HIPAA For Midwifery 101: Part 1 - The Basics by Brynne Potter, CPM




The Basics

The biggest concerns we hear from midwives about their charts center around HIPAA. They wonder whether they need to comply, or more importantly how to do so in a way that retains the personal and flexible style of practice that is inherent to midwifery. As it's a 1,000 page law with numerous subsections and amendments, there is no such thing as a "10 Easy Steps to HIPAA Compliance" article, but there is some basic information to help us all get a better understanding of what it is, why it matters, and how you can implement simple steps into your workflow to be more conscientious about HIPAA.

HIPAA IN DEPTH

For a comprehensive and technical definition of HIPAA, visit the government's Web site: http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html. You'll find everything you could possibly want to know and more. Just about any question you can think of can be answered in the FAQ section alone.

The goal of this series of articles (yes, it's going to take more than one to cover HIPAA in the Midwives Workflow) is to give you the basics in a context that you can really relate to: what you do every day.

What is HIPAA?

HIPAA is an acronym for a federal law that pertains to the protection of personal health information. It stands for the Health Insurance Portability and Accountability Act. HIPAA is divided into two primary Rules or sections: Privacy and Security.

Does every midwife have to comply?

You might have noticed that the "I" in HIPAA stands for Insurance, not Information as most people assume. This is because HIPAA came about in response to the insurance industry moving toward modernization through electronic billing systems and the concern over intentional or accidental release of insurance-related information.

HIPAA calls providers who must comply "covered entities," and the definition of a covered entity relates almost entirely to providers and associates who deal with insurance billing. This effectively means that if you never bill insurance and don't have a lab account or an account with any other entity that bills insurance, then you can stop reading after you consider this: HIPAA has rapidly altered the standard of professional health care in the United States. Despite the loophole of insurance billing, all providers are assumed to be practicing in accordance with HIPAA. Though compliance may not be your favorite word, consider the word "professional" and know that these standards are only going to become more ingrained in our electronic culture.

The Rules: Privacy

Privacy is the easy one to understand and, in many cases, is what you already do for ethical and professional reasons. You don't talk about your clients to others in the community, and you remove all protected health information (PHI) when you have a case in peer review.

What is PHI?

PHI is defined by HIPAA as "individually identifiable health information." If there is anything in the information that you store or send that can identify who that client is, it is PHI. The HIPAA Privacy Rule addresses the issue of privacy in terms of both formal and informal situations. I could list various scenarios (and would be happy to try to answer your specific questions), but the simple thing to keep in mind is the first step you should take with your clients regarding privacy:

Authorization

Think of authorization as the "Informed Disclosure" of HIPAA. As you review your workflow and identify places where there is either a need (e.g. insurance billing) or a routine (e.g. group prenatal care, or a Facebook page) that will expose personal health information, you need to put it in writing to your client and get their permission or authorization. Some examples of situations for which you should get prior authorization:

- Release of records to another provider (except for treatment purposes*)
- Release of records to an insurance company or billing service
- Birth announcements in print or on the Internet
- Birth data for research, education, or certification (that contains PHI)

There are plenty more examples, but the point is that you need to be sure that you don't release any PHI without authorization in writing from your client.

*There are exceptions to the authorization requirement. The primary exception that relates to midwives is when the release of records is for treatment purposes. The Privacy Rule allows health care providers to use or disclose protected health information for treatment purposes without the client's authorization.
This includes sharing the information to consult with other providers to treat or to refer the client. This means that you don't need to get a HIPAA release when you are transferring care in labor, or at any other time, to share the chart with the receiving provider. If the client is no longer under your care and there is a records request, you do need a HIPAA release.

It's under Privacy, but let's talk about Security

Just so you don't embarrass yourself at any hip HIPAA parties, don't make the gaffe that I did of confusing the steps you need to take to protect your client's stored records as being part of the Security Rule. It's part of the Privacy Rule, silly! I'll mention the Security Rule later, but just so we're straight: you need to take steps to ensure that all of your active and stored records are secure. This is the perfect moment for a lawyer joke, but I'll refrain for the sake of brevity (even the jokes go on and on).

