Health Insurance Portability and Accountability Act (HIPAA)

HIPAA requires covered entities and their business associates to protect the privacy and security of protected health information (PHI). It also gives patients rights over their PHI. HIPAA's Privacy Rule restricts the use and disclosure of individuals' PHI. The Security Rule requires administrative, technical and physical safeguards to ensure the confidentiality, integrity and availability of electronic PHI (ePHI).

HIPAA resources

  1. HIPAA compliance 
  2. Notice of Privacy Practices
  3. Business Associates agreement
  4. HIPAA & electronic communications
  5. Security Rule
  6. Breaches & notifications
  7. Practice Visitors and Observers

HIPAA background

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) enacted various privacy and security protections related to patient health information. The majority of health care providers, including doctors of optometry, are required to comply with HIPAA. Since HIPAA became law, there have been a number of regulations issued that govern how health care providers must protect the privacy of the patients they treat. Included below are resources and information to assist doctors in complying with HIPAA.

The HIPAA Privacy and Security Rules are federal law. The privacy rule gives individuals rights over their health information, and sets rules and limits on who can look at and receive health information. The security rule delineates safeguards to protect health information in electronic form and helps to ensure that electronic protected health information is secure.

Individuals, organizations and agencies that meet the definition of a "covered entity" must comply with HIPAA. A doctor of optometry is considered a "covered entity" if he/she transmits any information in an electronic form in connection with a transaction for which the Department of Health and Human Services (HHS) has adopted a standard. For example, submitting an electronic claim to Medicare or another payer is such a transaction.

Updated HIPAA regulations were issued in January 2013. Changes made by the new regulations account for various changes in health care practices, including the increased use of electronic health records. The majority of the provisions in the updated HIPAA regulations have a compliance deadline of September 23, 2013.


HIPAA compliance


The US Department of Health and Human Services has numerous resources on privacy, security, breach notifications, and patients’ rights.  The AOA has also provided the HIPAA Security Regulation Compliance Manual which gives a step-by-step overview to help you understand the compliance process. However, these resources are not intended as legal advice. You should always consult legal counsel and HIPAA compliance experts when implementing compliance policies and to ensure that your practice fully complies with all federal, state, and local laws. 

Privacy Rule

Patient rights: Under the Privacy Rule, patients have the rights to:

  • Request a copy of their medical records.
  • Request that erroneous information be corrected.
  • Know with whom health information is shared.
  • Know why PHI has been shared.
  • Determine how they are contacted.
  • Object to certain disclosures.

Covered entities subject to HIPAA: The vast majority of optometry practices and doctors of optometry are covered entities and subject to HIPAA. You are a covered entity if you are a provider who electronically transmits (e.g., fax or email) health information related to financial or administrative activities, such as:

  • Claims and encounter information.
  • Payment and remittance advice.
  • Claims status.
  • Eligibility.
  • Enrollment and disenrollment.
  • Referrals and authorizations.
  • Coordination of benefits.
  • "Other transactions" established by HHS.

*Examples of entities that are not considered to be covered entities are: Life insurers, employers, workers compensation carriers, most schools and school districts, many state agencies, most law enforcement agencies, and many municipal offices.


**In addition, business associates of covered entities must follow parts of the HIPAA regulations.


Protected health information (PHI): PHI is individually identifiable health information, that is, health information that identifies the individual or can reasonably be used to identify the individual. PHI must be protected in any form or media (electronic, paper or oral). Identifiers that, when attached to health information, make that information PHI include:

  • Name.
  • Address.
  • Birth date.
  • Social Security Number.
  • Facial Image.

Disclosures: Generally, a patient's PHI must be protected and cannot be released to other parties without the patient's authorization. However, practices can disclose PHI if the patient authorizes the disclosure or if disclosure is permitted or required by the privacy rule. Disclosures are required by the privacy rule when the patient (or personal representative) requests access to their own PHI, and when HHS requests it for a compliance investigation or review. Practices are permitted to disclose PHI without written patient authorization when the PHI is disclosed:

  • To the patient: A covered entity may disclose PHI to the individual who is the subject of the information.
  • For treatment, payment, and health care operations: A covered entity may use and disclose PHI for its own treatment, payment, and health care operations activities. A covered entity also may disclose PHI for the treatment activities of any health care provider; for the payment activities of another covered entity or of any health care provider; and for the health care operations of another covered entity involving either quality or competency assurance activities or fraud and abuse detection and compliance activities, if both covered entities have or had a relationship with the individual and the PHI pertains to that relationship.
  • When the patient has the opportunity to agree or object: Informal permission may be obtained by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce or object. Where the individual is incapacitated, an emergency patient, or is not available, covered entities generally may make such uses and disclosures, if in the exercise of their professional judgment, the use or disclosure is determined to be in the best interests of the individual.
  • When the disclosure is incidental to an otherwise permitted use and disclosure: The privacy rule does not require that every risk of an incidental use or disclosure of PHI be eliminated. A use or disclosure of this information that occurs because of, or as "incident to," an otherwise permitted use or disclosure is permitted as long as the covered entity has adopted reasonable safeguards as required by the privacy rule, and the information being shared was limited to the "minimum necessary," as required by the privacy rule. See additional guidance on Incidental Uses and Disclosures.
  • For public interest and benefit activities: The privacy rule permits use and disclosure of PHI, without an individual's authorization or permission, for 12 national priority purposes. These disclosures are permitted, although not required, by the rule in recognition of the important uses made of health information outside of the health care context. Specific conditions or limitations apply to each public interest purpose, striking the balance between the individual privacy interest and the public interest need for this information.
  • For research public health purposes (limited): "Research" is any systematic investigation designed to develop or contribute to generalizable knowledge. The privacy rule permits a covered entity to use and disclose PHI for research purposes, without an individual's authorization, provided the covered entity obtains either: (1) documentation that an alteration or waiver of individuals' authorization for the use or disclosure of PHI about them for research purposes has been approved by an Institutional Review Board or Privacy Board; (2) representations from the researcher that the use or disclosure of the PHI is solely to prepare a research protocol or for similar purpose preparatory to research, that the researcher will not remove any PHI from the covered entity, and that PHI for which access is sought is necessary for the research; or (3) representations from the researcher that the use or disclosure sought is solely for research on the PHI of decedents, that the PHI sought is necessary for the research, and, at the request of the covered entity, documentation of the death of the individuals about whom information is sought. A covered entity also may use or disclose, without an individuals' authorization, a limited data set of PHI for research purposes (see discussion below). See additional guidance on research and NIH's publication of "Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule."
  • Serious threat to health or safety: Covered entities may disclose PHI that they believe is necessary to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat (including the target of the threat). Covered entities may also disclose to law enforcement if the information is needed to identify or apprehend an escapee or violent criminal.
  • Essential government functions: An authorization is not required to use or disclose PHI for certain essential government functions. Such functions include assuring proper execution of a military mission; conducting intelligence and national security activities that are authorized by law; providing protective services to the U.S. President; making medical suitability determinations for U.S. State Department employees; protecting the health and safety of inmates or employees in a correctional institution; and, determining eligibility for or conducting enrollment in certain government benefit programs.
  • Workers' compensation: Covered entities may disclose PHI as authorized by, and to comply with, workers' compensation laws and other similar programs providing benefits for work-related injuries or illnesses. See additional guidance on Workers' Compensation.

Security Rule


The HIPAA Security Rule requires administrative, technical and physical safeguards to ensure the confidentiality, integrity and availability of electronic PHI (ePHI). ePHI is individually identifiable health information created, received, maintained or transmitted in electronic form; PHI that exists only on paper or is spoken is covered by the Privacy Rule but not the Security Rule. The general requirements of the security rule include:

  • Ensuring the confidentiality, integrity, and availability of all ePHI.
  • Identifying and protecting against reasonably-anticipated threats to the security or integrity of the information.
  • Protecting against reasonably anticipated, impermissible uses or disclosures.
  • Ensuring compliance by your workforce.

Security risk analysis: To help ensure that ePHI is secure, HIPAA requires that covered entities perform a security risk analysis and management process, including, but not limited to:

  • Evaluating the likelihood and impact of potential risks to ePHI.
  • Implementing appropriate security measures to address the risks identified in the risk analysis.
  • Documenting the chosen security measures.
  • Maintaining continuous, reasonable, and appropriate security protections.

The HHS has provided a security risk assessment tool and resources and guidance for assessing and implementing appropriate safeguards. Administrative safeguards include, but are not limited to:

  • Security management process: A covered entity must identify and analyze potential risks to ePHI (e.g., security risk analysis), and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
  • Security personnel: A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.
  • Information access management: Consistent with the privacy rule standard limiting uses and disclosures of PHI to the "minimum necessary," the security rule requires a covered entity to implement policies and procedures for authorizing access to ePHI only when such access is appropriate based on the user or recipient's role (role-based access).
  • Workforce training and management: A covered entity must provide for appropriate authorization and supervision of workforce members who work with ePHI. A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.
  • Evaluation: A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the security rule.

Physical safeguards include:

  • Facility access and control: A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
  • Workstation and device security: A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal and re-use of electronic media, to ensure appropriate protection of ePHI.

Technical safeguards include:

  • Access control: A covered entity must implement technical policies and procedures that allow only authorized persons to access ePHI.
  • Audit controls: A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use ePHI.
  • Integrity controls: A covered entity must implement policies and procedures to ensure that ePHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that ePHI has not been improperly altered or destroyed.
  • Transmission security: A covered entity must implement technical security measures that guard against unauthorized access to ePHI that is being transmitted over an electronic network.
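The integrity and audit control bullets above state what must be in place but not what it looks like in practice. The following is an added example written for this page (it is not HHS code and not code from any EHR or practice-management product) that demonstrates both controls on constructed sample data: an HMAC-SHA256 tag sealed onto each ePHI record so that an out-of-band edit to a stored chart is detected, and a hash-chained access log so that deleting or editing an earlier audit entry is also detected. The record fields, the key, the user names and the patient identifier are all constructed for the demonstration.

```python
"""
Added illustration of two Security Rule technical safeguards:
  - integrity controls: detect improper alteration of ePHI at rest
  - audit controls: record who touched which record, in a log that
    itself resists tampering
Example code for this page only; record layout, key, users and patient
data are constructed for the demo and are not real.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed demo key. In production this comes from a secrets store or
# HSM and is never stored next to the data it protects.
INTEGRITY_KEY = b"demo-only-key-replace-in-production"


def canonical(obj: dict) -> bytes:
    """Deterministic encoding so the same content always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record: dict) -> dict:
    """Attach an HMAC-SHA256 tag computed over every field except 'tag'."""
    body = {k: v for k, v in record.items() if k != "tag"}
    tag = hmac.new(INTEGRITY_KEY, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


def verify_record(record: dict) -> bool:
    """True only if all fields still match the tag (constant-time compare)."""
    body = {k: v for k, v in record.items() if k != "tag"}
    expected = hmac.new(INTEGRITY_KEY, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record.get("tag", ""))


class AuditLog:
    """Append-only, hash-chained access log.

    Each entry stores the SHA-256 of the previous entry, so removing or
    editing any earlier line breaks the chain from that point on.
    """

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, user: str, action: str, patient_id: str,
               when: Optional[datetime] = None) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        when = when or datetime.now(timezone.utc)
        entry = {
            "ts": when.isoformat(),
            "user": user,
            "action": action,  # e.g. "read", "update", "export"
            "patient_id": patient_id,
            "prev": prev,
        }
        entry["hash"] = hashlib.sha256(canonical(entry)).hexdigest()
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recompute every hash and check each entry points at its predecessor."""
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            if hashlib.sha256(canonical(body)).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def accesses_for(self, patient_id: str) -> list:
        """What a practice pulls to answer 'who looked at this chart?'."""
        return [e for e in self.entries if e["patient_id"] == patient_id]


def demo() -> dict:
    """Seal a record, tamper with it, and show both controls catching it."""
    log = AuditLog()
    # Constructed sample ePHI record; not real patient data.
    chart = seal_record({"patient_id": "P-1001", "dob": "1980-04-12",
                         "rx": "OD -2.00 OS -2.25"})
    log.record("dr.smith", "read", "P-1001")
    intact = verify_record(chart)

    # An edit made directly in the database, bypassing the application.
    tampered = {**chart, "rx": "OD -6.00 OS -6.25"}
    tamper_detected = not verify_record(tampered)

    # An attempt to hide a read by deleting its audit line.
    log.record("temp.staff", "read", "P-1001")
    log.record("dr.smith", "update", "P-1001")
    chain_ok_before = log.verify_chain()
    del log.entries[1]
    chain_ok_after = log.verify_chain()

    return {
        "intact": intact,
        "tamper_detected": tamper_detected,
        "chain_ok_before": chain_ok_before,
        "chain_ok_after": chain_ok_after,
        "accesses": len(log.accesses_for("P-1001")),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. The integrity tag is keyed (an HMAC, not a bare hash) because an attacker who can edit the record can just as easily recompute an unkeyed hash; the key therefore has to live somewhere the database user cannot read. The audit chain only detects tampering, it does not prevent it, so the log still needs to be written to storage that application and database accounts cannot overwrite, and retained for as long as your documented policy requires (the Security Rule's six-year retention requirement applies to policies and records of required actions, so decide log retention deliberately rather than by default).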

Breach Notifications


HIPAA's Breach Notification Rule requires covered entities to notify patients when their unsecured protected health information (PHI) is impermissibly used or disclosed ("breached") in a way that compromises the privacy and security of the PHI. An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity demonstrates that there is a "low probability" that the PHI has been compromised. Doctors of optometry must take an active role in evaluating the severity of any improper use or disclosure of PHI by assessing whether it meets HIPAA's "low probability of compromise" threshold, and should document that assessment.

Notification of breach: If a breach occurs, covered entities may always begin the breach notification process without conducting a formal risk assessment. To report a breach to HHS, doctors of optometry must go to the HHS’s Breach Notification Portal.

Timing: Once a covered entity knows, or by exercising reasonable diligence should have known, that a breach of PHI has occurred (the "date of discovery"), the entity must notify the relevant parties (individuals, HHS and/or the media) without unreasonable delay, and in no case later than 60 calendar days after the date of discovery. The 60 days is an outer limit, not a target; the clock runs from discovery even if at that time the entity was unsure whether PHI had actually been compromised.


These notices must include:

  • A brief description of the breach and type of information involved in the breach.
  • The steps affected individuals should take to protect themselves from potential harm.
  • A brief description of what the covered entity is doing to investigate the breach, mitigate the harm and prevent further breaches.
  • Contact information for your practice (or business associate, as applicable).

If you have insufficient or out-of-date contact information for 10 or more individuals, you must provide substitute individual notice by either posting the notice on your practice's home page for at least 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside. These notices must include a toll-free phone number that remains active for at least 90 days where individuals can learn if their information was involved in the breach. If you have insufficient or out-of-date contact information for fewer than 10 individuals, then you can provide substitute notice by an alternative written form, by telephone, or other means.


Media: For breaches that affect more than 500 residents of a state or jurisdiction, you must notify prominent media outlets serving the state or jurisdiction. This media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include:

  • A brief description of the breach and type of information involved in the breach.
  • The steps affected individuals should take to protect themselves from potential harm.
  • A brief description of what the covered entity is doing to investigate the breach, mitigate the harm and prevent further breaches.
  • Contact information for your practice (or business associate, as applicable).

Notification by a business associate: While you are ultimately responsible for ensuring that your impacted patients are notified of breaches by your business associates, you can delegate this responsibility to the business associate. When delegating this responsibility, you should consider who is in the best position to provide notice to the individual. This may depend on various circumstances, such as the functions the business associate performs and who has the relationship with the individual.

When a breach occurs at a business associate, the business associate must notify you without unreasonable delay and no later than 60 days from its discovery of the breach. To the extent possible, the business associate should provide the identity of each individual affected by the breach, as well as any other available information needed for proper notification of the affected individuals.

Notice of Privacy Practices


A Notice of Privacy Practices (NPP) informs patients how your practice may use and disclose their PHI, your legal duties to protect it, their rights over their PHI and how to exercise those rights, how to file a complaint with your practice and with HHS, and a point of contact for more information. Practices must provide NPPs to patients and make a good-faith effort to obtain a written acknowledgment of receipt. Please see the ONC's Model Privacy Notice and their additional context and guidance on privacy notices.

When must you provide NPPs?

  • At the beginning of the treatment relationship: The NPPs must be provided by the date that a service is first provided. In an emergency situation, notice should be provided as soon as possible after the emergency treatment. After providing notice, you should make a good faith effort to obtain a written acknowledgment of receipt of the notice. If the receipt of acknowledgment cannot be obtained, you should document your efforts to obtain written acknowledgment and the reasons why you couldn't obtain it.
  • At the office: Your practice's treatment facilities should display the NPPs in a clear and prominent location where patients are able to read the notice. If requested, the NPPs should be made available for patients to take with them. Whenever the NPPs are revised, the new NPPs should be displayed and made available upon request by the effective date of the revisions.
  • On practice's website: If your practice maintains a web site that provides information about its services or benefits, then its NPPs must be prominently posted and made available through that web site. Practices without a webpage do not need to post their NPPs online.
  • Upon patient's request.

Providing NPPs through email: The notice requirements described above can be satisfied through email if your patient agrees to electronic notice. When the first service is electronically delivered to the patient, you must provide electronic notice automatically and contemporaneously in response to the patient's first request for service. If you know that the email delivery has failed, a paper copy of the notice must be provided to the patient. At any point, a patient who has agreed to an electronic notice has the right to demand a paper copy of the notice or withdraw his/her electronic agreement.


Changing and updating your NPP: You are not required to resend NPPs when changing your privacy policies (e.g., if your privacy officer contact information changes). However, before the changes in new privacy policies take effect, your updated NPPs must be:

  • Posted prominently in your office.
  • Available upon request by the patient.
  • Posted on your webpage (if you have a webpage).

Written acknowledgment of receipt: After initially providing your NPPs to the patient, you should make reasonable attempts to obtain a receipt from the patient that acknowledges they received the NPPs. The NPPs should include a short form for patients to sign as a written acknowledgment that they received your NPPs. If the receipt of acknowledgment cannot be obtained, document your efforts to obtain the acknowledgment and the reasons why it couldn't be obtained.

Business Associates agreement


HIPAA requires that you obtain satisfactory assurances that your business associates will appropriately safeguard the PHI they receive or create on your behalf.

Business associate: A "business associate" is a person or organization:

  • Who is not an employee or part of your workforce; and,
  • Performs certain functions or services for your practice that involve the use or disclosure of PHI. These functions include, but are not limited to:
    • Claims processing.
    • Data analysis.
    • Utilization review.
    • Billing.

Examples of business associates include:

  • A third-party administrator that assists a health plan with claims processing.
  • A CPA firm whose accounting services to a health care provider involve access to PHI.
  • An attorney whose legal services to a health plan involve access to PHI.
  • A consultant that performs utilization reviews for a hospital.
  • A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
  • An independent medical transcriptionist that provides transcription services to a physician.

Business Associates do not include:

  • Your employees/workforce.
  • Any organization/person that does not use your patients' PHI.
  • The Postal Service and certain private couriers (they act only as conduits for PHI).
  • Other providers involved in treating your patients.
  • Substitute doctors, or patients' doctors from other practices.
  • Contracted insurance companies.
  • Optical laboratories (glasses or contact lenses).
  • Third parties in discussions regarding the sale of a practice.
  • Janitorial services that do not have access to PHI.

Business Associates agreement: For each of your business associates, you are required to obtain an agreement that requires them to appropriately safeguard your patients' PHI that they receive or create on your behalf. All business associates agreements must contain the following assurances:

  • Permissions to use and disclose PHI: Establish the permitted and required uses and disclosures of PHI by the business associate.
  • Limits to the use and disclosure of PHI: Provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law.
  • Safeguards to protect PHI: Require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI.
  • Reports of breaches and violations: Require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured PHI.
  • Require disclosure of PHI when needed: Require the business associate to disclose PHI as specified in its contract to satisfy a covered entity's obligation with respect to individuals' requests for copies of their PHI, as well as make available PHI for amendments (and incorporate any amendments, if required) and accountings.
  • Comply with the privacy rule: To the extent the business associate carries out a covered entity's obligation under the privacy rule, require the business associate to comply with the requirements applicable to that obligation.
  • Provide records during audits: Require the business associate to make available to HHS its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by, the business associate on behalf of the covered entity, for purposes of HHS determining the covered entity's compliance with the HIPAA Privacy Rule.
  • Return or destroy PHI after contract termination: At termination of the contract, if feasible, require the business associate to return or destroy all PHI received from, or created or received by, the business associate on behalf of the covered entity. If return or destruction is not feasible, the protections must extend to the retained PHI and its further use or disclosure must be limited to the purposes that make return or destruction infeasible.
  • Agreement applies to the business associate's subcontractors: Require the business associate to ensure that any subcontractors it engages that will have access to PHI agree to the same restrictions and conditions that apply to the business associate with respect to such information.
  • Contract may be terminated if violated: Authorize termination of the contract by the covered entity if the business associate violates a material term of the contract. Contracts between business associates and their subcontractors are subject to these same requirements.

HIPAA and electronic communications


HIPAA allows health care providers to communicate electronically, such as through email or fax, provided that reasonable safeguards are used. What is reasonable depends on the mode of communication. Ultimately, the patient can object to electronic communications and request an alternative form of communication, provided the patient's request is reasonable. You must also apply security safeguards when using mobile devices to store or communicate electronic PHI (ePHI).

Email: HIPAA does not flatly prohibit sending PHI by unencrypted email, but reasonable safeguards must always be applied. Note that under the Security Rule, encryption of ePHI in transit is an "addressable" implementation specification: that does not make it optional, it means you must either implement it or document why it is not reasonable and appropriate for your practice and what equivalent alternative you use instead. Examples of reasonable safeguards include, but are not limited to:

  • Limiting the amount or type of information disclosed through the unencrypted e-mail.
  • Checking the email address for accuracy before sending.
  • Sending an email alert to the patient for address confirmation prior to sending the message.

Mobile devices: Mobile devices can also be used for the purposes of treatment and patient communication, providing that proper safeguards are used to secure PHI. The HHS has suggested the following as examples of typical safeguards for mobile devices:

  • Use a password or other user authentication.
  • Install and enable encryption.
  • Install and activate remote wiping and/or remote disabling.
  • Disable and do not install or use file sharing applications.
  • Install and enable a firewall.
  • Install and enable security software.
  • Keep your security software up to date.
  • Research mobile applications (apps) before downloading.
  • Maintain physical control.
  • Use adequate security to send or receive health information over public Wi-Fi networks.
  • Delete all stored health information before discarding or reusing the mobile device.

The type of safeguards that your practice needs will depend on your devices, modes of communication, vendors, and many other factors. HHS has published guidance on securing electronic communications and mobile devices.

The AOA recommends that its members consult legal and privacy compliance experts to ensure that their electronic communications and mobile devices comply with all federal, state and local laws.

Practice Visitors and Observers

Doctors are responsible for ensuring that practice visitors and observers, such as students or medical device vendor representatives, understand the practice's obligations regarding patient privacy. For any visitor who is neither a practice employee nor a business associate, it is essential for HIPAA compliance that patients are given the choice of whether to allow the visitor to observe their care. Doctors also have an ethical obligation to respect the patient's discretion regarding the presence of any non-essential personnel during the delivery of care. This information and the accompanying acknowledgment form [Form in PDF] may be used to help your practice employees ensure compliance with your legal obligations.
