HIPAA stands for the Health Insurance Portability and Accountability Act, which first appeared in 1996. Initially, HIPAA’s vagueness made if confusing and most small and medium-sized medical entities saw it as voluntary because there was little enforcement through the Department of Health & Human Services (HHS). [Also, don’t call it HIPPA or confuse it with a HIPPO.]
HIPAA’s lack of enforcement changed thirteen years later when the U.S. Congress passed the HITECH Act (Health Information Technology for Economic and Clinical Health) as part of the 2009 American Recovery and Reinvestment Act. This act added “teeth” to the legislation by empowering the Office of Civil Rights (OCR) to enforce HIPAA’s policies with a minimum penalty of $50,000. It also stated that “a medical entity’s reasonable lack of knowledge of a violation…is no longer accepted.” Ouch!
In 2013, HIPAA’s reach extended by requiring Business Associates (BAs) to comply with HIPAA and be directly responsible for data breaches. This change meant IT firms like ours are legally liable for protecting our clients’ data. From that point on, any company that touches or has access to patient data, whether they are a healthcare provider or not, must comply with HIPAA regulations or accept the consequences. Yes, we are legally obligated to protect your patient data and if we do not, we face steep fines ourselves.
Why should you care about HIPAA?
You are legally responsible for HIPAA and even though the law had little “bite” initially, enforcement is increasing, and that bite got a lot tougher.
The graph to the right shows a steady increase in complaints from 2004 to 2008. In 2009, the number of complaints dropped with the creation of more stringent laws and moving enforcement to the Office of Civil Rights (OCR). In just one year, the number of complaints was back to normal, and they continued to rise more and more each year. In July of 2013 (noted in the graph by the red star), the Office of Civil Rights added a web portal to their website so the public could easily submit complaints. The number of complaints skyrocketed with the accessibility of reporting complaints. Although the 2015 and 2016 numbers are not public yet, OCR expects them to rise to 24,434 and 28,099 respectively (shown in red on chart).
Besides the number of complaints rising, the percentage of investigations with violations is also on the rise! This second chart shows the percentage of investigations that had violations, which dropped from a low of 83% in 2010 to an all-time high of 96% in 2014. That means only 4% of investigations had no violation.
Add to that, OCR considers their work up to 2015 a pilot program and plans to expand their auditing function. In 2016, they received a 9.15% budget increase and 100% of it is allocated to HIPAA Privacy, Security, and Breach Notification Rule Audit Program. Although they collected over $8,000,000 in 2014, the program is just starting to ramp up!
Because the number of complaints, the percentage of violations found, and OCR’s workforce is all increasing, you should be concerned about HIPAA if you are a medical entity or a business that works with medical entities. Don’t think Louisiana is immune to this either. The HHS website lists 28,410 individuals were affected by just three breaches from September 2015-August 2016 due to theft and hacking/IT incident!
While I cannot say they are “coming for you;” I will strongly urge you to prepare for an audit. Remember, not knowing is no longer accepted.
Who Needs to Care about HIPAA?
Any business that creates, stores, edits, or transfers Protected Health Information (PHI) must comply with HIPAA regulations. HIPAA defines PHI as:
- Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse.
- Relates to the past, present, or future physical or mental health or condition of any individual,
or the past, present, or future payment for the provision of health care to an individual.
This data includes any identifier of the patient including treatment, diagnosis, and payment information. ePHI is just the electronic version of PHI, known as Electronic Protected Health Information.
HIPAA breaks businesses into two categories; you are either a Covered Entity (CE) or a Business Associate (BA).
- Covered Entities (CEs) includes health plans, clearinghouses, and providers (doctors, clinics, psychologists, dentists, chiropractors, nursing and hospice homes, and pharmacies).
- Business Associates (BAs) includes a much more expansive list, and HIPAA defines it as any company that comes into contact with PHI or ePHI. A Business Associate may be an IT firm (like My IT), shredding company, document storage company, attorney, accountants, collection agencies, EMR (Electronic Medical Record) companies, data centers, transcriptionists, and many more.
HIPAA also requires all CEs to have a BA Agreement (called a BAA for short) with each Business Associate they work with directly. If you are a Covered Entity, and you do not have a BAA with your IT firm, then your IT firm is putting you and your PHI at risk, and OCR can severely fine you for it.
Because most healthcare businesses now have over 80% of their patient data electronically, your IT team (whether that is an internal IT department or an outsourced IT firm) must understand HIPAA and they should advise you on protecting yourself. Even if an IT firm has multiple medical clients, don’t assume they understand HIPAA. Not requiring a BAA to do business with them is the first sign that they are completely clueless about HIPAA.
What Really is HIPAA?
Let’s dig in further. HIPAA, as it stands today, is made up of 3 main aspects: Privacy, Security, & Breach Notification.
HIPAA Privacy Rule
Congress updated HIPAA in 2003 [date required for compliance, not the date the law passed] by defining what is PHI (Protected Health Information) explicitly and what privacy regulations medical entities must comply with these regulations. This ruling gave patients specific rights in regards to their medical records, created civil and criminal penalties for violations, and required all Covered Entities to provide a Notice of Privacy Practices (NPP) to patients. It also required all Covered Entities and most Business Associates to have a Privacy Officer.
Your Privacy Officer must know all of HIPAA’s Privacy Rules, be to a go-to person in your organization for privacy questions (including having a method to ask questions anonymously), and be responsible for your organization’s privacy policies. Your Privacy Officer must make sure the organization follows these privacy policies and this role is part of his/her job description and evaluation.
