The most important word throughout the HIPAA framework is “reasonable.” Privacy and security practices that might be reasonable for a rural dental practice with a small staff would not be reasonable for a billion-dollar insurance company with thousands of employees (and vice versa, of course).
Thinking about HIPAA should be similar to thinking about any other important part of your practice. Consider that it is second nature to care about your patients in matters of hygiene, function, and aesthetics, as well as your staff's training and supervision. With only a moment's reflection, though, you realize you also care just as much about the risk of harming a patient through careless office management: fumbling with charts, sloppy billing practices, and the like. Your professionalism is measured both by technical skill and by responsible practice management, which mainly means paying attention.
HIPAA is not a single, rigid set of monolithic forms and robotic routines. You simply must balance your freedom to practice as you please against your responsibility to your patients' privacy and security interests.
The price you pay for flexibility in how you run your practice is nothing more than doing what any prudent person in your circumstances would do to protect patients' privacy and security. So, a specialist group in a city with a large staff that relies heavily on technology should be expected to do more to protect patient privacy and security than a solo practitioner with one assistant and paper charts in a rural area. The following simple-sounding problem illustrates how to approach most HIPAA issues so that the solution is common-sense, balanced, defensible, and effective (and “reasonable”).
Is your landlord a business associate (a BA)? (If so, of course, you should have a BA agreement with your landlord. If not, your landlord should acknowledge in the lease that you have confidential Protected Health Information (PHI) on site and that you, as tenant, restrict the landlord's access to that PHI; you should have other safeguards in place as well, such as prohibiting liens on patient files and allowing termination without penalty if the landlord violates HIPAA-related restrictions in the lease.)
Factors that bear on the question of whether the landlord is a BA primarily center on the landlord's right to access parts of the leased premises that contain PHI. If, for example, the landlord reserves the right to enter any part of the premises without notice (to inspect the property or effect repairs, for example), then the landlord is more likely to be regarded as a business associate by the HHS Office for Civil Rights (OCR), which enforces HIPAA.
If, however, the landlord acknowledges the presence of PHI, agrees not to access PHI, and agrees to enter the premises only on prior notice and with the tenant's consent, only during office hours, and only when accompanied by a representative of the tenant, then the tenant has a better argument for not needing a BA agreement. You should still have compensating controls to protect the PHI, such as adequate staff training that addresses landlord access and appropriate written policies and practices. For example, if the landlord reserves the right to access the premises after office hours, then written policies and practices that include locking the filing cabinets that contain patient charts or other PHI would provide a defensible response to an OCR inquiry.
The scenarios are limitless, but the principles are the same. Be prepared to show (in writing) that you have thought about your patients' PHI and taken reasonable steps to protect it.

Note:
1 Shareholder and Director, Gill Ragon Owen, P.A., Attorneys – www.gill-law.com/drake-mann – Co-Director, Data Security and Privacy Group – Certified Information Privacy Manager, Certified Information Privacy Technologist, Certified Information Privacy Professional/US (International Association of Privacy Professionals); Advanced Professional (Cloud Industry Forum).