Frequently Asked Questions:
What procedures are required under HIPAA if a breach of personal health information occurs in our facility?
When a breach of PHI occurs, the organization must determine if the breach is notifiable by first performing a risk assessment. Breaches are notifiable if the assessment shows that the breach does not fall under one of the exceptions and there is a significant risk of financial, reputational, or other harm to the individual as a result of the impermissible use or disclosure.
If it is determined to be a notifiable breach, then the covered entity must notify the affected individual (by letter, or other means as detailed in the rule) within 60 days of the date the breach was found. If the breach involves less than 500 individuals, the Department of Health and Human Services (HHS) must be notified within 60 days after the end of the calendar year in which the breach takes place. If it involves more than 500 individuals, then HHS must be notified immediately, and the information is placed on the HHS website. The covered entity must also notify the media.
There are many more details regarding this rule available in the MedSafe HIPAA /HITECH Policy and Procedure Manual.
Is it really possible that individual employees can be held personally liable for a HIPAA breach of personal health information?
Yes. As part of the strengthening of the enforcement provisions of the HITECH Act (Health Information Technology for Clinical and Economic Health Act), the individual State Attorney Generals (SAGs) were given the authority, on behalf of state residents, to bring civil actions against individuals who violate the HIPAA laws. Up until HITECH became law, only covered entities, and sometimes business associates, could be held liable. Now, individual employees who are found to have violated these laws can be fined separately. Also, if the OCR feels that a complaint may involve criminal violations under HIPAA, the information is relayed to the Department of Justice for further evaluation. Criminal jail time and fines are possible for individual employees who have not obeyed the law.
What are some of the most common HIPAA violations found by the Office for Civil Rights? What do we need to be especially careful of in case of an audit?
The HIPAA laws were issued by the Department of Health and Human Services (HHS). Statistics from HHS state that since April 2003, the Office for Civil Rights (responsible for enforcing the laws) have received over 62,708 HIPAA Privacy complaints and resolved over 14,105 through investigation and enforcement. During this time, the compliance issues investigated most (in order of frequency) have been:
- Impermissible uses and disclosures of protected health information;
- Lack of safeguards of protected health information;
- Lack of patient access to their protected health information;
- Uses or disclosures of more than the Minimum Necessary protected health information; and
- Complaints to the covered entity.
Limited numbers of OCR audits (being performed by KPMG, a contracted firm) are being performed this year, and these numbers are expected to substantially increase once the initial, pilot program has been fine-tuned. One of the most important procedures an organization must complete, and continue to update, is the security risk analysis, as it is one of the first measures KPMG will be analyzing.
The importance of staff training cannot be stressed enough. If your employees are not trained properly and commit a violation, not only are you liable for the violation, so are they. Don't find yourself in this difficult situation; make sure you have the correct policies and procedures in place and that your staff members are well-versed in the HIPAA laws.
Under HIPAA, are we allowed to disclose the records received from other, previous providers without a patient’s written authorization?
According to the Department of Health and Human Services, the Privacy Rule allows doctors, nurses, hospitals, laboratory technicians, and other health care providers that are covered entities to use or disclose protected health information,( such as X-rays, laboratory and pathology reports, diagnoses, and other medical information), for treatment purposes without the patient’s authorization. This includes sharing the information to consult with other providers, including providers who are not covered entities, to treat a different patient, or to refer the patient.
Older portions of a patient’s medical record that were created by other previous providers are considered part of the total record. The HIPAA Privacy Rule allows the current provider to share those documents with other covered entities, as long as the disclosure is for a purpose permitted by the Privacy Rule, such as treatment.
The Rule defines treatment as the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.
As the patient may not want his/her PHI to be shared with certain individuals or covered entities, when disclosing personal health information (PHI) always be sure to check on whether the patient has filed a lawful “Request for Restrictions” with the practice, as is their right. This request must be in written or electronic form, and must be accessible to staff members. State laws should also be consulted regarding restrictions on certain types of PHI, such as those relating to HIV/AIDS, mental health, or substance abuse.
My IT vendor tells me that they have checked all of the electronic systems we are using to store, access, and disseminate personal health information (PHI), and they are secure. Is this analysis enough to meet the HIPAA requirements?
No. HIPAA requires that organizations have in place appropriate administrative, technical and physical safeguards of all potential risk areas, not just electronic. A security risk analysis, which generally is concerned with ePHI, is only part of that process, and requires organizations to “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].”
All PHI, including oral and written, must be protected from any intentional or unintentional use or disclosure that is in violation of the HIPAA rules. Processes must be in place to safeguard PHI during destruction, printing and copying, storage (including the physical management of paper records), oral disclosures, employee access, etc. Minimum necessary requirements, control of incidental uses of PHI, and many other facets involved in protecting non-electronic PHI must be followed.
Is it necessary to give all existing patients a new copy of the HIPAA Privacy Notice whenever it is updated?
