Set the Record Straight: Common HIPAA Compliance Misconceptions
Today we’re looking at some misconceptions surrounding the HIPAA law established in 1996. Previously, we discussed how the COVID-19 pandemic brought many of these misconceptions into focus, as celebrities and other individuals cited HIPAA as their reason for not disclosing their vaccination status.
The OCR responded to this by “emphasizing that HIPAA strictly applies to covered entities” and business associates. Individuals or organizations asking for vaccination status is not prohibited by HIPAA. However, if a covered entity were to improperly disclose your vaccination status to a third party, that would be considered a breach.
Two other things that have caused a lot of confusion surrounding HIPAA compliance are the subjects of interoperability and information blocking.
“Interoperability” is defined as “technology’s ability to enable the secure use and exchange of electronic health information.” Organizations pursue interoperability by streamlining clinical workflows and data sharing, and by improving a patient’s ability to access their protected data. This free flow of information, or “data liquidity” may seem to be in direct conflict with the more strict privacy and security standards set up by the HIPAA law. In fact, HIPAA supports this concept more than many providers realize.
While the Privacy and Security Rules do limit an organization’s use and disclosure of patient data, the safeguards included are designed to be flexible. The idea is to keep patient data safe, while also promoting easy access for patients, so that providers can provide the best patient care and protect the public health. Dianne Borque, member at law firm Mintz, explains: “HIPAA was drafted to protect PHI but also to facilitate exchanges of PHI among healthcare providers.” She goes on to point out that HIPAA takes into account three “exceptions” where information can be (properly) disclosed to a third party: for treatment, payment, and healthcare operations.
The Information Blocking Final Rule of 2020 appears to make data sharing practices still more complex. While HIPAA applies to protected health information (PHI), information blocking applies to electronic health information (EHI), which is more expansive. Basically, this rule requires parties to “quickly respond to any legitimate request to exchange EHI and eliminate known barriers to EHI exchange.”
This rule actually has a lot in common with the HIPAA Right of Access, but it’s possible to comply with the HIPAA access rule while still breaching the Information Blocking Rule. This is because the Information Blocking Rule requires more from a provider in terms of speed and execution. Additionally, attempting to go above and beyond in security precautions for HIPAA compliance can result in information blocking of EHI.
While HIPAA compliance is not entirely at odds with the Information Blocking Rule, it is still difficult for providers to interpret how they work together. We’ll likely have to wait and see how future enforcement actions define the relationship between the two.
If you have questions about your requirements, or about any of these common HIPAA misconceptions, reach out to your team at Medcurity.