Leon Rodriguez, JD: Hello. I'm Leon Rodriguez, Director of the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS). I'd like to welcome you to this program titled "HIPAA and You: Building a Culture of Compliance." Joining me today is Joy Pritts, Chief Privacy Officer at the Office of the National Coordinator for Health Information Technology (ONC). Welcome, Joy.

Joy Pritts, JD: Good to be here.

Mr Rodriguez: The goals of this program are to outline the responsibilities of covered entities and their business associates under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and provide strategies to build and maintain a culture of compliance with HIPAA. I'd like to take a few moments to tell you about what we do in the Office for Civil Rights and ask Joy to talk a little bit about the Office of the National Coordinator.

The Office for Civil Rights has the lead responsibility in the federal government for enforcing the nation's health information privacy laws that are known as "HIPAA." We conduct investigations of possible violations of those laws, and where there is a violation, we take enforcement action. We also prepare regulations and policies that guide how providers can follow these laws. Finally, we provide technical assistance and training to assist healthcare providers and their business associates in following the law. Joy, tell us what the Office of the National Coordinator does.

Ms Pritts: The Office of the National Coordinator was created by the Health Information Technology for Economic and Clinical Health (HITECH) Act to help encourage healthcare providers and hospitals to adopt electronic health records and also to share health information electronically. As we're expanding this use of electronic health information, we wanted to make sure to focus on privacy and security as really important topics. My office was created to help coordinate the efforts for developing policies for these new ways of storing and exchanging health information.

Mr Rodriguez: And of course, you came to HHS with a long background in the area of privacy and security, having been a law professor who concentrated in this area.

Ms Pritts: I know a lot about this area. I probably started before HIPAA was a rule.

Mr Rodriguez: Great to have you as a partner. Let's talk for a few minutes about the HIPAA Privacy Rule. The HIPAA Privacy Rule first became effective on April 14, 2003, for all but small health plans. Covered entities under the HIPAA Privacy Rule include doctors, clinics, hospitals, dentists, nursing homes, and pharmacies that transmit data electronically, as well as health plans and health clearinghouses.

Let's talk for a moment about "business associates." I know that that is part of what is changing now. Can you talk a little bit about what business associates are and what they do?

Ms Pritts: You have the core players in the healthcare field like the healthcare providers and the health plans. But they cannot do all their business themselves, so they often contract out with people or organizations called business associates. These are any persons or organizations who function on behalf of the covered entity in a way that involves the use or disclosure of identifiable health information. Some examples include people who do billing for healthcare providers, people who do the coding, and now we have more and more people who are involved in organizations becoming electronic health record vendors, where they actually might have to access information. Another area -- since there are a lot of efforts ongoing at the Centers for Medicare & Medicaid Services (CMS) to improve the quality of health care -- is people who do the analytics for providers.

Mr Rodriguez: Now you have sense of who is covered under the Health Information Privacy Rule. Let's talk about the goals of the Health Information Privacy Rule. Obviously there is a goal here to provide strong federal protections for privacy rights, and one of those, of course, is preserving quality health care. We believe that only when patients trust in the privacy and security of their health information will they communicate frankly with their healthcare providers. In fact, if patients do not trust in the privacy and security of their information, they may not go to the doctor at all, and that is bad for all of us. Now, I know that you are particularly focused on the adoption of new technologies in medical record keeping. Can you talk about how privacy and security laws affect that effort?

Ms Pritts: It is really important that people be able to trust the system -- that the right information is flowing to the right people at the right time -- and one of the ways you accomplish this is by making sure that you have the right rules and protections in place, as well as the ability to enforce against those who are not doing the things that they should be doing. In our office, we build privacy and security into all of our funding efforts to make sure that, as people are adopting electronic health records, they take privacy and security very seriously up front while they are building them into their systems.

Mr Rodriguez: Let's talk about the basics of what the Privacy Rule covers. First of all, one of the main concepts is what kind of information is covered under the privacy rule, and here we are talking about protected health information: information that relates to the treatment or diagnosis of disease.

