A Couple Of Little Known HIPAA Facts

Last week I was contacted by Corey Goodman, a reporter for HCPro, about a story he is doing that sounds like it will be quite interesting! He is collecting examples and anecdotes about “little know HIPAA facts” and asked me to contribute some for his article.
I anticipate that he will be cutting the couple of little known facts I provided to him down quite a bit, so I wanted to provide them here not only as a future reference for myself, but also for those of you who may be interested!

Little known HIPAA fact: Covered entities must protect protected health information (PHI) appropriately when disposing of it in any form, including hard copy information.
Many people think that HIPAA only applies to PHI in electronic form. While it is true that the Security Rule applies only to electronic PHI, this is covered within the Privacy Rule, which covers PHI in *ALL* forms.

“¬ß 164.530 Administrative requirements.
(c)(1) Standard: Safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.
(2)(i) Implementation specification: Safeguards. A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.
(ii) A covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.”

A blog posting I did a couple of years ago provides an example for this…
Back in October 2006 my local news reported that a woman’s personal information, including medical details, were printed on the back of a back-to-school flier Wal-Mart made available in their Boone, Iowa store. The person who got the flier in the store called the woman whose personal details were printed on it, it included her phone number, to let her know about the incident.
The woman’s attorney indicated they were filing a lawsuit against Wal-Mart, and said “The customer was very, very upset with what she found. She told Pat [the person whose info was on the flier] that ‘You don’t know me, but I have some information that I should not have, and I obtained it at the Wal-Mart store.'”
It is not known if this was the only flier with personal information printed on it, or if it was on more, or all, of the fliers. It would be interesting to know if others got this same woman’s information on the fliers they picked up, or if they got medical information about other persons.
This is another good example of how mistakes or oversights happen that result in privacy breaches that are not technical. It is possible that Wal-Mart was printing the fliers on recycled paper, some of which may have come from their pharmacy area. If so, they need to have better controls in place to ensure such sensitive printed data is secured and shredded when disposed. Someone also should have looked through the fliers prior to putting them out for the customers, just as a QA activity. Doing so could have caught this blunder.
It once more boils down to the human element, and the importance of having well communicated and enforced information security policies and procedures.
Depending upon getting all the facts, this incident could well have been a HIPAA violation. The pharmacy portion of Wal-Mart would be a covered entity. If the medical details did come from it and investigation shows there were not reasonable controls in place to prevent the incident from happening, it would would likely be qualified as a HIPAA violation.
Little known fact: Business Associates (BAs) of Covered Entities (CEs) must comply with the terms of HIPAA as outlined within their BA agreement.
Most of the 100+ BAs I’ve reviewed think they do not need to follow any of, or even know about, HIPAA if they, themselves, are not healthcare providers, healthcare payers/insurers, or healthcare clearinghouses.
This is covered within the Privacy Rule, which covers PHI in *ALL* forms.

“¬ß 164.502 Uses and disclosures of protected health information: general rules.
(e)(1) Standard: Disclosures to business associates.
(i) A covered entity may disclose protected health information to a business associate and may allow a business associate to create or receive protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information.”
§ 164.504 Uses and disclosures: Organizational requirements.
(e)(1) Standard: Business associate contracts
(2) Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must:
(i) Establish the permitted and required uses and disclosures of such information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that:
(A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and
(B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity.
(ii) Provide that the business associate will:
(A) Not use or further disclose the information other than as permitted or required by the contract or as required by law;
(B) Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract;
(C) Report to the covered entity any use or disclosure of the information not provided for by its
(D) Ensure that any agents, including a subcontractor, to whom it provides protected health information received from, or created or received by the business associate on behalf of, the covered entity agrees to the same restrictions and conditions that apply to the business associate with respect to such information;
(E) Make available protected health information in accordance with §164.524;
(F) Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with §164.526;
(G) Make available the information required to provide an accounting of disclosures in accordance with §164.528;
(H) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity available to the Secretary for purposes of determining the covered entity’s compliance with this subpart; and
(I) At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.
(iii) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.”

Over the past few years I’ve done over 100 BA security and privacy program reviews for a couple of HIPAA CEs. I found the following within an overwhelmingly large number of these BAs:
1) The information security and privacy officers to whom I spoke while doing the reviews indicated that since they, themselves, were not HIPAA CEs that they did not need to know or follow the HIPAA requirements.
2) They also did not even know the terms within the BA agreement by which they were bound.
3) Initially did not allow me to review their information security and privacy policies to ensure they were in compliance with § 164.504 (e)(2)(ii)(H), but after some persistence and discussion with their lawyers, armed with statements from the HHS, they provided me with access to their documents.
Upon review of the BAs’ policies, procedures, BA agreements, and other associated PHI protection practices, I found a very large number were not in compliance with the BA agreements, and an alarmingly large number had absolutely no documented information security policies, no documented DR/BC plans, and other significant security and privacy vulnerabilities.
I enjoyed this little exercise! Sometime in the future I’ll provide some other little known facts about not only HIPAA, but also other laws, regulations and industry standards.

Tags: , , , , , , , , , , ,

Leave a Reply