Distinction between HIPAA, HHS & FDA Protection of Human Subjects Regulations

Apart from the HIPAA Privacy Rule, other human subject regulations apply to most federally funded and to some privately funded research, to help ensure the privacy of subjects and the confidentiality of information. Much of the biomedical and behavioral research conducted in the United States is governed by the rule entitled “Federal Policy for the Protection of Human Subjects” (also known as the “Common Rule,” which is codified for HHS at subpart A of Title 45 CFR Part 46) and/or by the Food and Drug Administration’s (FDA) Protection of Human Subjects Regulations at Title 21 CFR Parts 50 and 56. FDA, a component of HHS, has additional human subject protection regulations that apply to research involving products regulated by FDA.

The Privacy Rule does not replace or act in lieu of these human subject protection regulations, which means that researchers who are (or who work for) covered entities may find themselves responsible for complying with multiple sets of regulations. There are some basic points of distinction among the Privacy Rule, the HHS Protection of Human Subjects Regulations, and the FDA Protection of Human Subjects Regulations.

In terms of overall objectives, the HHS Protection of Human Subjects Regulations are intended to protect the rights and welfare of human subjects involved in research conducted or supported by HHS. The FDA Protection of Human Subjects Regulations are intended to protect the rights, safety, and welfare of participants involved in studies subject to FDA jurisdiction under 21 U.S.C. 355(i) and 21 U.S.C. 360j(g). The HIPAA Privacy Rule, by contrast, establishes a Federal floor of privacy protections for most individually identifiable health information by setting conditions for its use and disclosure by certain health care providers, health plans, and health care clearinghouses.

In terms of applicability, the HHS Protection of Human Subjects Regulations apply to human subjects research conducted or supported by HHS. The FDA Protection of Human Subjects Regulations apply to research involving products regulated by FDA; Federal support is not necessary for the FDA regulations to apply. When research subject to FDA jurisdiction is federally funded, both the HHS and the FDA Protection of Human Subjects Regulations apply. The HIPAA Privacy Rule applies to HIPAA-defined covered entities, regardless of the source of funding.

HIPAA loopholes exposed by Wall Street Journal

A Wall Street Journal report found that “increasingly complex confidentiality issues” in federal medical privacy rules “are affecting patients and their insurance coverage.”

The report also notes that complaints of privacy violations “have been piling up.” HHS received 23,896 complaints related to the medical-privacy rules between April 2003 and Nov. 30, 2006. According to an HHS spokesperson, however, 75 per cent of these complaints were closed after no violation was found.

Since the Privacy Rule took effect in 2003, HHS has not brought an enforcement action against any entity for violating it. Consider the case of attorney Patricia Galvin. Her notes from psychotherapy sessions at Stanford Hospital & Clinics were obtained by her insurer, UnumProvident, which then denied her disability benefits.

As reported in the Journal, UnumProvident said the notes indicated that Galvin was not “too injured to work” after she was injured in a car accident and applied for long-term disability leave. Galvin has filed a lawsuit against Stanford and UnumProvident alleging, among other claims, violations of medical privacy law under the federal Health Insurance Portability and Accountability Act.

HIPAA gives psychotherapy notes added protection, but Stanford argued in court papers that “psychotherapy notes that are kept together with the patient’s other medical records are not defined as ‘psychotherapy notes’ under HIPAA.” The point matters in practice: the Privacy Rule’s definition of psychotherapy notes covers only notes a mental health professional keeps separated from the rest of the medical record, so how and where such notes are stored determines whether the extra protection attaches at all. Peter Swire, a law professor at Ohio State University, said, “We’re three years into the enforcement of the rule, and they haven’t brought their first enforcement action.” He added, “It sends the signal that the health system can brush off this issue.”

Is the transition to HIPAA 5010 too demanding on hospitals?

The American Recovery and Reinvestment Act is demanding a great deal of hospitals at once: converting to an EHR, transitioning to HIPAA 5010, coordinating vendor and health plan testing, training staff on new technology, and so on.

Among these, the transition to HIPAA 5010 is perhaps the most demanding, because its compliance deadline is only about two years away, on January 1, 2012. Even though that is a year ahead of the October 1, 2013 deadline for the ICD-10 cutover, the two dates are close enough that both upgrades will have to be underway at the same time.

During its first national provider education call about HIPAA Version 5010, CMS provided an overview of the updated national code standard for billing software and answered several questions from providers, vendors, and other health information management and health information technology professionals.

CMS stated during the call that Medicare Administrative Contractors must be ready to use 5010 by January 1, 2011, giving providers one full year to coordinate testing efforts. The Medicare fee-for-service implementation of 5010 will include the following:

* Improved claims receipt, control, and balancing procedures
* Increased consistency of claims editing and error handling
* Improved efficiency for returning claims needing correction earlier in the process
* Improved assignment of claim numbers closer to the time of receipt.

What if your laptop containing PHI gets lost or stolen?

Just imagine this: a doctor’s laptop containing Protected Health Information (PHI) on about 1,000 patients is stolen or lost. What is to be done next?

The first point to make is that PHI should not be on a laptop at all unless there is a clear need. The correct practice is to keep patient information in the EMR on a server and access it remotely, so that nothing sensitive lives on the portable device. Where local storage is unavoidable, the disk must be encrypted (full-disk encryption such as BitLocker, FileVault or LUKS, with the key protected by a strong passphrase or a hardware token, not stored alongside the data). This matters legally as well as technically: under the HHS guidance issued with the breach notification rule, PHI encrypted in accordance with that guidance is treated as “unusable, unreadable, or indecipherable,” so the loss of a properly encrypted laptop is not a reportable breach, whereas the loss of an unencrypted one is.

If it does happen, technology can help, but only if it was set up in advance. Laptop tracking and remote-wipe agents (offered by many vendors and built into some operating systems) work like this: you report the device stolen to the vendor’s service, and the next time the laptop connects to the Internet the agent calls home, receives the command to wipe its storage, and reports the network location it connected from, which can help the police recover the machine.

Two caveats apply. First, the wipe only happens if the thief brings the device online with the agent still intact, so remote wipe is a complement to encryption, not a substitute for it. Second, the theft must still be handled as a potential breach: the covered entity’s incident response process, and, where the PHI was not encrypted, the breach notification process, should start immediately rather than after waiting to see whether the laptop turns up.
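The property that makes an encrypted laptop a non-event is that the disk holds only ciphertext and the key is elsewhere. The following Go program, added here as an illustration and not code from the original page or from any product it mentions, shows that property at the level of a single patient record using AES-256-GCM from the Go standard library: a thief who images the disk sees opaque bytes, a wrong key or a flipped byte is rejected outright, and only the holder of the off-device key gets the record back. The record contents are constructed and fictitious, and the assumption that the key is fetched from an OS key store, smart card or key service rather than the laptop disk is stated in the comments; in production you would rely on full-disk encryption rather than encrypting files one at a time.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// samplePHI is a constructed, fictitious patient record used only to demonstrate
// what is and is not readable on a lost disk.
const samplePHI = "MRN:000123|Name:Jane Doe|Dx:J45.909|Rx:albuterol 90mcg"

// newKey returns a random 256-bit AES key. Assumption: in a real deployment the
// key is held off the laptop (OS key store, smart card, or a server-side key
// service) and is never written to the same disk as the ciphertext.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM wraps an AES-256 key in an authenticated (AEAD) mode.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates plaintext with AES-256-GCM.
// Output layout: nonce || ciphertext || GCM tag (Seal appends the tag).
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The nonce is prepended so open can recover it. A fresh nonce per record is
	// mandatory for GCM; reusing one under the same key breaks confidentiality.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal. It returns an error for a wrong key or for any altered
// byte, because GCM verifies the tag before releasing any plaintext.
func open(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	blob, err := seal(key, []byte(samplePHI))
	if err != nil {
		panic(err)
	}
	// What a thief who images the disk sees: a nonce and opaque bytes.
	fmt.Printf("on disk  : %x...\n", blob[:16])

	// Wrong key (or no key): authentication fails and nothing is revealed.
	wrongKey, _ := newKey()
	if _, err := open(wrongKey, blob); err != nil {
		fmt.Println("wrong key:", err)
	}

	// A single flipped byte is detected instead of decrypting to garbage.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := open(key, tampered); err != nil {
		fmt.Println("tampered :", err)
	}

	// Only the key holder, with the key fetched from off-device, reads the record.
	pt, err := open(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("with key :", string(pt))
}
```

The same reasoning is why the remote-wipe agent is secondary: once the key is not on the device, wiping the ciphertext changes nothing the thief could read anyway, and the breach analysis turns entirely on how the key was protected.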

Adhering to HIPAA as a medical transcriptionist working from home

To build a good reputation as a medical transcriptionist, you need not only a quality work record but also a reputation for keeping confidential all the medical data that passes through your hands.

Medical transcriptionists working in a medical transcription company usually adhere to the Health Insurance Portability and Accountability Act (HIPAA) standards through the company’s policies, but if you are working from home, you must take certain steps yourself to keep medical records secure and confidential.

First, keep your office in a private place out of the reach of family and friends, so that all the medical data, both the voice recordings and the transcribed text, is beyond anyone else’s reach.

Protect your medical transcription work on the computer with strong passwords, lock the screen when you step away, and keep your anti-virus software updated. Keep the firewall on whenever you are connected to a network, and when sending files to your client, make sure they travel over an encrypted connection (for example SFTP or a TLS-protected upload), never over plain FTP or unencrypted e-mail attachments.

Encrypt e-mails that contain queries and information about the medical records. Lastly, back up your medical transcription work periodically to an external drive, and encrypt that drive too, since a lost backup exposes exactly the same data as a lost computer.

Parental access to child’s medical records as per HIPAA

The HIPAA Privacy Rule generally allows a parent, as the minor child’s personal representative, to have access to the medical records about his or her child when such access is not inconsistent with State or other law. The exceptions, in which the parent would not be the minor’s personal representative under the Privacy Rule, are:

  • When the minor is the one who consents to care and the consent of the parent is not required under State or other applicable law;
  • When the minor obtains care at the direction of a court or a person appointed by the court; and
  • When, and to the extent that, the parent agrees that the minor and the health care provider may have a confidential relationship.

However, even in these exceptional situations, if State or other applicable law requires or permits parental access, the parent may have access to the minor’s medical records related to this treatment. Conversely, if State or other law denies such access, parental access would be denied. If State or other applicable law is silent on a parent’s right of access in these cases, the licensed health care provider may exercise his or her professional judgment, to the extent allowed by law, to grant or deny parental access to the minor’s medical information.

Finally, as is the case with respect to all personal representatives under the Privacy Rule, a provider may choose not to treat a parent as a personal representative when the provider reasonably believes, in his or her professional judgment, that the child has been or may be subjected to domestic violence, abuse or neglect, or that treating the parent as the child’s personal representative could endanger the child.

Difference between consent & authorization under the HIPAA Privacy Rule

The Privacy Rule permits, but does not require, a covered entity to voluntarily obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. Covered entities that do so have complete discretion to design a consent process that best suits their needs.

An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual. An authorization must specify a number of elements, including a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed.

The Privacy Rule requires authorization for uses and disclosures of protected health information not otherwise allowed by the Rule. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization.

Filing a complaint with OCR – HIPAA

You can file a complaint with OCR if you believe that a covered entity has violated your health information privacy rights or committed another violation of the Privacy Rule. OCR can investigate complaints against covered entities related to the Privacy Rule. Under the Privacy Rule an entity cannot retaliate against you for filing a complaint; you should notify OCR immediately of any retaliatory action.

The rules which the complaint must follow are:

  • The complaint must be filed in writing, either on paper or electronically, by mail, fax, or email.
  • It should contain the name of the covered entity involved and describe the acts or omissions you believe violated the requirements of the Privacy Rule.
  • The complaint must be filed within 180 days of when you knew that the act or omission complained of occurred. OCR may extend the 180-day period if you can show “good cause.”

If you mail or fax the complaint, be sure to send it to the appropriate OCR regional office based on where the alleged violation took place. OCR has ten regional offices, and each regional office covers specific states. Send your complaint to the attention of the OCR Regional Manager. There is no need to sign the complaint and consent forms if sent by email because submission by email represents your signature.

Cloud storage and HIPAA compliance

Cloud computing reduces reliance on internal resources, cuts staffing requirements, and frees you from day-to-day administration and troubleshooting.

However, not everyone welcomes the idea that the burden of cloud backup now falls on someone else. Least of all the compliance officer, who must ensure that all data storage, backup, and archiving strategies are in line with the many different regulations and internal policies that govern how data is stored and for how long.

Ensuring compliance for data storage is hard enough when storage is internal, but when using a cloud system you are relying on the provider. If you are in healthcare, for example, your internal strategies revolve around HIPAA, whereas at the time of writing a cloud provider was, technically, not itself bound by the regulation. (That has since changed: under the HITECH Act and the 2013 Omnibus Rule, a cloud provider that stores PHI is a business associate, directly liable under the Security Rule, and must sign a business associate agreement before receiving the data; HHS guidance treats a provider as a business associate even if the data is encrypted and the provider never holds the key.) Because of these regulations, you will typically have to have a long-term data retention policy.

However, online backup services have often failed to meet long-term commitments. Several online backup services, including ones run by very large companies such as Hewlett-Packard, have been unable to honour long-term storage strategies.

Another factor to consider is who has access to the data and how that access is governed. Compliance with HIPAA and other regulations calls for strict access controls, which for a cloud provider means asking who at the provider can read your data, how that access is logged, and how you would learn of a breach.

To sum up, when opting for cloud storage one must always take into consideration compliance legislation such as HIPAA or Sarbanes-Oxley, and prefer in-house management if there is any doubt.

Adhering to HIPAA regulations is important

Privacy of personal information is a right of every individual, anywhere in the world. The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 and, among other things, protects patient information from unauthorized access; every medical-related business should abide by it.

HIPAA applies directly to “covered entities” (health plans, health care clearinghouses, and health care providers that transmit health information electronically) and, through business associate agreements, to the vendors that handle PHI on their behalf. Organisations that must comply include:

  • Hospitals and clinics
  • Insurance Companies dealing with health and medical policies
  • Private Practices – General practitioners and specialists, dentists, chiropractors, etc.
  • Psychiatrists and Psychologists
  • Medical Billing Centers and Collection Agencies

Whether two people or two hundred work in an office that deals with medical health records, the security of patient information is important. It is imperative that every employee makes sure sensitive data is not compromised or exposed to unauthorized people.

The medical information that is considered personal and private, and that healthcare centers must not disclose under Federal law, includes, but is not limited to:

  • Prescription Information
  • Medical History Records
  • Appointment Logs
  • Phone and Voice Mail Message Notes
  • Insurance Forms and Claims
  • Billing Information

Adhering to HIPAA also means disposing of patient information that is outdated or no longer necessary. Disposal must be done in a way that leaves the PHI unreadable, indecipherable and impossible to reconstruct: HHS guidance points to shredding, burning, pulping or pulverizing paper records, which means every sticky note and every printout, and to clearing, purging or physically destroying electronic media in line with NIST SP 800-88 before it leaves your control. Simply throwing papers away does not provide security, as anyone sifting through the garbage could recover credit card numbers and addresses. You can also hire a professional destruction service, in which case it should act under a business associate agreement and provide a certificate of destruction.