Be proactive to avoid HIPAA violations

April 24, 2014

Keeping patient data private has never been more important, and requires medical practices to navigate a web of mandates, analyses, and agreements.

When it was first introduced in 1996, the Health Insurance Portability and Accountability Act (HIPAA) aimed to make it easier for patients to transfer their health coverage from one carrier to another, and move their records from one physician to the next. But in recent years the focus has shifted almost exclusively to data privacy and security.

The timeline of this evolution is full of numerous milestones, additions, and modifications to the initial law. The latest, and perhaps the most sweeping, modifications to HIPAA come by way of the so-called HIPAA Omnibus Rule. The main message of the omnibus rule: data security must be taken seriously. And if it’s not, the consequences will be significant.

The original HIPAA language included “administrative simplification” provisions. These provisions required the U.S. Department of Health and Human Services (HHS) to adopt national standards for electronic healthcare transactions, unique identifiers for both patients and health plans, and security. While those standards were being developed, Congress recognized that the proliferation of electronic patient records was making it more difficult to keep these records private.

“Portability and privacy were conceptually linked hand-in-hand from the very beginning,” says Tim Adelman, JD, shareholder at the law firm LeClairRyan in Annapolis, Maryland.

Because health data was being stored electronically and providers and health plans were being asked to transport it from one health plan or provider to another, “one of the concerns was, how do we make sure this stuff stays private,” Adelman explains. As technology evolved, new ways of  storing, transmitting, and sharing data electronically were created, making secure portability of data more important than ever.

The importance of security
The HIPAA Privacy Rule, which went into effect in 2003, began to address those concerns by setting standards for protecting personal health information (PHI) maintained by covered entities (physicians, hospitals, healthcare organizations, health plans and clearinghouses.)

In 2005, the HIPAA Security Rule went into effect. It set standards for protecting the integrity and availability of protected health information stored electronically.

There wasn’t a strong mechanism in place to enforce the HIPAA privacy and security rules until 2009, when the Health Information Technology for Economic and Clinical Health (HITECH) Act passed. Under HITECH, the 2006 HIPAA Enforcement Rule was modified to create guidelines for covered entities to notify patients and HHS when a breach occurs. It also created penalties of up to $1.5 million for HIPAA violations.

Next: The Omnibus Rule, building procedures & privacy policies

 

The Omnibus Rule modifies the HIPAA Privacy, Security, Breach Notification and Enforcement Rules by expanding patient rights and enforcement. It also strengthens the privacy and security rules, says Mick Coady, principal and co-leader of PwC’s health information, privacy and security practice.
For physicians, compliance requires attention to three areas:

  • privacy, security and notification policies

  • and procedures;

  • notice of privacy practices; and

  • business associate relationships.


In addition,  physicians must understand the revised definition of a breach.

Prior to the Omnibus Rule, if there was unauthorized access to protected health information (PHI), the covered entity was required to perform an assessment to determine whether the disclosure posed significant risk of harm to the individual. If so, it was classified as a reportable breach.

Under the Omnibus Rule, however, every unauthorized disclosure, access, use or acquisition of PHI is presumed to be a breach unless the covered entity can show a low probability that the PHI was compromised.

“One problem with this new definition is that the feds do not define what is meant by the term ‘compromised,’” says Stephen Rose, JD, chair of the healthcare practice for the Seattle-Washingtonbased law firm Garvey Schubert Barer. “Applying this standard, one is much more likely to find that an improper disclosure of PHI constitutes a breach.”

Building procedures
Because a healthcare organization’s policies and procedures are the foundation on which HIPAA compliance is built, this is likely the most difficult and time consuming aspect of all omnibus compliance activities.

Implementing these new policies and procedures into a medical practice requires:

  • updating privacy policies,

  • updating security policies,

  • creating a breach/incident log,

  • developing a process for providing patients with records,

  • updating incident response plans,

  • performing a risk assessment, and

  • training  employees

Update privacy policy
The revised policy should clarify how, when, and why data is used and shared, with a focus on:

  • The sale of PHI: Under the new rules, the sell of PHI is forbidden unless the patient gives expressed, written consent. This also includes PHI used for research if the covered entity stands to make a profit from the research.

