<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Journal of AHIMA &#187; HIPAA</title>
	<atom:link href="http://journal.ahima.org/category/hipaa/feed/" rel="self" type="application/rss+xml" />
	<link>http://journal.ahima.org</link>
	<description>The Journal of AHIMA is published monthly by the American Health Information Management Association</description>
	<lastBuildDate>Wed, 18 Nov 2009 19:55:09 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Warning: Medicare on Schedule for 5010 Upgrade</title>
		<link>http://journal.ahima.org/2009/09/14/medicare-5010-upgrade/</link>
		<comments>http://journal.ahima.org/2009/09/14/medicare-5010-upgrade/#comments</comments>
		<pubDate>Mon, 14 Sep 2009 19:54:24 +0000</pubDate>
		<dc:creator>Kevin Heubusch</dc:creator>
				<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[ICD-10]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=985</guid>
		<description><![CDATA[Medicare expects its fee-for-service systems will be tested and fully operational on the X12 5010 standard by January 1, 2011. That’s bad news for health plans that may have been hoping the big payer would run late and create an industry-wide delay.
The upgrade to the HIPAA transaction 5010 standard was announced in tandem with the January [...]]]></description>
			<content:encoded><![CDATA[<p>Medicare expects its fee-for-service systems will be tested and fully operational on the X12 5010 standard by January 1, 2011. That’s bad news for health plans that may have been hoping the big payer would run late and create an industry-wide delay.</p>
<p>The upgrade to the HIPAA transaction 5010 standard was <a href="http://edocket.access.gpo.gov/2009/pdf/E9-740.pdf" target="_blank">announced</a> in tandem with the January 2009 final rule mandating the upgrade to ICD-10-CM and -PCS. The 5010 standard is necessary to support ICD-10.</p>
<p>According to a timeline published in the final rule, by the end of 2010 covered entities should have completed internal testing and be able to send and receive compliant transactions (&#8220;level 1&#8221; testing). In January 2011 they begin testing with trading partners and move into production (level 2). The compliance date for all covered entities is January 2012, one year in advance of the ICD-10 deadline.</p>
<p align="left">Read more in the current issue of <em><a href="http://www.ahima.org/images/newsletters/ICDTen/2009/September/medicare.html" target="_blank">AHIMA ICD-TEN</a></em> newsletter.</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2009/09/14/medicare-5010-upgrade/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Employee Fired for Accessing Son’s Records Reinstated</title>
		<link>http://journal.ahima.org/2009/08/31/employee-fired-for-accessing-son%e2%80%99s-records-reinstated/</link>
		<comments>http://journal.ahima.org/2009/08/31/employee-fired-for-accessing-son%e2%80%99s-records-reinstated/#comments</comments>
		<pubDate>Mon, 31 Aug 2009 18:56:26 +0000</pubDate>
		<dc:creator>Meg Featheringham</dc:creator>
				<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Privacy and security]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=962</guid>
		<description><![CDATA[A Wisconsin woman who was fired in September 2008 for accessing her estranged son’s medical records was reinstated last month after an arbitrator deemed the punishment excessive.
After learning her son sought care at the hospital, the woman, a health unit coordinator at St. Francis Hospital for 30 years, accessed his records eight times in one [...]]]></description>
			<content:encoded><![CDATA[<p>A Wisconsin woman who was fired in September 2008 for <a href="http://www.modernhealthcare.com/article/20090810/REG/308049974">accessing her estranged son’s medical records</a> was reinstated last month after an arbitrator deemed the punishment excessive.</p>
<p>After learning her son sought care at the hospital, the woman, a health unit coordinator at St. Francis Hospital for 30 years, accessed his records eight times in one year in hopes of learning his current address or when he was next scheduled for an appointment. The mother acknowledged that her actions were inappropriate, but said she accessed her son’s records to find out whether he was okay after one of his friends was murdered in 2007.</p>
<p>The woman was unable to contact her son because his medical records listed her residence as his home address and listed no appointments. However, after someone saw her son enter a residence, the woman sent him a birthday card to that address. The son, who is in his mid-20s, then filed a complaint with the hospital alleging she must have gotten the address through his confidential medical records, which prompted the investigation and her firing.<span id="more-962"></span></p>
<p>The woman’s union, the Wisconsin Federation of Nurses and Health Care Professionals, appealed the firing. Arbitrator Coleen Burns of the Wisconsin Employment Relations Commission changed the discipline from a firing to a suspension and ordered the woman reinstated.</p>
<p>Burns noted in her ruling that the employee&#8217;s illegal access of her son&#8217;s medical records was not justified. She called it &#8220;egregious misconduct&#8221; that was an aberration from the employee&#8217;s otherwise positive record.</p>
<p>Hospital lawyer Stacie Andritsch said the employee had resumed employment at the hospital, which will not appeal the decision.</p>
<p>Tell us what you think. Was the punishment excessive? Should the woman have been reinstated?</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2009/08/31/employee-fired-for-accessing-son%e2%80%99s-records-reinstated/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Who Has Rights to a Deceased Patient’s Records?</title>
		<link>http://journal.ahima.org/2009/08/04/rights-to-deceased-patient-records/</link>
		<comments>http://journal.ahima.org/2009/08/04/rights-to-deceased-patient-records/#comments</comments>
		<pubDate>Wed, 05 Aug 2009 01:02:16 +0000</pubDate>
		<dc:creator>Chris Dimick</dc:creator>
				<category><![CDATA[HIM operations]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Privacy and security]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=902</guid>
		<description><![CDATA[A son calls the HIM department and requests his deceased father&#8217;s medical records. Shortly afterward, the man&#8217;s wife requests the records, also. Then a man calls identifying himself as the executor of the estate. Who is authorized to access the records?