Here's the simple truth: You need to have a policy that outlines your procedures for security. If you fail to follow your procedures, or your procedures result in an unintentional failure to comply with your policies, then you need to tell on yourself via a disclosure. Got it? I'll try again; here's a basic summary of the security safeguards section of the Privacy Rule:

- Know where all of your charts are, keeping them locked up when you're not using them.
- If you have a practice that includes more than one person (yourself), write out some guidelines for how to keep information secure and make sure everyone follows them. Things like "We will not leave pieces of paper with a client's PHI lying around the office" and "Don't leave your charts in your car" are good places to start.

We'll talk more in a future post about security in your home or office and how to dispose of PHI.

The Rules: Security

The HIPAA Security Rule specifically relates to electronic transmission of PHI (ePHI) for the purposes of transactions (i.e. billing). If you contract with a billing service, then you are responsible for those electronic transactions that the billing service conducts on your behalf. There is not much else to say about this except to make sure your billing service is HIPAA compliant.

So, that's the basic overview of HIPAA. If you know more now than you did before, that's great. Get ready to know more, because this was just the start of things to consider regarding HIPAA in your workflow.

HIPAA For Midwifery 101: Part 2 - Disclosures, Communication and Storage by Brynne Potter, CPM

Imagine if in 1925, when Mary Breckinridge founded the Frontier Nurse Service and pioneered nurse-midwifery and rural healthcare in the US, she had to maintain HIPAA compliance. Traveling on her horse caring for the women of Appalachia, obtaining written authorizations and informed disclosures would have been as foreign as the professionalized midwifery model she introduced. All reform brings challenges and contradictions. As any practicing midwife in the U.S. knows, we stand on the shoulders of those who came before us. As we work to move midwifery forward, we have to balance the need to modernize our profession without compromising the essential components of our model of care. One of the hallmarks of midwifery is the personal relationship we have with our clients. We are at times more than healthcare providers; we are mentors, connectors, and friends.
Parity between the relationships and connections that come with being a community midwife and the rules and regulations that come along with professionalism doesn't have to hinder the inherent connections that we share with our clients and their families. The HIPAA Privacy and Security Rules are reforms that we as providers may find frustrating to integrate into our professional practices, which are already constantly threatened by regulations that are not well suited to our model of care. If we try to keep in mind the good intentions (protection of the public) that are behind HIPAA, it makes it a little easier to take the effort to make these steps routine.

Communication under HIPAA

As I said in the first part of this 3-part series, HIPAA applies only to those providers and their business associates (or "covered entities") who engage in electronic transmission of protected health information (PHI). However, the actual law itself addresses rules for how ALL records are managed, including paper, fax, and oral transmission. HIPAA was not intended to hinder your ability to communicate with or about your clients. In fact, the intent is to encourage those necessary communications with clarity of purpose and awareness of boundaries. Think of HIPAA as a container for your communications, and maybe it can help serve to organize your workflow.

Authorizations: the fine print

Anyone who has visited a health care provider in the last 5 years has probably signed a HIPAA authorization. There is not a single HIPAA authorization form that everyone has to use. That is because the idea is for you to actually write your own that tells your clients what you do with their PHI in your practice. There are some specific areas that need to be addressed in your general authorization at the onset of care, which HIPAA calls your Notice of Privacy Practices. This form can look like a bulleted list, and here is what it should include:

Situations that require no permission that are routine in your practice:
- Consultations or transfer of care
- Sharing a chart with a back-up midwife
- Situations related to public benefit: reporting victims of abuse, neglect, domestic violence, legal proceedings, national security, and law enforcement

Situations where verbal or written consent is required:
- Disclosing information to family or friends involved in the client's care
- Public displays: bulletin boards, Web sites, Facebook

Patient Rights (HIPAA requires that you inform your clients of their rights under the law). Your clients have the right to:
- Request access and corrections to their record
- Request an accounting of how their information was used and who it was released to in the course of their care
- Request that all communications be confidential
- Complain about a perceived violation of privacy to you, your practice's manager (if you have one), your licensing or certifying agency, or the government

Now that you've disclosed or gotten permission to communicate, there are some guidelines under HIPAA about how you communicate PHI in any situation.