The HIPAA Privacy Rule’s Safe Harbor verbiage defined the 18 elements of Protected Health Information (PHI & ePHI) that must be de-identified or encrypted before sharing that data:
HIPAA Security Rule
Two years after Congress passed the Privacy Rule, they put the Security Rule in place. It defined ePHI (Electronic Protected Health Information) and protected it from loss and unauthorized access. The Security Rule also requires Covered Entities and most Business Associates to name a Security Officer, which can be the same person as the Privacy Officer.
Like the Privacy Officer, the Security Officer, must have this role as part of his/her job description and be evaluated on it. The Security Officer must oversee the implementation of the Security Rule, be responsible for training the company, and makes sure the organization follows security rules.
The Security Rule requires Covered Entities to ensure the confidentiality, integrity, and availability of all the ePHI they create, maintain, or transmit. Moreover, to identify and protect against reasonably anticipated threats to the security and integrity of the info as well as protect it against reasonably anticipated, impermissible use or disclosures. Of course, it also required that the entity ensure workforce compliance of all HIPAA Security Rules.
HIPAA notes three types of Security Safeguards:
- Physical safeguards – how you secure your building and devices
- Electronic Safeguards – how you secure your connectivity and access
- Administrative – how you implement policies and train your workforce
Luckily, HIPAA is flexible when it comes to security. While not knowing is not acceptable, they do take into consideration:
- Your size, complexity, and capabilities,
- Your technical, hardware, and software infrastructure,
- The costs of security measures, and
- The likelihood and possible impact of potential risks to ePHI
This flexibility means they do not hold a single medical provider to the same standards as a large hospital or insurance company. HIPAA does require that CEs review and modify their security measures to continually protect ePHI since the technology environment is ever changing. You can not leave your plan from 2012 untouched for ten years. Make sure you document your plan, changes, and future plans well and do regular assessments to show continual improvement.
HIPAA’s Breach Notification Rule
HIPAA defines a breach as any time that PHI or ePHI is out of the control of an authorized person contracted by the Covered Entity or Business Associate. This occurrence includes any time PHI is used or viewed inappropriately, even if it appears to be a simple mistake like giving the wrong folder to a patient or leaving a voicemail on the wrong phone. In both incidents, a person not authorized to do so viewed protected patient data.
When a breach occurs, you should use a 4-Factor Assessment to determine if you need to notify people, which includes:
- Look at the nature and extent of the PHI/ePHI
- Evaluate the unauthorized person
- Was it actually viewed/acquired?
- The extent to which the risk was mitigated
HIPAA requires you to have a written breach response plan and policy, which identifies a response team with a team leader and lists your steps to carry out a notification. Your plan must include offering credit monitoring for those affected, as well as a toll-free phone number for information and questions that is listed on your website. As the covered entity, you must notify the affected individuals within 60 days of the incident. (Business Associates do not notify affected individuals, just Covered Entities.)
You also must report all breaches to HHS (Department of Health & Human Services), but the urgency varies on the magnitude. If the breach affects less than 500 individuals, you must report the breach within 60 days of the end of the year [basically, by March 1]. If the breach involves over 500 individuals, you must notify HHS within 60 days, and you must issue a press release to the local media outlets.
Notifying the media will deal a major blow to your organization’s reputation, and you can expect a fine from OCR (Office of Civil Rights). That fine can be up to $1.5 million per incident, per year [remember neglect and not knowing is not acceptable]. You will also incur legal fees, the cost of implementing your breach notification plan and the time spent dealing with the breach. Needless to say, it is better to be proactive and preventative when it comes to protecting PHI.
Congress created the Meaningful Use plan as part of the American Recovery and Reinvestment Act of 2009 to provide financial incentives to healthcare providers to implement Electronic Medical Records (EMR) systems. The plan specifies three main components:
- The use of a certified EHR in a meaningful manner.
- The electronic exchange of health information to improve the quality of health care.
- The use of certified EHR technology to submit clinical quality and other measurements.
The legislation also requires every medical practice and hospital that used the Meaningful Use tax credit to do risk assessments! These assessments must include noting the location and storage of all ePHI, how it moves within and in & out of the organization, and it must identify all security vulnerabilities to both PHI and ePHI. Secondly, you must manage your risk to your ePHI’s confidentiality, integrity, and availability. You need to identify how you will protect your PHI from any reasonably possible threat and identify how you will eliminate, avoid, or minimize those risks.
The scary part is that most organizations are not compliant with these rulings and the HHS knows it. Based on their website, in 2013, 60.6% of office-based physicians in Louisiana have NOT met the criteria for meaningful use of electronic health records! Not meeting the requirements for a federal tax credit is not good.
Our Role in HIPAA
Most people do not think of an IT firm when they think of HIPAA. Obviously, most people think of doctors, hospitals, and patient records. Because so much of PHI is now electronic, or ePHI, IT firms must be prepared to help their medical clients and to protect themselves.
As a Business Associates, especially because we have access to your ePHI by having a server and workstation passwords, we must be compliant with HIPAA too. We are required to have HIPAA risk assessments, have HIPAA specific policies and procedures, and we must train our workforce in HIPAA as well. Most importantly, we must deliver HIPAA compliant services and assist our clients with their HIPAA compliance. Since many of our medical clients do not understand network security and do not have the tools required to secure patient data, we have been educating them on HIPAA and have become an advocate for protecting PHI.
This is obviously a long post because HIPAA is a big deal with many intricacies. This post is also just the tip of the iceberg. Some key takeaways for you whether you are a medical practice or a business that works with medical clients:
- Be proactive and plan for audits
- Regular assessments are a must
- Identify your compliance officers, train them and have them train your team
- Document what you have done and what you plan to do
In the end, you need to create a culture of compliance within your organization.