There's still plenty of confusion about compliance with theHIPAA Omnibus Rule, and HIPAA in general. Here's a sampling of critical issues to be aware of in your practice.
Many providers are reluctant, or inconsistent, in disclosing patient information to other providers, even when the information is needed for immediate treatment of patients. They often cite HIPAA as the reason they can't disclose patient information. They also cite fears about lawsuits or federal penalties for HIPAA violations.
Disclosures of protected health information for treatment, payment, and operations have always been permitted under HIPAA. If a compliance issue were to arise, OCR would be unlikely to issue financial penalties for inappropriate disclosures related to treatment. Instead, it would most likely issue a "corrective action" if there was some sort of problem as long as it wasn't part of an ongoing, "egregious" pattern of inappropriate disclosures.
The HIPAA Omnibus Rule, which will be enforced beginning Sept. 23, makes it clear that business associates and their subcontractors that receive, create, transmit or maintain protected health information are now directly responsible for HIPAA compliance.
Another business associate theme that OCR emphasizes is that it's not the degree of access to PHI but the persistence of custody that should be considered when trying to decipher if a cloud vendor, for instance, is a business associate under HIPAA Omnibus.
OCR officials stress that HIPAA is a floor, not a ceiling. It's a valve, not a blockage. And they caution healthcare organizations not to let security trump patient preference. So what does that all mean?
Clearly, an organization can do more than what's required under HIPAA in terms of safeguarding health information. Similarly, states can issue privacy laws that are even stricter than HIPAA and many have.
HIPAA isn't meant to block PHI disclosures that are necessary for the well-being of patients. That gets to the heart of the issue of sharing information with other providers and even disclosing information to patients.
HIPAA has been misinterpreted by some healthcare providers to the point where they believe it prevents the release of important information for the treatment of patients. There's also confusion among mental health professionals about whether they can (yes they should) contact law enforcement officials about patients who pose an immediate danger to themselves or others.
Finally, while HIPAA's Security Rule has prompted more organizations to deploy technical safeguards, such as encryption, to protect data, patients can still request that their electronic communications with healthcare providers, such as appointment reminders, be conducted via unsecured email or texting. Whatever you do to comply with the Security Rule, you need to be flexible to support the privacy rule and patient preferences. If patients prefer unencrypted e-mails, that's permissible. Just warn them of the risks.
So, when it comes to complying with the HIPAA privacy and security rules, as well as the modifications in HIPAA Omnibus, it's important to understand the nuances and avoid misinterpretations.