Determining appropriate release of a deceased patient&#8217;s medical records can be complex. HIPAA, sometimes blamed [...]]]></description>
			<content:encoded><![CDATA[<p>A son calls the HIM department and requests his deceased father&#8217;s medical records. Shortly afterward, the man&#8217;s wife requests the records, also. Then a man calls identifying himself as the executor of the estate. Who is authorized to access the records?</p>
<p>Determining appropriate release of a deceased patient&#8217;s medical records can be complex. HIPAA, sometimes blamed for denied requests, is rarely cause for a roadblock, however. The federal law does extend a person&#8217;s privacy rights into death, but it also explicitly requires facilities to release records to authorized individuals.</p>
<p>The complications typically come when a patient dies without having named a personal representative. In those instances, HIPAA defers to state law to determine access rights.</p>
<p>Though most state laws are sufficiently clear, the hierarchy may be complex, and some situations will still require judgment calls. Facility staff who are unclear on the law may err on the side of caution and refuse access rather than risk violating privacy laws. On the other extreme, they may release records without requesting proper verification or release them rather than upset or anger the requestor.</p>
<p>The best practice, experts say, is to gain knowledge of the law, share it, and request that patients identify their personal representatives during the admission process.<span id="more-902"></span></p>
<h5>What Did HIPAA Change?</h5>
<p>&#8220;The problem is a lot of people don&#8217;t really understand how HIPAA operates in collaboration with the existing state regulatory framework that they live in&#8230;&#8221; says Barry Herrin, JD, FACHE, a partner with the Atlanta-based law firm Smith Moore Leatherwood LLP. &#8220;HIPAA is not the bad guy here.&#8221;</p>
<p>HIPAA did not create a new rule, Herrin says, and in instances where it does prevent someone from accessing patient records, generally speaking, it is reinforcing existing state laws on how deceased patient matters are handled.</p>
<p>HIPAA leaves it up to states to determine who qualifies as a deceased patient&#8217;s personal representative, the person who has legal rights to access another&#8217;s medical record. This is clear-cut when a patient has signed a HIPAA release or named an executor to his or her estate. But when a patient dies without doing either, HIPAA defaults to state law to determine the hierarchy of rights to that person&#8217;s estate and health records.</p>
<p>The privacy rule states that people have the same privacy rights in death as they do in life. But it also requires that healthcare facilities release medical records to those people either appointed by the patient or deemed a personal representative by state law. Because of this, Herrin says that HIPAA law can actually help authorized individuals access deceased patients&#8217; medical records.</p>
<p>HIPAA also requires a covered entity to verify the identity of a person requesting protected health information as well as their authority for such access. Just because someone is related to a deceased patient does not mean they have a right to their record. &#8220;There is a difference between identity and status,&#8221; Herrin says. &#8220;You have to verify both.&#8221;</p>
<p>Though HIPAA federalized this requirement, the act of authenticating requestors of protected health information was being done in many facilities long before HIPAA was passed. Aurora Healthcare, based in Milwaukee, WI, updated their information release policies to include specific language about verification following HIPAA implementation. But the rule did not change their practices significantly, says Peg Schmidt, RHIA, Aurora&#8217;s chief privacy officer.</p>
<h5>Varying State Laws</h5>
<p>State laws can get complicated regarding who has rights to access or authorize the release of a person&#8217;s record after death.</p>
<p>In Utah, pre-HIPAA policy was to follow a hierarchical next-of-kin list regarding who had authorization to a deceased patient&#8217;s record. But after HIPAA was implemented, some providers felt they needed clearer direction from the state on whether it was still legal to discuss a deceased patient&#8217;s medical care with his or her spouse, says Mary Thomason, MSA, RHIA, CHPS, CISSP, privacy compliance consultant with Intermountain Healthcare, based in Salt Lake City. Because of this, Utah legislators passed specific state laws to define exactly who qualifies as the personal representative of a deceased patient.</p>
<p>The executor has first rights to the patient&#8217;s records. But if no executor was named, the patient&#8217;s spouse or adult child can become the deceased&#8217;s personal representative. Proving status as a personal representative requires that a person receive a letter of appointment from a probate court.</p>
