Protecting Health Information After Roe – Part 2: Steps for Healthcare Providers | Mintz – Perspectives on Health Care
State laws that restrict or criminalize abortion will require vast amounts of health information to enforce, putting further strain on health care providers caught between competing obligations to their patients and to the regulatory and law enforcement authorities who lawfully request this information.
In this second of our two-part blog series on protecting health information, we discuss legal and practical strategies healthcare providers can adopt to protect their patient information.
Official PHI requests
As previously noted, there are a number of provisions under HIPAA that allow healthcare providers to disclose protected health information (or “PHI”) to regulatory or law enforcement authorities. However, these HIPAA provisions are not unlimited, and there are requirements that must be met before a provider can disclose PHI. If a government request does not meet the criteria, the provider is not obligated to respond and, in fact, risks violating HIPAA if it responds to a request that falls outside the parameters of the rule.
The table below outlines examples of HIPAA provisions that allow PHI to be disclosed to regulatory authorities and the questions providers should ask to ensure that any disclosure complies with HIPAA requirements.
Informal PHI requests
As state abortion bans come into effect, providers are also likely to receive informal requests for PHI from regulatory authorities, law enforcement and others. HIPAA does not allow disclosure of PHI in response to an informal request, even if the person making the request appears to have some sort of authority, such as uniform or agency credentials. Improper disclosure is a violation of HIPAA.
Providers should educate staff and ensure employees understand that there is a difference between legitimate PHI requests and informal requests that may merely seem official. Employees must understand that they should not be intimidated or pressured into handing over PHI. Providers should have policies and procedures for directing all third-party PHI requests to a single point of contact within the organization, such as a privacy officer, who is qualified to assess them or who has access to the support needed to assess them. It is important that staff know exactly what to do when a so-called “authority” comes into the office to make a request.
In some states, pressure from authorities, or laws encouraging individuals to report illegal abortions, may increase the risk of employees snooping on patient records, in violation of HIPAA and state law. Accordingly, providers should regularly audit staff members’ access to PHI to confirm that access is authorized and to identify and address instances of snooping. Providers should inform staff members of the ongoing auditing activities, as well as the consequences of breaching patient privacy, to deter snooping.
Finally, in our last blog post, we discussed the rights under HIPAA that patients can use to protect their PHI as much as possible. Providers should take steps to educate patients about their rights and make it easier for them to understand and exercise those rights, especially patients who are younger or have other difficult circumstances. A provider’s notice of HIPAA privacy practices provides an excellent basis for discussion of patient rights. Providers could consider developing forms to make it easier for patients to exercise these rights.
Pay attention to details
As noted above, providers must take active protective measures to deter (and identify) “snooping” on medical records. It is difficult for practices to keep up with advances in technology and the ever-increasing amount and number of sources of data. Mitigating snooping has always been important to avoid HIPAA violations, but in states that ban abortion, protecting patients in this way is now even more critical.
Here are some steps to help mitigate snooping.
- Take stock of the data. The first step in data security is to understand where the data resides within the organization and why you have it. By doing so, organizations gain a clear understanding of who should access what and why. For example, email systems should never be used as a “storage” location for patient data.
- Set up access-monitoring software – and talk to your employees about it. With the sheer volume of data and patient records handled by a typical practice, automation is a necessity. This type of technology reviews the audit logs of who opened which record and when, and can flag unusual access behavior (such as access at odd hours, access to a patient the employee has no treatment relationship with, or an unusually high number of record lookups).
- Communicate policies and train employees. Transparency about the monitoring procedures in place reaffirms a culture of privacy and also reinforces that privacy breaches – regardless of the law – are unacceptable and that offenders will be identified.
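The kind of audit-log review the list above describes can be illustrated with a small script. This is an added example, not code from the Mintz post or from any EHR vendor. It assumes a hypothetical CSV-style export of the EHR access log (timestamp, user, patient ID, action) and a hypothetical care-team roster mapping each patient to the staff authorized to view that chart; the log lines, roster, business hours and the lookup threshold are all constructed for the demonstration. It flags three patterns: access by a user with no treatment relationship to the patient, access outside business hours, and a user opening many charts outside their care team in one day.

```python
"""Flag likely record snooping in an EHR access log (constructed example)."""
from collections import Counter
from datetime import datetime, time

# Hypothetical care-team roster: patient ID -> users with a treatment relationship.
# In practice this would come from the scheduling or EHR system.
CARE_TEAM = {
    "P1001": {"dr.ahmed", "rn.lopez"},
    "P1002": {"dr.chen"},
}

# Constructed sample access log: timestamp,user,patient,action (not real data).
ACCESS_LOG = """\
2022-08-01T09:15:00,dr.ahmed,P1001,view_chart
2022-08-01T09:40:00,rn.lopez,P1001,view_chart
2022-08-01T22:50:00,billing.kim,P1001,view_chart
2022-08-02T10:05:00,dr.chen,P1002,view_chart
2022-08-02T10:06:00,dr.chen,P1001,view_chart
2022-08-02T10:07:00,dr.chen,P1003,view_chart
2022-08-02T10:08:00,dr.chen,P1004,view_chart
"""

# Hypothetical policy parameters; tune to the practice.
BUSINESS_HOURS = (time(7, 0), time(19, 0))
LOOKUP_THRESHOLD = 3  # distinct out-of-team charts per user per day


def parse_log(text):
    """Parse CSV-style log lines into dicts with a datetime timestamp."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.strip().split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "patient": patient, "action": action})
    return rows


def audit(rows, care_team=CARE_TEAM):
    """Return a list of alert dicts for access events that warrant review."""
    alerts = []
    out_of_team = {}  # (user, date) -> set of patients accessed without a relationship
    for r in rows:
        # A patient missing from the roster has no authorized viewers, so any
        # access is flagged; that is the conservative choice for an audit.
        if r["user"] not in care_team.get(r["patient"], set()):
            alerts.append({"rule": "no_treatment_relationship", "user": r["user"],
                           "patient": r["patient"], "ts": r["ts"].isoformat()})
            out_of_team.setdefault((r["user"], r["ts"].date()), set()).add(r["patient"])
        if not (BUSINESS_HOURS[0] <= r["ts"].time() < BUSINESS_HOURS[1]):
            alerts.append({"rule": "after_hours", "user": r["user"],
                           "patient": r["patient"], "ts": r["ts"].isoformat()})
    # Many out-of-team lookups in one day looks like browsing, not a one-off mistake.
    for (user, day), patients in out_of_team.items():
        if len(patients) >= LOOKUP_THRESHOLD:
            alerts.append({"rule": "bulk_lookup", "user": user, "patient": None,
                           "ts": day.isoformat(), "count": len(patients)})
    return alerts


def count_by_rule(alerts):
    """Summarize alerts as a Counter keyed by rule name."""
    return Counter(a["rule"] for a in alerts)


if __name__ == "__main__":
    found = audit(parse_log(ACCESS_LOG))
    for a in found:
        print(a)
    print(dict(count_by_rule(found)))
```

Every alert here is a lead for the privacy officer to review, not proof of wrongdoing: a billing clerk may have a legitimate reason to open a chart at night, and break-the-glass emergency access is normal in some settings. The value of the script is that it turns a raw audit log into a short list that a human can actually work through, which is what the staff should be told is happening.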
To repeat: email is not document storage. Now is a good time to review your email practices and how your staff uses email. Email should not be used to store documents containing PHI, nor should consumer calendar services be used for firm administration that involves PHI. Generally, free, Internet-based webmail services (Gmail, Hotmail, AOL) are not secure for the transmission of PHI, whether in an email attachment or in the body of the email itself. The OCR has imposed penalties on providers for failing to take steps to protect PHI and for using Internet-based email and calendar services. Using secure services such as patient portals to transmit PHI and treatment-related communications also reduces the amount of PHI sitting in mailboxes, which is less data to protect and less data that can be demanded.
Resources
- HHS: When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?
- JAMA: Effectiveness of Email Warning in Reducing Unauthorized Access by Hospital Employees to Protected Health Information