Emergency Preparedness Best Practices


In the wake of two damaging hurricanes, the topic of emergency preparedness is at the top of mind for many Covered Entities and Business Associates. The goal of emergency preparedness is to ensure electronic protected health information (ePHI) is secure, and the confidentiality, integrity, and availability of ePHI is not jeopardized both during and after an emergency.

Effective emergency preparedness consists of having a contingency plan that includes a data backup plan, a disaster recovery plan, and an emergency mode operation plan. The data backup plan ensures that you have accurate backups of the ePHI, while the disaster recovery plan describes how you recover from those backups. The emergency mode operation plan outlines how ePHI will remain secured during the course of the emergency. While not specifically required, your organization should consider testing your contingency plan and revising it as necessary.

When thinking about putting your plan together, you can follow a seven-step process:

  1. Assess your situation;

  2. Identify risks;

  3. Formulate an action plan;

  4. Decide if and when to activate your plan;

  5. Communicate the plan;

  6. Test the plan; and

  7. Treat the plan as an evolving process.

While this process is linear, these steps can take considerable time to finalize. If you don’t have a contingency plan in place now, you should begin the process of developing and implementing one as soon as possible.

Can I Send Patient Information To…?


One of the most common questions I hear is, “Can I send patient information to…”, with a plethora of situations and organizations completing that sentence. Not only is this one of the most common questions, but it is also one of the most fundamental from a patient privacy perspective. I encourage everyone to analyze their unique environment and create a reference guide that captures the typical disclosures for your organization. Include when disclosure is appropriate, when it is inappropriate, and when the Privacy Officer should be consulted.

The reference guide should be developed by analyzing the three types of disclosures of Protected Health Information (“PHI”):

  • Required Disclosures:  The instances in which the PHI must be disclosed include:

    • To individuals when requested for access or an accounting of disclosures; and

    • To the Secretary of U.S. Department of Health and Human Services when conducting a compliance investigation, review, or enforcement action.

  • Permitted Disclosures:  These are situations in which the PHI may be disclosed without the patient’s consent, but you are under no obligation to disclose at all.  Permitted disclosures include:

    • For treatment, payment, and healthcare operations to another covered entity or a business associate with whom you have an executed business associate agreement;

    • With the opportunity to agree or object:  Examples include inclusion in a facility directory, and to family, friends, or others involved in the patient’s care or payment for care;

    • Use or disclosure incidental to a disclosure that is otherwise permitted;

    • Public interest and benefit activities, including when required by statute, regulation or court order, for public health activities, victims of abuse, neglect or domestic violence, for health oversight activities, for law enforcement purposes, and several others (find the full list here); and

    • In a limited data set, which is a data set from which specified direct identifiers have been removed, for research, operations, or public health purposes.

  • Authorized Disclosures:  Authorized disclosures include any disclosure that is not required or permitted.  These disclosures can only be made pursuant to a patient’s authorization.  Patients have wide deference in deciding what disclosures to authorize, and duly authorized disclosures must be made unless doing so will bring harm to the patient.  An authorization must meet specific requirements, such as:

    • Be in plain language;

    • Be specific about the information to be disclosed;

    • Identify who is disclosing and receiving;

    • Include a time or event for expiration; and

    • Permit the authorization to be revoked in writing.

While the healthcare industry becomes more complex by the day, all disclosures will still fit into one of these three categories. If a disclosure is not permitted or required, it must be authorized by the patient. By placing the typical disclosures within your organization into one of these three categories, you will be able to answer the question of whether you may send the patient information or not. For any atypical disclosures that do not fit neatly into one of these groups, consult your Privacy Officer for the final determination.

Breach Notification Requirements


Most people in the industry believe HIPAA requires notification of a breach to the federal government and affected individuals within 60 days of discovery (unless preempted by state requirements). However, HIPAA’s breach notification timeline is actually “without unreasonable delay,” but not longer than 60 days after the breach was discovered.

Therefore, 60 days is the absolute maximum amount of time permitted, but a shorter timeframe might be reasonable, and thus, ‘required.’

This can be a challenging requirement to comply with, as what is really required is highly fact specific. There is little – if any – formal guidance to assist in determining what type of delay might be reasonable and what might be unreasonable. The best tactic is not to focus on the 60-day aspect, but to conduct a swift and efficient incident investigation and breach determination. Doing so within the 60-day window, and notifying the respective regulators and affected individuals within that timeframe, would eliminate any question of whether the notification was reasonable. The worst case would be to have been able to effectuate notice sooner, but instead to have delayed notice until closer to the 60-day ceiling. That would seemingly be an unreasonable delay, and could result in increased penalties.

Breach notification is never a pleasant situation, especially not for those potentially affected. HIPAA is drafted to provide timely notification to those affected, while still allowing flexibility to conduct a thorough and proper investigation. While HIPAA may allow up to 60 days for notification, a shorter timeframe is often reasonable and most appropriate.

Does Your Marketing Meet HIPAA Requirements?


Despite our best efforts, it is sometimes hard to keep all HIPAA requirements in mind at all times. One that seems to slip through the cracks is HIPAA’s provisions on marketing. In fact, these are not specifically outlined in HIPAA, but rather are an extension of the Privacy Rule and its permitted, required, and authorized disclosures. When putting together marketing materials, keep in mind the following:

  • Are you using a patient’s full-face picture, or any other picture that could identify the person, in your marketing materials? This includes pamphlets, business cards, websites, and even pictures in your office. If you are, then you should ensure that you have a specific authorization from the individual to use their picture for your marketing purposes. If you want to work around this requirement, simply use stock photos in your advertisements.

  • Are you using a patient’s testimonial, with their name attached, for marketing purposes? If you are, you also need to have a specific authorization from the patient to use their name in association with the testimonial. If you want to work around this requirement, just take names off testimonials and ensure nothing quoted is identifiable.

  • There is some debate about whether simply having pictures of patients up around your office, as is typical in pediatrics practices, requires an authorization. Best practice is to have a patient execute an authorization before putting any picture of them in your office.

Keep in mind, HIPAA does not preclude you from using pictures or testimonials in your marketing materials. However, HIPAA does require that a patient authorize the use of their picture, name, or anything else identifiable in marketing. Assuming patients execute it, simply including an authorization with all other new patient documentation should pave the way for you to use pictures and names in marketing materials.