New rules make it more important than ever to be proactive in ensuring compliance
The final “Omnibus” Health Insurance Portability and Accountability Act (HIPAA) rule announced earlier this year includes numerous provisions that, if violated, could result in a medical practice being fined thousands of dollars. Fortunately, there are steps doctors can take both to ensure that they are compliant with HIPAA and to protect themselves financially if they are not.
Although the original HIPAA legislation, passed in 1996, affects many aspects of medical practices, the primary focus of the Omnibus rule is on strengthening HIPAA’s privacy and security protections for patients’ protected health information (PHI). That’s because the Omnibus rule revisions stem from the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, explains Robert Tennant, MA, senior policy adviser for the Medical Group Management Association-American College of Medical Practice Executives (MGMA-ACMPE).
“The HITECH Act was the same legislation that included the billions of dollars of incentives to providers to adopt electronic health records (EHRs),” Tennant says. “The argument at the time was, if we’re going to be storing and transmitting patients’ data electronically, we need to ensure to a greater extent the privacy and security of that data.”
“Electronic health data is fundamentally different from paper [data] both because there’s more of it, and because it’s easier to lose and to alter inadvertently. That’s why HHS (the U.S. Department of Health and Human Services) is so adamant about enforcement,” adds Kenneth Rashbaum, JD, a health law attorney with Rashbaum Associates in New York, New York.
The Office for Civil Rights (OCR) is responsible for enforcing the HIPAA privacy and security rules, which it does by investigating complaints and conducting compliance reviews (audits) of businesses and organizations covered by the rules. OCR has posted case examples and resolution agreements on its Web site. OCR also posts cases involving breaches of unsecured PHI affecting 500 or more individuals. (See “Resources and additional information.”) The latter is sometimes referred to as the “wall of shame” by practice consultants and information technology (IT) security experts, Tennant says.
So what can you do to keep your practice off the “wall of shame”? The short answer is, be proactive. “As they say in sports, the best defense is a good offense,” Tennant says. “That’s why we are encouraging our members to be really aggressive in taking the necessary steps to prevent that breach from occurring in the first place.”
Although it is possible to hire a security expert to conduct a “soup to nuts” security risk assessment, the cost is usually prohibitive for a small medical practice. Tennant recommends instead that physicians use the wide variety of resources, many of them free, available through the government and professional societies and organizations to identify the steps they need to take to make their practices HIPAA-compliant. (See “HIPAA resources and further information.”)
Broadly speaking, those steps fall into two categories. The first is safeguarding patients’ PHI so that it is not lost, stolen, or otherwise subject to unauthorized access. In this, the biggest vulnerability most practices face comes from mobile devices such as smartphones, laptop computers, and tablets (“anything that can store electronic information and is easily picked up and carried,” Tennant says) because they are so easily lost or stolen.
Fortunately, a solution to the problem is readily available in the form of encryption software. In fact, Tennant says, under the HIPAA rules a lost or stolen mobile device is not treated as a breach as long as the PHI on it is encrypted. The software is relatively inexpensive and available at most places computers are sold. “It’s a very reasonable step for a practice to take. There’s really no excuse not to do this,” Tennant says.
Beyond encryption software and other electronic protections such as firewalls, practices need to establish written policies and procedures describing how they safeguard PHI and what remedial steps they will take if a breach occurs. Auditors look for results of HIPAA security assessments and concrete steps such as the appointment of an information security officer. In addition, “they’ve been looking for proof of implementation of policies and procedures. So it’s not enough just to have the written documents, you have to prove that you’ve actually put them into practice,” Rashbaum says.
A key element in the implementation process is making sure that staff members are trained in security measures. Angela Dinh Rose, director of health information management for the American Health Information Management Association, suggests ending HIPAA training sessions with a quiz, and putting the results in employees’ files as proof that they’ve received the training.
