Compliance:
Look Beyond HIPAA to Protect Health Information and Technology
Published on Wed May 16, 2018
Don't forget that your employees' health information must remain confidential, too.
Although the HIPAA Privacy and Security Rules and HITECH requirements certainly keep you busy enough in your privacy and security compliance efforts, these aren't the only laws and requirements that your practice needs to pay attention to.
Take a look at the various acts, laws, and regulations your practice is likely subject to, from securing protected health information (PHI) to keeping your employees' medical data private to managing your health IT.
Know These Regulations That Govern Health Records
Some laws and frameworks recognize that particular health conditions may put individuals at risk of discrimination or harm if the condition is disclosed. Federal and some state laws therefore require special treatment and handling of information relating to alcohol and drug abuse, genetics, domestic violence, mental health, and HIV/AIDS.
Applicable federal laws include:
- Alcohol and Drug Abuse Patient Records Privacy Law. The Confidentiality of Substance Use Disorder Patient Records regulation, 42 CFR Part 2, was recently updated to address the opioid crisis. Information about how the changes affect patients' data can be found at www.samhsa.gov/health-information-technology/laws-regulations-guidelines.
- Family Educational Rights and Privacy Act (FERPA). This primarily addresses the confidentiality of students' health records that relate to educational settings. Minors have certain protections under this law as well. Read the policy standards at www2.ed.gov/policy/gen/guid/fpco/doc/ferpa-hipaa-guidance.pdf.
- Americans with Disabilities Act (ADA). The ADA protects workers against disability-based discrimination and requires employers to keep the medical information they collect confidential, so employee health records must be handled separately from ordinary personnel files. It also protects children and parents for similar reasons. You can find out about the many health information protections under the ADA at www.ada.gov.
- Public Health Service Act (PHSA). Under Title X of this act, the confidentiality of family planning services and records is protected by law, and minors receive specific health record protections. Read the most recent updates at https://fas.org/sgp/crs/misc/RL33644.pdf.
- Genetic Information Nondiscrimination Act (GINA). This law expands on HIPAA and "protects individuals against discrimination based on their genetic information in health coverage and in employment," according to HHS guidance. GINA has two titles: Title I "prohibits discrimination based on genetic information in health coverage," while "Title II of GINA prohibits discrimination based on genetic information in employment," HHS explains. View the guidelines of the GINA final rule at www.hhs.gov/hipaa/for-professionals/special-topics/genetic-information/index.html.
- Medicare Conditions of Participation (CoP). In 42 CFR 485.60 of the CoP, CMS outlines the who, what, where, when, and why of clinical recordkeeping required to participate in its federal health programs and explains how clinical records, including PHI, must be safeguarded. See the CoP text at https://www.gpo.gov/fdsys/pkg/CFR-2011-title42-vol5/pdf/CFR-2011-title42-vol5-part485.pdf.
- Occupational Safety and Health Act of 1970 (OSHA): The act and the agency, which share the acronym, regulate workplace safety and the reporting of workplace injuries and illnesses, which means practices routinely create and handle employee medical records under OSHA rules. The OSHA standards most relevant to physician practices are: bloodborne pathogens; hazardous chemicals; exit routes; electrical; reporting occupational injuries and illnesses (which also involves state law); and ionizing radiation (if you operate X-ray or similar equipment). You can read OSHA's "Compliance Assistance Quick Start for Health Care" at www.osha.gov/dcsp/compliance_assistance/quickstarts/health_care/; OSHA guidance on the standards most relevant to physician practices at www.osha.gov/Publications/osha3187.pdf; and OSHA's fact sheet on HIPAA at www.osha.gov/Publications/OSHA-factsheet-HIPPA-whistle.pdf.
Review Regulations That Impact HIT
The modernization of healthcare has brought significant technology enhancements over the last two decades that promote workflow efficiency and patient safety. The combination of federal mandates, EHRs, mobile devices, and the internet has pushed electronic health information exchange (HIE) to the forefront of healthcare, making it nearly impossible to practice medicine without technological tools. However, cybercrime targeting PHI for unlawful use has exploded, and providers continue to struggle to keep ahead of it.
Despite the added risks, federal agencies keep adding pro-technology requirements to encourage safe practices, better communication between providers and patients, and quality care. HHS and its agencies regulate health IT through the HIPAA Security Rule as well as these laws:
- 21st Century Cures Act. Signed into law in December 2016, the Cures Act concerns medical research and interoperability. It also homes in on HIPAA privacy issues, substance abuse, and mental health. The law aims to modernize healthcare by increasing data sharing, social media and EHR use, and improving other health IT exchanges while keeping privacy in mind. Review the Cures Act at www.congress.gov/bill/114th-congress/house-bill/34.
- Affordable Care Act (ACA). Despite many alterations and rollbacks of the ACA over the last year or so, it still proposes to "establish comprehensive health care insurance reforms that aim to increase access to health care, improve quality and lower health care costs, and provide new consumer protections," according to HHS Office of the National Coordinator for Health Information Technology (ONC) guidance. Read more about the ACA at www.hhs.gov/healthcare/about-the-aca/index.html.
- The Medicare Access & CHIP Reauthorization Act of 2015 (MACRA). Under this act, CMS reimagined Medicare reimbursement, putting quality and value first. First with Advancing Care Information (ACI) and now with the rebranded Promoting Interoperability (PI) as its technical reporting component, the agency continues to push certified EHR technology (CEHRT) and health IT coordination to improve Part B beneficiaries' experiences. See the most recent PI guidance at www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/index.html?redirect=/ehrincentiveprograms.
- Food and Drug Administration Safety and Innovation Act (FDASIA). Under Section 618 of FDASIA, HHS, ONC, FDA, and Federal Communications Commission (FCC) leaders created "a report that contains a proposed strategy and recommendations on an appropriate, risk-based regulatory framework for health IT, including medical mobile applications, that promotes innovation, protects patient safety, and avoids regulatory duplication," notes ONC guidance. You can read FDASIA at www.fda.gov/RegulatoryInformation/LawsEnforcedbyFDA/SignificantAmendmentstotheFDCAct/FDASIA/default.htm and the agencies' report at www.healthit.gov/sites/default/files/fdasiahealthitreport_final.pdf.