Q&A on medical record privacy and security

May 11, 2022

by Tanya Babitch, Assistant Vice President of Risk Management, and
Robin Desrocher, Director, Risk Management

Answers to your questions about HIPAA, the Texas Medical Records Privacy Act, and other rules that govern medical record privacy and security.

Are some physician practices exempt from complying with HIPAA?

Under HIPAA, the definition of “covered entities” did exclude a few physicians. However, the Texas Medical Records Privacy Act now applies to anyone in Texas who creates or maintains medical records. Physicians may want to seek the advice of an attorney who specializes in HIPAA to determine if they are exempt from the federal law.

Am I required to conduct a risk analysis and how often must it be repeated?

All practices that are required to meet the HIPAA Security Rule are required to conduct a risk analysis. “Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule,” according to the HHS.gov Guidance on Risk Analysis.

Generally speaking, if you bill electronically, have electronic records, or maintain records in an electronic format you are required to conduct a risk analysis. Additionally, you are required to re-assess your risk and vulnerabilities any time you make significant changes to your network or system.

For practices participating in the CMS Merit-based Incentive Payment System (MIPS) program , a security risk analysis is required.

Additionally, if a HIPAA breach or complaint is investigated by the OCR, investigators will ask to see the results of all risk assessments performed, as well as any plan developed to address the risks and vulnerabilities discovered.

TMLT staff are available to conduct a risk analysis for your practice. Please contact our Cyber Consulting Services Department at cyber@tmlt.org

What are the requirements for training staff on privacy and security?

Under HIPAA, covered entities are required to train staff and repeat training when changes are made in the practice. Texas has much more stringent requirements. All new employees must be trained by the 90th day of employment; employees must be retrained whenever there is a change in the law that affects their job as it relates to access to patient’s personal health information (PHI). Training should be done as soon as possible and is required by the first anniversary of the effective date of the law and the employee must sign an acknowledgment of training.

Are business associate agreements required?

A Business Associate Agreement (BAA) is a contract between a healthcare provider and an individual or organization that will access, transmit, or store Protected Health Information (PHI) as part of its services for the provider. Under HIPAA, HITECH, the HIPAA Omnibus Rule, business associate agreements or contracts are required to clearly outline the responsibilities of the business associate. Under the Omnibus Rule, there are more requirements for business associates and their subcontractors. Covered entities should review their business associate agreements for compliance. For more information, please see the HHS website.

What should I do if I have a breach of protected health information?

If you are a TMLT policyholder, report the incident to TMLT by calling 800-580-8658. It is important to report a breach as soon as possible, as timely reporting is a requirement for coverage. In the event of a ransomware attack, we recommend that you report it as soon as it is discovered. This will allow us to help with your response.

Do not allow IT to erase or wipe any server or hard drives in an effort to begin data recovery. This can destroy valuable evidence.

Depending on the number of records affected, you will have patient notification requirements. Generally, all breaches must be reported to the affected patient(s) within 60 days and must be reported to the U.S. Secretary of Health and Human Services.

Updated May 11, 2022.