Access to patients’ medical records under HIPAA

According to federal law, patients have the right to obtain a copy of most of their medical records, including doctors’ notes, medical test results, lab reports and billing information. HIPAA also states that patients, as well as their parents and guardians, can seek these records. Caregivers may be able to access records if the patient has given the provider written permission.

Healthcare providers are required to keep most adult medical records for six years or more. However, the period varies by the state where the records are stored. In most states, children’s records must be kept for three to 10 years beyond age 18 or 21.

Providers are required to share any notes or records they have created themselves, or any test results for which they have copies. They are also required to share any information provided to them about you by another doctor if that information was used for the diagnosis and/or treatment being discussed with you.

Diagnostic lab test records, for such tests as blood tests, CT scans, x-rays, mammograms or others, should be requested from the doctor who ordered them, or your primary care physician. In most states, the lab will not provide them to you directly.

If you seek hospital records or records from any other medical facility, you’ll want to request them directly from that facility.

However, access to some records may be denied, usually related to mental health records. If a provider believes that letting you look at your medical records can endanger your physical health, your request may be refused. However, this denial cannot be just on the basis that it could upset you, unless they believe that upset will lead to an attempt to physically harm yourself. If you are refused, the provider must make that clear, in writing.

HIPAA and HITECH compliance while using Blackberry mobile services

When you use Blackberry mobile devices to send and receive email that may contain electronic Protected Health Information (ePHI), you must abide by the HIPAA and HITECH laws. On a Blackberry device you can read ePHI-containing email over POP or IMAP as long as your email provider supports secure, SSL-enabled POP and IMAP connections and can ensure that the Blackberry will not be permitted to make insecure connections to its POP or IMAP services. However, sending email is not recommended, because all email sent from a Blackberry device goes to the Blackberry server and then out over the Internet from there. The Blackberry servers that relay the messages may send them insecurely over the Internet; there is no way to ensure transport encryption for email sent from a Blackberry device.

When you set up a Blackberry to read email from a POP or IMAP account, the Blackberry does not actually give you the choice of POP or IMAP, or of a secure or insecure connection. All you can do is enter your server name. Blackberry then tries to auto-detect how it can connect and configures itself accordingly.

The best way to configure your Blackberry, and to ensure that only the secure service you want is chosen (and stays chosen), is to turn off the other options on the server, if possible. For example, if you want to use secure IMAP, turn off POP altogether and turn off insecure IMAP. The result is that the Blackberry can only pick the service that you need, and cannot “accidentally” choose something else.
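A way to verify that a mail server actually exposes only the secure IMAP service the text recommends, written as an added example (not part of the original post): the host name is an assumed placeholder, and the connection helpers are injectable so the policy check can be exercised without network access.

```python
import socket
import ssl

# Policy from the section above: only IMAP over SSL/TLS should be reachable,
# so the device cannot fall back to POP or plaintext IMAP.
REQUIRED_TLS = {993: "IMAP over SSL/TLS"}
MUST_BE_CLOSED = {110: "plaintext POP3", 143: "plaintext IMAP",
                  995: "POP3 over SSL/TLS"}


def tcp_open(host, port, timeout=3.0):
    """True if the port accepts a TCP connection at all."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_ok(host, port, timeout=3.0):
    """True only if a TLS handshake with certificate and hostname validation succeeds."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except OSError:  # ssl.SSLError is a subclass of OSError
        return False


def audit_mail_host(host, tcp_open=tcp_open, tls_ok=tls_ok):
    """Return a list of policy findings for the host; an empty list means compliant."""
    findings = []
    for port, name in MUST_BE_CLOSED.items():
        if tcp_open(host, port):
            findings.append(f"{host}:{port} ({name}) accepts connections; disable it")
    for port, name in REQUIRED_TLS.items():
        if not tcp_open(host, port):
            findings.append(f"{host}:{port} ({name}) is not reachable")
        elif not tls_ok(host, port):
            findings.append(f"{host}:{port} ({name}) failed TLS validation")
    return findings


if __name__ == "__main__":
    # Assumed placeholder host; replace with your own mail server.
    for finding in audit_mail_host("mail.example.test") or ["compliant"]:
        print(finding)
```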

With the new HITECH provisions of HIPAA, any entity covered by HIPAA that does business with another organization that will have access to, or control the flow of, ePHI for the HIPAA-covered entity should have a HIPAA Business Associate Agreement (BAA) with that business partner. Among other things, this BAA requires the business partner to meet the administrative, technical, and physical safeguards required by HIPAA themselves and to take responsibility for the security of any ePHI in their possession.

Electronic medical records on the sale need to be protected

There are many serious issues concerning the upkeep and operation of medical records in America, and one of them is the sale of medical records, whether preserved in digital form or in hard copy. Medical records provide highly relevant information to researchers, and despite government regulation, research groups lobby very hard for access to that data. Although the Health Insurance Portability and Accountability Act (HIPAA) is meant to protect patients, researchers get very broad access rights to health care records under it. The rules are too loose, and one can gain easy and prompt access to the records after a bit of manipulation of the data.

In the US, all medical records are to go digital by 2014 under the provisions of President Obama’s economic stimulus package, which also provides that physicians can store patient data in the cloud. To strengthen the security of that data, Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act alongside the stimulus, to address the security of the records that are going digital. The 2009 stimulus bill also offers financial incentives for companies that create electronic records.

This has led health care agencies to search for companies that can help them store and collect electronic data. A report last week in the Texas watchdog publication the Austin Bulldog stated that the Texas Department of State Health Services (DSHS) is in the process of selling de-identified patient data to anyone who says it is useful for research. However, the de-identification process is not as robust as it should be: it means changing some of the digits in the patient’s zip code and the dates of the hospital visit, and providing an age range instead of the patient’s actual age. Most records still include diagnoses, gender, address, billing information, and information about patients’ next of kin. Hence there is considerable pressure on the agencies regulating HIPAA to address this problem and protect the privacy of patient data.

Safety issues at risk with chat transcripts of sensitive medical information

Doctors, healthcare centers and pharmacists have started using live chat to get closer to their customers. However, the preservation of chat discussions about highly sensitive patient medical history may pose a serious threat to the security of that information.

In the eyes of HIPAA, and of lawyers for consumers whose data may get accessed, it won’t make much difference who said the protected data. They will assume that a retail conversation, in this case a patient-to-pharmacist conversation, will be protected as well as any other sensitive medical data.

To avoid such a threat, pharmacists could opt for an approach in which live chat staff have no access to patient medical records and instead only react to what the customer chooses to share during the exchange. However, once those customer-shared details are preserved in the chat transcript text file, they can be accessed later.

Some chains, like Walgreens, allow their pharmacists to access full pharmacy histories for all customers, but they are not supposed to reveal anything until the patient has verified their identity by answering questions. According to Walgreens spokesperson Jim Cohn, the live chat sessions are encrypted. But given that the consumer has to be able to read the answers, it’s unclear how secure those communications could be. Even if we assume, however, that they are fully secure, it’s unclear how secure the transcripts of those chat sessions will be.

Whatever procedure the chains adopt, chats remain a threat to patients’ sensitive medical information, because the information stays in the system and could be leaked through backups, chat transcripts, cyber theft or search engine spiders. All the security in the world is made meaningless by the weakest link. If not properly handled, chat transcripts of sensitive discussions might be just that.

How to write a Notice of Information Practices and Privacy Statement?

HIPAA applies to all medical and mental health service providers. It requires that everyone you collect medical information from, either directly or indirectly (such as by filling a prescription), be notified of their right to privacy and receive a “Notice of Privacy Practices,” sometimes also called a “Notice of Information Practices.”

The statement must tell your patients or clients what you do with their information, and either it must be signed by the patient, or the patient must acknowledge on a HIPAA consent form that they received a copy of your privacy practices before signing that consent form.

Here is a sample HIPAA privacy practices statement for your guidance. Before you use it, revise it to detail your own privacy policies and have an attorney review it to make sure it meets the legal requirements of your own business.

Notice of Information Practices and Privacy Statement for ABC Healthcare Services

123, ABC Lane,

City, Country, Code

Telephone Number

Email Address

How Your Information is collected by us:

ABC Healthcare Services and its employees and volunteers collect data through a variety of means, including but not necessarily limited to letters, phone calls, emails, voice mails, and the submission of applications, as is either required by law or necessary to process applications or other requests for assistance through our organization.

What is NOT done with your information:

Information about your financial situation and medical conditions and care that you provide to us in writing, via email, on the phone (including information left on voice mails), contained in or attached to applications, or directly or indirectly given to us, is held in strictest confidence.

We do not give out, exchange, barter, rent, sell, lend, or disseminate any information about applicants or clients who apply for or actually receive our services that is considered patient confidential, is restricted by law, or has been specifically restricted by a patient/client in a signed HIPAA consent form.

How your information IS USED:

Information is only used as is reasonably necessary to process your application or to provide you with health or counseling services which may require communication between ABC Healthcare Services and health care providers, medical product or service providers, pharmacies, insurance companies, and other providers necessary to: verify your medical information is accurate; determine the type of medical supplies or any health care services you need including, but not limited to; or to obtain or purchase any type of medical supplies, devices, medications, insurance,

If you apply or attempt to apply to receive assistance through us and provide information with the intent or purpose of fraud or that results in either an actual crime of fraud for any reason including willful or un-willful acts of negligence whether intended or not, or in any way demonstrates or indicates attempted fraud, your non-medical information can be given to legal authorities including police, investigators, courts, and/or attorneys or other legal professionals, as well as any other information as permitted by law.

Information NOT Collected by us:

We do not use cookies on our website to collect data from our site visitors. We do not collect information about site visitors except for one hit counter on the main index page that simply records the number of visitors and no other data. We do use some affiliate programs that may or may not capture traffic data through our site.

Limited Right to Use Non-Identifying Personal Information from Biographies, Letters, Notes, and Other Sources: Any pictures, stories, letters, biographies, correspondence, or thank you notes sent to us become the exclusive property of ABC Healthcare Services. We reserve the right to use non-identifying information about our clients (those who receive services or goods from or through us) for fundraising and promotional purposes that are directly related to our mission.

Clients will not be compensated for use of this information and no identifying information (photos, addresses, phone numbers, contact information, last names or uniquely identifiable names) will be used without client’s express advance permission.

You may specifically request that NO information be used whatsoever for promotional purposes, but you must identify any requested restrictions in writing.

We respect your right to privacy and assure you no identifying information or photos that you send to us will ever be publicly used without your direct or indirect consent.

Revision Date: 01/09/2010

Getting yourself insured against security breach or privacy loss

If you are in the healthcare industry managing PHI, a single security breach can cost millions. With large numbers of patients or insured customers, the potential cost of a breach can be very high. In such a case, you should consider network security or privacy loss insurance. What started with just a few specialist insurers, like Lloyds of London, has grown to more than 15 companies offering coverage for security breaches, as well as brokers who can help you find the right coverage.

Insurance against security breaches covers two main areas. First-party coverage protects you against the direct costs suffered by your business, including potential fines, productivity loss, financial damage and even PR expenses. Third-party coverage protects you against costs incurred for damage to third parties, such as virus damage or identity. Healthcare and insurance companies are buying these policies to cover the residual risk of a breach that reveals HIPAA protected information.

When going for this type of insurance, you need to first figure out how much coverage is needed. The potential loss depends on the number of records of sensitive data, the regulatory framework and the company’s existing security infrastructure. Coverage can be secured for a few thousand dollars, offering protection against losses in the $1 million to $5 million range. Special policies can be tailored for more coverage.

What are HIPAA transactions and code set standards?

The HIPAA transactions and code set standards are rules to standardize the electronic exchange of patient-identifiable, health-related information. They are based on electronic data interchange (EDI) standards, which allow the electronic exchange of information from computer to computer without human involvement.

A “transaction” is an electronic business document. Each of the HIPAA standard transactions has a name, a number, and a business or administrative use. Those of importance in a medical practice are listed below:

* Claim/encounter (X12 837): for submitting claims to a health plan, insurer, or other payer.

* Eligibility inquiry and response (X12 270 and 271): for asking a health plan about the status of a patient’s eligibility for benefits and details of the types of services covered, and for receiving the response from the health plan or payer.

* Claim status inquiry and response (X12 276 and 277): for inquiring about and monitoring outstanding claims (where is the claim? why haven’t you paid us?) and for receiving the response from the health plan or payer. Claim status codes are now standardized for all payers.

* Referrals and prior authorizations (X12 278): for obtaining referrals and authorizations accurately and quickly, and for receiving prior authorization responses from the payer or the utilization management organization (UMO) used by a payer.

* Health care payment and remittance advice (X12 835): for replacing paper EOB/EOPs and explaining all adjustment data from payers. It also permits auto-posting of payments to an accounts receivable system.

* Health claims attachments (proposed) (X12 275): for sending detailed clinical information in support of claims, in response to payment denials, and for other similar uses.

The purpose of the HIPAA standards is to simplify the processes and decrease the costs associated with the payment for health care services. The savings to payers, physicians and other providers could be enormous, but only if there is collaboration between all parties involved.
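Since every transaction set listed above carries patient-identifiable data, a practice needs to know which ones a received EDI file contains before routing or storing it. The following envelope reader is an added example (not code from the original page): it reads the delimiters from the fixed-width ISA header, checks the ST/SE and ISA/IEA control numbers, and names the transaction sets present; the sample interchange is constructed, with placeholder sender and receiver IDs.

```python
"""X12 envelope reader for HIPAA EDI files (added example, not page code).
Reads the delimiters from the fixed-width ISA header, checks ST/SE and
ISA/IEA control numbers, and reports which HIPAA transaction sets are present."""

# Transaction set names as listed in the section above.
HIPAA_TRANSACTIONS = {
    "837": "Claim/encounter",
    "270": "Eligibility inquiry",
    "271": "Eligibility response",
    "276": "Claim status inquiry",
    "277": "Claim status response",
    "278": "Referrals and prior authorizations",
    "835": "Health care payment and remittance advice",
    "275": "Health claims attachment (proposed)",
}
ISA_LENGTH = 106  # ISA is fixed width, so its delimiters sit at known offsets


def split_segments(interchange: str):
    """Return (element separator, segments) using the delimiters in ISA."""
    if not interchange.startswith("ISA") or len(interchange) < ISA_LENGTH:
        raise ValueError("missing or truncated ISA header")
    element_sep = interchange[3]                # character after 'ISA'
    segment_term = interchange[ISA_LENGTH - 1]  # last character of ISA
    segments = [s.strip() for s in interchange.split(segment_term)]
    return element_sep, [s for s in segments if s]


def list_transactions(interchange: str):
    """Validate the envelope; return one dict per ST..SE transaction set."""
    sep, segments = split_segments(interchange)
    isa, iea = segments[0].split(sep), segments[-1].split(sep)
    if iea[0] != "IEA" or len(iea) < 3 or iea[2] != isa[13]:
        raise ValueError("IEA control number does not match ISA13")
    found, current, count = [], None, 0
    for seg in segments:
        elems = seg.split(sep)
        if current is not None:
            count += 1  # counts segments inside the open ST..SE, SE included
        if elems[0] == "ST":
            if current is not None or len(elems) < 3:
                raise ValueError("nested or malformed ST segment")
            current, count = {"set": elems[1], "control": elems[2]}, 1
        elif elems[0] == "SE":
            if current is None or len(elems) < 3 or elems[2] != current["control"]:
                raise ValueError("SE control number does not match ST")
            if int(elems[1]) != count:
                raise ValueError("SE01 segment count is wrong")
            current["use"] = HIPAA_TRANSACTIONS.get(
                current["set"], "not a HIPAA standard transaction")
            found.append(current)
            current = None
    if current is not None:
        raise ValueError("ST segment without closing SE")
    return found


# Constructed sample (not real claim data): one 837 set and one 270 set.
SAMPLE = (
    "ISA*00*          *00*          *ZZ*SENDERID       *ZZ*RECEIVERID     "
    "*240101*1200*^*00501*000000001*0*T*:~\n"
    "GS*HC*SENDERID*RECEIVERID*20240101*1200*1*X*005010X222A1~\n"
    "ST*837*0001*005010X222A1~\nBHT*0019*00*0123*20240101*1200*CH~\n"
    "NM1*41*2*SAMPLE CLINIC*****46*SENDERID~\nSE*4*0001~\nGE*1*1~\n"
    "GS*HS*SENDERID*RECEIVERID*20240101*1200*2*X*005010X279A1~\n"
    "ST*270*0002*005010X279A1~\nBHT*0022*13*0456*20240101*1200~\n"
    "SE*3*0002~\nGE*1*2~\nIEA*2*000000001~\n"
)

if __name__ == "__main__":
    for tx in list_transactions(SAMPLE):
        print(f"ST {tx['control']}: X12 {tx['set']} ({tx['use']})")
```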

Is your Email system HIPAA compliant?

With the advent of the internet, email has emerged as a communication solution, and more and more patients are looking to communicate with their healthcare providers via email. Some healthcare practitioners feel that emailing their patients equates to working for free, but some clinics have already started charging for email consultations.

It is possible for clinics to shift towards a digital medical office while remaining financially solid. Rights management software tools have become a reality for the small and medium business office.

As with any medical advance, the side effects of a solution or cure must also be considered. While email is beneficial time-wise and financially, there are also cons to using this tool, many of them HIPAA related. According to the Health Privacy Project’s 2005 study, 70% of Americans are concerned that personal health information (PHI) could be disclosed as a result of weak data security.

Currently, healthcare organizations are required to provide a disclosure statement when communication is sent to their patients. With the advent of phishing, malware, and spyware, an unintended recipient could spread a patient’s PHI like a virus, using or selling the data to any number of damaging sites.

Under HIPAA, facilities that fail to protect their patients’ PHI face stiff penalties. PHI includes, but is not limited to:

* Patient’s address, phone number
* Treating Hospital/Clinic number assigned the patient
* Patient’s date of birth/ SSN
* Patient’s legal next of kin/guardian and their telephone number
* Patient’s insurance information (pre-certification/ DSHS/ Medicare)
* Anticipated Admission date and time

HIPAA email is regarded as any email that contains information relating to your medical records: anything from your address or phone number, date of birth, social security number, next of kin, insurance information (administrative or otherwise), and even your admission information for any medical visits or stays.

It isn’t only clinics, hospitals or doctors that are subject to this.  Your employer is too if you have a health or medical plan.  Companies who handle this kind of information have to have an information storage strategy that complies with HIPAA and many other pieces of legislation.  Many companies handle this in-house with their existing staff and infrastructure.

While some companies handle this in house, others outsource this burden to companies like Archive Compliance who will take care of their secure storage for them.  Companies like this have to demonstrate that their storage and retrieval methods are secure to be able to remain in business.

Privacy Rule exception in case of using the PHI of a deceased subject

The Privacy Rule requires researchers to obtain written authorizations from research subjects before using the subjects’ protected health information (PHI) in the course of that research. Among other exceptions to this rule, one exception is for the use of decedents’ PHI, after filing an appropriate certification.

When you wish to use the PHI of any deceased subject, you may use the Privacy Rule exception by making a certification. The certification is appropriate when: (1) the PHI sought via the certification is only that of decedents, (2) you can document the death of each individual if asked to do so, and (3) the PHI is necessary to the research purposes.

The Common Rule does not apply to research involving decedents. Rather, the Common Rule applies only to research involving “human subjects”, who are defined as “living” individuals.

You may make a certification for research on the PHI of decedents when all subjects in your protocol, or in a distinct part of that protocol, are deceased. If your research protocol involves the use of PHI of both living and non-living subjects, but no distinct part of your protocol is directed at the use of decedent’s PHI, you should not use the process here, but rather obtain an authorization, or seek a waiver of authorization, before using the PHI. It is not necessary to file a certification to continue using PHI of a research subject who dies during the course of your research, as you will have obtained an authorization, or waiver of authorization, for the subject while living that will allow you to continue using that PHI.

Filing a complaint with OCR for HIPAA violation

You know that a covered entity has violated or tampered with your PHI under HIPAA. But what are you supposed to do next? To redress your grievances, you have to file a complaint with the Office for Civil Rights (OCR). OCR is the authority entitled to receive and investigate complaints against covered entities related to the Privacy Rule.

The complaints to the Office for Civil Rights must:

1. Be filed in writing, either on paper or electronically;

2. Name the entity that is the subject of the complaint and describe the acts or omissions believed to be in violation of the applicable requirements of the Privacy Rule;

3. Be filed within 180 days of when you knew that the act or omission complained of occurred. OCR may extend the 180-day period if you can show “good cause.”

The violation for which the complaint is filed must have occurred on or after April 14, 2003 (on or after April 14, 2005 for small health plans), for OCR to have authority to investigate.

OCR has ten regional offices, and each regional office covers certain states. Complaints should be sent to the attention of the appropriate OCR Regional Manager.

You can submit your complaint in any written format but the complaint should include the following information:

1. Your name, full address, home and work telephone numbers, email address.

2. If you are filing a complaint on someone’s behalf, also provide the name of the person on whose behalf you are filing.

3. Name, full address and phone of the person, agency or organization you believe violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy Rule.

4. Briefly describe what happened. How, why, and when do you believe your (or someone else’s) health information privacy rights were violated, or the Privacy Rule otherwise was violated?

5. Any other relevant information.

The Privacy Rule prohibits the alleged violating party from taking retaliatory action against anyone for filing a complaint with the Office for Civil Rights. You should notify OCR immediately in the event of any retaliatory action.