S2 E30: Common HIPAA Privacy Rule Mistakes
Jordan Eisner: Welcome to Compliance Pointers. I’m here today with Carol Amick, Director of Healthcare Services at CompliancePoint. Hey there, Carol.
Carol Amick: Good morning, Jordan.
Jordan Eisner: And for those listening and not viewing, I’m Jordan Eisner, host of Compliance Pointers, VP of Sales at CompliancePoint. And I get the pleasure of speaking with Carol today.
Carol has been on this podcast probably more time than anybody else. Don’t roll your eyes. You’re happy to be here. You don’t have a million other things you need to be doing right now.
So I think this will be a quick one today.
We’ve talked about Carol’s background a little bit in the past and for those of you that have listened, not watched because this is Carol’s first time on camera for the podcast, but for those of you that have been listening to the podcast, she has a long and extended intensive career in healthcare and HIPAA. She’s an expert in HITRUST. She’s worked on the client side. She’s worked at big consulting firms. She’s worked at small and mid-sized consulting firms like CompliancePoint. Has been doing this a long time. In my experience working with Carol, I’ve really never seen her not know the answer to a question HIPAA or similar related. So great resource.
So today Carol and I are going to be talking about the mistakes that she sees organizations make regarding the HIPAA Privacy Rule. Now just some, I guess HIPAA 101 and that’s about as far as I can go really, but HIPAA has three rules, the Privacy Rule, the Security Rule and the Breach Notification Rule.
I’ve heard mentioned sometimes of another rule Carol, but those are the three ones that I always focus on and organizations, I think if you’re a business associate, it’s more security rule, maybe portions of breach notification that are going to concern you.
Whereas if you’re a covered entity or you’re providing care, it’s all of them, right? It’s all applicable.
And so the privacy rule can sometimes be confused with complying with all of HIPAA or risk assessment against it can be confused with the security rule requirement for a security risk assessment, which is an annual requirement, not necessarily a case for privacy, but I’m getting off track. It’s not the point of what we’re trying to get to, but we’re going to be talking about mistakes you see with that.
Anything you’d add to the HIPAA 101 and the privacy rule before we do get into the questions?
Carol Amick: Yeah, there is no fourth rule.
Jordan Eisner: Okay. Somebody said, I don’t know, maybe an amendment or something. I always knew it was the three rules, but I’ve heard people say something to the three rules.
Carol Amick: There was a change to the Security Rule in the HITECH Act several years ago, but there have always just been the three rules. And so that’s what you want to try to comply with, and you’re right. The ones we’re talking about today are specifically focused on covered entities that provide healthcare. So doctors, insurance companies, hospitals, clinics, et cetera.
Jordan Eisner: Well, let’s talk first about a website, right? The soul to an organization these days. And I know that you’re thinking, well, these are physical locations of providing care, but a lot of the privacy, not a lot, but the privacy requirements can have to do with an organization’s website and what they’re putting out there.
So what are mistakes or failures that you’re seeing there for organizations that have their own websites in terms of the HIPAA Privacy Rule?
Carol Amick: So probably the biggest mistake I have seen is that if you are a covered entity and you have a website, you are supposed to put that notice of privacy practices, which is the notice that outlines to your patients or their responsible parties what you can and cannot do with their protected health information, somewhere it is accessible on the website.
And the Office for Civil Rights, which is charged with enforcing HIPAA, has made it clear that that needs to be a prominent link on your homepage.
So I did a survey of about 30 websites and for 75% or so, I couldn’t find the notice of privacy practices anywhere, much less on the homepage where it needs to be. So you have to be careful.
I know when I worked at a hospital one time, the marketing department said, look at our fancy new web page, and the compliance department went and looked and asked, where’s the notice of privacy practices? And the response was, well, it was clutter. Okay. Well, it may be clutter, but it’s legal clutter. So put the clutter on the front page of your web page.
