Since the last major update of the HIPAA regulations in 2013, there have been only two minor changes to the rules: one on individuals' access to laboratory test information, and one on the release of information about mental health prohibitors for firearms ownership. The first change, on access to laboratory information, enables the kind of ready access to test results that is so important to disease management for so many patients today, but it is a big departure from long-held practice. The second change, on releases of information to the National Instant Criminal Background Check System, applies only to a limited set of entities, those with the authority to make commitment decisions or decisions about whether an individual may purchase a gun, such as county courts in many locations. Policies need to reflect both changes.

Beyond these changes, however, there has been a wealth of new information that guides the interpretation and application of the HIPAA regulations, drawn from HHS guidance as well as from enforcement actions, identified security risks, and attacks on systems and data by malicious individuals.
The 2016 Guidance on Access of PHI by Individuals prepared by the HHS Office for Civil Rights details how to handle a wide variety of patient access-related issues according to the rules, and some of these rules may come as a surprise to many offices. Policies and training need to reflect the guidance and ensure ready access to PHI for patients.
Enforcement actions have revealed a number of recurring issues, in particular the need to perform regular reviews of access to and use of PHI, and the need not only to perform a thorough and accurate enterprise-wide risk analysis, but also to plan and carry out the mitigation of the risks it discovers. A good set of security policies guides organizations through these reviews and assessments and ensures good practices are followed.
Protecting privacy also requires controlling who can access systems that hold PHI, and the modern health care office uses not only its own systems but also those provided by outside entities, such as insurers' portals. When staff depart, policies must ensure that every one of their accesses, internal and external, is terminated, so that information cannot be improperly accessed after employment ends. Finally, threats like ransomware and breaches call for a coordinated response according to defined policies written to address these modern threats.
Although the actual recent changes in the HIPAA regulations have been few, there has been plenty of guidance as well as evidence, such as enforcement actions and breach causes, that shows how various rules should be interpreted in order to avoid violations. This guidance and evidence indicate that certain HIPAA policies should be reviewed to ensure they provide the necessary support for compliance as it has come to be interpreted over the last few years.
A great deal more is known now about how to be in compliance with the rules, and what kind of efforts must be undertaken to avoid issues. Healthcare organizations need to see if their policies and procedures are up to snuff to support the latest rulings and guidance, and be prepared to update them as necessary.
Jim Sheldon-Dean is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to a wide variety of health care entities. He is a frequent speaker regarding HIPAA, including speaking engagements at numerous regional and national healthcare association conferences and conventions and the annual NIST/OCR HIPAA Security Conference. Sheldon-Dean has more than 16 years of experience specializing in HIPAA compliance, more than 34 years of experience in policy analysis and implementation, business process analysis, information systems and software development, and 8 years of experience doing hands-on medical work as a Vermont certified volunteer emergency medical technician. Sheldon-Dean received his B.S. degree, summa cum laude, from the University of Vermont and his master’s degree from the Massachusetts Institute of Technology.