Staff training may have the additional benefit of defusing patient concern over a privacy issue before it goes any further. A patient with such a concern likely will first speak to the practice receptionist or other front-office staff person. The staff member needs to treat the complaint seriously, Tennant says, and have the patient speak with the office manager or privacy officer.
“Patients who feel they have not had their grievance addressed are the ones most likely to lodge a complaint with the government,” Tennant says. “It’s better to deal with the issue internally, and maybe issue an apology if appropriate, and of course identify and correct the problem.”
The second major area of vulnerability for many practices lies in relations with business associates (vendors and service providers) with access to patient PHI. These can range from billers and coders, to document shredders, and now health information exchanges. Under the new HIPAA rules such business associates are considered covered entities, meaning they are responsible for securing and guarding PHI in the same way that practices are, and are subject to the same penalties for violations.
The extent of a medical practice’s liability in case of a breach caused by a business associate has not yet been established, but Rashbaum recommends reviewing contracts with vendors that have PHI access to ensure they have all the elements HIPAA requires. (For sample business associate contract provisions, see “HIPAA resources and further information.”)
Vendors that service multiple physician practices may have standard agreements that they ask their customers to sign. An attorney should review any agreement to ensure HIPAA compliance before signing, Tennant says. Better yet, he adds, try to have the vendor sign your agreement and let them incur the cost of a lawyer’s time.
Of course, even putting all the right safeguards in place can’t guarantee that a breach won’t occur or that a practice won’t be fined after an audit. For such cases, insurance companies have recently started offering cyber insurance policies. Coverage under such policies varies depending on the type of business, says Dean Sorensen, chief executive officer of Sorensen Informatics, Inc. in Lombard, Illinois, and a licensed insurance agent. For small medical practices, he adds, the coverage areas to look for are:
Policies currently are offered through the Beazley Group, The Hartford, The Travelers Insurance Group, and Zurich Insurance Group. Costs generally range from about $400 to $1000 annually, Sorensen says, depending on the size of the practice and what is covered.
As with most other forms of insurance, obtaining a cyber insurance policy requires underwriting, usually in the form of a data security checklist. “Basically it’s saying ‘I’ve done the following things to make my data secure. I have these procedures in place, I have these applications in place,’” Sorensen explains.
Even though the underwriting process is time-consuming, it also benefits the practice by forcing it to look at all its security measures. “They might see they’re focusing on the wrong kinds of things, or overlooking something as simple as not locking the door at night,” Sorensen says. It also helps ensure that the practice’s security measures are HIPAA-compliant, since there is considerable overlap between commercial underwriting and HIPAA security requirements.
Although it’s not covered by HIPAA, Sorensen also recommends practices take steps to ensure they are following the Payment Card Industry Data Security Standard (PCI-DSS) when storing, processing, or transmitting patient credit/debit card information. “The actual breach of the credit card information is not PHI, but if there’s a breach on the PCI-DSS side, it shows someone can get into my system, which means I have exposure on the HIPAA side as well,” Sorensen says.
Here are links to resources and additional information doctors and practice managers can use to ensure they are in compliance with Health Insurance Portability and Accountability Act (HIPAA) rules:
The complete text of the HIPAA Omnibus Rule is available at: http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
The Office for Civil Rights’ (OCR) sample provisions for a HIPAA-compliant business associate’s agreement can be viewed at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
OCR’s guide to conducting a risk analysis is at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidance.html
The definition of what is considered a “covered entity” under HIPAA can be found at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html
A comprehensive “HIPAA Security Rule Toolkit” prepared by the National Institute of Standards and Technology (NIST) is available at: http://scap.nist.gov/hipaa/NIST_HSR_Toolkit_User_Guide.pdf
The NIST “Guide for conducting risk assessments” is available at: http://scap.nist.gov/hipaa/NIST_HSR_Toolkit_User_Guide.pdf
OCR’s list of breaches affecting 500 or more individuals can be viewed at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidance.html
A detailed description of OCR’s HIPAA enforcement policy, along with enforcement-related data, enforcement highlights, and case examples and resolution agreements can be found at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/index.html