<p>Even though the law is relatively clear, Thomason&#8217;s facility has had to deny records requests in the past and deal with disputes. A common dispute occurs when adult siblings want to deny record access to brothers and sisters. &#8220;In that case we basically say, &#8216;Hey, we are not the court. Go back to the probate court and find out who gets the letter of appointment to represent the estate, and that is the person we will deal with,&#8217;&#8221; Thomason says.</p>
<p>The situation in Wisconsin is more complicated. In Wisconsin, different laws govern the release of records for behavioral health records and general medical records.</p>
<p>With behavioral health records, access rights first go to the executor of the estate. If there is no executor, the patient&#8217;s spouse has sole rights of access. If there is no spouse or executor, a &#8220;responsible member of the patient&#8217;s family&#8221; comes next, Schmidt explains.</p>
<p>With the general record, the patient&#8217;s personal representative and spouse or domestic partner share access rights equally. &#8220;None is higher than the other, none can cancel out the other&#8217;s authority,&#8221; Schmidt says. If those individuals do not exist, then the personal representative is defined as any adult member of the deceased patient&#8217;s immediate family, such as children, parents, grandchildren, siblings, and even spouses of siblings.</p>
<p>All share equal rights to the record. Discretion is left up to the healthcare staff handling the request to decide if record requestors meet state law requirements as a personal representative. No one official document is required for access.</p>
<h5>Common Disputes</h5>
<p>With so many people authorized to access the record in Wisconsin, verification issues can arise. At Aurora Healthcare, the burden of proof lies with the requestor. Providing that proof is not always easy, and it can lead to people being denied access.</p>
<p>&#8220;The verification of some of these situations becomes a little difficult,&#8221; Schmidt says. &#8220;They have to prove their relationship to the deceased, and that is not always easy for them to do.&#8221;</p>
<p>A spouse can present a marriage certificate, but brothers and sisters lack comparable documents that show their relationship to the deceased. &#8220;They have to be able to just prove their standing in the family and their relationship to that person any way that they feel they can,&#8221; she says. It is up to staff to decide whether someone has provided adequate proof that they are authorized to access a deceased patient&#8217;s record.</p>
<p>&#8220;These are just things that you do to the best of your ability,&#8221; Schmidt says. &#8220;You are always looking for that comfort feeling of &#8216;this feels right&#8217; or &#8216;this doesn&#8217;t.&#8217; And sometimes that is all you are left with.&#8221;</p>
<p>Wisconsin state law leaves the potential that legally authorized individuals could be denied deceased patients&#8217; health records due to their inability to prove their authorization. However, Schmidt says the law has worked well at her facility, and she hasn&#8217;t encountered many problems with verification.</p>
<p>People become upset when they feel entitled to the patient&#8217;s medical record even though state law blocks their access, Thomason says. Under most state laws, a healthcare agent for a patient loses authority after the patient dies. If that agent was not named as an executor to the deceased patient&#8217;s estate, and is not related to the deceased, then that person is denied access, even though they most likely would feel entitled to the records.</p>
<p>Another common situation occurs when a patient dies and the spouse breaks all contact with the deceased&#8217;s immediate family, Schmidt says. The deceased&#8217;s siblings would not have authorization to access the records because the spouse holds all rights of access. &#8220;If the spouse really has moved on, the immediate family probably feels they have a right to that patient&#8217;s record, and technically they do not,&#8221; Schmidt says. &#8220;Those situations get hard.&#8221;</p>
<p>In July Wisconsin legislators amended state confidentiality laws to allow domestic partners the same authority over a patient&#8217;s records as a spouse. However, the change was only for general records, and it did not affect laws governing behavioral health medical records, an oversight Schmidt says could lead to some problems.</p>
<p>But the change will still help with a number of situations. &#8220;Somebody who took care of someone for 20 years and suddenly loses all authority, and the family steps in and kicks them out,&#8221; she says, &#8220;we have seen that. So I think it will help some people.&#8221;</p>
<h5>Preventing Ambiguity</h5>
<p>The most direct way for facilities to prevent record access disputes is to require patients to sign release of information authorizations or name their personal representative upon their admittance, Herrin says. Many healthcare facilities only ask patients for the name of someone they can contact in an emergency or the person who is the responsible party on their account. These questions do not identify who may legally access their medical records.</p>
