HIPAA Compliance for Pediatricians
HIPAA compliance for pediatricians is complicated by the provisions of the Privacy Rule relating to personal representatives of minors and the data sharing requirements of the 21st Century Cures Act Interoperability Final Rule.
Most pediatricians – or the organizations they work for – are Covered Entities under HIPAA if they transmit health information electronically in connection with a transaction for which the Department of Health and Human Services (HHS) has developed standards. These transactions include (but are not limited to):
- Payment and remittance advice
- Claims status
- Coordination of benefits
- Claims and encounter information
- Enrollment and disenrollment
- Referrals and authorizations
Additionally, pediatricians who do not qualify as Covered Entities may still be required to comply with the HIPAA Privacy, Security, and Breach Notification Rules if they provide a service for or on behalf of a pediatric office that does qualify as a Covered Entity. In such cases, the pediatrician is a Business Associate of the pediatric office under HIPAA.
The Privacy, Security, and Breach Notification Rules that apply in pediatrics are the same as apply to any HIPAA Covered Entity. However, HIPAA compliance for pediatricians is complicated by the provisions of the Privacy Rule relating to personal representatives of minors and the data sharing requirements of the 21st Century Cures Act Interoperability Final Rule.
Privacy Rule HIPAA Compliance for Pediatricians
The Privacy Rule has the objective of protecting the privacy of individually identifiable health information and any additional “common identifier” information maintained in the same designated record set. To achieve this objective, the Privacy Rule requires Covered Entities to implement safeguards against impermissible uses and disclosures of Protected Health Information.
This is where HIPAA compliance for pediatricians starts getting complicated because, rather than just having the Protected Health Information of one patient in a designated record set, a child's designated record set may include individually identifiable health information relating to parents and other family members which can only be used or disclosed in certain circumstances.
Additionally, in most cases parents are the personal representatives of minor children. Where exceptions exist, these are due to state laws authorizing alternative guardianship. Under the Privacy Rule, personal representatives have to be treated the same as the minor children they represent with respect to uses and disclosures of Protected Health Information and patients' rights.
However, contrary to the required uses and disclosures to an individual stipulated by the Privacy Rule, pediatricians do not have to provide access to a child's Protected Health Information if the pediatrician reasonably believes the child "is subject to domestic violence, abuse, or neglect by the [parent] or doing so would otherwise endanger the individual".
Security Rule HIPAA Compliance for Pediatric Offices
With regards to disclosing Protected Health Information in electronic form (ePHI), the Security Rule requires pediatric offices to implement administrative, physical, and technical safeguards to mitigate risks to the confidentiality, integrity, and availability of ePHI. However, these safeguards do not always align with the requirements of the 21st Century Cures Act Interoperability Final Rule.
This can complicate Security Rule HIPAA compliance for pediatric offices if, for example, the EHR technology available to a pediatric office does not support the level of data segmentation necessary to adhere to the Information Blocking provisions of the Interoperability Final Rule – which may be relevant when a parent's health information is in the same designated record set as their child's.
Although the provisions of the Interoperability Final Rule allow for an “Infeasibility Exception” that enables pediatricians to deny patient access requests under the 21st Century Cures Act, this exception does not apply to HIPAA. Therefore, it may be the case that:
- A pediatric office denies a personal representative access to a child's ePHI in compliance with the 21st Century Cures Act, but in violation of HIPAA, or
- A pediatric office provides more than the minimum necessary ePHI to comply with HIPAA but violates the Information Blocking provisions of the Interoperability Final Rule.
As in most conflicts between HIPAA and another federal or state law, HIPAA would prevail. In this case, the pediatric office would not be violating HIPAA by providing more than the minimum necessary ePHI because the disclosure is made to the personal representative of the child – a permissible disclosure subject to the “violence, abuse, and neglect” exceptions mentioned above.
Breach Notification HIPAA Compliance and Pediatrics
The Breach Notification Rule applies to all Covered Entities and Business Associates equally and doesn't distinguish between pediatrics and other health care disciplines. However, it can be harder for pediatric offices to determine whether a disclosure of ePHI constitutes a breach if the disclosure was made to somebody who was believed to have a right to access the information.
The safest option in these circumstances is to report the disclosure of ePHI to HHS' Office for Civil Rights as if it were a breach and let HHS' Office for Civil Rights make the decision. If following this course of action, it is important that the circumstances of the disclosure and the policies put in place to prevent impermissible disclosures are documented and available for inspection.
It is also important that pediatricians and pediatric offices develop policies for providing access to ePHI on request (including accountings of disclosures) and document the rationale for each case in which ePHI will not be disclosed to personal representatives. These policies should include the procedures for reporting violence, abuse, and neglect to the appropriate authorities or law enforcement officials.
In conclusion, as mentioned at the start of this article, HIPAA compliance for pediatricians is complicated; if your pediatric practice, office, or department is experiencing challenges with HIPAA compliance, you are advised to seek specialist help from a compliance expert.