August 2017

HIPAA Challenges: Privacy Concerns Complicate X-ray Silver Mining
By David Holtzman, JD, CIPP
For The Record
Vol. 29 No. 8 P. 8

The digital revolution that has brought extensive HIT use has tremendous promise to improve the efficiency, cost-effectiveness, quality, and safety of medical care delivery. The development of computed radiography has transformed radiological imaging, with the practice largely replacing analog screen film radiology and the associated use of silver emulsoid film in most radiographic applications.

As health care organizations transform their medical record systems into digital environments, they are presented with challenges in storing and disposing of paper and analog health records. These issues are compounded when the decisions involve X-ray films containing silver emulsoid, which carries value. Health care organizations can choose among several available processes to reclaim the silver and recycle or destroy the film base.

Whatever reclamation method is selected, providers must ensure that throughout the process the patient information captured in the analog image is kept confidential while the underlying film base is made unreadable or indecipherable.

Keeping patient information confidential is the keystone of every health care provider. If patients don't trust the organization to keep personal and medical information private, they are less likely to choose it for their health care needs or not fully disclose all of the information needed for sound clinical decision making. For these reasons, health care practices must carefully consider how medical records are disposed, including when recycling and reclaiming silver from X-ray films containing protected health information (PHI). Failure to do so could result in significant ramifications, including HIPAA violations.

Privacy Rule Basics
The HIPAA Privacy Rule requires covered entities (CEs) to safeguard PHI in any form from unauthorized disclosure. CEs subject to the rule include most health plans, health care clearinghouses, and providers that engage in certain electronic transactions such as filing claims and checking patient eligibility with Medicare, Medicaid, and private carriers.

Contractors or vendors providing a service or performing a function for a HIPAA-covered provider are themselves required to safeguard PHI in any form from unauthorized disclosure. Under HIPAA, a business associate (BA) is any entity that creates, receives, maintains, or transmits PHI on behalf of a CE or their BAs, or any entity that provides services to or for the CE involving the use or disclosure of PHI.

HIPAA requires CEs and BAs to enter into contracts to ensure the BA will appropriately safeguard PHI. The BA agreement (BAA) serves to clarify and limit, as appropriate, the permissible uses and disclosures of PHI, based on the relationship with the contractor and the activities or services being performed by the BA. A BA is directly liable under HIPAA, and in some cases criminal law, for unauthorized uses and disclosures of PHI.

Health care organizations must also consider any state or professional obligations for maintaining patient health records. The Privacy Rule does not include a requirement for medical record retention, an item typically covered by state law. Occasionally state law requirements can be complex.

If there is no state law, a medical board may provide a policy or recommendation. For example, California state law sets the requirements for how long treatment records must be maintained. There is some variation by the type of facility creating the record and the type of record.

Basically, the treatment records of a hospital or a clinic must be maintained for seven years after the date of last treatment encounter. However, for children, the record must be maintained from the date of the last encounter until the person attains the age of 19 or for seven years, whichever is longer. For example, for a child who is 8 years old at the end of treatment, the record must be maintained for 11 years. For a child who is 14 at the end of treatment, the record must be maintained for seven years.

Requirements for Handling PHI
In general, health care organizations hire a vendor to process and dispose of analog X-ray film. Handing over the X-ray to the contractor means it has been provided access to a patient record containing PHI. Under HIPAA, when a CE hires a BA to process or dispose of PHI, it must enter into a BAA.

To safeguard patient privacy, PHI in patient records such as X-ray film may be disposed by "shredding, burning, pulping, or pulverizing the records so that the PHI is unreadable or indecipherable and cannot be reconstructed." The BA may pick up the records from the CE, dispose of them, and then deposit them into a landfill or other appropriate area. CEs may also maintain PHI for disposal in a secure area until it is picked up by a disposal vendor for destruction.

Failure to handle PHI in compliance with HIPAA can result in penalties and corrective action plans to ensure future compliance with the privacy standards. In 2016, a North Carolina orthopedic practice entered into a resolution agreement with the Office for Civil Rights in which it paid $750,000 to settle claims it had violated the HIPAA Privacy Rule when it hired a company to convert X-rays into electronic media, which then enabled the vendor to harvest the silver from the X-rays. The health care provider violated the HIPAA requirements by not entering into a BAA with its service provider to ensure the patient information on the X-rays was safeguarded from unauthorized disclosure.

Vendor Trustworthiness
Health care providers face numerous challenges in managing business partner relationships. As HIPAA-covered entities, they must identify every vendor, contractor, and supplier that will handle or have access to PHI. Health care organizations recognize that ensuring the confidentiality of their PHI means having a vendor management program in place to monitor and enforce the promises to safeguard data made by their contractors and vendors.

Health care organizations can increase confidence in their vendor relationships by being selective and vigilant when embarking on new BA relationships. Careful vetting during the vendor selection process is a recommended method to obtain assurances that a BA is protecting the confidentiality of PHI. To start the vetting process, health care providers can require prospective vendors to complete an information questionnaire to gauge what policies and processes they have in place to safeguard PHI from unauthorized disclosure. Obtaining this information will enable health care organizations to assess the maturity of the vendor's program. Undertaking this review prior to contracting can provide clues to potential gaps and compliance issues that should help the CE determine whether the vendor is a suitable candidate with which to enter into a BAA.

Effective vendor management requires building strong BAAs with both new and existing vendors. First, an airtight BAA should hold the BA accountable in the event of a breach. This can be achieved by having an incident management plan in place that sets forth the duties of the parties in the event of a breach, requiring a tighter schedule for breach notification (24 to 48 hours after becoming aware of the incident) and requesting indemnification provisions to cover the costs of breach notification. Also, a predetermined plan for handling PHI when the business relationship terminates must be established.

Health care organizations choosing to reclaim silver emulsion from X-ray films must craft a carefully planned approach that prioritizes patient privacy and includes a thorough vetting of potential contractors.

— David Holtzman, JD, CIPP, is vice president of compliance strategies at CynergisTek.