June 6, 2013
THHS adheres to federal law when it comes to protected patient information
By B.L. Azure
Hi-Tech and HIPAA
• 1996 HIPAA Administrative Simplification
* Standards for administrative/financial transactions for efficiency/cost savings
* Standards for security and privacy to protect patient identifiable information
• 2009 Hi-Tech Act
* Standards for electronic records and data sharing in clinical setting, for quality reporting, and other population health purposes
* Subpart D for privacy protections and security for patient identifiable information
Covered entities must notify each affected individual of breach of “unsecured protected health information.”
Business associate must notify covered entity of breach.
Notice to media if more than 500 people affected.
Notifications to be provided without unreasonable delay (but no later than within 60 days) of discovery of breach.
Notice to Secretary of breach and posting on HHS Website.
Compliance and Enforcement
• Any person or organization can file complaints with OCR (generally within 180 days)
• OCR may investigate complaints and may conduct compliance reviews
• Covered entity must provide OCR with access to records; subpoena authority
• OCR shall attempt to resolve noncompliance by informal means
• Every complaint received by OCR is reviewed and allegations analyzed.
• An investigation is launched when warranted by the facts and circumstances presented by the complaint.
• OCR investigations have resulted in changes in privacy practices and other corrective actions in over 7,861 cases since April 2003.
• Corrective action obtained by HHS from covered entities has resulted in systemic change that benefits all individuals they serve.
Most Common Complaints
• Impermissible use or disclosure of an individual’s identifiable health information
* Example of impermissible use: viewing your own PHI, that of a coworker or of a family member
* Example of impermissible disclosure: telling PHI from work to someone outside of work
• The compliance issues investigated most frequently are:
* The lack of adequate safeguards to protect identifiable health information
* Refusal or failure to provide the individual with access to or a copy of his/her records
* The disclosure of more information than is minimally necessary to satisfy a particular request for information
* Failure to have the individual’s valid authorization for a disclosure that requires one
ST. IGNATIUS — Mum is the word when it comes to protected patient information at the Confederated Salish and Kootenai Tribes Tribal Health and Human Services Department. The zipped-lip approach on protected patient information is the law, a federal law entitled the Health Insurance Portability and Accountability Act (HIPAA) that applies to all health care providers and affiliated staff nationwide including THHS employees.
The 1996 federal law instituted health care administrative reforms, phased in from 2000-2003, that among other things addressed the confidentiality of health care patients.
Tribal Health Administrative Assistant for Personnel and Payroll and HIPAA Compliance Officer Shonda Bolen said that all of the approximately 130 THHS employees regardless of position are required to take the federally required HIPAA training course.
“We will complete the training of all Tribal Health employees by June 28th,” Bolen said. “After that all the (THHS) employees will be required to take annual training from here on out. There are significant fines for those who violate a patient’s confidentiality. Depending on the severity of the violation a THHS employee could lose their job.”
New (THHS) employees will be required to take the training as part of their initial orientation.
Tribal Health Director Kevin Howlett said HIPAA compliance is a paramount policy of THHS to ensure the privacy and security of each individual’s health care information in accordance with the standards and requirements of the federal law.
“The absolute privacy of THHS patients is non-negotiable,” Howlett said. “It is a serious issue and all of our patients need to be aware of our compliance to the law. We will not tolerate violations of the law by our employees no matter their station within Tribal Health.”
Of major importance in the HIPAA legislation are the standardization of data and transactions and the security of the electronic transfer of patient information.
The federal mandate is key to ensuring billing of third parties for services that health care providers — read Tribal Health and Human Services Department — provide to their patients.
The goal of the Administrative Simplification section of the bill was to save money. It was requested and supported by the health care industry because it standardized electronic transactions and required standard record formats, code sets, and identifiers.
However, the standardization of electronic transactions increased the risk to the security and privacy of an individual’s identifiable health information via, among other things, computer hacking.
Consequently the law changes the way health care providers have to protect the privacy of a patient’s health information and contains security procedures that must be followed to protect the integrity of a patient’s health information.
The U.S. Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.
The Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.
The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information.
Bolen said Tribal Health patients who think the confidentiality of their protected health information has been violated should immediately contact her or Human Services Division Manager Nancy Vaughn to engage in the process of filing a complaint.
Tribal Health personnel found in violation of a patient’s protected health information can appeal the decision to the Indian Health Service or the U.S. Office of Civil Rights.
Folks not comfortable with contacting the local compliance folks can contact the U.S. Office of Civil Rights’ Equal Opportunity Specialist Karel Hadacek, J.D. at 303-844-7836, or email: Karel.Hadacek@HHS.gov
For more information on HIPAA and THHS compliance, contact Shonda Bolen at 745-3525, ext. 5032; or Nancy Vaughn at 745-3525, ext. 5097.
For more information on HIPAA, visit:
• Office of Civil Rights website: www.hhs.gov/ocr
• HIPAA privacy laws: www.hhs.gov/ocr/hipaa/
See Hi-Tech and HIPAA side bar for more information.