The other thing is, if you bought this web page or this information from a third-party vendor, make sure it’s right. I actually clicked on one and it started out, you know, “insert company name here.” It doesn’t necessarily make the impression you’re going for if you don’t even have your name in that. So make sure you check that too. If you’ve had somebody helping you with the website or you bought some canned content for your website, you don’t want it to say “insert company name.” You want it to be Doctor X or Hospital Y or whatever.
And this was a fairly large healthcare company actually that did that.
Jordan Eisner: I think that’s rooted in communication between compliance team, legal team, marketing team, whoever and the failure to communicate when you’re going live on a website or making updates. Those parties, those groups need to be involved in those decisions and what’s finalized and published, especially when it’s public-facing.
Carol Amick: And it needs to be current. If you change your notice of privacy practices for any reason, that one on the website needs to be updated too. So if you haven’t looked at it in several years, you put your website together four or five years ago, you haven’t checked it. Make sure it’s still there. Make sure it’s what you’re currently using. Make sure the link still works. All those good things.
And keep in mind, this is the healthcare notice of privacy practices. If you have on your website, and you probably do because you need it, the tracking notice of privacy practices and all that stuff, that’s not the same thing and that will not suffice. You’ve got to kind of have both. You’re going to have to have the link that says, this is what we do with your data from the website side, and this is what we do with your data from the healthcare side. So you probably need two notices on there. I know a lot of people don’t want to do that, thinking they’ve got one and that’s good. But if you’re a healthcare provider, you’re probably going to need two.
Jordan Eisner: Okay. That’s helpful. You wouldn’t need to do anything website or tracking-related elsewhere, right?
Carol Amick: There’s a lot of content on tracking. And I think we’ve talked about that in the past. Right now, they seem to be that they’re not enforcing the tracking things, but there are some things you will want to think about on your website.
The other thing that we saw very recently is you may have on your website, and this isn’t really related to tracking, but I did want to make sure to bring it up, so I’m going to jump ahead a little, you may have on your website a little logo that says “I’m HIPAA compliant” that you got from a vendor or something. In addition to worrying about the Office for Civil Rights at the Department of Health and Human Services, you also have to worry about the Federal Trade Commission and their Health Breach Notification Rule. And they recently came out with an article that said, look, there is no formal HIPAA certification. That’s one of the reasons CompliancePoint doesn’t offer one.
The FTC said the only people that could offer that would be the Department of Health and Human Services, and they aren’t doing it. And so if you have that on your website implying that government approval, you could be held liable for false advertising.
Actually, it’s interesting. And so could the company that gave you the logo that said you are HIPAA compliant. So one of the things we’ve chosen not to do is say you’re HIPAA compliant. We will give you a report that says, as an independent reviewer, we have assessed you, we have audited you, and we found you to be compliant. But that’s kind of a different statement than you putting up a legal-looking logo that makes it look like you have been formally approved, because the FTC is really starting to crack down in healthcare. I think they feel like the Office for Civil Rights isn’t doing enough. And so they are really starting to crack down.
And that’s been an interesting one that we’ll be watching to see what kind of enforcement they really do there. But that is something to think about if you have the HIPAA-compliant logo or you’ve said you’re HIPAA compliant and you haven’t really, you’re not really sure.
Jordan Eisner: Yeah, many a time I have prospects come and say, we need to be HIPAA certified, and it’s, well, there is no HIPAA certification.
So, moving on from privacy notices, but perhaps one add-on question to it. Those are what we’re signing when we go to any covered entity as well, right, with all the paperwork we have to sign, the privacy notices being made there too. What about posting on the doors or the windows of the entries of the organization? Where else would a HIPAA privacy notice need to be?
Carol Amick: Well, a couple of things. It does need to be posted in your lobby or your waiting areas so they can see it. It needs to be available to give to your patients or their responsible parties in paper form.
The other thing I would suggest that you think about with your privacy notice that we’re seeing a lot of is online registration. So you probably got an opportunity when you’re taking your kids to a doctor or something and you’re sitting up at an appointment. They’ll ask you to fill out your paperwork in advance online.
Both my team and I have been watching this, and I’ve had a couple of issues lately where I have actually registered online. And when you get to the notice of privacy practices, there’s a little button at the bottom that says, you know, click here to acknowledge acceptance.
