David Harlow: Don't rely on outdated HIPAA training materials

Despite the looming reality that the U.S. Department of Health & Human Services Office for Civil Rights will be auditing healthcare providers for HIPAA compliance starting this fall, privacy issues continue to persist throughout the industry. For instance, in the month of January alone, more than 70 health data breach incidents affecting more than 500 individuals were added to HHS' infamous "wall of shame."

What are providers to do? During a recent FierceHealthcare webinar, "Three things you must know about the new HIPAA rules," David Harlow (pictured), a Boston-based health attorney and author of HealthBlawg, and Dena Boggan, HIPAA privacy and security officer at St. Dominic Hospital in Jackson, Miss., shared their experiences and expertise with attendees regarding internal policies, training staff and business associates, among other topics.

"The new rules call for fines at an astronomical level," Harlow, a FierceHealthIT Editorial Advisory Board member, said during his presentation. "This could [have] a devastating impact on an organization both in terms of the financial impact in terms of fines and the PR impact in terms of having to go public with a large breach."

What follows are answers by Harlow to follow-up questions from attendees that dive deeper into the legal ramifications of the rule.

Question: Any suggestions on the legal minimum requirement to train employees annually? They groan when they must review the same information every year, even when we present it in a different fashion.

Harlow: There are numerous online training programs as well as live presenters available. As long as the required content is adequately covered, and testing and recordkeeping requirements are met, there is no reason to rely on repeated viewings of the same old videos in the vault. In fact, given the dynamic nature of the field, the same old videos will not adequately cover the required material--the Omnibus Rule has certainly spiced things up in 2013, and the Accounting of Disclosures rule (once it is finalized) will also add some interest. Once OCR's enforcement priorities under the Omnibus Rule come into clearer focus, additional tweaks to training will be required as well.

Question: What are the best HIPAA compliant online file-sharing sites for a mostly mobile home health care company?

Harlow: HIPAA compliance for a mobile workforce will depend on at least four key elements--workforce training, a mobile device policy, an email and other communications policy, and cloud computing resources and policies--all as part of a robust set of HIPAA policies and procedures. There are numerous cloud hosting providers that will enter into a Business Associate Agreement (BAA) with customers--the Omnibus Rule has even brought Google (for Google Apps customers) and Amazon (for AWS customers) to the table on this front (because if they had not developed their own BAAs, the Omnibus Rule would have imposed its own set of standard BAA provisions) and many other cloud hosting providers are built on top of Amazon's infrastructure.

Individual service reviews are beyond the scope of this Q&A, but the point is that there are many good choices out there, and the key is to find the service that can support your data needs best as well as your HIPAA compliance needs.

Question: Do these rules prohibit nurses caring for patients from accessing physician progress notes or other information in the chart that is not entered by nursing?

Harlow: This question refers to the "minimum necessary" standard, which requires, in principle, that only the minimum necessary protected health information (PHI) should be shared. The standard does not prohibit such access, but appropriate role-based access policies may create limits on such access. It is important to note that the minimum necessary standard does not apply to disclosure of PHI from one health care provider to another for treatment purposes, but that it does apply to sharing within the workforce of a health care provider. Here is one of the official answers to frequently asked questions (FAQ) on the OCR website:

"Disclosures for treatment purposes (including requests for disclosures) between health care providers are explicitly exempted from the minimum necessary requirements."

"Uses of protected health information for treatment are not exempt from the minimum necessary standard. However, the Privacy Rule provides the covered entity with substantial discretion with respect to how it implements the minimum necessary standard, and appropriately and reasonably limits access to identifiable health information within the covered entity. The Rule recognizes that the covered entity is in the best position to know and determine who in its workforce needs access to personal health information to perform their jobs. Therefore, the covered entity may develop role-based access policies that allow its health care providers and other employees, as appropriate, access to patient information, including entire medical records, for treatment purposes."

The questions and answers have been edited for content and clarity.