Phase 2 HIPAA Audits and Secure Disclosure of Patient Information

May 26, 2016 | Health Services

I. Department of Health and Human Services Commences Phase 2 of HIPAA Audit Program

As part of its efforts to minimize risks to consumers created by the increased use of health information technology, and as required by the Health Information Technology for Economic and Clinical Health Act (“HITECH”), the U.S. Department of Health and Human Services (“HHS”) has begun Phase 2 of its audits of covered entities and business associates to ensure compliance with the HIPAA Privacy, Security and Breach Notification Rules (the “HIPAA Rules”). The audits present HSS with an opportunity to evaluate mechanisms for compliance, select best practices, identify risks and vulnerabilities, and prevent compliance issues before breaches occur.

Phase 1 of the HIPAA Audit Program was initiated back in 2011, during which time HSS developed a protocol for measuring the compliance efforts of covered entities and business associates. During Phase 2, HSS will review the policies and procedures that have been implemented by covered entities and business associates to meet the standards and specifications of the HIPAA Rules. Auditees will be randomly selected from an auditee pool identified by HHS, excluding entities that have an open complaint investigation or who are undergoing a compliance review.

Initially, HHS will conduct a desk audit of selected entities which are scheduled to be completed by the end of December 2016. Thereafter, HHS will conduct more comprehensive onsite audits. Desk auditees may be subject to a subsequent onsite audit.  All onsite audits will take place over three to five days and auditees will have ten business days to review the results of the audit and respond in writing to the auditor. A final audit report for each entity will be completed within thirty business days after the auditee’s response. HSS will use the results of the audits in determining what type of technical assistance should be developed and what types of corrective action would be most appropriate. If an audit reveals a serious compliance issue, HSS may initiate a compliance review to further investigate the issue.

II. Ban on Texting Patient Orders has Been Lifted

In the beginning of May 2016, the Joint Commission announced that it was lifting its ban on the transmission of patient care orders via text messages, effective immediately, as long as certain standards are met. The original ban was put in place due to concerns that mobile devices did not have the technology needed to keep patient information safe and secure.  However, the Joint Commission conducted research on secure text message platforms and concluded that with the introduction of new technology the concerns were no longer warranted.

Thus, texting patient information is permissible as long as it is done on a secure text messaging platform with the following capabilities:

  1. Secure sign-on process;
  2. Encrypted messaging;
  3. Delivery and read receipts;
  4. Date and time stamps;
  5. Customized message retention time frames; and
  6. Specified contact list for individuals authorized to receive and record orders.

In addition, policies must be implemented by healthcare organizations that specify how orders should be transmitted and require that all messages be dated, time, confirmed and authenticated by the ordering physician. Procedures must also be put in place on how text orders will be documented and included in medical records. The Joint Commission has suggested that organizations do the following:

  1. Develop an attestation documenting the capabilities of secure text messaging platform;
  2. Define when text orders are or are not appropriate;
  3. Monitor how frequently texting is used for orders;
  4. Assess compliance with texting policies and procedures;
  5. Develop a risk-management strategy and perform a risk assessment; and
  6. Conduct training for staff, licensed independent practitioners, and other practitioners on applicable policies and procedures.

III.  Guidance Issued on Charging Patients a Flat Fee for Copies of Medical Records

In response to questions raised by several covered entities, HSS has issued guidance at the beginning of 2016 for healthcare providers and health plans regarding patients’ right to obtain copies of their protected health information upon request. HSS hopes that the guidance will resolve confusion over the allowable charges for such copies.

In particular, the guidance states that covered entities may charge patients for copies of their medical records in one of three ways: (i) the actual cost of providing the copies; (ii) the average cost of labor plus postage, paper, CD or USB drive; or (iii) a flat fee for electronic records. If a covered entity opts to charge a flat fee it cannot exceed $6.50 per copy. If, on the other hand, a covered entity chooses to use the average cost method of calculating the copier fee and a patient makes an unusual or uncommon request, the covered entity may include an additional charge as necessary to account for the actual cost of honoring such request. The guidance also reminds providers that patients must always be advised in advance of the approximate cost of obtaining copies of their medical records and the fees charged must be reasonable.






Related Publications


Legal updates and news delivered to your inbox