It's not about the messenger, it's about the message

In our world of instant communication and rapidly changing technology, it is very difficult to create a standard for communication that is universal. The HIPAA rules are not intended to limit your use of speedy and convenient communication; the government primarily just wants you to think about what you are doing before you do it. This is highlighted by a phrase used in the law to describe the guidelines for disclosures:

"Covered entities also must implement reasonable minimum necessary policies and procedures that limit how much protected health information is used, disclosed, and requested for certain purposes." 45 CFR 164.502(a)(1)(iii)

In legal terms, "reasonable measure" and "minimum necessary" are something that the law didn't really want to define, because it was recognized that what would be reasonable for one provider wouldn't be reasonable for another. Once the law has been in place for a while, things like case law and community standards start to define these subjective terms. As individualized as midwifery practices are, community standard is hard to define for everyone. The basic idea is to apply these concepts to everything that you do with PHI, including sending information or allowing access to information in your office or work place.

Sending information

The first reasonable measure to consider when sending info is to make sure you are sending the message to the right person:
- Confirm the address, phone or fax number.
- For written information (mail, email, fax), include a cover letter or signature with instructions for the recipient to contact you and destroy the contents if they are not the intended recipient.

The second reasonable measure is to send the minimum information necessary to achieve the goal of the communication. A great example would be that when you need to leave a voice mail for your client about their recent lab report, you can just ask them to call you back rather than leaving the details about the report on a machine that others might overhear.

Storage and Access to information in your office

In large practices, there is usually a privacy/security officer who is in charge of drafting policies and training everyone else. If it's just you and some students, you are your own privacy officer! Most of the reasonable safeguards HIPAA requires that you take in your workplace have to do with basic professional conduct and common sense, for instance:
- Speak quietly when discussing a client in public areas of your office so that you aren't overheard by family members or people in the waiting room.
- Don't have incidental conversations among your colleagues that are not necessary for treatment; keep it on a need-to-know basis.
- Isolate or lock file cabinets or records rooms.

The basic idea is to take a look around your practice and notice the places where you are already taking care to ensure confidentiality, and get a little more formal about it. The process will likely show you areas or habits that you hadn't thought about before that could probably improve your practice while also increasing your HIPAA compliance.

HIPAA For Midwifery 101: Part 3 - The Security Rule: Keeping Electronic Info Safe by Brynne Potter, CPM

This last article in our 3-part series on HIPAA Privacy and Security is going to focus on the Security Rule and how it relates to a typical midwife workflow. As we said in our article on The Basics of the HIPAA Rules, most of the safeguards midwives need to take are based on common sense and professional practice standards. Most HIPAA blunders occur when we start using electronic tools like email for health care and communication, which most of our typical young and tech-savvy clients seem to embrace.

HIPAA Security Rule defined:

"The rule establishes national standards to protect individuals' electronic personal health information (ePHI) that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information." Health Information Privacy, US Dept. of Health and Human Services

Paper Charting? You still might have ePHI to keep secure

Even if you are charting on paper, if you keep any amount of PHI (protected health information, or any information that could identify a client) in an electronic format, like files or email on your computer or contacts in your phone, the HIPAA requirements for protection of that information fall under the Security Rule. The Rule outlines specific safeguards that everyone needs to take in their practice, whether large or small, to ensure the security of your clients' PHI.