  • Use of PHI for marketing activities:  This is only permitted without patient consent if  the physician does not profit from it, the communication is face-to-face, the product or service is a drug or biologic that the patient is already being prescribed, the promotion is geared toward general health and not a specific product or service, or the program or service is government-sponsored.

  • Disclosure to health plans: Procedures paid for entirely out-of-pocket can no longer be disclosed to health plans without patient consent.

  • Use of PHI for fundraising: Practices that participate in fundraising must provide a clear opportunity for patients to opt out of receiving fundraising communication.

Next: More tips, including how to perform a risk assessment

 

Update security policy
It’s easy to find templates for privacy policies, but more difficult to find security policy templates, says Daniel Gottlieb, JD, partner in the Chicago-based law firm of McDermott Will & Emery. This is because the law sets security standards that are very broad. And the way those standards are implemented is dependent on the specific technology in place at each practice, he says.

Gottlieb advises clients to be specific when drafting security policies and procedures. It’s one thing to say the practice backs up data, but to be in compliance, they must say how often they back it up, where it is backed up and how long it is retained. The same goes for document destruction.

Creating a breach log
Breaches affecting more than 500 individuals must be reported to HHS and the media immediately. But those affecting fewer than 500 need to be documented for reporting on an annual basis.

Each breach incident needs to include documentation of the remedial steps taken after the incident.

Providing patient records
Physicians now have only 30 days to respond to a patient’s request for his or her records. The records must be provided in electronic form unless the patient specifies otherwise.

PwC’s Coady says practices should review the functionality of their electronic health record systems for the ability to respond to patient requests for records.

Update incident response plan
Each practice should have a written policy detailing how a breach incident is handled. This plan should include the process of verifying the incident was a breach as well as the plan for notification.

Performing a risk assessment
A common response heard by risk managers asking to see a practice’s risk assessment is “What’s that?” says Robin Diamond, MSN, JD, senior vice president and chief patient safety officer with The Doctors Company, a malpractice insurance carrier.

A proper risk analysis will look at all of the places where data are captured, stored, moved and shared. It must identify the ways in which the data could fall into the wrong hands and the processes in place to prevent that from happening. The biggest challenge practices face with HIPAA compliance, is that much of the analysis relies on technical expertise, Diamond says.

Next: Training, notices & business associates

 

Workforce training
Practices need to document that every employee has received training on the privacy and security policies and procedures within the past year.

Notice of privacy practices
Under the Omnibus Rule, an organization’s notice of privacy practices (NPP) also need to be updated to reflect the changes made to the practice’s privacy polices. The NPP is the document that explains the law to patients and what the practice’s obligations are under the law. The notice must include:

  • The circumstances under which the covered entity can use or disclose PHI. This must reflect the new rules regarding marketing and fundraising activities, the sell of PHI and disclosure to insurers.

  • An explanation of the patient’s rights and how those rights can be exercised.

  • An explanation of the covered entity’s legal obligations.

  • A contact person who can provide additional information to the patient.

Business associates
One positive development for physicians coming out of the Omnibus Rule, is that they now share the liability for data breaches with their business associates, says Jorge Rey, CISA, CISM, director of information security and compliance with the audit department for Kaufman, Rossin & Company, a Miami, Florida-based accounting firm.

A practice must first identify all of its business associates. Contractors who do not come in contact with PHI are not considered, for purposes of HIPAA, to be business associates. A business associate agreement (BAA) should be drafted for each one who falls under the definition.

The agreements spell out the obligations of the BAs, and their subcontractors, to abide by HIPAA rules, which they weren’t required to do before the omnibus rule. If the BA is responsible for a breach, the notification responsibilities can be fully delegated to them. But Adelman suggests practices retain that responsibility themselves.

“The business associate determines there was a breach and they give notice to the patients,” Adelman says. “The problem with that is, what if it wasn’t a breach and they give notice? Say it was my accounting firm. Do I really want my accounting firm telling my patients they accidentally disclosed all this information and it’s out there?”

He suggests that covered entities include in their BAAs that in the case of an incident, the business associate works with the covered entity to determine if it was a reportable breach. If so, the BA and covered entity determine-together-the message to the patients. The BA can take full responsibility of the cost of notification, however.

HIPAA had long been a set of rules without teeth, so many practices didn’t take it seriously. Diamond says patient attitudes have made it important for practices to comply.
“Consumers know more about the vulnerability of their information and are demanding protection of privacy,” she says.