Zach Giammarco HIPAA Interview Q 1-5

0 CommentsFriday • May 10, 2013 • by VISION Marketing & Consulting

VISION Marketing & Consulting had the pleasure of interviewing Zach Giammarco, partner of Giammarco Law Office. Some of the main points he discussed were HIPAA changes, the HITECH Act, and legal issues that healthcare practices can avoid. He also gave advice to healthcare providers who are thinking about starting social marketing! We want to thank Zach for giving us the opportunity to ask him these questions!

ANSWER: Due to the increase of healthcare providers utilizing social media as a form of marketing, the American Medical Association (“AMA”) issued a press release in November 2010 addressing this very issue.  While some of the AMA’s recommendations are blatantly obvious (such as do not post identifiable patient information on Facebook), others are not so clear, including the following:

• When using the Internet for social marketing, providers should use privacy settings to safeguard personal information and content to the extent possible.  However, providers must realize that privacy settings are not absolute and, once information is on the Internet, it will most likely remain there permanently.

• Providers should routinely monitor their own Internet presence to ensure that the personal and professional information on their own sites and, to the extent possible, content posted about them by others, is accurate and appropriate.

• If providers interact with patients on the Internet, they must maintain appropriate boundaries of their relationship in accordance with their professional ethical guidelines just as they would in any other context.

While these AMA guidelines are written with physicians in mind, they can be universally applied to all healthcare fields.  The best advice I have for my clients is to use common sense and do not post anything that they would not want their overseeing Board to see.

VISION Marketing & Consulting -  When using social media in a medical practice, it is good to use common sense, however certain safeguards should not be overlooked such as understanding all information on the internet is most likely permanent, monitor your sites and maintain professional and ethical behavior when interacting online.

Did you miss questions 1-4? Check them out below!

QUESTION ONE:  What is the most common mistake healthcare providers make when dealing with HIPAA regulations?  What can they do to improve this?

ANSWER: Aside from misspelling HIPAA with two “P’s” instead of one, the most common mistake I come across is the failure to have proper safeguards in place when dealing with third party contractors, otherwise referred to as Business Associates by our good friend HIPAA.  Some healthcare providers are not aware that each Business Associate that may come into contact with confidential patient information must sign a Business Associate Agreement prior to performing any work for the provider.  For example, if an IT person comes in to fix even the most minor problem, it is extremely likely that he or she will come across or, at the very least, have access to confidential patient information.  Thus, this individual must execute a proper Business Associate Agreement so that all parties are on the same page when it comes to how that IT person should handle and/or disclose (if absolutely necessary) such patient information.  It is a good idea to have such an agreement on hand in the event the provider requires immediate services where a third party might come into contact with confidential patient information.  If this third party refuses to sign the Business Associate Agreement, hire someone that will because this is necessary to protect the provider.  Otherwise, this could end up in a huge mess down the road.  To obtain a current and comprehensive Business Associate Agreement, I recommend contacting a knowledgeable attorney rather than pulling just any form from the Internet.  This is especially true when considering the recent changes to HIPAA and HITECH.

VISION Marketing & Consulting – The information Mr. Giammarco has provided regarding HIPAA is very valuable to all our clients.  We make certain that all information is protected and we also recommend to our clients to look at their current agreements to ensure the are updated according to laws and changes.

QUESTION TWO:  On January 17, 2013, the U.S. Department of Health and Human Services announced the new HIPAA Final Omnibus Rule.  What is most important to know as a healthcare provider regarding these new regulations?

ANSWER: The Final Omnibus Rule makes significant changes to HIPAA by greatly enhancing patients’ privacy protections, providing individuals new rights to their health information and strengthening the government’s ability to enforce the law.  Because some of the largest breaches reported to the Department of Health and Humans Services derive from Business Associates, the Final Omnibus Rule expands many of the privacy safeguards and penalties to apply to covered entities’ Business Associates.  For example, penalties for noncompliance have been increased based on the level of negligence with a maximum penalty of $1.5 million per violation.

Although the Final Omnibus Rule became effective on March 26, 2013, covered entities and Business Associates will have until September 23, 2013 to comply with these changes, which includes updating their respective Business Associate Agreements.  I strongly encourage all healthcare providers to get in contact with their attorney to begin drafting a new Business Associate Agreement that works for that particular provider.  It is also important to have current Business Associates execute the updated agreement even if they already signed an old version.

Healthcare providers should also be aware that the Final Omnibus Rule expands individual rights in important ways.  Patients can now ask for a copy of their electronic medical record in an electronic form.  When individuals pay by cash, they can instruct their provider not to share information about their treatment with their health plan.  And, the rule sets new limits on how information is used and disclosed for marketing and fundraising purposes, while prohibiting the sale of individuals’ health information without their permission.

A full copy of the rule can be found at http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.

VISION Marketing & Consulting – As electronic health records becomes more prevalent in all medical offices, providers should make sure their policies are in line with these new regulations.

QUESTION THREE:  What is HITECH and how does it impact healthcare practices?