<p>If a patient has not declared an executor or personal representative, Herrin recommends that a patient advocate or other staff member assist in filling out the proper paperwork. A HIPAA authorization form specifically identifies who can access their medical records before and after their death. This form should be filled out during or just after patient registration.</p>
<p>Federal law requires hospitals to ask admitted patients if they have an advance directive. Many facilities merely ask patients if they have an executor of their estate or have assigned a durable power of attorney, but they do not collect the actual advance directive documents, Herrin says. Requiring that these documents be included in the medical record on the front end can save hours of arguing if disputes arise later.</p>
<p>&#8220;It is that kind of preparation that HIPAA specifically allowed that people are not taking advantage of,&#8221; Herrin says. &#8220;They are treating HIPAA as a shield, instead of a sword.&#8221;</p>
<h5>Best Practices</h5>
<p>Unless state law dictates otherwise, healthcare facilities should require that requestors present a court-authorized document showing they have authority to see the record. A hospital is not a court, and staff should not have the responsibility of determining who has first authorization rights.</p>
<p>&#8220;Why should the hospital spend all its time and resources hiring a lawyer to fight this fight [between people over records],&#8221; Herrin says. &#8220;Just tell them, &#8216;Look, whatever court of whatever county handles disputes about who is in charge. You all go fight about it there and tell me who won.&#8217;&#8221;</p>
<p>HIM professionals in general err on the conservative side when releasing medical information, Schmidt says. &#8220;We are trying to err on protecting that person&#8217;s privacy, and [we] just try to make that judgment call thinking in terms of the best interest of the patient as a human being,&#8221; she says.</p>
<p>There are varying reasons why patients may not want family members to access their records after death. A common reason for privacy, Herrin says, is when a person is dying from a &#8220;catastrophic disease&#8221; such as HIV and does not want family members or others to know. The patient deliberately shielded his or her health information from them while alive, and that decision must be protected after death. Release of information staff should not be tempted to simply release a record rather than deal with irate requestors, Herrin says.</p>
<p>&#8220;If it is your medical information or your mother&#8217;s, and something happens to you or her, do you want everybody in your family poking around in that stuff?&#8221; Herrin says. &#8220;If the answer to that question is no, then you can&#8217;t be mad at HIPAA for making a person go and become the personal representative of a deceased patient&#8217;s estate. Because that is precisely what it is intended to do: to stop people from poking around in your stuff.&#8221;</p>
<p>Thomason can see how facilities that do not have ample access to legal counsel could restrict their policies rather than break the law by issuing records to an unauthorized person. But ignorance of the law is not an excuse, she says.</p>
<p>HIM professionals responding to a release of information request have a duty to explain why a record request is denied, Schmidt says. Aurora Healthcare keeps the state&#8217;s hierarchical chart of authority on hand for staff to reference. Facilities can also keep a sample copy of a valid court document to show requestors how to become a personal representative or executor, Thomason says.</p>
<p>&#8220;Part of our role is to educate the requestor on the true facts of why they can or can&#8217;t [access the record] or what the rules are,&#8221; Schmidt says. &#8220;I would sure hope we never see someone just give an outright &#8216;Well, it is HIPAA.&#8217; Because that is never really the answer, directly.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2009/08/04/rights-to-deceased-patient-records/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>HIPAA: 43,691 Complaints and Counting</title>
		<link>http://journal.ahima.org/2009/05/13/hipaa-43691-complaints-and-counting/</link>
		<comments>http://journal.ahima.org/2009/05/13/hipaa-43691-complaints-and-counting/#comments</comments>
		<pubDate>Wed, 13 May 2009 16:39:15 +0000</pubDate>
		<dc:creator>Kevin Heubusch</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Privacy and security]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=575</guid>
		<description><![CDATA[If you ever wonder what progress the Office for Civil Rights is making as it works its way through HIPAA privacy rule complaints, the numbers are easy to find. Each month OCR reports top-line results of the HIPAA cases it has received and resolved.
