Patient Privacy: When Following Just the HIPAA Privacy Rule Isn’t Enough
Also: Know how to follow the EU GDPR and 42 CFR Part 2 to cover all your bases
If asked, chances are good that you would give patient privacy a rating of high importance to you and your practice. But prioritizing privacy rules and properly complying with them are not one and the same. And there are plenty to comply with.
Whether you’re an expert or newbie to healthcare compliance, a refresher on the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule could probably do you a lot of good – especially since you may be responsible not only for complying with this law, but also with the other related laws. In his webinar “HIPAA Privacy Rule Primer: What the HIPAA Privacy Officer Needs to Know Today,” healthcare compliance advisor Jim Sheldon-Dean explains these intersecting laws, how exactly they relate to HIPAA, and when you need to comply with them.
42 CFR Part 2: Updates Still Lacking
One area where HIPAA compliance is not enough is substance abuse treatment. Substance use disorder (SUD) patients are covered under 42 CFR Part 2 (Part 2), Confidentiality of Substance Use Disorder Patient Records, a federal law that protects the rights of those seeking help for SUDs from federally assisted programs.
On March 21, 2017, updates to this law—the first in 30 years—went into effect. Groups such as the American Psychiatric Association (APA) have pointed out the flaws in the updates, which were intended to align 42 CFR Part 2 with the HIPAA Privacy Rule.
These updates include:
- Requirement of formal policies and procedures regarding the security of both electronic and paper records, and
- Clarified definition of protected health information (PHI).
It’s important to note that the 42 CFR updates do not require the same level of privacy as HIPAA; therefore, giving HIPAA’s laws precedence is a best practice.
HIPAA & GDPR: Get Explicit Consent
A second patient privacy law that intersects with the HIPAA Privacy Rule is the European Union General Data Protection Regulation (GDPR).
You might be asking whether this law applies to U.S. entities. The short answer is: it depends. If you are fully HIPAA compliant, you should be mostly okay when it comes to GDPR. But there is one crucial caveat.
Where HIPAA and the GDPR diverge significantly is in terms of active, explicit consent. While HIPAA addresses consent, it does not specifically require explicit consent. The GDPR, however, does. So what does this mean for your entity?
When an EU-citizen patient comes through your facility, be sure to get their explicit consent to opt into any form of communication. Essentially, that consent must be specific, informed, and given freely. You can consult the complete GDPR consent guidelines to ensure full compliance.
Understand the Nuances of Consent
Also: This is a good time to update your knowledge on the different types of consumer consent. With that being a key differentiator between HIPAA and GDPR, you can’t afford to miss the nuances if you want to be compliant with both laws.
It can be confusing to know which laws to follow and how to continually and compliantly safeguard patient privacy. That’s why it’s important to get clarity on evolving rules.
Remember: Even the smallest of interactions can have a privacy rule implication, notes Jim Sheldon-Dean. For instance, sharing information with a patient’s family and friends, when they’re involved with the patient’s care, can open a can of worms. Learn how to handle numerous tricky—but common—scenarios in “HIPAA Privacy Rule Primer: What the HIPAA Privacy Officer Needs to Know Today.”