Health Information Compliance Alert

The Third Degree:

Reader Questions Answered

HIPAA ON THE NET

Question: "If a patient wishes to have test results sent to him via e-mail and has signed a consent form for this communication with the understanding that our office does not encrypt the message, are we still permitted to send this information along to him? Do we have any other responsibilities under HIPAA in regard to this request?"

- California subscriber

Answer: In this type of situation it would be advisable to have the patient sign an authorization to disclose protected health information via e-mail, says Laura Scallion, president and CEO of AllSource Technical Solutions, Inc., in Portland, OR. "The authorization should include language that clearly informs the patient that e-mail is not encrypted and the Internet is not secure. If the patient authorizes, it's permissible to send the results via e-mail," she notes.

Now, as far as when you should have the patient sign this authorization form, Scallion advises entities to provide it to the patient only upon request. "Some people still have no idea what to do or how to use e-mail, so if it's included at sign-in, they would be signing something they knew nothing about - it would cost more time involvement for the admitter in explanation of what they are signing," she says.

The Bottom Line: You are permitted to send non-encrypted documents containing PHI to patients via e-mail as long as you first obtain a signed authorization from the patient explaining that transmissions sent over the Internet have vulnerabilities or are not 100 percent secure. (For a sample e-mail authorization form, see HICA, vol. 3, no. 8, page 59.)

 

CAN WE SHARE?

Question: One of our office employees moonlights at a long-term care facility. Under what circumstances can he share PHI with our staff about a patient he cared for at another facility?

- Pennsylvania subscriber

Answer: Sharing PHI is "not appropriate unless it's particularly for treating the patient," Kirk Nahra, a partner in the D.C. office of Wiley Rein & Fielding, advises. If both facilities have an established treatment relationship with the patient, the employee could provide valuable information that would benefit all parties. However, if he is sharing the information simply because he is aware of it or for the purposes of gossip, that is inappropriate and violates the patient's privacy, he says.

If the employee has information about misconduct or abuse of a patient, then he should address those concerns to his supervisor at the facility where the behavior is occurring - not staff at a separate facility - or, if necessary, to law enforcement. This disclosure is protected under HIPAA's whistleblower provision. But generally speaking, "there shouldn't be any communication unless it's for treatment purposes," says Margret Amatayakul of Schaumburg, IL's Margret\A Consulting.

The Bottom Line: If your employee is sharing information about patients for reasons other than treatment, payment or health care operations, that behavior violates HIPAA and must be reported and corrected before it adversely affects your facility. Any whistleblowing should happen internally unless law enforcement must be involved.

 

HIPAA SELF-ENFORCEMENT

Question: What is the duty of a compliance officer whose organization refuses to enforce HIPAA compliance?

- Maryland subscriber

Answer: Any employee who is concerned about HIPAA violations should go directly to their compliance officer, experts advise. HIPAA requires that entities develop and distribute a sanctions policy that includes "termination requirements if people fail to abide by the rules," reminds Stephen Bernstein, an attorney at McDermott Will & Emery in Boston, MA.

If a violation occurs outside the facility, the same rule applies. "If it's a business associate and we cannot get the problem resolved, our relationship with that business associate would end," explains Tracie Hanna, Privacy Coordinator for American Republic Insurance Company in Des Moines, IA.

Worst Case: If the violator is the compliance officer, don't be afraid to voice your reservations. "Go as high in the organization as you have to," encourages Michael Hubbard, an attorney in the Raleigh, NC office of Smith Anderson Blount Dorsett Mitchell & Jernigan. Compliance officers are not immune to HIPAA's regulations, Hanna stresses. "They don't have free rein to do what they want. If they're not abiding by the law, then they have to answer for that," she asserts.

Suggestion: Develop a checks-and-balances system so that each employee is accountable for their actions, Hanna recommends.

Example: "We have a HIPAA Steering Committee composed of several senior management members" that makes critical HIPAA decisions and ensures compliance, she confides.

The Bottom Line: The law's the law. Every employee must comply with HIPAA or face termination. "Failure to act [on noncompliance] is a liability and [the ramifications] can go all the way up to the CEO," Bernstein declares. Remember: If you don't follow your sanctions policy and mitigate noncompliance, the HHS Office for Civil Rights can come in and penalize!