OCR has logged approximately 43,700 complaints since the privacy rule went into [...]]]></description>
			<content:encoded><![CDATA[<p>If you ever wonder what progress the Office for Civil Rights is making as it works its way through HIPAA privacy rule complaints, the numbers are easy to find. Each month OCR reports <a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/index.html" target="_blank">top-line results</a> of the HIPAA cases it has received and resolved.</p>
<p>OCR has logged approximately 43,700 complaints since the privacy rule went into effect April 14, 2003. It has resolved 86 percent of them, and as of April 30 it had nearly 6,000 cases still on its to-do list.</p>
<p>OCR enforces the HIPAA privacy rule only. Enforcement of the security rule falls to the Centers for Medicare and Medicaid Services. Violations of either rule that involve possible criminal violations are referred to the Department of Justice. Through April 30 of this year, OCR had referred 456 cases to the DOJ and 306 cases to CMS.<span id="more-575"></span></p>
<p>Individuals filed 8,526 privacy complaints with OCR in 2008. This is up 4 percent from the previous year, and up 23 percent since 2004, the first full year of the rule.</p>
<p>OCR reviews all complaints, but not all require investigation. In 2008 the office resolved 9,280 complaints, of which 36 percent warranted an investigation. Of those, 2,210 resulted in corrective action. No violation was found in the remaining 1,163 cases.</p>
<p>This breakdown largely reflects past history. Since 2005 approximately one-third of complaints have required investigation. Approximately two-thirds of investigations have resulted in corrective action.</p>
<h5>Common Complaint</h5>
<p>Improper use and disclosure of protected health information has been the leading compliance violation since 2004. The following three issues have not changed, either. They are, in order: lack of safeguards for protected health information, lack of patient access, and use or disclosure of more than the minimum necessary information. The fifth spot has alternated among issues related to amendments, notices, mitigation, and authorization.</p>
<p>Private practices lead the list of covered entity types that have been required to take corrective action. General hospitals follow.</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2009/05/13/hipaa-43691-complaints-and-counting/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Accounting for All Disclosures</title>
		<link>http://journal.ahima.org/2009/03/25/accounting-for-all-disclosures/</link>
		<comments>http://journal.ahima.org/2009/03/25/accounting-for-all-disclosures/#comments</comments>
		<pubDate>Wed, 25 Mar 2009 15:19:08 +0000</pubDate>
		<dc:creator>Kevin Heubusch</dc:creator>
				<category><![CDATA[ARRA]]></category>
		<category><![CDATA[Electronic records]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Privacy and security]]></category>
		<category><![CDATA[EHRs]]></category>
		<category><![CDATA[EMR]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[stimulus bill]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=264</guid>
		<description><![CDATA[Many in healthcare still haven’t made their peace with HIPAA’s accounting of disclosure requirements—the provision under which covered entities, upon request, must provide patients with a record of the entities to whom they have disclosed the patient’s protected health information (PHI). They consider it an undue administrative burden for requests they rarely receive. Now new [...]]]></description>
			<content:encoded><![CDATA[<p>Many in healthcare still haven’t made their peace with HIPAA’s accounting of disclosure requirements—the provision under which covered entities, upon request, must provide patients with a record of the entities to whom they have disclosed the patient’s protected health information (PHI). They consider it an undue administrative burden for requests they rarely receive. Now new requirements in the American Recovery and Reinvestment Act have upped the accounting ante.</p>
<p>The law singles out covered entities that maintain PHI in electronic health records, requiring them to account for disclosures of PHI made even for purposes of treatment, payment, and healthcare operations—actions exempted under HIPAA. Under the new law, covered entities must be able to provide disclosures dating back three years from the patient request.<span id="more-264"></span></p>
<p>ARRA also requires that covered entities account for the disclosures of their business associates, or require them to make their own accounting. Business associates must respond to individual requests made directly to them.</p>
<p>The secretary of Health and Human Services is charged with determining what information patients may request and covered entities and business associates must provide.</p>
<h5>Early Warning for EHR Systems</h5>
<p>Covered entities currently using EHR systems have until January 1, 2014, to comply. Existing systems will need to be adapted to meet the new requirement, since few were likely designed to account for disclosures this finely.</p>
<p>Covered entities that purchase EHR systems dating from the first of this year must be compliant as of January 1, 2011. Systems purchased after that date must be capable of compliance right out of the box.</p>
<p>That means covered entities in the market for EHR systems now must get assurance from vendors that the systems will be able to meet the new disclosure criteria.</p>
<p>The secretary’s regulations are required no later than August.</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2009/03/25/accounting-for-all-disclosures/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>A Good Time for a HIPAA Refresher</title>
		<link>http://journal.ahima.org/2009/03/23/a-good-time-for-a-hipaa-refresher/</link>
		<comments>http://journal.ahima.org/2009/03/23/a-good-time-for-a-hipaa-refresher/#comments</comments>
		<pubDate>Mon, 23 Mar 2009 18:28:07 +0000</pubDate>
		<dc:creator>Kevin Heubusch</dc:creator>
				<category><![CDATA[ARRA]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Privacy and security]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[stimulus bill]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=257</guid>
		<description><![CDATA[Mixed in with the billions of dollars for health IT in the American Recovery and Reinvestment Act are new privacy and security regulations for using it. It’s reminiscent of 1996, when HIPAA mandates on transacting certain health information electronically required accompanying standards for doing so securely.
