Hipaa Compliance: Hospitals Need A Review Board

should hospitals have a hippa review board

The Health Insurance Portability and Accountability Act (HIPAA) was enacted on August 21, 1996, to protect patients' private health information and prevent inappropriate disclosures that could cause harm to their insurability, employability, and privacy. With over 100,000 complaints of HIPAA violations received by the US Department of Health and Human Services, it is clear that hospitals need to take this issue seriously to avoid civil and criminal prosecutions. While HIPAA has improved the efficiency of the healthcare system by standardizing transactions, it has also restricted research capabilities and affected patient follow-ups. Therefore, the question arises: should hospitals have a dedicated HIPAA review board to ensure compliance and address any potential conflicts between patient privacy and research requirements?

Characteristics Values
Purpose To ensure compliance with HIPAA, which stands for the Health Insurance Portability and Accountability Act
HIPAA's Focus Preventing inappropriate disclosures of patients' protected health information (PHI) that could harm their insurability, employability, and/or privacy
Applicability Research involving medical records or creating, using, or disclosing PHI; not all research is subject to HIPAA regulations
Waivers Can be granted by IRBs and Privacy Boards, but IRBs can also review and alter informed consent requirements
Retention of Documentation IRBs/Privacy Boards must retain writings/documentation for six years from the date of creation or last effect
Training and Education Should cover regulatory background, purpose, principles, and key provisions of HIPAA
Enforcement Violations can result in civil and criminal prosecutions, with penalties including jail time and financial awards

shunhospital

Privacy Rule compliance

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Public Law 104-191, was enacted on August 21, 1996. The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other individually identifiable health information. This information is collectively referred to as "protected health information" (PHI).

The Privacy Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed. It applies to health plans, health care clearinghouses, and healthcare providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of protected health information and sets limits and conditions on the use and disclosure of such information without an individual's authorization.

Covered entities are responsible for determining the minimum amount of information reasonably needed to fulfill a request. In certain circumstances, the Privacy Rule permits a covered entity to rely on the judgment of the party requesting the disclosure as to the minimum amount of information that is needed. Such reliance must be reasonable under the particular circumstances of the request.

The Privacy Rule permits covered entities to disclose protected health information without individual authorization directly to public health authorities, such as the Food and Drug Administration, the Occupational Safety and Health Administration, and the Centers for Disease Control and Prevention, as well as state and local public health departments, for public health purposes.

HIPAA authorizations used for research or other disclosures must comply with the requirements of the Rule, regardless of whether they are created by the covered entity or a third party. The covered entity is ultimately responsible for ensuring all authorization forms are valid.

shunhospital

Informed consent is a process in which a healthcare professional educates a patient about the risks, benefits, and alternatives to a given procedure or intervention. This process occurs when communication between a patient and physician results in the patient's authorization or agreement to undergo a specific medical intervention. The history of informed consent in medicine is rooted in a broader evolution of ethical practices and legal standards surrounding patient autonomy.

Informed consent must be legally effective and prospectively obtained. HHS regulations at 45 CFR 46.116 and 45 CFR 46.117 describe the informed consent requirements. The informed consent process is the critical communication link between the prospective human subject and an investigator, beginning with the initial approach of an investigator to the potential subject and continuing until the completion of the research study. For most research, informed consent is documented using a written document that provides key information regarding the research. The consent form is intended, in part, to provide information for the potential subject's current and future reference and to document the interaction between the subject and the investigator. However, even if a signed consent form is required, it alone does not constitute an adequate consent process. The consent process and its documentation should be revised when deficiencies in its accuracy or completeness are noted, when new information about reasonably foreseeable risks and potential benefits become available, or when there are changes in the research that may impact the subject's willingness to continue participation.

In some cases, it might be possible to obtain consent from a legally authorized representative (e.g., in the case of decisionally incapacitated individuals). In certain emergency circumstances, the Secretarial waiver of informed consent under 45 CFR 46.101(i) may be applicable. It should be noted that if the research is regulated by the FDA, the Secretarial waiver permits the research to be conducted under a comparable provision.

The consent process must respect the patient's decision-making ability and adhere to the individual hospital rules for clinical studies. Adherence to ethical standards in study design and execution is typically monitored by an Institutional Review Board (IRB). The IRB was established in the United States in 1974 under the National Research Act, which introduced regulations for human research in response to unethical practices, such as those observed in the Tuskegee syphilis experiments. Ethical and safe research standards have been an area of federal and presidential interest since then, with the development of many organizations and task forces dedicated to this topic alone.

Evolving medical conditions, such as the COVID-19 pandemic, can necessitate updates to consent forms to reflect new risks, treatment protocols, and uncertainties related to the condition. For example, consent forms may need to include specific information about infection risks, changes in hospital procedures, or the potential impact of the virus on treatment outcomes. Keeping consent forms current ensures that patients are fully informed about the latest developments and can make well-informed decisions in light of changing health circumstances.

shunhospital

Research protocol reviews

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 protects patients from inappropriate disclosures of their protected health information (PHI). This includes any health information that has the 18 elements identified by HIPAA. The Privacy Rule, a component of HIPAA, requires that all HIPAA authorizations, including those used for research purposes, comply with the requirements established in 45 CFR §164.508.

HIPAA authorizations used for research must comply with the Privacy Rule, regardless of whether they are created by the covered entity or a third party. The covered entity is ultimately responsible for ensuring all authorization forms are valid. However, the Common Rule does require Institutional Review Board (IRB) review and approval of HIPAA authorizations if the authorization language is integrated into the informed consent document for human subjects research. IRBs are responsible for reviewing research protocols and ensuring compliance with ethical standards, including the protection of human subjects.

