MyHIPAA Guide Documentation & Consulting

Ask about our breach response & audit preparation services


Are you protecting privacy to the best of your ability?  MyHIPAA Guide can help you be sure. 

MyHIPAA Guide helps HIPAA-covered organizations understand what they need to do on a daily basis. Subscribers gain access to a comprehensive, human-centered HIPAA program. Our templates, forms and other materials are the most user-friendly you can find on the market. Plus, we can work with you personally to help you turn privacy protections into good business and elevated integrity within your organization. At the end of the day, it's all about upholding the trust of those who entrust their care to you. Our success is when people feel great about protecting privacy, because it's the right thing to do.


Sincerely,

Diane Evans
Publisher

About Diane Evans

Our mission is to deliver meaningful information and user-friendly tools to help you achieve and maintain HIPAA compliance and uphold confidentiality for those you serve.


  • Subscription with Consult



    Unlimited phone & email consultation on HIPAA processes

    Everything you need to complete Privacy & Security Policies

    Risk Assessment instruction and templates

    An annual compliance work plan

    We hold your hand through everything!

FAQ

Here are answers to questions we have received from readers.  When we're not sure, we ask the experts at the U.S. Office for Civil Rights (OCR).  Answers coming from OCR officials are indicated as such.

What are CMS standards/requirements for compliant electronic signatures?  Answer below is from U.S. Office for Civil Rights:

HIPAA doesn’t mandate a standard for e-signatures and CMS has not defined a HIPAA standard for e-signatures. However, the CMS Program Integrity office has policy requirements regarding signatures for provider enrollment and for medical review of Medicare fee-for-service claims.  It can be found at PIM Chapter 3 section 3.3.2.4 at https://www.cms.gov/Regulations-and-Guidance/Guidance/Manuals/Downloads/pim83c03.pdf.  In addition, The CMS electronic signature requirements are specific to the signing of the 855 enrollment form. CMS offers a “how to guide” which explains who is allowed to e-sign an enrollment application, available here: https://www.cms.gov/Medicare/.../E-SignatureHowToGuide.pdf

The National Institute of Standards & Technology (NIST) is also a resource for entities looking for industry best practices, especially with respect to IT security and privacy standards. NIST develops the standards that apply to federal agencies, and NIST standards are considered the "gold standard"; they are typically used as a yardstick for private industry as well as the federal agencies they are designed for. So, when CMS implements applications that use e-signature capabilities, as a federal agency we must follow NIST guidance.

In 2013, NIST published The Federal Information Processing Standards Publication 186-4 (FIPS 186-4), Digital Signature Standard, which identifies the three techniques for generating digital signatures approved by NIST:

1. The Digital Signature Algorithm (DSA)

2. The RSA digital signature algorithm

3. The Elliptic Curve Digital Signature Algorithm (ECDSA)

These algorithms allow an entity to authenticate (1) the integrity of signed data and (2) the identity of the signatory; the person signing "owns" a "pair of keys" (one public and one private) that authenticates their signature. A digital signature algorithm includes a signature generation process and a signature verification process. The signature is generated by the signer using a public key; and the authenticity of the signature is verified using the private key (that must be kept confidential).

Finally, Adobe electronic signature is part of the Federal Electronic Signature in Global and National Commerce Act that was passed in 2000, https://www.gpo.gov/fdsys/pkg/PLAW-106publ229/pdf/PLAW-106publ229.pdf.  It is widely accepted nationally, and is mirrored by a similar international law.  There are 47 states that have adopted laws for e-signatures, so you may wish to investigate where a provider is located to see whether there is a state law that applies.
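As an added example, not part of the OCR answer above or of MyHIPAA Guide's materials, the Go program below walks through the two processes FIPS 186-4 describes, signature generation and signature verification, using ECDSA over the P-256 curve. The signer generates the signature with the private key, which never leaves the signer; anyone holding the matching public key can verify it. The "enrollment form" text and the second ("impostor") key pair are constructed for the demonstration. It shows both properties the answer mentions: verification fails when the signed data changes (integrity) and when the signature came from a different key pair (identity of the signatory).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signatory holds one FIPS 186-4 style key pair. Only the private half is
// stored here; the public half is handed to relying parties.
type Signatory struct {
	priv *ecdsa.PrivateKey
}

// NewSignatory generates a fresh P-256 key pair (one of the NIST-approved
// ECDSA curves).
func NewSignatory() (*Signatory, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signatory{priv: priv}, nil
}

// PublicKey is the only key material a signer publishes.
func (s *Signatory) PublicKey() *ecdsa.PublicKey {
	return &s.priv.PublicKey
}

// Sign is the signature generation process: hash the document with SHA-256
// and sign the digest with the PRIVATE key. Output is an ASN.1 DER signature.
func (s *Signatory) Sign(doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
}

// Verify is the signature verification process: recompute the digest and
// check the signature with the signer's PUBLIC key. No secret is needed.
func Verify(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo runs the full exchange on a constructed document and reports three
// outcomes: the genuine signature verifies, a tampered document is rejected,
// and a signature from a different (impostor) key pair is rejected.
func Demo() (genuineOK, tamperRejected, impostorRejected bool, err error) {
	// Constructed sample document; stands in for an enrollment form.
	form := []byte("CMS-855 enrollment application for Example Clinic, NPI 0000000000")

	provider, err := NewSignatory()
	if err != nil {
		return false, false, false, err
	}
	sig, err := provider.Sign(form)
	if err != nil {
		return false, false, false, err
	}

	// 1. Relying party verifies with the provider's public key only.
	genuineOK = Verify(provider.PublicKey(), form, sig)

	// 2. Integrity: a one-character change to the signed data must fail.
	altered := append([]byte{}, form...)
	altered[len(altered)-1] = '1'
	tamperRejected = !Verify(provider.PublicKey(), altered, sig)

	// 3. Identity: a signature made with someone else's private key must not
	//    verify under the provider's public key.
	impostor, err := NewSignatory()
	if err != nil {
		return false, false, false, err
	}
	forged, err := impostor.Sign(form)
	if err != nil {
		return false, false, false, err
	}
	impostorRejected = !Verify(provider.PublicKey(), form, forged)

	return genuineOK, tamperRejected, impostorRejected, nil
}

func main() {
	ok, tamper, impostor, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine signature verifies: %v\n", ok)
	fmt.Printf("tampered document rejected: %v\n", tamper)
	fmt.Printf("impostor signature rejected: %v\n", impostor)
}
```

The same split applies to RSA and DSA signatures: whichever of the three FIPS 186-4 algorithms is used, the confidential private key produces the signature and the freely distributed public key checks it, so a verifier never needs access to the signer's secret.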

How do organizations serving the ID population meet the HIPAA requirement for meaningful consent for the release of patient information? Answer below is from U.S. Office for Civil Rights:

According to the Developmental Disabilities Assistance and Bill of Rights Act of 1999, the United States Congress has found that “Disability is a natural part of the human experience that does not diminish the right of individuals with developmental disabilities to enjoy the opportunity to live independently, enjoy self-determination, make choices, contribute to society, and experience full integration and inclusion in the economic, political, social, cultural, and educational mainstream of American society.” 

With limited exceptions, the HIPAA Privacy Rule requires an individual’s written authorization before his or her protected health information can be used or disclosed.  A covered entity must obtain the individual's authorization, unless the disclosure is otherwise permitted by another provision of the Privacy Rule or in circumstances where the individual has a legal personal representative, which is a matter of state law (in such circumstances, authorization required by the Rule will be sought from the legal personal representative).

The Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. Covered entities that do so have complete discretion to design a process that best suits their needs.  By contrast, an “authorization” is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization. An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual.

An authorization must specify a number of elements, including a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed. With limited exceptions, covered entities may not condition treatment or coverage on the individual providing an authorization.

When patients are asked to make consent decisions, the Department encourages providers, HIEs, and other health IT implementers to help patients make the consent decision meaningful.  HHS has issued in-depth guidance on this topic: https://www.healthit.gov/sites/default/files/choicemodelfinal032610.pdf.  Additional resources on educating patients about their consent options, who may release their information and how, and the significance of the consent choice may be found at:  https://www.healthit.gov/providers-professionals/patient-education-and-engagement.  Finally, you may find the Office of the National Coordinator for Health Information Technology’s Consent Toolkit at https://www.healthit.gov/providers-professionals/econsent-toolkit which includes practical implementation tips for Meaningful Consent and the eConsent Trial Project, an open-source, web-based application, called Story Engine, to develop and present its interactive, electronic patient education material.

How much can doctors charge for providing copies of health records to patients?

Here is a link to federal government information on how doctors may calculate fees for copies of patient records:
http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html#maximumflatfee

What are the guidelines for emailing with patients?

In a federal-government published paper titled Electronic Communications Fact Sheet (available on MyHIPAA Guide; search by report title), Page 2 addresses email communications and includes links with additional information.
Also: In its Guide to Privacy and Security of Electronic Health Information, the U.S. Department of Health and Human Services says you must accommodate reasonable requests by patients to receive communications from you by the means or at the locations they specify. For those who prefer email communications, you may send unencrypted emails. (The report is available to subscribers on MyHIPAA Guide; search by report title, and see Page 24.)

Page 5634 of the 2013 Omnibus Final Rule, as published in the Federal Register (Vol. 78), states that: "Covered entities are permitted to send an individual unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email."

The important thing is the patients/guardians are advised of risks, and that they consent based on personal preference.

Also, be aware of this provision on the same page (5634) of the Omnibus Final Rule:

“Covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.”

This is language you might want to just lift and include in a consent form. 

The third document I've attached --titled Patient Rights to Protected Health Information -- addresses the rules noted above.  This document is only 2 pages, and can also give you some language for a consent form.

On Page 74 of the Security Policy Template on our website, be aware of this:

"Depending on content, e-mail messages between clinicians and between patients and clinicians and documents transmitted by e-mail may be considered records and are subject to this policy. If an e-mail message would be considered a record based on its content, the retention period for that email message would be the same for similar content in any other format. The originator/sender of the e-mail message (or the recipient of a message if the sender is outside Organization) is the person responsible for retaining the message if that message is considered a record. Users must save e-mail messages in a manner consistent with departmental procedures for retaining other information of similar content. Users should be aware of Messaging Policies that establish disposal schedules for e-mail and manage their e-mail accordingly."

Note: MyHIPAA Guide subscribers may request sample forms for email consent.


"Seriously the best money I ever spent! MyHIPAA Guide made this cumbersome process painless and easy to complete."

–Gina Kerman, Executive Director
Rose-Mary Center, Cleveland, OH

10 Step HIPAA Plan

  • Step 1: Make Sure You Must Comply with HIPAA

    What's Inside:
    Lists of who is generally covered and who is not, plus a contact for inquiries.
  • Step 2: Designate Team Leaders

    What's Inside:
    • 7-page HIPAA basics
    • 62-page guide to security and privacy of ePHI
    • Compliance Charter Template
  • Step 3: Develop Security Policies & Procedures

    What's Inside:
    Templates for Security Policies and Procedures
  • Step 4: Conduct a Security Risk Analysis

    What's Inside:
    INTRODUCTORY:
    • Guides
    • Short videos
    • Interactive quizzes on risk assessment and contingency preparation
    • 10 common myths

    ADVANCED:
    Interactive tutorial – 156 questions with fillable PDFs for Windows or iPad. All material from federal sources.
  • Step 5: Develop an Action Plan

    What's Inside:
    INTRODUCTORY:
    • 11-page overview on ePHI for small practices
    • 4-page Q&A addressing email with patients
    • Checklists

    ADVANCED:
    Toolkit on 45 implementation specifications
  • Step 6: Reduce Risks of a Breach

    What's Inside:
    • Overview of expectations
    • Annual Work Plan Template
  • Step 7: Train the Team

    What's Inside:
    • Form for reporting breach notification
    • Links to details on the notification process and what constitutes a breach
    • Suite of Training Materials
  • Step 8: Customize Privacy Notices

    What's Inside:
    FOR ALL:
    • Privacy notice templates to help achieve meaningful consent, in English & Spanish

    INTRODUCTORY:
    • Professionals' guide covering 2013 updates on communications

    ADVANCED:
    • Electronic toolkit with patient education and meaningful consent sample materials
  • Step 9: Execute Business Associate Agreements

    What's Inside:
    • Sample Business Associate Agreement (BAA) provisions
    • Suite of BA Management Tools
  • Step 10: Verify Compliance with HIPAA

    What's Inside:
    INTRODUCTORY:
    • Tip sheets
    • Short videos
    • Overviews

    ADVANCED:
    • 94-page guide on the EHR incentive program
    • Beginners' toolkit on reporting to the government

    All from federal sources.

Peek inside the guide

This presentation will quickly show you the most important tools available to subscribers.
