Learning Legal Best Practices and Documentation
Whether or not it is convenient, HIT technicians must deal with legal issues. You need to make sure you are covered for all possible legal issues, so if any issues come up you will be prepared. Best practices and documentation need to be established for HIT technicians because of the necessity to be prepared for a legal issue. For example, HIT technicians are responsible for having the ability to audit all PHI accessed. With the ability to audit activity in information systems, if someone in the hospital violates HIPAA by viewing a patient’s record they should not, the IS can track who accessed the e-PHI that was violated. As another example, when you depend on a vendor to support the equipment in the lab, a contract with the vendor is needed to know the time frame the vendor has to reply to repair needs. If the vendor is slow to respond to your repair requests, you have the contract to remind the vendor of its agreements with consequences to not meeting the commitments outlined.
Hospitals and healthcare providers must use legal best practices to protect themselves from unwarranted lawsuits. Waivers of liability are forms used by healthcare entities to be protected from being inappropriately responsible or sued for harm or debt. An example of a waiver of liability relates to Medicare. Medicare has a law that states healthcare providers are only responsible for providing services that are reasonable and necessary for a patient’s health. However if a patient wants further healthcare, the patient can sign a waiver of liability to receive services not covered by Medicare if he agrees to pay out-of-pocket for the expense of the extra services.
HIPAA requires that when a covered entity requires the services of a person, company, or organization outside the organization, the covered entity must enter into contracts with these third parties. The purpose of this business associate agreement (BAA) is to establish rules for safeguarding e-PHI. Third parties need access to e-PHI to fulfill obligations to a covered entity. For example, a vendor needs access to data that might contain e-PHI to research a bug that needs to be fixed with the next update to an IS.
Access allowed to business associates must be limited to the minimum amount of access required to perform necessary functions and activities of the job. This access is controlled by role-based access. This access must have the ability to be audited for activity of the business associates, the same as how auditing abilities are required for internal e-PHI activity.
For example, third parties need a BAA to access e-PHI data to perform the following functions:
- Insurance claims processing
- Data analysis
- Quality assurance
- Private practice office management
Covered entities often require third-party assistance with operations; for example, a software vendor might be contracted to support software and provide regular updates and bug fixes. It is recommended to have a service-level agreement (SLA). An SLA, much like a BAA, establishes how information is to be shared and used. It also sets expectations for service provided so everyone is on the same page and understanding.
In the previous example, a covered entity might use an IS vendor to support that IS and provide updates for bug fixes. The covered entity needs an SLA with the vendor. The SLA establishes the security protocols for the electronic transfer of e-PHI to the company as needed to resolve problems. The SLA also covers the protocol to reset passwords to access the software. The SLA establishes the support protocol, such as if users should call the vendor directly when an issue arises or if the users at a covered entity must go through the IT department to receive support from the vendor.
However, sometimes covered entities need to ensure that personnel and departments within their facility understand the rules regarding access to sensitive information. A memorandum of understanding (MOU) establishes a mutual understanding with personnel or departments that wouldn’t normally have access to sensitive information. For example, cafeteria workers might see PHI occasionally as they prepare meals for patients with special dietary needs. An MOU is needed to make sure the cafeteria workers understand the HIPAA rules about patient privacy.