contact your patients?  To do your collections they know they saw your practice, and they have to have some reference like date of service, maybe.  Then, you have to give the date of birth, address, phone.  Well, you see what I mean.  I recommend you treat them as a BA or get a HIPAA attorney involved with an opinion.

4- PSBE handles malpractice claims among other duties for your practice.  There are plenty of references pointing out that they are BAs.  Don’t be surprised if they aren’t eager to admit it, though.  It isn’t unheard of but should be less likely under the new rules.

5- ZaP doesn’t need access to any PHI in order to do their job for you.  But, just as with STAB, the discussion does bring up another issue.  When they come in to work on things in your office, does anyone notice what they are doing or where they are while they are doing it?  Incidental disclosures may happen through the vents they are working on, but what about the story about the USB drive and the cleaning crew?  Should you really just let them roam around the office without a thought?  Add another one to the “gotta deal with that one” list.

6- Good ol’ MOM comes in and helps do the bookkeeping.  She works for us on a 1099 basis, but only for us and no other practices or businesses.  Part of the bookkeeping work does make it necessary for her to have access to PHI, so what do we do?  Is MOM a BA?  Oh no!  That will just not work – what are we going to do?  Who is going to tell Dr. Madison that MOM is a BA?  Wait, calm down.  No one needs to upset MOM or Dr. Madison.  A 1099 does not make anyone a BA.  In this case, MOM is a member of your workforce under HIPAA definitions.  Include her in the same training and rules you use for all your other employees.  Add it to your “gotta deal with that one” list to make sure she is included in all the training programs.

7- The shredding company.  We have them covered; they know they are a BA and we have a BAA with them.  But, we still need to see the status of the BAA and update it with the latest requirements.  They also need to provide some assurance they actually are following compliance requirements.  Another thing, though.  As you were pointing out your shredding bins, they are just large garbage containers with a lid on them.  There are no locks or anything.  Anyone can open them up and take things out, at will.  They sit out of the way so no one notices them.  When you contact your shredding company you should probably ask for a more secure container.  One that isn’t so likely to spill documents out on the street or make it easy to grab a handful of documents.

8- HIPAA knows they have to deal with HIPAA.  It is in their name!  They write refund checks and have all the details of that patient to reference for accounting for the refund checks.  BA.

9- The computer guy is what everyone calls IT companies in their office.  We are used to it.  We are also used to having access to everything.  There are some “computer guys” that make a case for not being a BA themselves because they never look at the patient data.  Having access to everything means access to everything, including ePHI.  You really must have an IT company that is a BA and understands HIPAA Security Rule requirements.  They have to help you implement, monitor and manage your compliance.  BA, big time, because you need them to be one unless you have your own in-house IT skills to manage it.

10- MED is like most device companies trying to figure out exactly how they will handle HIPAA.  They have to do it.  There are discussions all over the place about how much data those devices hold now.  They should be prepared more than any of the others on this list for your BA readiness survey.

Hopefully, this helps answer some questions concerning BAs for all those involved.  It may open up more questions but at least we are talking about it differently than before.

Reposted with permission from smallproviderhipaa.com