A breach or poor audit result can undo years of a physician’s hard work
Practices that send e-mail appointment reminders, upgrade their technology, or contract with third party vendors should beware. Absent proper protocols, such actions can expose providers to risk.
Indeed, compliance with the Health Insurance Portability and Accountability Act (HIPAA) is now far more complex than it was before regulators cracked down, delivering bigger fines and aggressive enforcement.
“I think many practices are looking at HIPAA as it used to be and enforcement as it used to be and we don’t live in that world anymore,” says Jeffrey Zeskind, MS, chief executive officer of HIPAA-Consultants.com, a privacy compliance consulting firm in Miami, Florida. “There are a lot of hospitals, clinics and medical groups out there hoping they don’t get any attention from the government and that’s foolhardy. In the event of an audit, good intentions aren’t enough.”
7 ways to prepare for 2016 HIPAA audits
Despite widespread awareness of the need to store and send sensitive patient data securely, physicians and practices run afoul of HIPAA rules on a regular basis, which opens the door to both civil and criminal penalties. Others invite formal complaints by failing to communicate with patients effectively and undertraining their staff.
Indeed, as more audits are conducted and penalties grow more severe, practices must put safeguards in place to protect not just their patients but themselves. To that end, it helps to explore the HIPAA mistakes that ensnare healthcare providers most often, but are easy to avoid.
Failure to keep current is first among the major HIPAA mistakes, says Robert Tennant, director of health information technology policy for the Medical Group Management Association in Englewood, Colorado.
For practices that have moved to an electronic health record in particular, he notes, the changes in data capture, storage and transmissions requirements have been significant.
“I would argue it’s an excellent time to review and update your privacy policies.”
HIPAA requires healthcare providers to develop and follow procedures that ensure the confidentiality and security of protected health information, or PHI. But the rules have changed dramatically since 1996 when they were first enacted by Congress. The Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009, for example, not only toughened breach notification laws, but applied HIPAA standards to healthcare provider’s business associates (BAs), including software vendors, data analysts and claims processing firms.
To ensure compliance, providers must now generally get a signed business associate agreement from third-party vendors that process PHI. The contract should spell out explicitly how a BA should report and respond to a data breach, including those caused by a subcontractor.
More recently, the HIPAA omnibus rule of 2013 increased penalties for violations, strengthened enforcement strategies and gave patients the right to withhold information from their health plan if they pay for a test or procedure out of pocket. As a result, practices must now have processes in place to redact those documents in the event that a health plan requests a copy of that patient’s medical record, says Tennant.
Because the omnibus rule now permits patients to review and request copies of their electronic medical record, practices must also ensure that they are able to produce such records in the required 30-day time frame, and to do so in the format requested (PDF, Word file, etc.) “The bottom line here is that practices should review and update all of their policies and procedures every year to be sure they remain compliant,” says Tennant.
Under HIPAA, access to PHI is limited to those who need it to do their job. That includes clinical staff. (That standard does not apply to exchanges among providers for treatment purposes.)
According to Steven Waldren, MD, director of the American Academy of Family Physician’s Center for Health Information Technology, the most common HIPAA violations, he says, come from within. Indeed, a 2011 survey by data security firm Veriphyr, in Los Altos, California, found that more than 70% of the organizations studied experienced at least one breach of PHI during the previous 12 months, and that employees were responsible for a majority of them.
Some 35% viewed the health records of fellow employees and 27% accessed records of friends and relatives. All practices should require user authorization, and protect workstations with passwords and PIN (personal identification number) codes, that get changed regularly, to prevent unauthorized access, says Waldren.
Practices frequently become lax when it comes to verbal communication, says Michael Mirro, MD, a cardiologist in Ft. Wayne, Indiana, and past chair of the American College of Cardiology’s Informatics and Health IT Task Force.
“Conversations about patients in the office are not permitted where other patients and even staff can hear what you’re saying,” he says. “If someone in the waiting room overhears that Mrs. Jones has metastatic breast cancer, that’s a violation of her privacy, and in a smaller community where everyone knows each other that’s particularly not good.”
Oral communications, like any other, are subject to the “minimum necessary” standard. As such, practices should develop and implement policies that reasonably minimize the amount of PHI used, disclosed and requested. Specifically, a policy should identify the persons within the practice who require access to PHI to perform their jobs, the categories or types of PHI needed, and the times when it is appropriate to access that information.
Standard protocols are generally sufficient for regular or recurring requests, but non-routine disclosures and requests for PHI should be considered on a case-by-case basis.
Practices are considered non-compliant if they haven’t designated both a privacy and a security officer (who may be one and the same) among their current staff, a detail many smaller healthcare practices overlook.
Under HIPAA, the privacy officer-often the business manager-is responsible for overseeing all activities related to the development, implementation and maintenance of your practice’s privacy policies. Similarly, the security officer must take steps to protect patient data that is held or transferred in electronic form by establishing both technical and non-technical safeguards. The security officer also should help educate staff on any changes to HIPAA rules.
Security and privacy officers, however, need not work directly for your practice. They can be outside consultants, attorneys or other qualified third parties. Zeskind notes that contracts with third party officers should spell out the effective dates of their service and describe their job responsibilities in detail, including whether they will provide a full security risk analysis (SRA), corrective action plan, and customized policies and procedures. To protect themselves further still, practices should ensure that all consultants have errors and omission professional liability insurance in case they make a mistake, he says.
It’s worth noting that several organizations, including the Healthcare Information and Management Systems Society (HIMSS) and the American Medical Association, provide free privacy and security toolkits to help officers meet HIPAA compliance. The toolkits help explain the revised rules, provide guidance on best practices for updating their existing HIPAA policies and procedures, and contain templates of documents practices will need to update and distribute.