ANSWER: HITECH is the Health Information Technology for Economic and Clinical Health Act, which first became effective February 18, 2010 as part of the American Recovery and Reinvestment Act of 2009.  The objectives of HITECH are to:

• Develop standards for the electronic exchange of healthcare information;
• Establish incentives to encourage doctors and hospitals to digitize their medical records;
• Save the government approximately $10 billion, presumably as the product of the digitization efforts; and
• Strengthen privacy and security to guard protected health information.

Specifically, Subtitle D of HITECH addresses the privacy and security concerns associated with the electronic transmission of health information.  I typically explain it to my healthcare clients as an “offshoot” of HIPAA that addresses the electronic transmission of health information.

It is extremely important for all healthcare providers to be aware of the requirements set forth in HITECH, especially considering the majority of patient information is now electronically transmitted at one point or another.  Prior to HITECH, all responsibility for data breaches originating from a Business Associate fell on the covered entity.  HITECH changed this to make Business Associates liable for their breaches – provided a proper Business Associate Agreement was in place.  Interestingly, a 2009 survey sponsored by the Healthcare Information and Management Systems Society found that more than thirty percent (30%) of Business Associates surveyed were not aware that HIPAA privacy and security requirements had been extended to cover their organizations pursuant to HITECH.  Hopefully, that figure has decreased in the past four years, but it is important to verify that your Business Associates are knowledgeable about HITECH.

In addition, HITECH expanded the scope of HIPAA to (i) mandate public notification of data breaches containing protected health information; (ii) require stricter compliance and accounting for electronic protected health information requests; and (iii) add responsibility for managing protected health information handled by Business Associates, as previously mentioned.

Because it is impossible to explain all the “ins” and “outs” of HITECH, I encourage providers to either contact their attorney or, if they really have a lot of time on their hands, review the full text of HITECH at the following site:

http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html

VISION Marketing & Consulting – HIPAA was in effect with paper medical records, and now we are finding that the HITECH act pays closer attention to ensuring privacy with electronic transferring of information.

QUESTION FOUR:  What would be three legal issues you would caution healthcare practices about to avoid any risk? 

ANSWER:

Legal Issue 1. Healthcare providers should be extremely cautious when communicating with patients via mobile devices, including phones or tablets.  A 2011 survey performed by QuantiaMD estimates that one in four physicians are “super mobile” users who leverage both smartphones and tablets in their practices.  If you are one of these providers, it is important to know that the use of mobile devices to exchange protected health information automatically triggers the HIPAA security rule.  This poses a unique risk to providers because mobile devices may not restrict user access to data through the use of encryption software or authentication features.  Also, mobile devices store such information either within the computer’s onboard memory or within a SIM card or another memory chip.  Because mobile devices are extremely vulnerably to loss or theft, it is important for providers to enact technical safeguards, including the following: installing and regularly updating malware, installing firewalls where appropriate, applying encryption to electronic protected health information and ensuring mobile devices use secure, encrypted Hypertext Transfer Protocol (“HTTP”) similar to that used by banking and financial institutions.  If such safeguards are in place, the chances of breaching the HIPAA security rule are greatly reduced in the event the mobile device is lost or stolen.

Legal Issue 2.  If there is any doubt whether a third party contractor is considered a Business Associate pursuant to HIPAA or HITECH, contact your attorney.  If you cannot get a hold of your attorney, have the individual or entity sign a Business Associate Agreement just to be safe.  Generally speaking, a Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of personal health information.  Business Associates typically work on behalf of, or provide services to, a HIPAA covered entity.  Keep in mind that a covered entity’s workforce is not considered a Business Associate.  Common Business Associates include accountants, consultants, pharmacies, payers (i.e., health insurance providers), laboratories, e-health record software vendors, RHIOs (Regional Health Information Organizations and HIEs (Health Information Exchanges).

Legal Issue 3.  This sounds like a no-brainer, but providers must be informed about and follow all regulations contained in HIPAA, HITECH and the recent Final Omnibus Rule.  I say this because enforcement of HIPAA violations has increased in the past couple years and will continue increasing in 2013 according to Leon Rodriguez, the Director of the U.S. Department of Health and Human Service’s Office for Civil Rights, which is the department responsible for enforcing HIPAA and HITECH regulations.  Otherwise, breaches could easily result in substantial monetary and criminal penalties.

VISION Marketing & Consulting – The three basic recommendations, although simple, are very important in your medical practice.  In summary, be cautious when using mobile devices, error on the side of caution when dealing with Business Associate Agreements, and make sure your HIPAA and HITECH policies are up to date.

The answers provided in this article were provided by:

Zachary D. Giammarco

GIAMMARCO LAW OFFICE PLLC

3910 S. Alma School Road, Suite 5

Chandler, Arizona 85248

http://giammarcolaw.com/

(480) 722-0103 – Phone

(480) 722-0106 – Fax

Zach@GLawAZ.com

Legal Disclaimer:  All information provided in this article is for informational purposes only and, therefore, does not constitute legal advice or create an attorney-client relationship.  Due to the complexity of HIPAA, HITECH and any amendments thereto, you should consult a competent attorney for individual advice before acting upon any of the information provided in this article.