HIPAA was enacted in 1996. In the years since, most healthcare entities have adapted to the major requirements imposed by HIPAA, HITECH, and the Privacy and Security Rules. Nevertheless, the thicket of regulations still leaves some traps for the unwary. Here are the most frequent tripwires.
First, the goal of HIPAA is integrity and availability of records along with confidentiality. For workflow or other reasons, hospitals or other covered entities are often reluctant to share patient records. With the exception of certain specific carve outs, such as psychotherapy notes, this violates HIPAA. Patients are entitled to their records. Compliance programs must accommodate this legal reality.
Second, HIPAA requires that disclosure of health care records be minimized to the extent necessary to accomplish the objective. In other words, a contractor or other entity with access to personal health information (PHI) is only entitled to those data points necessary to perform their function e.g. names and addresses. For practical purposes, a technical solution is not always available – a covered entity may have a single computer system, and cannot realistically reconfigure it for every purpose.
In such instances however, compliance may not be left by the wayside. It must be accomplished by alternative means such as administrative safeguards. For example, a covered entity and business associate may contractually agree to limit access, and combine this restriction with random audits to ensure compliance.
Third, the requirement of minimal disclosure also extends to individual employees and contractors. They are entitled only to those records they need to perform their job functions. Of course, in the real world those functions continually evolve. Employees often switch roles, go on leave, rotate to different units, or complete the tasks that entitled them to access in the first place. Yet access is rarely calibrated to fluctuating business needs. Excessive access is a regulatory risk. Any compliance program needs to regularly reassess employee access. It must adjust PHI access rights to conform to current responsibilities.
Fourth, HITECH and the Security Rule require a security assessment and the institution of safeguards to protect against reasonably anticipated disclosure. They also require that all Business Associates be bound to adhere to the safeguards program. The Business Associate Agreement needs to specifically incorporate this requirement. Technically, the failure to do so, even in the absence of a breach, is a violation. Yet many covered entities overlook this requirement. And if the Business Associate is unwilling to accommodate the requirement, the covered entity needs to evaluate the contractual arrangement, ensure that it meets the identified security criteria, and document the basis for this determination.
Fifth and finally, the healthcare sector is consolidating. The acquisition and consolidation of practices results in transition periods where the successor entity has multiple sets of PHI records under multiple compliance regimes. The result is a program that is either incomplete, incompatible, or is otherwise deficient. This is a serious regulatory risk. While a seamless transition may not be possible, incorporating compliance into the succession plan at the earliest possible stage is the prudent approach.
None of these five steps require mastery of particularly arcane aspects of the HIPAA regulatory scheme. Yet covered entities and business associates regularly stumble on them. Each of these pitfalls is easily remedied. In compliance, as in medicine, an ounce of prevention is worth a pound of cure.