Ms Pritts: But it is not just any information, is it, Leon? It has to be identifiable information.

Mr Rodriguez: Absolutely. That means that it actually has to be information that is connected to a patient and/or is connectable to a patient. If that information is removed, for example, for research purposes, then often that is no longer protected health information. There are specific requirements under the HIPAA law that explain how information needs to be de-identified in order to no longer be considered protected health information.

The next question is: what can covered entities do with the information they have? Would you talk about those rules?

Ms Pritts: Well, one of the things that people need to consider when they are thinking about how they are handling health information is who they are sharing it with and for what purpose. The Privacy Rule tells covered entities that they can share information for some really core reasons without the individual's express permission. For example, they can share information for treatment purposes. Most people expect that that is going to happen. For payment purposes. Otherwise, how is a doctor going to receive payment for the services that he or she has rendered? And for healthcare operations purposes. Those are some of the things that all of these organizations have to do to keep their businesses running. A healthcare organization covered entity can use health information and share it for all those purposes without the patient's express permission. For some other purposes, the Privacy Rule expressly states that you have to get the individual's express permission, and they call that an "authorization." For example, if somebody wants to request your information for life insurance purposes, the patient usually has to sign a paper -- an authorization form -- saying to the healthcare provider that you can share that information with a life insurance provider.

Mr Rodriguez: With respect to what covered entities can do with that information, we always need to talk about the concept of "minimum necessary," which is the idea that you may only use health information for what is necessary for accomplishing the purposes that you talked about. For example, if you are in a hospital, and you are in one part of the hospital, and you have nothing to do with a particular patient, you really should not be looking at or have access to the medical records of a patient who is not really covered by your department. Now, of course, that does not relate to all, for example, disclosures of health information. When are certain health disclosures not covered by the minimum necessary concept?

Ms Pritts: Because we want to make sure that health information is really available for purposes of treatment, it is hard to guess what another provider might need. The minimum necessary rule does not apply when you are sharing health information with another healthcare provider. We are not going to make any provider guess how much information that provider needs.

Mr Rodriguez: Right.

Ms Pritts: But neither are we expecting people to just check their common sense at the door, either. The rule requires people to use their common sense as to how they share information just in general.

Mr Rodriguez: One of the most important ideas to remember about HIPAA is that it really is all about common sense: what are appropriate uses of health information, what are appropriate ways to protect health information, and what are inappropriate ways within the real-world context of how health care is conducted in our country? Of course, the larger concept is that providers do have a responsibility to safeguard health information against inappropriate disclosures and uses, and we are going to talk about how you undertake those safeguards this afternoon.

One of the things that providers need to do is implement policies and procedures that talk about what are the appropriate uses and disclosures of health information and also what are the necessary protections for that information, so that people who should not have access to that information do not have access to that information.

Ms Pritts: And those policies and procedures are not supposed to be a once-and-done deal, either, are they? A lot of times, when organizations create policies, they put them all in a real nice notebook, put them on a shelf, and then never take them down and look at them again.

Mr Rodriguez: Right.

Ms Pritts: These are really meant to be policies that are evaluated from time to time to make sure for that new people coming in know about them, but also because they might change as time goes on.

Mr Rodriguez: It is not enough to just have policies and procedures. You really have to live by them and revisit them periodically.

Ms Pritts: Yes.

Mr Rodriguez: The other important thing to do is to train all of your staff that handles protected health information on what these requirements are. Can you talk about what that training might entail?

Ms Pritts: The training will be different for different members of your staff. It will really depend a lot on what they need access to the health information for and what their duties are. That training should explain to them what the limits are on the uses and disclosures of the information and how you would protect the information in general. For example, you do not want people in a hospital talking about patients by name loudly in the hallways when they can just move into an office to have that conversation. Again, there are a lot of common sense applications for training, but they do depend a lot on: one size does not fit all. In a small doctor's office, even though you only have a few people, you still might have a slightly different training mechanism for a nurse than you would have for the clerk at the front desk.