Medical practices must also secure their digital devices. Laptops get hacked. Smartphones get stolen, and tablets go missing. These things happen, but if they happen on an unsecured device and PHI is involved, the provider can land in hot water. Such offenses can result in hefty fines, depending upon the degree of negligence involved.
The easy way around that is to ensure that all company-owned devices and mobile devices are encrypted to prevent unauthorized access. That way, even if your device is lost or stolen, it won’t be considered a HIPAA privacy breach. “Encryption is your ‘get out of jail free’ card,” says Tennant, noting that this is an area where most practices still fall short. “We strongly recommend that mobile technology either not contain PHI or if it must that it be encrypted.”
Encryption is the process of converting data into an unreadable format by the use of algorithms. HIPAA has long required that data in transit be encrypted, but now requires the same security controls for data at “rest,” too–meaning data stored on their server, computer databases and flash drives.
It’s not technically difficult and costs less than $100 a year to encrypt a hard disk, but many practices prefer to hire an IT specialist. “It’s fine to use a consultant, but make sure they’re well-vetted,” says Zeskind. “To save money, many small firms go with Uncle Bob, who knows how to put together a network, but knows nothing of security and privacy.”
Email and text messaging are a major source of HIPAA violations. Email messages sent to patients, says Mirro, should never contain personal health information. They may, however, notify patients that a message awaits them in the practice’s secure portal.
Before hitting send, however, keep in mind that employers have the right to read any email sent or received from a work email account. A seemingly benign message from an oncology center that confirms the patient’s (employee’s) appointment may be enough information to compromise their employment, says Mirro.
Practices should never send PHI via email in response to a patient’s request, because the patient’s identity cannot be confirmed. “My nurse or I always reply, ‘I will call you,’ so we can be sure we’re actually talking to the patient and not someone who jumped onto their email,” says Mirro.
Providers should ensure that e-mail contains the minimum amount of information needed, should verify the e-mail address of the recipient, and confirm that the patient wants to receive emails from their office.
Text messages, while efficient, are more problematic still. Nurses who text status updates on patients to doctors are violating HIPAA rules. So, too, is the physician who sends protected patient information to other doctors via an unsecured service–doubly so if they peck out a message where others can see. HIPAA-secure messaging exists through vendors such as Doximity and
TigerText, which also enable users to remotely delete text messages in the event they are sent to the wrong person or a mobile device is lost or stolen.
HIPAA security rules require healthcare organizations to conduct a security risk assessment (SRA) to ensure compliance with administrative, physical, and technical safeguards. Some practices, however, perform the assessment once and consider it done.
That’s a mistake.
The rules require healthcare organizations to conduct an SRA at least annually, and more often if they’ve upgraded their technology, executed a spinoff, or otherwise exposed their practice new potential risks. Waldren says practices must perform an assessment annually, update their procedures for maintaining security, identify any security risks found, and document what steps they have taken to mitigate those risks.
“The number one mistake I hear is not fulfilling the documentation requirements for security audits and failing to update it on an annual basis,” says Waldren, noting those documents can simply indicate that nothing has changed, but it must still be put in writing.
Practices must also train all workforce members, including employees, independent contractors, volunteers, and student interns and document that to cover themselves in the event of an audit, says Zeskind.
Health plans and covered healthcare providers are required to develop and distribute to patients a notice of privacy practices, or NPP. The NPP is a document that explains in clear, user-friendly language patients’ rights to their personal health information and the privacy practices of your office-or at least it should.
Specifically, the NPP should describe the types of disclosures that HIPAA Privacy Rules permit the practice to make without authorization, including treatment, payment and healthcare operations, along with at least one example of each. And it should describe each of the other purposes for which the practice is permitted or required to use or disclose PHI without the patient’s authorization, including family members involved in the patient’s treatment or payment for care, to avoid serious threat of harm to the patient, or to a relevant business associate.
“A lot of practices simply copied something off the Internet and produced it for their patients, but they literally have not reviewed it since they created it more than 10 years ago,” says Tennant. If your practice now offers the option of receiving appointment reminders via text message, for example, the NPP should be revised to communicate the risks to patients. It should also give them the right to opt out of receiving messages from your office via email or text.
Practices that don’t have a written process in place for handling privacy complaints are setting themselves up for problems.
“Everyone needs to be trained on HIPAA, but the staff at your front desk who deal with patients specifically need to know what to do if a patient comes forward and says, ‘I think my information was disclosed inappropriately,’” says Tennant.
Such patients should be taken directly to the privacy officer so their concerns can be addressed promptly. “Don’t shoo them away, or tell them you’ll have a manager get back to them,” he says. “Those are the patients who are most likely to lodge an official complaint (with the Office of Civil Rights) and a lot of these issues can be resolved simply by good communication between the practice and the patient.”
Most states have their own privacy laws that deal with PHI, and some have sharper teeth even than HIPAA.
Practices that do business in multiple states must ensure their policies comply with all relevant rules. HIPAA does not preempt state laws that are more restrictive. Where such rules differ, the one that benefits patients the most supersedes, says Zeskind.
“The bottom line is, if you’re going to do training, or have an auditor come in and check for compliance and security risks, you should address all state and federal privacy rules together,” he says.
Any state laws are more restrictive than HIPAA must be noted in the NPP document. To protect their practice in the event of an audit, employers should err on the side of complying with both federal and state rules. Regular staff training on all relevant privacy rules is a must, says Zeskind.