Privacy Boards or IRBs functioning as Privacy Boards may grant waivers of the research authorization requirement. A Privacy Board is constituted solely to review research protocols and grant waivers under HIPAA. An IRB may also grant waivers under HIPAA, but only an IRB can review research protocols and waive or alter informed consent requirements. Privacy Boards focus on subjects' privacy, while IRBs focus more broadly on subjects' welfare.

To establish a Privacy Board, it must include members from varying backgrounds with appropriate professional competency to review the effect of the research protocol on individuals' privacy rights and related interests. IRBs and Privacy Boards must retain any writings or documentation required by this policy for six years from the date of creation or the date when it was last in effect.

HIPAA restrictions on research have made it more challenging to perform chart-based retrospective studies and evaluate patients prospectively for follow-up. Additionally, HIPAA has hindered efforts to locate missing persons, as hospitals are reluctant to reveal patient identities due to privacy concerns. Nevertheless, HIPAA is crucial for protecting patient privacy and has led to civil and criminal prosecutions for violations.

Hospital Car Seat Checks: What to Expect

You may want to see also

shunhospital

Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 establishes federal standards to protect sensitive health information from disclosure without a patient's consent. The US Department of Health and Human Services issued the HIPAA Privacy Rule to implement HIPAA's requirements. The Privacy Rule standards address the use and disclosure of individuals' protected health information (PHI) by entities subject to the rule, including healthcare providers and insurance companies. These entities are referred to as "covered entities".

The HIPAA Privacy Rule gives individuals the right to understand and control how their health information is used. It protects individual health information while allowing necessary access to promote high-quality healthcare and protect the public's health. For example, it allows covered entities to disclose PHI to the individual and for public interest and benefit activities, such as reporting diseases or injuries, child abuse, birth, or death.

The HIPAA Security Rule protects specific information covered by the Privacy Rule. It includes standards for electronic health information and simplifies the administration of health insurance to combat waste, fraud, and abuse. It also promotes the use of medical savings accounts and improves access to long-term care services and coverage.

HIPAA authorizations, including those used for research purposes, must comply with the requirements established in 45 CFR §164.508. While the covered entity is ultimately responsible for ensuring all authorization forms are valid, Institutional Review Boards (IRBs) are required to review and approve HIPAA authorizations only if the authorization language is integrated into the informed consent document for human subjects research. This requirement is in accordance with the Common Rule and the HHS regulations at 45 CFR 46.117(a).

In conclusion, HIPAA helps to protect patient privacy and improve the efficiency and effectiveness of the healthcare system. Hospitals and other covered entities must comply with HIPAA's requirements to ensure the privacy and security of patient information. While IRBs are not required to review all HIPAA authorizations, they play a crucial role in ensuring the validity of authorizations used in human subjects research.

shunhospital

Civil and criminal prosecutions

Civil penalties for HIPAA violations can be substantial, ranging from $141 to $2,134,831 per violation, depending on the level of culpability. These civil monetary penalties (CMPs) are determined based on a tiered structure, with the secretary of the Department of Health and Human Services (HHS) having the discretion to set the amount based on the nature and extent of the violation and the resulting harm. Civil penalties can be issued by HHS's Office for Civil Rights, State Attorneys General, and the Federal Trade Commission. In addition to financial penalties, corrective action plans may be required to address compliance deficiencies and bring policies and procedures up to HIPAA standards.

Criminal violations of HIPAA are handled by the Department of Justice (DOJ) and can result in significant fines and imprisonment. There are different levels of severity for criminal violations. Individuals who “knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations can face a fine of up to $50,000 and up to one year in prison. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine and up to five years in prison. The most severe offenses, such as those committed with the intent to sell or use protected health information for commercial advantage or malicious harm, can result in fines of up to $250,000 and imprisonment of up to ten years.

The line between civil and criminal liability can be blurry, as individuals who knowingly obtain or use protected health information for unauthorized purposes may be found criminally liable under the criminal enforcement provision of the Social Security Act. However, the DOJ has interpreted the “knowingly" element broadly, requiring only knowledge of the actions that constitute an offense, not specific knowledge that the actions violate HIPAA. This interpretation allows for a wider net of criminal prosecutions.

The potential for civil and criminal prosecutions underscores the importance of HIPAA compliance in hospitals and other healthcare entities. While prosecutions may not be the primary focus of a HIPAA review board, awareness of the potential legal consequences can help guide the board's efforts in ensuring compliance and protecting patient information.

Frequently asked questions

HIPAA stands for the Health Insurance Portability and Accountability Act, which was enacted on August 21, 1996. It protects patients' personal health information (PHI) and prevents inappropriate disclosures that could impact their insurability, employability, and privacy.

An IRB reviews research protocols and can grant waivers or alterations to HIPAA requirements under certain circumstances. IRBs focus on subjects' welfare and ensuring compliance with the Common Rule.

A Privacy Board is solely dedicated to reviewing research protocols and granting waivers under HIPAA regulations. Its primary concern is subjects' privacy rights and interests, whereas IRBs have a broader scope.

There is no explicit mention of hospitals being required to have a dedicated HIPAA review board. However, IRBs and Privacy Boards are responsible for ensuring HIPAA compliance in research protocols and granting waivers or alterations when necessary.

Violations of HIPAA can result in civil and criminal prosecutions. Hospitals and individuals can be held accountable for wrongful disclosures of patient information, leading to fines or even jail time. Regular HIPAA training and privacy measures are essential to prevent such breaches.

Written by
Reviewed by

Explore related products

Share this post
Print
Did this article help you?

Leave a comment