How to Safeguard Protected Health Information
Simple fixes can help practices meet the 'minimum necessary' standard under HIPAA.
Do not tell more than is necessary or authorized. That seems like a simple enough principle when it comes to protected health information (PHI). Yet the minimum necessary standard under HIPAA is the fifth most common compliance issue investigated by the Office for Civil Rights.
“One of the most common HIPAA violations, even today, is sending something to the wrong fax number or the wrong doctor,” said Neville Bilimoria, a partner in the health law practice group of Duane Morris in Chicago. “It's all human error – it's not intentional – it's just people not paying attention to a fax number.”
Because the release of too much information often involves simple mistakes, it is frequently a simple fix that can correct this issue. Here are some tips for keeping a practice compliant with the minimum necessary standard.
Human errors and confusion with the minimum necessary requirement stem most frequently from the fact that personnel are not properly trained in this area, said Brand Barney, a security analyst for Security Metrics, headquartered in Orem, Utah.
“In HIPAA, this is really the belly of the beast,” Barney said. “It causes lots of confusion because of small, simple things that an entity can be doing, and should be doing, that they just fail completely to do.”
The entire staff should know they have a responsibility to protect patients' personal health information. They should all know what they can and cannot disclose and to whom they can disclose it. They should also know where this part of HIPAA typically does not apply: the minimum necessary standard generally does not cover disclosures to other providers for treatment, to the patient, to the patient's legally authorized representative, or to the Department of Health and Human Services.
Bilimoria said offices should train staff on the flow of information. When information is given out, staff should track where it goes to confirm it reached the patient, doctor, or other entity it was meant for.
Staff should be trained on a biannual basis to refresh their knowledge and stay consistent with the office's risk assessment plan. Each organization should have a HIPAA authorization form that is used when PHI is disclosed, and staff should understand that they disclose only what that authorization covers.
As part of its training, every office should have a listing of its routine disclosures, Barney said. Unusual requests may arise, but most practices should be able to compile a list of frequently recurring disclosures that can be used for reference.
Some common examples include disability requests, insurance companies' substantiation of care for payment, or a request from a patient to transfer records. This is a good place to explore business associate release of information as well.
There should also be a list of potential non-routine disclosures to guide staff when those occur. If somebody from the general public calls asking for information about a patient, what can be given out?
Along with the non-routine scenarios, office staff should take steps to ensure they are disclosing the right amount of information. The guidance should state plainly that, when in doubt, staff escalate to the privacy officer and ask for assistance rather than guess.
“They have to understand what type of data they are allowed to give, and if we don't tell them, I find that minimum necessary becomes really foggy or vague really quick and they end up breaching it,” Barney said. “By nature, people are inclined to give out more than they should.”
The third tier of a plan to keep PHI secure is to make sure people have access only to what they are supposed to be seeing. Barney calls this role-based control, and the details will differ slightly for every practice.
Begin by breaking access down into several levels, depending on what each job requires. Level 1 might be a janitor who is not allowed to see any PHI. Level 2 might be minimal access, for people who need information only to complete certain tasks or document actions. Level 3 may be broader access, and level 4 full access to all records. It is the job of the security and privacy officer to draw up a chart and place every job classification in its appropriate level.
Once access levels are determined, technical controls should be configured in the practice's systems so that people can reach only the information their level allows. Shared files and folders where several people enter data into one place deserve special attention: a single shared location tends to expose every contributor to everything stored there, which quietly defeats the level chart.
“If someone can see it, the odds are they might disclose it,” Barney said. “Not purposefully, but because it is possible, it can happen.”
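The tiered chart above is easy to describe and easy to get wrong in software. The following is an added example, not code from the article or from either firm quoted in it, of one way to enforce it: a deny-by-default, field-level release function that refuses over-broad requests instead of silently trimming them, logs every decision, and surfaces users who keep asking for more than their role permits. The roles, field names, user names and patient record are hypothetical and constructed for illustration.

```python
"""Added example of tiered, role-based release of patient record fields.
The roles, field names and sample record below are constructed for
illustration (hypothetical); this is not code from any practice or vendor.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Field groups of a constructed patient record, by sensitivity.
DEMOGRAPHIC = {"patient_id", "name", "date_of_birth"}
CONTACT = {"phone", "address"}
BILLING = {"insurance_id", "balance_due"}
CLINICAL = {"diagnoses", "medications", "notes"}

# Hypothetical role chart in the spirit of the article's four levels:
# level 1 sees no PHI, level 2 sees only what a task needs, level 3 sees
# more, level 4 sees everything. Roles not in the chart get nothing.
ROLE_FIELDS = {
    "janitor": frozenset(),                                              # level 1
    "scheduler": frozenset(DEMOGRAPHIC | CONTACT),                       # level 2
    "billing_clerk": frozenset(DEMOGRAPHIC | BILLING),                   # level 2
    "nurse": frozenset(DEMOGRAPHIC | CONTACT | CLINICAL),                # level 3
    "physician": frozenset(DEMOGRAPHIC | CONTACT | BILLING | CLINICAL),  # level 4
}


class AccessDenied(Exception):
    """Raised when a request asks for any field outside the role's chart."""


@dataclass
class AuditLog:
    """In-memory audit trail; a real deployment writes to append-only storage."""
    entries: list = field(default_factory=list)

    def record(self, user, role, patient_id, requested, outcome, detail):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "patient_id": patient_id,
            "requested": sorted(requested), "outcome": outcome, "detail": detail,
        })


def release(record, user, role, requested, audit):
    """Return only the requested fields if every one is permitted for the role.

    Over-broad requests are refused outright rather than silently trimmed,
    and the refusal is logged: asking for more than the role needs is the
    behaviour the privacy officer wants to see and correct.
    """
    allowed = ROLE_FIELDS.get(role, frozenset())   # unknown role -> deny by default
    requested = set(requested)
    over = requested - allowed
    if over:
        audit.record(user, role, record["patient_id"], requested, "denied",
                     f"not permitted for role: {sorted(over)}")
        raise AccessDenied(f"{role} may not access {sorted(over)}")
    released = {k: record[k] for k in requested if k in record}
    audit.record(user, role, record["patient_id"], requested, "released",
                 sorted(released))
    return released


def over_requesters(audit, threshold=2):
    """Users with `threshold` or more denials: candidates for retraining,
    or a sign that their role is charted at the wrong level."""
    counts = {}
    for e in audit.entries:
        if e["outcome"] == "denied":
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


# Constructed sample record; no real patient data.
SAMPLE_RECORD = {
    "patient_id": "P-0001", "name": "Example Patient", "date_of_birth": "1970-01-01",
    "phone": "555-0100", "address": "1 Example St", "insurance_id": "INS-42",
    "balance_due": 120.0, "diagnoses": ["example"], "medications": ["example"],
    "notes": "example",
}


def demo():
    """Run a permitted request plus the denial cases; returns results for inspection."""
    audit = AuditLog()
    ok = release(SAMPLE_RECORD, "bob", "billing_clerk", {"name", "insurance_id"}, audit)
    denied = []
    for user, role, fields in [
        ("bob", "billing_clerk", {"name", "diagnoses"}),  # task creep into clinical data
        ("bob", "billing_clerk", {"notes"}),
        ("pat", "janitor", {"name"}),                     # level 1: no PHI at all
        ("eve", "contractor", {"name"}),                  # role not on the chart
    ]:
        try:
            release(SAMPLE_RECORD, user, role, fields, audit)
        except AccessDenied as exc:
            denied.append(str(exc))
    return ok, denied, over_requesters(audit), audit


if __name__ == "__main__":
    ok, denied, flagged, audit = demo()
    print("released to billing clerk:", ok)
    for d in denied:
        print("denied:", d)
    print("users to follow up with:", flagged)
```

Two design choices matter here. First, the check is on the request, not the record: a role that is missing from the chart, or that is charted with an empty field set, gets nothing, so a misconfiguration fails closed. Second, a request that reaches past the role is refused whole and logged rather than quietly reduced to the permitted subset; the denial count per user is what tells the privacy officer who needs retraining or whose level was charted wrong.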