Unfortunately, what the law actually says is that I don’t have to acknowledge acceptance. I don’t have to agree. And you still have to treat me even if I don’t agree with the notice of privacy practices. So your little electronic form forcing people to say, I’m accepting the policy regardless, may be a violation of the law because you aren’t giving them that opt-out process.
Now in person, generally what we see is people do have that opt-out process. They will make a note in the registration system that says it was offered to the patient or the responsible party and they declined to sign.
And that’s fine. You just keep going. You’re still going to go by those same things that doesn’t mean you can’t use the PHI in the manner in which you plan to use it. It’s just that’s the way the regulations are written.
But if you have the electronic version and you’re not letting them opt out, or not letting them pick a button that says, I’m not going to sign this, you’re probably setting yourself up for an issue should you have an investigation or a review by a government agency, because you are not fully compliant with the terms of how you do the privacy notice. You’re basically forcing them to accept that as part of the treatment, and that would be considered a violation.
Jordan Eisner: Okay. Shifting from the notice, what about privacy policies and written procedures? What do you see organizations doing, or making mistakes or doing things incorrectly, there?
Carol Amick: So HIPAA is over 20 years old, and a lot of us sat down when it came out and we either wrote a policy set or we bought one off the rack. We went to, you know, Bubba Gump’s Homegrown Policies and they had a policy set and we pulled it in, and then we put it in a desk drawer and we’re done.
If that’s what you did, things have changed. I mean, think about it. You probably are much more dependent on technology than you were 20 years ago. So your policy procedures need to be updated every year and they need to reflect what’s really going on in your organization and you need to make sure your staff knows where to start, knows how to use them and has been trained on them.
So you want to make sure your policies and procedures are current and updated. A lot of times, and it’s sometimes interesting, we will go look at them, and let’s say the doctor got acquired by somebody. A lot of doctors’ offices have been acquired by hospitals. We pull the policy and procedure set and they still have the paper ones, because they’ve never done anything since, and it has their name on it, but those aren’t the policies they’re using anymore because they don’t own their own practice anymore.
Same thing if you’ve been acquired by, if you’ve merged your two practices together, you’ve got to make sure you’ve updated that.
The government is not going to be really impressed when you say, well, here are my policy and procedures and they haven’t been updated in 20 years and they don’t even have the right name of the organization on them.
I had somebody one time hand me some right off a fax machine trying to prove they were theirs. Unfortunately, they had the hospital across town’s name on them.
Jordan Eisner: Like I said, you’ve seen it all.
Carol Amick: Go in and update them. Make sure they’re in good shape. Make sure you’ve got them done. Make sure they reflect your current operations. I think that’s really key and that you are training your staff to them so that they know what’s going on.
Keep in mind, particularly with PHI, that we need to make sure we stress all the various electronic identifiers that are part of the patient’s information in those policies. So their web address, their email address, all those kinds of things now have to be tracked and understood as PHI.
Jordan Eisner: Good points.
Now breach notification, not the rule, but under the Privacy Rule, right, in terms of a breach of privacy. Where do you see mistakes there?
Carol Amick: A couple of things. And I got one recently.
One of my doctors was breached, and the regulations say you must email, I mean, excuse me, you must mail via the US Postal Service letters to the people who have been breached, outlining what happened, what you’ve done, et cetera, et cetera.
They decided that was going to be expensive and I’m sure it is. And they sent me an email. But unfortunately, the email doesn’t meet the law. I realize that we can communicate a lot with email now. But the regulations have not changed. They still require that you do this, the old fashioned way, envelope, paper, all that stuff. So that’s not going to be the get-out-of-jail-free card that you sent me an email.
The other thing to keep in mind is if you can’t reach people, and if it’s over about 100 people you can’t reach, you’ve got to put a notice on your web page, on the home page again. It can’t be buried back on page 23, your privacy page. It has to say, you know, click here for breach information, put that information on there, and a toll-free number that people can call to ask questions. A lot of doctors’ offices and clinics, for example, don’t have a toll-free number. You have to set one up for the 60 or 90 days you leave that thing active.