Number 1 HIPAA Security Breach: Theft of Your Laptop

I recently attended a workshop on HIPAA privacy and security issues, held at the HIMSS11 conference, by Adam Greene, JD, MPH, senior health IT and privacy specialist with the Office for Civil Rights at the Department of Health and Human Services. As a representative of the government entity charged with processing complaints regarding HIPAA breach incidents and enforcement, Greene presented some interesting data about common HIPAA mistakes. Over 65% of HIPAA Security breaches are due to theft or loss of a laptop or other computer. The best way to avoid having your laptop stolen is to NEVER leave it in your car. For homebirth midwives who often need to drive around with their birth bags at the ready, keep your laptop and your charts (whether paper or electronic) with you or in your office under lock and key. Since the penalties for not ensuring this simple safeguard range from $100 minimum to $50,000 maximum per incident, it certainly pays to be cautious with PHI.

Securing Devices in your Home or Office

Now that you are making sure that you are keeping your valuable electronic devices secure from theft or loss, you should also consider the HIPAA guidelines created by the Center for Medicaid Services on Security for the Small Provider. The following is a quick summary of the areas that are most relevant to a midwife workflow.
Some of the guidelines are required [R] and some are addressable [A], which means that you aren't required to implement the standard unless you have the reasonable and appropriate means to do it. "Reasonable and appropriate" are terms that are intended to allow you to take into consideration things like the size of your practice, the capabilities of your existing systems, and the cost of implementing new ones.

Secret Passwords [R]

The best way to restrict access to PHI on your computer or portable device is through a unique password or other authentication process to access your email, files, and contacts. This is done on a computer or laptop by setting up a user account. On a cellphone there is generally only one account, and you just need to set up a password that is required in order to do anything but answer incoming calls. These unique passwords also add a layer of security if these devices are lost or stolen, because the entire device would need to be wiped clean in order for someone to use it again if they don't know your password.

Automatic Shutoff [A]

This is a feature that you probably already have on your computer. It is what makes your computer go to sleep or turn itself off after a specified amount of time and then requires a password in order to wake it back up. Many of us turn this feature off on our personal computers because it is cumbersome. However, if you have any PHI stored on your computer, you need to turn it back on. Adam Greene defined "addressable" this way: if you have the feature available in your system, but choose not to use it, then it would be a violation of the guidelines under HIPAA.

Back up of Data [A]

We've all experienced the dreaded hard drive meltdown. Losing your own information to a system failure is bad enough, but what if you had client records stored on a computer that cannot be recovered? While it is a very good practice to keep your electronic files stored on a back-up hard drive, those hard drives can also be corrupted, lost, or stolen. Fire and other natural disasters are things that may be unlikely, but can create a real problem for both electronic and paper file storage. Under HIPAA, and possibly your state licensing laws, you are responsible for ensuring that your clients' records are readily available. The time frames for availability are usually defined under state law and can range anywhere from 5 to 18 years. The best way to ensure access to back-up records is to keep them on the web "cloud." This may sound counter-intuitive since you can't see this cloud, but it actually means that you can access it from any computer with a unique login. So if your computer is damaged or stolen, it doesn't matter, because your PHI data is not stored on it. You just buy a new computer and access your account again with no stress. There are many commercial cloud storage systems available for low cost. Because you are storing ePHI, you need to make sure that the system uses standard security protocols when you are uploading and downloading your data and that they keep your data secure on their servers. Most Electronic Health Record (EHR) and Practice Management Systems can handle this kind of data storage for you as part of the package.

