Your FAQs, Answered by Amanda Hepper



We recently asked our community to send us their HIPAA compliance questions for our President, Amanda Hepper, to answer in our May webinar. We wanted to make sure that everyone can benefit from this valuable information, so we’ve included the questions and answers below!


Q - If there is a breach in a healthcare organization, what are the fines and penalties that could hit the HIPAA Security Officer personally as opposed to the organization as a whole?

A - “First of all, I want to thank those of you that are Security Officers. I know many of you probably have Security Officer added to another title that you already have.

“Penalties for HIPAA violations can be issued by two entities: the Department of Health and Human Services Office of Civil Rights (the OCR), and by state attorneys general. If the OCR does an investigation after a breach has occurred, they may issue a penalty in settlement. State attorneys general may issue fines as well. These are usually issued to organizations.

“Civil penalties can be issued to any person who is discovered to have violated HIPAA rules in an intentional and negligent way. Jail terms for HIPAA violations are rare, but there have been cases where violations by employees have resulted in financial penalties. So, unless an employee, [such as] the Security Officer, knowingly and intentionally breached protected health information, they would not be the target of the fines and penalties.”


Q - Can we release any medical information without a patient's written consent (if we get a call from a medical facility stating they need their records urgently for continuation of care or if a patient calls us - but does not provide written authorization)? What is considered information blocking?

A - “In general, a covered entity may use or disclose PHI for treatment, payment, and operations (also known as TPO) without obtaining an individual's written permission. According to Health and Human Services, treatment is the ‘provision, coordination, or management of healthcare and related services’ for an individual by one or more healthcare providers, including consultation between providers regarding a patient and referral of a patient by one provider to another. Of course, an exception to this exists concerning psychotherapy notes.

“According to [HHS], when an individual is incapacitated, in an emergency situation, or not available, a covered entity generally may make such disclosures, if the provider determines through his or her professional judgment that such action is in the best interest of the individual. So it is a judgment call, and the providers would be the best ones to make that.

“Information blocking is anything that interferes with, prevents, or discourages the access, exchange, or use of electronic health information. It was defined by the Cures Act.

“Physicians can experience information blocking when trying to access patient records from other providers, connecting their electronic health records to local HIEs, migrating from one EHR to another, or when linking their EHRs with a clinical data registry. Patients can also experience information blocking when they're trying to gain access to their medical records and are met with resistance.

“In summary, you can release medical information if it's in the patient's best interest in an emergency situation. Written authorization would not be necessary if the provider deemed that that was appropriate.”


Q - What are the most common [HIPAA compliance] mistakes, and how can I avoid them?

A - “One of the first mistakes is not doing a Security Risk Analysis. We recommend doing them annually, and it is required that you do one after significant changes such as a move to a new EHR or adding a new location.

“[Number two,] not working the remediation plan.

“Then not having policies in place that really act as a foundation for your compliance program - that are specific to your organization. You need to be able to do what they say, and then you need to collect evidence that you're doing what they say. All three of those elements: having the policies, doing what they say, and having evidence that you're doing it, are key to a healthy HIPAA compliance program.

“You want to create a culture of compliance, and that is done through annual training as well as ongoing training. You want to make sure that you are managing your Business Associates, and that you have a Business Associate Agreement with each of them. Do not share any protected health information with a business associate until you have a fully executed BAA in place.

“[Lastly,] healthcare is one of the top hacking and ransomware targets, so you want to assess your networks and technical vulnerabilities.”


We hope you found these answers helpful! If you have further questions you want answered, we are always happy to talk! You can reach us here.