So it is another expense. So people sometimes try to avoid that because, you know, they can just call our regular number. But that’s, once again, not compliant with that regulation.
You’ve got to have that toll-free number if you’re going to have to put that notice up, and if you’ve got a breach that goes back a long way, you’re probably going to have a lot of returned mail.
I worked in long-term care for quite a while. And just by the nature of long-term care, when we had some breaches and I would mail out letters, I would get a lot of returned mail. Because, you know, sometimes the people weren’t with us anymore, people had moved, and I would have to set up that alternate notification with the toll-free number on my web page. So you want to make sure you do that.
And keep in mind that on the smaller breaches, you still have to report them. If you’ve never reported a breach to the Office for Civil Rights, you’re probably not doing something right. All of us have had at least one breach. I mean, you know, we’ve probably given paperwork out that we didn’t get back. We’ve probably lost a thumb drive. We’ve probably done something.
If it’s small, you don’t have to send the letters, you don’t have to have all this, but on an annual basis, you have to list out breaches under 500 and report them to the Office for Civil Rights. So you’ve got to set up a tracking system, and you’ve got to track the breaches and report them.
If you’ve never had to do that, well, I don’t know anybody who’s really that perfect in handling all this information.
Jordan Eisner: Yeah. Those are what I thought you were going to say, but good to reiterate and for our audience to capture those.
Okay, here’s the last piece. What about privacy risk assessments?
Carol Amick: Yeah, you know, we focus a lot on security risk assessments, and I would recommend that you do a privacy risk assessment too. And that would involve looking at all the things we talked about and looking at the practices going on within your organization to see if you are properly securing it.
Looking at the physical plant. Are you set up in such a way that things are secure? For example, right now, you know, when you walk into a doctor’s office, you may be able to see a screen. Does that screen have protected information on it? Could people walking into your office who shouldn’t see it see that?
You know, are you still using paperwork and putting it in the door? Have you got those secure? So physical security comes into that.
Does your staff know what to do? Assessing their skill sets, assessing where you are on that. Do they know what to do?
They get a phone call asking for information over the phone. You’ve got to be careful there. You know, you don’t want to give out information that you shouldn’t to people you shouldn’t. So you want to go through and see where you are against the rule. Kind of assess yourself against the rule.
I think especially since the rule is so old and we’re kind of used to it, we need to start stepping up. I talked earlier about the notice of privacy practices. One of the things you want to assess is, is this still what we’re doing? Have we completely changed and we haven’t changed this?
And by the way, if you change it, you do have to let people know. You can’t just update it on your website and pretend like they’re all going to know it’s been changed. You’ve got to give them new versions and let them know that we have a new notice of privacy practices.
But yeah, you want to see where you are. I think a lot of us have gotten kind of complacent because it has been so long.
And this, to be honest, is not where the big breaches occur. You know, the big breach occurs when your information system is hacked, and then they’re going to get 10,000 records. But if that should happen, and it happens far more than we’d like to admit, then they’re going to look at your whole operation.
They’re going to ask questions about everything you’re doing. So you want your privacy standards to be in place so that you look good when the Office for Civil Rights does an investigation of your organization.
Jordan Eisner: Okay. I think that’s 20 or so minutes that pack a punch. Thank you, Carol.
For any of our listeners concerned with, or toying with the idea of, how fit their privacy procedures and policies and website statuses are, I think this is going to be helpful. So we will wrap it there for our listeners and viewers.
If you are interested in getting in touch with Carol or CompliancePoint and you’ve been listening by this point, you know where to find us.
If you’ve not been listening, CompliancePoint.com, you can email us at connect@CompliancePoint.com directly.
Carol’s on LinkedIn. I’m on LinkedIn. This will be on LinkedIn. So maybe we’ll be tagged and just find us that way. But we’d love to talk and answer any questions or concerns you might have.
And just as a reminder, we put content like this out regularly on not only HIPAA, but HITRUST, marketing compliance, other data privacy areas, information security, cybersecurity, and so on.
So check us out and tune back in till next time. Thanks.