After the initial trumpet of ARRA’s wake up call, something [...]]]></description>
			<content:encoded><![CDATA[<p>Mixed in with the billions of dollars for health IT in the American Recovery and Reinvestment Act are new privacy and security regulations for using it. It’s reminiscent of 1996, when HIPAA mandates on transacting certain health information electronically required accompanying standards for doing so securely.</p>
<p>After the initial trumpet of ARRA’s wake-up call, something of a lull is ensuing. The industry is chewing over the published legislation while waiting on the details that will come in interim rules.</p>
<p>ARRA plays largely off HIPAA, which makes this lull a good time to brush up on the HIPAA security rule. A strong working knowledge of the rule will help organizations interpret and implement the new ARRA provisions. It’s been six years since the final rule was published, and it never did get the kind of attention that the privacy rule received.</p>
<p>AHIMA’s policy and governance team offered an <a href="http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_017594.hcsp?dDocName=bok1_017594" target="_blank">analysis of the HIPAA security final rule</a> upon its publication back in February 2003. The article offers a good place to start.</p>
<p>AHIMA’s <a href="http://www.ahima.org/" target="_blank">Body of Knowledge</a> library is also rich with subsequent articles on interpreting and working with the rule (requires AHIMA member login). The <a href="http://www.cms.hhs.gov/SecurityStandard/" target="_blank">Department of Health and Human Services</a> offers guidance and links.</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2009/03/23/a-good-time-for-a-hipaa-refresher/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>When FERPA and HIPAA Collide</title>
		<link>http://journal.ahima.org/2009/03/19/when-ferpa-and-hipaa-collide/</link>
		<comments>http://journal.ahima.org/2009/03/19/when-ferpa-and-hipaa-collide/#comments</comments>
		<pubDate>Thu, 19 Mar 2009 19:39:27 +0000</pubDate>
		<dc:creator>Kevin Heubusch</dc:creator>
				<category><![CDATA[Career & education]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Privacy and security]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=253</guid>
		<description><![CDATA[A 19-year-old college student uses her university clinic for gynecological visits. Her parents contact the clinic and ask to see her health record in order to find out if she is using birth control. The clinic shares the record with the parents. Did the clinic staff do wrong?
Maybe not.
The behavior would seem to fly in [...]]]></description>
			<content:encoded><![CDATA[<p>A 19-year-old college student uses her university clinic for gynecological visits. Her parents contact the clinic and ask to see her health record in order to find out if she is using birth control. The clinic shares the record with the parents. Did the clinic staff do wrong?</p>
<p>Maybe not.</p>
<p>The behavior would seem to fly in the face of the HIPAA privacy rule, but virtually all public schools and most private and public postsecondary institutions are covered by a different federal law.</p>
<p>The Family Educational Rights and Privacy Act, or FERPA, regulates the privacy of students’ education records. These can include student health records if the institution chooses to classify them as such. The HIPAA privacy rule does not apply to records covered by FERPA.</p>
<p>It’s a complicated intersection of federal law, and the Department of Health and Human Services and the Department of Education have issued guidance to help schools navigate it. See <a href="http://www.ahima.org/images/newsletters/academic_advisor/2009/winter/ferpa.html" target="_blank">“When FERPA and HIPAA Collide”</a> in the Winter 2009 issue of AHIMA’s <em>Academic Advisor</em> e-newsletter.</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2009/03/19/when-ferpa-and-hipaa-collide/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Piecing apart ARRA</title>
		<link>http://journal.ahima.org/2009/03/16/piecing-apart-arra/</link>
		<comments>http://journal.ahima.org/2009/03/16/piecing-apart-arra/#comments</comments>
		<pubDate>Mon, 16 Mar 2009 13:51:18 +0000</pubDate>
		<dc:creator>Kevin Heubusch</dc:creator>
				<category><![CDATA[ARRA]]></category>
		<category><![CDATA[Electronic records]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Privacy and security]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=247</guid>
		<description><![CDATA[AHIMA has posted reviews of the American Recovery and Reinvestment Act. The law, previously known as the stimulus bill, allots approximately $19 billion to promote the adoption of health IT. It also introduces significant new privacy and security requirements for healthcare entities.