Mr Rodriguez: Just as with everything else, it is not a once-in-a-lifetime proposition. You need to keep training and retraining and make sure that all of your staff really understands and lives by these requirements. Another important activity is internal audits -- examining your systems, examining your records to make sure your privacy and security procedures are, in fact, being followed and that they are covering all of the issues that you might have in your practice.

Ms Pritts: What I think I hear you saying is that just like doctors would want to make sure that they are up to date on all of the newest medical technology and medicines, they also want to make sure that they are up to date on their privacy requirements and use what is appropriate at the time.

Mr Rodriguez: Thinking about the safeguards, it is not just about general procedures for how information is used or disclosed but also some basic steps to keep your information secure. For example, make sure that information is kept in locked cabinets and that your offices are locked when you leave at night. If information is maintained electronically, have passwords or other technologies to make sure that only people who should have access to that information in fact have that access. Through all of this, it is important to maintain a culture of compliance: every employee who actually touches health information should understand that it is his or her responsibility to maintain the privacy and security of that information.

Ms Pritts: We have heard from some healthcare organizations that they look at it very holistically. They treat the health information the same way that they would treat the patient -- when you have that feeling of care for patients and you want to engender trust in them so they trust that you will give them the right treatment. You also want to create that kind of a culture where they trust that you will treat their health information with equal respect.

Mr Rodriguez: Absolutely. That is something we have learned through the work that we do. Patients really do care and want to know that their providers care about these issues as well.

Let's talk in a little a bit of detail about what needs to go into policies and procedures. Maybe you can tell us about some of the different aspects of medical activity that need to be covered in your policies and procedures for privacy and security.

Ms Pritts: One of the things that providers need to do is look at their entire practice. They need to know what kind of health information they are collecting, where they are collecting it, who is collecting it, how they are storing it, and how they are maintaining it, making sure that it stays current and that somebody is able to access it or retrieve it. Some things that people would need to know are, obviously, who is in their organization, what those policies are, or who has access to what information. That is one of the key ones. Is there information that you need to protect at a higher level than other information? Maybe you deal with mental health or substance abuse information where there might be specific laws that say this information has to be protected higher. For that sort of thing, you would need to have procedures in place to make sure that you are affording those higher protections. I look at it as who, what, where, and why: what information you are collecting, where you are storing it, who you are sharing it with, and for what purpose? You have to look at the entire package.

Mr Rodriguez: Right. You need to think through everywhere that health information might be in your practice and every manner in which you might use it.

Ms Pritts: Some people actually map it out.

Mr Rodriguez: I think that is a very smart thing to do. It is the way to make sure that you really identify all the different places that health information might be, and often it might be in places that people may not realize. For example, these days, a lot of photocopiers have computer memories, and that means that health information may end up on a device without you realizing it. As a provider, you really need to think through all the different places health information might be.

That, of course, flows into your training, which, again, needs to be for all your employees. That training should be refreshed as time goes on, especially as employees' duties may change, and you always have to document it, because one of the things that is also a fact of life is that we do investigations. We do audits at the Office for Civil Rights, and one of the things we look for is documentation of the different privacy and security activities.

Ms Pritts: How would you document that? Do you have people sign in when you offer training to show that they have been there?

Mr Rodriguez: Certainly that is a critical part: to identify who was there. Another part of it is describing the curriculum that you utilize -- so you identify, really, what you train them on -- identifying the date when a training took place, and making sure that you really document in every way what occurred during the training.

The next step is then the self-audit and monitoring -- really examining your day-to-day operations on some sort of routine basis to make sure that you are covering all your privacy and security issues and that, in fact, you have not had impermissible uses and disclosures of health information. If you have, you then need to perhaps adapt your policies and procedures to make sure that those do not happen in the future.

Ms Pritts: Do you also have to take into account new organizations that you might be doing business with -- for example, if you change your billing service or something like that?