Encryption [A]

By its very definition, encryption is hard to understand, because it's all about making your text or data hard for other people to understand unless they have the secret code or authorization to do so. Encryption is a method of converting an original message of regular text into encoded text. The text is encrypted by means of an algorithm (a type of formula). If information is encrypted, there would be a low probability that anyone other than the receiving party who has the key to the code or access to another confidential process would be able to decrypt (translate) the text and convert it into plain, comprehensible text.
If this sounds like a bad spy movie all of a sudden, it's because electronic espionage is exactly what encryption is designed to protect against. The reality is that most hackers who are looking to get at PHI are looking for big caches of data for resale or identity theft. Simple direct email back and forth between you and your client is not likely to be hacked, but it is the right of your client to refuse to allow any exchange of information that is not encrypted. Because the cost of encryption, especially for paper-based practices who do little ePHI exchange, is so high, it is not a requirement of all covered entities to send all ePHI via encrypted format. However, if you have any Business Associates (Insurance Biller, EHR or Practice Management Software), they also need to ensure that both the stored data and the data sent on your behalf are encrypted. This is something that is handled by the software vendor, and you should make sure that they are handling your practice data in compliance with HIPAA.

Contracts with your Business Associates [R]

HIPAA requires that you make sure your Business Associates are handling PHI properly on your behalf by having a Business Associate Contract. Most of us have clicked the "Yes, I have read the Terms and Conditions and Privacy Policy" button when we sign up for anything online, from a hotel room to a Netflix account. These forms have become so standard that many of us don't really read them. It is important to understand that you are responsible for the actions taken on your behalf, and therefore I recommend that you read all Terms and Conditions with any vendors you choose to work with in your practice.

Disposal [R]

Whether you are transitioning from paper to electronic charting, or just need to toss out mail or other forms that include PHI, you need to address disposal of that information as part of HIPAA security. 21% of security breaches (the second largest HIPAA complaint) happen with improper disposal of paper-based PHI.

You can't just toss PHI into the landfill or recycle it. You first need to shred or otherwise alter it to a point where no information is retrievable. The simplest way to incorporate this into your workflow is to buy a quality shredder and shred as you go. Don't let the paper pile up. Not only is it then vulnerable to loss or theft, but you are just causing a quick task to build up into a burdensome one. That shredded paper can now be recycled or used in your garden as extra mulch!

Making Security Part of Your Workflow

We've talked a lot in this series about the importance of analyzing your workflow. As I outlined last month in "All midwives have a workflow, what's yours?", workflow is how you do things in your practice. Ideally, your workflow makes sense and can be articulated to others. If you have a workflow written out, or as you take the time to write it out now that you know about it, you can use the opportunity to really look at how you do things in your practice and decide if things might need some tweaking. During the process you can meet two more HIPAA Security Rule requirements.

Risk Analysis [R]

Doing a risk analysis is required of all covered entities. Though the frequency is not specified, if you've never done one at all then the frequency is "as soon as possible." The process involves reviewing your workflow and then adding some special thought to the places where you might be at risk of exposing PHI.

Risk Management Plan [R]

After conducting the risk analysis, you then need to draft a plan that includes the steps you are taking to maximize security in your practice. This is something like your practice guidelines or protocols for routine midwifery care. The plan should include how your practice addresses everything that we have talked about here, as well as a Facility Security Plan [A], which includes who has keys to the office files and other access to PHI, and a Sanction Policy [R], which refers to how you will handle violations of the plan by any of your staff.

We never said this was easy, but hopefully this series has made it a little bit clearer how to maintain HIPAA compliance in your practice. While you don't need new software to be HIPAA compliant, considering options for workflow support that also help you achieve HIPAA compliance is what Private Practice hopes to achieve.

ABOUT THE AUTHOR

Brynne Potter is a Certified Professional Midwife (CPM) who has worked in the field of midwifery since 1991. She is a member of the North American Registry of Midwives (NARM) Board of Directors and a founding partner of Mountain View Midwives, a midwifery practice in Charlottesville, VA. Brynne is also one of the founders of Private Practice, makers of practice management software for midwives.

Disclosure: These articles are an attempt to provide information about HIPAA to midwives and related parties who are struggling to understand and integrate HIPAA compliance. They are meant to support, not supplant, any previous understanding that you may have about HIPAA, and should not be considered the first or the last word on HIPAA compliance.