There are two overviews on the AHIMA site: the first on the general provisions [...]]]></description>
			<content:encoded><![CDATA[<p>AHIMA has posted reviews of the American Recovery and Reinvestment Act. The law, previously known as the stimulus bill, allots approximately $19 billion to promote the adoption of health IT. It also introduces significant new privacy and security requirements for healthcare entities.</p>
<p>There are two overviews on the AHIMA site: the first on the <a href="http://www.ahima.org/dc/documents/ARRAReviewFinal3122009.pdf" target="_blank">general provisions</a> of the legislation and the second specifically dedicated to the <a href="http://www.ahima.org/dc/documents/AnalysisofARRAPrivacy-fin-3-2009a.pdf" target="_blank">privacy provisions</a>.</p>
<p>A third review identifies the <a href="http://www.ahima.org/dc/documents/AHIMAReviewofARRARequiredReports.pdf" target="_blank">reports and other submissions</a> the law requires from the Department of Health and Human Services and other federal agencies, some of which are due beginning next month.</p>
<p>Provisions in the law will be put into effect over the course of the next two years, with regulations, guidance, and reports still to come. AHIMA offers additional analysis and comments on industry matters at its <a href="http://www.ahima.org/dc" target="_blank">Advocacy and Public Policy Center</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2009/03/16/piecing-apart-arra/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Keeping HIPAA Education Fresh</title>
		<link>http://journal.ahima.org/2008/12/11/keeping-hipaa-education-fresh/</link>
		<comments>http://journal.ahima.org/2008/12/11/keeping-hipaa-education-fresh/#comments</comments>
		<pubDate>Thu, 11 Dec 2008 22:21:12 +0000</pubDate>
		<dc:creator>Chris Dimick</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[HIM operations]]></category>
		<category><![CDATA[HIPAA]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=122</guid>
		<description><![CDATA[Get hip with HIPAA.
That’s just one of the taglines attached to Sharp Healthcare’s HIPAA education modules. Photos from the age of hip—the late 1960s and early 1970s—permeate the online HIPAA training modules. Musicians Jimi Hendrix and Bob Dylan and era-TV icons like the Get Smart cast mingle with privacy requirements and confidentiality factoids.
The hip-themed training [...]]]></description>
			<content:encoded><![CDATA[<p>Get hip with HIPAA.</p>
<p>That’s just one of the taglines attached to Sharp Healthcare’s HIPAA education modules. Photos from the age of hip—the late 1960s and early 1970s—permeate the online HIPAA training modules. Musicians Jimi Hendrix and Bob Dylan and era-TV icons like the Get Smart cast mingle with privacy requirements and confidentiality factoids.</p>
<p>The hip-themed training is just one theme in a series of HIPAA privacy, security, and confidentiality training modules at the San Diego-based facility.</p>
<p>The incorporation of a new theme each year assures that Sharp’s staff of 12,000 employees learn more than how to fall asleep during training, says Paul Belton, RHIA, Sharp’s vice president of corporate compliance and creator of the unique training programs.</p>
<p>“All this is to just try and keep this fresh,” Belton says. “You come up with something that would be tasteful and flavorful to them to [avoid] the dry and boring education modules that are so typical.”</p>
<p>Keeping a facility’s HIPAA education program interesting year after year can be a challenge for privacy officers. They must develop interesting, comprehensive programs that stick for new employees as well as fresh refresher programs for current staff. <span id="more-122"></span></p>
<p><strong>Follow up with “Privacy Rounds”</strong></p>
<p>Andrea Thomas-Lloyd, RHIA, CHPS, MBA, CPHIMS, used AHIMA’s 2008 Health Information Privacy and Security (HIPS) Week to reintroduce HIPAA and other privacy regulations to the staff at Lancaster General. The senior director of information management and privacy at the Lancaster, PA-based healthcare organization, Thomas-Lloyd handed out compliance tip sheets with water bottles at her major facilities during HIPS week. She offered prizes for correctly completed privacy regulation quizzes. Within two days, 1,100 people had taken the quiz, and five people with correct answers were randomly selected to receive VISA gift cards.</p>
<p>Many privacy officers would like to conduct in-person training sessions, but the cost and time involved in visiting every department and facility to provide training can make that goal unrealistic. While Lancaster General’s employees complete their orientation and annual reminder training online, in January 2008 Thomas-Lloyd began supplementing that training with personal visits to three different departments each month.</p>
<p>During the “privacy rounds” Thomas-Lloyd discusses privacy regulations, addresses classic privacy bloopers like unprotected laptops, and fields questions from staff. The rounds, which are also conducted by Lancaster General’s full-time privacy analyst, freshen up the HIPAA training and bring the employees personal stories of why HIPAA regulations are important to follow.</p>
<p>“It is really a sort of grassroots effort to, one, develop awareness that there is a privacy official and a privacy department they can contact,” Thomas-Lloyd says, “and two, to try and address any questions and concerns that they have while we are there… It has to be personal for them to understand it.”</p>
<p><strong>Make It Personal</strong></p>
<p>Know your audience, advises Staci Coy, RHIA, CHPS, CCS, the HIM director and privacy officer at Willamette Valley Medical Center, based in McMinnville, OR. Go beyond PowerPoint slides. If your audience is full of emergency room nurses, she says, talk about the privacy implications of law enforcement officers following patients into the ER. Customize presentations to the particular audience and tell HIPAA violation horror stories to keep them alert.</p>