Mr Rodriguez: Absolutely. We talked before about business associates. Business associates are individuals who assist you in the function of your practice and who may, as a result, receive protected health information. You need to enter into what is called a "business associate agreement," which requires that business associate to follow a number of the same safeguards that you need to follow in order to protect your patient's health information. In fact, if they violate that business associate agreement, then you are responsible to do something about that. Any time you change who you are using for various purposes, you need to enter into a new business associate agreement, and you need to take steps to make sure that they're in fact following the terms of that business associate agreement.

Ms Pritts: What happens if you change your practice a little bit. Say you are a small provider and you decide to join a big health network because you want to participate as an accountable care organization or something of that nature. Would that change your policies any?

Mr Rodriguez: It just might. I mean, any time you do something like that, you need to think about: is the way that you both use and maintain health information changed by these new relationships? If it is, you do need to adapt your policies and procedures and, where appropriate, your business associate agreements accordingly.

When we talk about safeguards, we are talking about 3 different kinds of safeguards. The first is administrative, which we have talked about: policies and procedures that make sure that health information is used the way it should be and is protected. The next is physical. When we talk about physical safeguards, what are some examples of that?

Ms Pritts: Some of them are pretty basic. You should have a lock on your door to your office so that people are not just coming in and stealing your medical records or your computers, which might have medical records on them. Sometimes theft can be an issue of equipment that has medical record information on it -- not that people are looking for the records necessarily but the equipment itself is valuable. You should also, for example -- if you have a computer screen that is up, you do not want it to be physically visible to everybody in the waiting room. That would not necessarily be a good thing. It would not be a good thing at all, actually.

Mr Rodriguez: You put it in a location where only people who need to see that information --

Ms Pritts: Exactly. You do not have to do a major renovation of an office in order to make sure that you are physically protecting the information. You do not want to have boxes of files sitting out in the waiting room. Some of this, again, is common sense as to how you would want to really protect the information and make sure you have appropriate physical safeguards in place.

Mr Rodriguez: Finally, there are the technical safeguards, which relate primarily to electronically maintained information. An example of those electronic safeguards is having password protection for your computers. In fact, the gold standard is having encryption for electronically maintained information. There are a number of other issues, but these are some of the key technical issues that you need to look at.

We mentioned monitoring. You need to have reports when you detect deficiencies. If there are specific incidents that either you become aware of or that you learn about through your patients or employees, you need to have reports of those incidents.

Ms Pritts: Do you have to file those reports with anyone?

Mr Rodriguez: You do not, except in certain circumstances: if you become aware of a significant -- what we call a "breach," which is an impermissible use or disclosure to a third party. Many other incident reports are just things that you really need to investigate internally and take corrective action internally. We have significant technical assistance, which I will discuss a little bit later, that explains when you need to do one and when you need to do the other. You also have to have disciplinary policies, because your employees need to understand that part of their job is, in fact, to keep this information safe. Could you talk a little bit about how those employee sanctions might work?

Ms Pritts: If you catch somebody who is snooping through other people's medical records, for example, that is inappropriate behavior and that individual should have some sort of sanction attached to that behavior. We know some hospital administrators who feel very strongly that that sort of behavior is cause for firing the employee, but all of those kinds of disciplinary action should be made really clear up front so that they act as a deterrent to people to even engage in the behavior. If you are a small provider and you say to people, "You are my staff, and if I ever catch you cruising through the electronic health records looking for your friends and family, that is it; there will not be a second chance," it is much less likely that you would have somebody engaging in that behavior, because they know what the consequences will be.

Mr Rodriguez: This takes us to a term that is not in the HIPAA rules themselves, but is a term that providers really, really need to think about: the concept of a "culture of compliance." I want to repeat it again: a culture of compliance. That means that everybody has to see themselves as responsible for the privacy and security of health information. You have talked about leadership. You have talked about how that has to come from the top. Employers need to make clear to their employees that this is something that they take seriously, including in their disciplinary policies and, of course, their training policies. It is something that really needs to flow down to all the employees who handle health information. What are some ways to make sure that they get that it is really important that they protect this information?