No. HIPAA only requires that direct treatment providers give new patients a copy at the first encounter, and post the new Notice (not a summary) where all patients can view it. For most facilities this is usually the waiting room. The new copy must contain the new effective date of the Notice. It is also required that you post the new version on the organization’s website.
Patients are allowed to receive a copy if they ask for one. Organizations should use a good-faith effort to obtain the individual’s written acknowledgment of receipt of the notice, but healthcare services must be provided even if the patient refuses to sign.
Indirect treatment providers (those who deliver care to the individual based on the orders of another healthcare provider, such as laboratory and imaging services), must provide the new Notice to patients upon request, and also post it on the organization’s website.
Is it necessary for my practice to use safety needles / syringes if I can demonstrate that we have not had any sharps injuries in the last year? What if there are no acceptable devices that can be used for my purposes?
As part of the Needlestick Safety and Prevention Act of 2000, which modified the OSHA Bloodborne Pathogens standard, employers having employees that could potentially be occupationally exposed to human blood while performing their duties are required to identify, evaluate and implement safer medical devices on at least an annual basis. They must evaluate innovations and technological developments that eliminate or reduce exposure to bloodborne pathogens, whether or not there have been any injuries in the workplace.
OSHA has made the use of safety devices a priority when performing inspections. The Act has been in place for over 10 years, and OSHA expects to see compliance at this time.
The Bloodborne Pathogen Standard requires that health care providers have an Exposure Control Plan (ECP) in place, and review it at least annually. It’s important to remember that part of the Exposure Control Plan’s annual review includes evaluating potential employee exposures (especially in light of any new procedures performed), evaluating employee exposures that have occurred during the past year (a Sharps Injury Log must be used throughout the year) and then performing an annual evaluation of safety devices to determine if any newer, more superior technologies are available.
Even if a facility has selected safety needle device(s) and are using them satisfactorily, they are still required to determine if the facility’s chosen device(s) remain preferable to any newly developed products. This must be documented in the ECP.
Once the organization has identified an acceptable safety device, employers are required to have them available, and employees are required to use them. Under the Act, acceptable reasons for not using a safer product are that there is no suitable device available (unlikely at this time), or that the devices evaluated would be deemed unsafe to the patient or to employees. Cost may not figure into the equation for selecting safety needles, unless the cost can be demonstrated to be prohibitive to the business.
In the annual evaluation of safety devices, employers are required to solicit input from employees responsible for direct patient care in the identification, selection and evaluation of effective devices. The employees selected must represent the range of exposure situations encountered in the workplace (e.g., emergency department, pediatrics, nuclear medicine). The employer must document the process by which the input was requested and identify the employees or the positions of those employees who were involved.
Practices may develop their own evaluation forms and recordkeeping materials, although MedSafe provides these materials as part of the Safety and Health (OSHA) Program.
The standard does not specify the level of detail or the number of devices that must be included in the evaluation and documentation, however, sufficient information must be provided to substantiate the facility’s judgment. Consideration and implementation of safer medical devices could be documented in the ECP by describing the safer devices identified as candidates for adoption, the method or methods used to evaluate the devices, the results of the evaluations; and the justification for selection decisions.
I have heard that OSHA has announced a final rule that updates the Hazard Communication Standard (HCS). What does this mean for employers?
The Occupational Safety and Health Administration (OSHA) has modified the existing Hazard Communication Standard and aligned it with the United Nations’ Globally Harmonized System of Classification and Labeling of Chemicals (GHS). According to OSHA, “the GHS was negotiated in a multi-year process by hazard communication experts from many different countries, international organizations, and stakeholder groups. It is based on major existing systems around the world, including OSHA's Hazard Communication Standard and the chemical classification and labeling systems of other US agencies.”
Once implemented, the revised standard will make it safer for workers by providing easily understandable information on appropriate handling and safe use of hazardous chemicals.
The major changes to the Standard include:
- Hazard classification: Provides specific criteria for classification of health and physical hazards, as well as classification of mixtures.
- Labels: Chemical manufacturers and importers will be required to provide a label that includes a harmonized signal word, pictogram, and hazard statement for each hazard class and category. Precautionary statements must also be provided.
- Safety Data Sheets: (previously referred to as Material Safety data Sheets) will now have a specified 16-section format.
- Information and training: Employers are required to train workers by December 1, 2013 on the new labels elements and safety data sheets format to facilitate recognition and understanding.
Employees must be trained on the new label elements (e.g., pictograms and signal words) and SDS format by December 2013. Full compliance with the final rule will begin in 2015.
The table below, provided by OSHA, is a summary of the effective dates for the new requirements:
Effective Completion Date
December 1, 2013
Train employees on the new label elements and safety data sheet (SDS) format.