<p>“The housekeepers, they don’t think that they come in contact with [protected health information],” she says. “I have to make sure that they know how they can help prevent [privacy violations].”</p>
<p>Cartoons also liven up HIPAA education at Willamette Valley Medical Center. Coy created HIPAA the Hippo as a lighthearted representation of the regulations on the informational HIPAA posters that are displayed during her 600-employee organization’s annual education day.</p>
<p><strong>Add Variety</strong></p>
<p>Belton’s training modules have changed themes every year since the privacy rule took effect in 2003. In the past he has woven privacy, security, and compliance rules through themes like Star Wars and American pride. This year’s theme, “The Art of Compliance,” juxtaposes classic works of art with HIPAA training materials.</p>
<p>The “Get Hip with HIPAA” training program is comprised of six increasingly detailed training modules, which must be completed by all new employees within 30 days of their hire. A person’s position with the company determines how many of the training modules they must complete. For variety, each level contains a different motif in the late ’60s and early ’70s, from popular musicians to TV shows to era toys.</p>
<p>Staff reaction to the training has been very positive, Belton says, and he encourages other privacy officers to get creative with their programs.</p>
<p>“The material seems to be a little bit easier when you have a theme to run with,” he says.</p>
<p>Chris Dimick (<a href="mailto:chris.dimick@ahima.org">chris.dimick@ahima.org</a>) is staff writer at the Journal of AHIMA.</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2008/12/11/keeping-hipaa-education-fresh/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Arkansas HIPAA Violator Sentenced</title>
		<link>http://journal.ahima.org/2008/12/08/arkansas-hipaa-violator-sentenced/</link>
		<comments>http://journal.ahima.org/2008/12/08/arkansas-hipaa-violator-sentenced/#comments</comments>
		<pubDate>Mon, 08 Dec 2008 22:58:56 +0000</pubDate>
		<dc:creator>Chris Dimick</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Privacy and security]]></category>
		<category><![CDATA[privacy & security]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=121</guid>
		<description><![CDATA[An Arkansas woman who was the first in her state to be prosecuted under the Health Insurance Portability and Accountability Act (HIPAA) was sentenced to probation and community service.
Andrea Smith, a 25-year-old woman from Trumann, AR, was sentenced on December 3, 2008, to two years probation and 100 hours of community service for accessing and [...]]]></description>
			<content:encoded><![CDATA[<p>An Arkansas woman who was the first in her state to be prosecuted under the Health Insurance Portability and Accountability Act (HIPAA) was sentenced to probation and community service.</p>
<p>Andrea Smith, a 25-year-old woman from Trumann, AR, was sentenced on December 3, 2008, to two years probation and 100 hours of community service for accessing and disclosing a patient’s health information for personal gain, according to Cherith Beck, public information officer with the United States Attorney for the Eastern District of Arkansas.<span id="more-121"></span></p>
<p>US District Judge Susan Weber Wright advised Smith during the sentencing on how she should spend her community service hours. “The judge suggested she educate others on the consequences of violating the Health Insurance Portability and Accountability Act,” Beck said.</p>
<p>While working as a licensed practical nurse at Northeast Arkansas Clinic (NEAC) in Jonesboro, AR, Smith accessed an unidentified patient’s medical record on November 28, 2006. Smith then gave the private medical information to her husband, Justin Smith, who called the patient and said he intended to use the information against him or her in “an upcoming legal proceeding,” according to an Eastern District of Arkansas US Attorney press release.</p>
<p>Upon discovery of the HIPAA breach, NEAC fired Smith, and in December 2007 a federal indictment charged her with wrongful disclosure of individually identifiable health information for personal gain and malicious harm. Eventually one criminal count was dropped against Smith, as well as charges against her husband, in exchange for her guilty plea to one remaining count on April 15, 2008. NEAC was not charged in connection with the case.</p>
<p>Smith faced a maximum of 10 years in prison, a fine of no more than $250,000, or both, as well as a term of supervised release of not more than three years.</p>
<p>The Arkansas State Board of Nursing will review a complaint filed against Smith on Feb. 11, when they will decide if her nursing license will be suspended or revoked, according to Arkansas State Board of Nursing Executive Director Faith Fields. Smith’s nursing license is currently expired.</p>
<p>The case is a reminder of the consequences for breaking HIPAA privacy protections, said Eastern District of Arkansas US Attorney Jane Duke, after Smith’s guilty plea.</p>
<p>“What every HIPAA-covered entity needs to realize and reinforce to its employees is that the privacy provisions of HIPAA are serious and have significant consequences if they are violated,” Duke stated. “Long gone are the days when medical employees were able to snoop around the office files for ‘juicy’ information to share outside the office. We are committed to providing real meaning to HIPAA.”</p>
<p>Chris Dimick (<a href="mailto:chris.dimick@ahima.org">chris.dimick@ahima.org</a>) is staff writer at the Journal of AHIMA.</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2008/12/08/arkansas-hipaa-violator-sentenced/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>
