Can you keep a secret? Give your lab results a HIPAA privacy checkup. (Lab Management).


The clinical lab industry is nearing one of the many HIPAA-compliance dates demanded of all covered entities. On April 14, privacy regulations take effect, whether or not laboratories are prepared. For those nearing completion of HIPAA (Health Insurance Portability & Accountability Act of 1996, Public Law 104-191) privacy compliance plans, this will be just another busy day in their lives. For those frantically hurrying to meet the deadline, it looms like a dreadful specter. Regardless of a lab's status in this lengthy project, it is wise to conduct assessments to identify weak spots while time remains to make appropriate corrections.

Things to remember for all methods of lab results delivery

What are the common threads that will have to be considered in every method of communicating information about a patient?

* Although there has been some dispute, lab results do fulfill the definition for Protected Health Information (PHI). When talking about patients and their individual tests or test results, it doesn't get any more "PHI."

* Labs are directed to make reasonable efforts to limit communications to the minimum amount necessary to accomplish the intention of the communication. Nonetheless, this "minimum necessary" directive does not apply when communicating to another healthcare provider for treatment, payment or when communicating to the individuals themselves.

* CLIA limits disclosure of lab results to the people ordering tests, unless state law allows disclosure to patients, as well. Clearly, the more stringent of the two -- CLIA or state law -- will apply. It is the lab's responsibility to determine whether state law is contrary to or more stringent than HIPAA, and if so, adhere accordingly.

* In every method of electronic communication, laboratory staff should document a single point in time when all "ownership" of the information, and its subsequent privacy, belongs to another party. It should be noted this is a liability issue. (See Figure 1 for point of transfer analysis.)

A review of communication methods

Verbal communication. This specifically refers to conversations between labs and physicians' offices, and applies to phone calls (regular and cell phones), pagers, voice mail and the answering machine. It includes calls made to a lab from physicians' offices to schedule lab work, calls made to request results and messages that must be left. It also includes labs' calls to physicians to report results, or to ask for clarification on an order, and includes any messages.

The good news is that laboratorians are very private about the lab tests they conduct and the results that pass through their protective realm. Widespread "HIPAAnic" has made this even less of a problem. Nonetheless, there are some questions which have to be asked to make certain an unauthorized disclosure hasn't occurred. Any time there is a verbal communication, there is a risk. Because of this, it is crucial to have a method for confirming the identity of the person on the other end of the line. This brings to mind other issues. How will the integrity of the message be verified? What if there was a language barrier and the message wasn't clearly understood? If a message is left on an answering machine, how will confirmation of receipt (by the right person) be documented? The greatest risk with all verbal communication is that there is an unclear point of transfer.

Some procedures can be established to facilitate an improved likelihood that verbal communication remains private. These include setting up caller ID, as well as documenting privacy pass codes with each office. Another procedure would be to institute a mandatory call back when the identity of the other person is unclear. Strict adherence to established policies will be crucial, and the possibility for human error is implicit.

Physical delivery. This applies to the use of couriers and mail for the delivery of specimens and results. Neither of these methods of communication will disappear as a result of HIPAA, but steps need to be taken to ensure patient privacy is maintained.

Courier. Creation of HIPAA-compliant policies and then training in those policies will be critical with the use of couriers. If the courier is a third-party service, the training each employee undergoes undoubtedly comes from the courier company. When the courier service is acting on behalf of the lab, its employees will need to follow lab-mandated policies and procedures, in which they are trained and monitored by the lab, and these must be well documented in the courier agreement.

In addition to the training of couriers, visual access to results must be limited. Envelopes used for delivery should be sealed before they are given to the courier, and it should then be documented that they are received unopened by an authorized physician's employee, signifying a successful receipt of the results. This may be the only option to confirm a point of transfer.

Mail. From the lab's perspective, provisions are needed to ensure the lab results are addressed to the right person -- not only that the right result is going to the right office, but that there is confirmation that the addressee is the appropriate person to receive lab results in the first place. Ensuring that the physician demographic database is up to date will be critical.

What's this? Protected Health Information (PHI)

Individually identifiable information that is transmitted by electronic media, maintained in electronic media or transmitted or maintained in any other form or media.

From a legal perspective, both the United States Postal Service and United Parcel Service are considered to be conduits, but it is not clear who will own problems. If the service delivers to the wrong address, it is unclear which party is at fault. Is it the service for not fulfilling its duty, or the lab for not overseeing the process and acknowledging receipt of the report?

As a final concern, in most offices, all mail is delivered to the front office, where an administrative person routinely opens the mail, then forwards it to the physician. Until a lab can confidently say the lab results have effectively been transferred in ownership to the physician's office, these are issues the lab will want to consider. Ultimately, unless some acknowledgement of receipt can be documented, the point of transfer is unclear.

Electronic hard copy -- results to remote teleprinter/fax. Teleprinters and faxes, two methods of producing an electronic hard copy of the lab result, are each defined as a point-to-point connection, which makes them "reasonably secure" without encryption. Keep in mind, however, that encryption is addressed fully in the security regulations of HIPAA, which remain in draft form as this is written. Because of this, there is a chance that some aspect of that component will be altered. If desired, encryption is still possible on most devices, although it will increase the cost of the equipment, and it will be more difficult to incorporate on a fax machine.

Message authentication is another issue to consider with electronic hard copy; it is the ability to confirm that the message sent is the same message that has been received, and that it has been received in its entirety. Unfortunately, authenticating the message can be difficult on fax machines for numerous reasons. Most faxes used for remote reporting today are owned by the physician. In order to provide message authentication, some level of error correction will need to be employed. Unfortunately, most faxes do not default to an error-correction mode, which puts the fax in jeopardy of delivering inaccurate or perhaps incomplete data.

Error-correction settings are inherent to teleprinters; however, the lab must ensure that only authorized persons receive reports and have access to health information. To accomplish this, a "lockbox" can be established to which a code or key is required to access the encrypted report. Finally, a lab could preprogram verified client dial-out numbers into its laboratory information system to ensure that only authorized people receive results. Once any of these electronic signals has been received, a lab could argue that responsibility for privacy of the patient's health information has been successfully transferred to the physician at that point.

Orders and results. These applications refer to the software and associated systems that provide remote ordering and result reporting. There are two types of architectures available with these applications:

* Thick-client systems -- where the patient data is stored locally.

* Thin-client systems -- where patient data is stored on a remote or centrally located server.

There are also two types of hosting models available with these systems:

* Owned -- self-hosted/maintained.

* Application service provider (ASP).

Note that the inclusion of an ASP into the equation will provide a lab with a level of outsourcing for many of the network operations necessary for its deployment; however, a third party will now assume the responsibility for the point of transfer to the physician. Use of an ASP then becomes a matter of inserting another link into the established chain of trust. (See Figure 2 for an illustration of the point of transfer when an ASP is involved.)

These applications should adhere to the clinical transaction and code set requirements when finalized, and to the privacy and security standards as applicable. They must provide access controls; built-in audit trails -- providing a means for tracking PHI access; physical security of the data at rest; confirmation of message integrity -- ensuring the data is valid; encryption when deployed over public networks; and network controls.
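The following Python sketch is an added example, not code from the article or its authors, showing how the controls listed above for an orders-and-results application fit together with the concerns raised earlier for fax and teleprinter delivery: an allowlist of enrolled (preprogrammed) destination numbers and authorized recipients as the access control, an HMAC tag over the report so the receiving side can confirm the message arrived unaltered and complete (the message-authentication gap most fax machines leave open), and an audit trail entry that documents the point of transfer. The destination number, recipient id, shared key and sample report are constructed placeholders.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample data: the destination number, recipient id and key
# below are placeholders for illustration, not values from the article.
ENROLLED_DESTINATIONS = {"555-0100": "Example Clinic"}  # verified dial-out numbers
AUTHORIZED_RECIPIENTS = {("555-0100", "clinic-user-7")}  # (destination, recipient)
SHARED_KEY = b"constructed-demo-key-not-for-production"

AUDIT_TRAIL = []  # built-in audit trail: one entry per release of PHI


class DeliveryRefused(Exception):
    """Raised when a control blocks release or acceptance of a result."""


def is_releasable(destination: str, recipient_id: str) -> bool:
    """Access control: only enrolled destinations and authorized recipients."""
    return (destination in ENROLLED_DESTINATIONS
            and (destination, recipient_id) in AUTHORIZED_RECIPIENTS)


def _tag(page_count: int, body: bytes) -> str:
    # Message integrity: an HMAC over the page count and the exact bytes sent
    # lets the receiving side detect alteration or truncation in transit.
    return hmac.new(SHARED_KEY, f"{page_count}\n".encode() + body,
                    hashlib.sha256).hexdigest()


def send_result(report: dict, destination: str, recipient_id: str, now=None) -> dict:
    """Release a result and record the point of transfer in the audit trail."""
    if not is_releasable(destination, recipient_id):
        raise DeliveryRefused(f"{recipient_id} at {destination} is not authorized")
    body = json.dumps(report, sort_keys=True).encode()
    page_count = len(report["pages"])
    envelope = {"page_count": page_count, "body": body.decode(),
                "tag": _tag(page_count, body)}
    AUDIT_TRAIL.append({
        "event": "result_transferred",
        "patient_ref": report["patient_ref"],
        "destination": destination,
        "recipient": recipient_id,
        # Documented point of transfer: from this moment the lab treats privacy
        # of the report as the receiving office's responsibility.
        "point_of_transfer": (now or datetime.now(timezone.utc)).isoformat(),
    })
    return envelope


def receive_result(envelope: dict) -> dict:
    """Receiving side: authenticate the message and confirm it arrived whole."""
    body = envelope["body"].encode()
    expected = _tag(envelope["page_count"], body)
    if not hmac.compare_digest(expected, envelope["tag"]):
        raise DeliveryRefused("integrity tag mismatch: message altered or truncated")
    report = json.loads(body)
    if len(report["pages"]) != envelope["page_count"]:
        raise DeliveryRefused("page count mismatch: message incomplete")
    return report


SAMPLE_REPORT = {  # constructed, not real patient data
    "patient_ref": "PT-DEMO-0001",
    "pages": ["page 1: CBC panel", "page 2: chemistry panel"],
}


def demo():
    """Deliver the sample report, then simulate a fax that dropped its last page."""
    envelope = send_result(SAMPLE_REPORT, "555-0100", "clinic-user-7")
    received = receive_result(envelope)
    truncated = dict(envelope, body=envelope["body"][:-25])
    try:
        receive_result(truncated)
        truncation_detected = False
    except DeliveryRefused:
        truncation_detected = True
    return received == SAMPLE_REPORT, truncation_detected, AUDIT_TRAIL[-1]["recipient"]


if __name__ == "__main__":
    print(demo())
```

The HMAC stands in for the error-correction mode the article notes most fax machines do not enable by default; the shared key has to be provisioned to each client as part of enrolling its number, so key distribution belongs in the same documented enrollment step as the dial-out allowlist. The audit entry is the lab's evidence for the point of transfer the article asks each method to define.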

Conclusion and recommendations

Ultimately, all delivery methods have vulnerabilities that should be addressed in order to ensure the privacy of lab results. It is important to remember that HIPAA remains more about processes than products. The following is a brief summary of the authors' recommendations:

* Oral and physical methods will be the most challenging, because they leave the most room for human error.

* Electronic solutions, by their nature, are better suited, keeping in mind that as technical controls increase, the risk of human error will be diminished.

* Access controls can provide a positive acknowledgement of transfer of ownership.

* Point(s) of transfer should be included in every Business Associate and Chain of Trust Agreement.

Note: Clinical laboratory employees involved in the communication of PHI should take part in the tear-out privacy checkup.


RELATED ARTICLE: HIPAA Privacy Checkup

Privacy checkup -- Verbal communication

* When calling a physician's office about a lab result, how do we know we have the right person on the other end of the line?

* What if they call us?

* When there are language barriers, how do we confirm the message is delivered/understood?

* How do we document our conversations about lab results?

* What policies are in place for phone vs. casual personal conversation?

* Can we clearly identify the point when the privacy of a patient's verbal lab result belongs to the physician? What is that point?

Privacy checkup -- Couriers

* How do we limit visual access to specimen information?

* How do we train couriers on their responsibility to patient privacy?

* Do/should our couriers sign agreements?

* If couriers are outsourced, are they our responsibility/ liability?

* How do we ensure that results actually get delivered?

* How do we document compliance with policy?

* Can we clearly identify the point when the privacy of a patient's couriered lab result belongs to the physician? What is that point?

Privacy checkup -- Mail

* How do we confirm we are sending information to the right office and address?

* How do we know that the person opening the mail is an authorized representative of the physician?

* How often do we audit records? Both physician and patient databases?

* Whose fault is it if the mail is delivered incorrectly?

* How do we cover liability if mail is delivered incorrectly?

* Can we clearly identify the point when the privacy of a patient's mailed lab result belongs to the physician? What is that point?

Privacy checkup -- Electronic hard copy

* Do we need/have encryption?

* How do we authenticate a fax message, or make certain that the entire message has been delivered free of errors?

* How do we enroll/certify fax/printer numbers?

* How do we confirm that the right people read lab reports once they have printed out on the fax machine or the printer?

* Who is responsible for the location of fax/printer in the physician's office?

* Can we clearly identify the point when the privacy of a fax or printer lab result belongs to the physician? What is that point?

* Does the answer change if the equipment is owned by the lab or by the physician?

Privacy checkup -- Applications for orders and results

* Where does the order/result data reside, and have we documented who is responsible for maintaining that privacy?

* How do we protect against inadvertent abuse?

* Is the ASP also a clearinghouse? What does that mean?

* What are the boundaries of responsibility to business partners and clients?

Nancy J. Ham is president and chief operating officer of ProxyMed Inc., a provider of healthcare connectivity services based in Fort Lauderdale, FL. Jeffrey F. Boothe is a partner in the Washington, D.C. office of Holland and Knight LLP. Mr. Boothe represented the Clinical Laboratory Management Association (CLMA) as part of the Negotiated Rulemaking Committee, aiding in the formation of the HIPAA regulations. He has also represented clients on matters involving Medicare reimbursement, federal healthcare fraud and abuse, medical device coverage and reimbursement, and data privacy and data security. He is a member of the American Health Lawyers Association and the District of Columbia Bar Association.
COPYRIGHT 2003 Nelson Publishing
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2003 Gale, Cengage Learning. All rights reserved.

Article Details
Author:Ham, Nancy J.; Boothe, Jeffrey F.
Publication:Medical Laboratory Observer
Geographic Code:1USA
Date:Jan 1, 2003
Words:2341