Ms Pritts: A good starting point is when the leadership has the right attitude, because you can treat privacy and security as being another thing we have to do or you can treat it as being part of our business -- this is part of the way we respect our patients -- and be very positive and encouraging about it.

Mr Rodriguez: Right.

Ms Pritts: You also have to train everybody in the office and do periodic check-ups and see how people are doing. We have seen people use things like Post-it^® notes when somebody left the computer on too long. They have a series of bright neon colored Post-it^® notes that they stick on a computer that say, basically, "You should have turned this computer off." There are little things that you can do on a regular basis to let people know that this is just how we do business. We watch privacy and security on a daily basis.

Mr Rodriguez: Right. That is important in a culture of compliance and, of course, consistency in the message that this is something that is an everyday thing, something that the healthcare provider is always thinking about, always taking steps to improve.

Of course, there is an enforcement mechanism here that I want to talk about for a moment. With the HITECH Act of 2009, which is part of what created a lot of the infrastructure for the electronic health record, there was also an increase in the HIPAA penalty for violations of different provisions, and we have discussed a lot of those provisions here today. Penalties can get up to $1.5 million per violation per year. It is a very serious issue that providers need to be thinking about, and not only does the Office for Civil Rights have jurisdiction in this area, but also the states' attorneys general, all 50 of them and the ones in the territories, can also pursue civil actions against providers under the HIPAA statute.

Of course, there are resources that are available to providers to make sure that they understand what they are supposed to be doing to comply with HIPAA. For example, the Office for Civil Rights has extensive resources on our Website, http://www.hhs.gov/ocr. We have regional offices that are available to assist healthcare providers in making sure that they are doing everything they need to do and, of course, I know that the Office of the National Coordinator has extensive resources as well.

Ms Pritts: Our office is trying to help providers adopt electronic health records, particularly those who are just starting in that area. We have Regional Extension Centers that are available to assist those providers in developing their electronic health record systems -- in particular to address their privacy and security needs as they are adopting.

Mr Rodriguez: Overall, between ONC and OCR and the states' attorneys general, we really are getting a lot of information out there to help providers of all types understand what they need to do to comply with the law.

We had talked before about incidents and possible impermissible uses and disclosures. Since HITECH, one of the new requirements is the requirement to report breaches. Those are situations where there is an impermissible use or disclosure, which, in fact, creates a risk of harm to patients. It could be financial harm, because their financial information is exposed, or reputational harm, because very personal details about those individuals are now exposed. In those cases, providers need to, at minimum, advise both my office -- the Office for Civil Rights -- and their patients of the impermissible use or disclosure. If it is a breach greater than that that affects more than 500 patients, they need to notify the news media as well. We investigate all the ones that are larger than 500. We then do a review to see what steps the entity has taken. You want to remedy the immediate causes of that breach. But, generally, we review everything that a provider is doing in order to follow the privacy and security laws.

Ms Pritts: Those breach reports have proved to be very useful in identifying where some of the vulnerabilities in the system are. For example, we were able to read those breach reports and figure out that encryption of mobile devices or other kinds of devices is one of the areas that might be useful for people to look at.

Mr Rodriguez: Absolutely, and, in fact, I think our next Medscape seminar is going to be talking exactly about that -- about specific, required security measures that providers should take when they are protecting electronic information.

That is just about all for today. We just want to remind everybody that OCR expects all healthcare providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program.

Thank you, Joy, for joining me today in talking to providers about these important requirements under HIPAA. To wrap up, we want to remind everybody that OCR expects all healthcare providers to really maintain that culture of compliance -- to have in place a carefully designed, delivered, and monitored HIPAA compliance program that is a living, breathing thing -- that they are consistent about it, and that they really make sure that all of their employees adopt and understand it.

I really thank you for joining me today to talk about these important things. Thank you so much for joining us today.

You may now take the CME post test by clicking on the Earn CME credit link. Please also take a moment to complete the program evaluation that follows.