June 1, 2015
December 1, 2015
Compliance with all modified provisions of this final rule, except:
The Distributor shall not ship containers labeled by the chemical manufacturer or importer unless it is a GHS label
Chemical manufacturers, importers, distributors and employers
June 1, 2016
Update alternative workplace labeling and hazard communication program as necessary, and provide additional employee training for newly identified physical or health hazards.
Transition Period to the effective completion dates noted above
May comply with either 29 CFR 1910.1200 (the final standard), or the current standard, or both
Chemical manufacturers, importers, distributors, and employers
During the phase-in period, employers are allowed to be in compliance with either the existing HCS, the revised HCS, or both.
OSHA is requiring that employees are trained on the new label elements (e.g., new pictograms and signal words) and SDS format by December 2013, while full compliance with the final rule will begin in 2015.
What is the recommended way to monitor whether a sterilization process has been effective?
There are three methods used to monitor the sterilization process, mechanical, chemical, and biological. The Centers for Disease Control and Prevention (CDC) has described them as:
Mechanical techniques for monitoring sterilization include assessing the cycle time, temperature, and pressure of sterilization equipment by observing the gauges or displays on the sterilizer. Correct readings do not ensure sterilization, but incorrect readings could be the first indication that a problem has occurred with the sterilization cycle.
Chemical indicators, internal and external, use sensitive chemicals to assess physical conditions such as temperature during the sterilization process. Chemical indicators such as heat-sensitive tape change color rapidly when a given parameter is reached. An internal chemical indicator should be placed in every sterilization package to ensure the sterilization agent has penetrated the packaging material and actually reached the instruments inside. An external indicator should be used when the internal indicator cannot be seen from outside the package.
Biological indicators (BIs, otherwise known as spore testing), are the most accepted means of monitoring the sterilization process because they directly determine whether the most resistant microorganisms (e.g., Geobacillus or Bacillus species) are present, rather than merely determine whether the physical and chemical conditions necessary for sterilization are met. Because spores used in BIs are more resistant and present in greater numbers than are the common microbial contaminants found on patient care equipment, an inactivated BI indicates that other potential pathogens in the load have also been killed.
The CDC recommends that biological monitoring be performed at least weekly, and in addition:
- Whenever a new type of packaging material or tray is used.
- After training new sterilization personnel.
- After a sterilizer has been repaired.
- After any change in the sterilizer loading procedures.
It should be noted that many professional state boards and state Departments of Public Health require that spore testing be performed, at minimum, on a weekly basis. This may be considered a major violation during state inspections.
What are some of the considerations I should take into account when establishing an Emergency Response Plan?
Begin with an evaluation of the type of emergencies you may experience. This will generally depend on geographic location. Each type of possible emergency must have a particular response. For instance, employees would evacuate prior to a hurricane, but shelter-in-place during tornado warnings and earthquakes. Depending on the situation, some or all of the employees may be allowed to evacuate or are sent home, while others may be required to perform certain duties and may be asked to remain on site, even for a short time.
In developing your site-specific plan, you should consider the following:
- Local police, fire and emergency response resources available, how you will contact them (especially if power is lost), and their expected response times
- Site accessibility (all areas) to emergency personnel and equipment
- Designating two escape routes from the facility
- Deciding on the safest place to seek shelter for employees / patients / clients; when to evacuate vs. sheltering-in-place; which areas should remain off-limits, and how the information will be communicated to all individuals
- Setting up a telephone call tree, call-in voice recording, or some other method of communicating with your employees during an emergency—and make sure all employees are aware of it
- Training some employees in first aid / CPR
- Creating an emergency business contractors list
- Discussing power back-up options with in-house maintenance personnel and / or utility service providers (such as battery backup procedures for fire and alarm equipment, computers / databases etc.)
- Backing up records and critical data, and keeping a copy off-site
- Evaluating problems that may be encountered because of a building’s age and construction
- Creating a list of the names and numbers of social agencies that can help provide for basic needs in the event of a disaster, such as the American Red Cross, the Salvation Army and the United Way
- Deciding in advance what you will do if your building is unusable
- Meeting with your insurance provider to review coverage
- Creating a list of equipment / inventory on site
- Deciding which emergency supplies the company can provide
- Elevating valuable inventory, electric machinery, and important records off the floor in case of flooding
- Attaching equipment / cabinets to walls, etc., to prevent damage, and placing heavier items on low shelves
- Using computer anti-virus software and firewalls
- Keeping the building’s HVAC system maintained
Other, more expensive considerations that may be helpful, depending on the organization’s needs, include:
- Purchasing and installing a generator to provide power for essential operations
- Installation of automatic sprinkler systems
- Upgrading your building’s HVAC system to secure outdoor air intakes and increase filter efficiency
- Evaluating your building to make sure it meets local codes—you may want to consider hiring a professional engineer to investigate wind, fire and seismic building resistance
- Sending safety personnel to emergency response conferences/trainings
- Discussing the costs of additional insurance for flood, earthquakes and business interruption