HIPAA contains thousands of pages of many restrictions with more detail than the average non-IT person understands. We all have experienced the bank notifications where businesses we do business with have exposed our financial data due to lack of security to detect malware that a vicious person(s) installed to capture data. This is what HIPAA is trying to prevent on the healthcare side whether that information is verbal or electronic. It is my goal is to make the federal rules as simple as possible and meaningful enough for providers to check their processes from this article.
HIPAA Privacy has been required since 2003. As you may recall, this is when the privacy notice of uses came out, access to billing systems needed passwords, the release and authorization became more strict, consent for care were required, along with restricted access to patient information based on job type. Privacy addressed what healthcare businesses could do with Protected Health Information (PHI) which is limited to Treatment, Payment and Operations unless the provider has specific permission from the patient. The privacy notice has changed and can be downloaded from the OCR website at http://www.hhs.gov/ocr/privacy/
HITECH Review and Update
HITECH Security provisions have been required since 2009. This expanded the privacy provisions greatly. What many providers do not understand, since they are very similar language, is the security provisions apply to ALL electronic means of communicating, storage and access to PHI. Many providers believe that since they have an EMR this is taken care of by the software vendor. I want to help providers understand the risk related to the security provision.
Do you text patient name and information for surgery schedules?
Do you text the physician at the hospital to see a patient while he is there?
Do you text clinical partners or company associates who may be taking call with patient information?
Do you access PHI via a mobile device, of any kind?
Do you or your staff download accounts receivable reports to your PC’s, email those reports? Many A/R reports contain PHI and if your PCs or mobile devices are not encrypted, that is a risk.
Do you email patients? IF you do not have a secure email system for your business, this could be a violation.
Are you performing via an independent IT consultant and audit of your IT network, PCs, and mobile devices? This is required.
The Omnibus Rule was effective September 2013 and in short expands all the requirements of a Covered Entity (Healthcare Provider) to the Business Associate (BA) or contractors. Now all BA or contractors that have access to, whether they use it or not, are required to meet all the same requirements which include but are not limited to:
Privacy and Security Policies
Annual IT Audit of the network and devices
Internal controls and monitoring, such as restricting access based on need
Storing data on encrypted drives
A breach occurs when PHI is sent to the wrong person, disclosed to someone outside of treatment, payment and operations without an authorization, PC or mobile device that is NOT encrypted is stolen and contains PHI, to name a few. If a breach impacts less than 500 patients, you must track and notify OCR within 60 days of the end of the year. If greater than 500 patient records, you must notify OCR within 60 days of the breach.
This is something I strongly recommend all providers look into. The costs of a breach are substantial, even if the penalties have not been as substantial as they could be up to this point. Keep in mind the costs of a breach include patient notification, an attorney, paying for monitoring, and much more. Compliance/Breach Insurance cost is minimal compared to the legal fees and corrective action process that is required whether it is a billing/coding compliance issue or a HIPAA breach. Keep in mind if your medical malpractice policy has any compliance insurance at all it is minimal $25-$50K, which in an investigation is used up quickly. There are some providers that have professional liability insurance which has zero compliance insurance. Considering the cases I work on, if providers would have had any compliance insurance, it would have prevented financial destruction.
As you can see, the requirements have been out for a few years and all the webinars I have attended in 2014 indicate, The Office for Civil Rights (OCR) and Health and Human Services (HHS) are looking to reduce the “pass” for not having the provisions fully implemented. Based on what I am seeing, the willingness to negotiate is diminishing across many government sectors.
The costs of HIPAA breach: What should you do?
Assess when the last time your HIPAA Privacy and Security Program was updated, if all policies and forms have not been revised since 2013.
Assess what your staff is doing and ensure it is compliant with HIPAA.
Find an outsourced IT Provider that is experiences in IT Network Audits for HIPAA purposes. I am being very specific here because there are many IT providers with different experience and specialties just like physicians. If you are having a baby, you don’t want to see a ENT, right? In addition, get multiple proposals and compare apples to apples.
HIPAA has become an ugly hippo that has serious teeth for fines, penalties and notification costs. Don’t wait, perform your assessment now and reduce your risk of breach, ensure compliance and reduce potential penalties.
There are thousands of pages of legislation regarding these rules; hopefully, this made it simple enough to identify where you may have exposure to reduce your business risks. Keep in mind many states have their own privacy rules, such as Texas which passed House Bill 300 back in 2012. The provider will need to implement the stricter of the two policies, which may be pieces of state and pieces of federal rules to make your policies and training accurate for your organization.
Angela Miller, CMC, CHC, President of Medical Auditing Solutions LLC, has over 19 years in billing and collections and healthcare compliance program. Ms. Miller is happy to answer any questions at Angela@MedicalAuditingSolutions.com.