A PRACTICAL GUIDE TO HIPAA COMPLIANCE
FOR A COMPLIANCE OR PRIVACY OFFICER OF A SMALL OR MEDIUM SIZED HEALTHCARE BUSINESS
TABLE OF CONTENTS
Business Associate Agreements and the Minimum Necessary Standard
5. What is PHI?
Securing your patients' PHI
Patients' Right of Access to their data
HHS Rule for better patient data access
Steps to HIPAA Compliance
Periodic risk assessments
Six common HIPAA violations
Breach notification and Incident Response Management
Can you afford a $50,000 fine for a HIPAA violation? The healthcare industry is extremely vulnerable to cyber attacks and data theft. According to the HIPAA enforcement rule, penalties can reach up to $1,500,000 per year per violation depending upon the type of HIPAA violation.
Look at some of the biggest HIPAA penalties enforced by the Office for Civil Rights:
In October 2018, Anthem Insurance pays OCR $16 Million in Record HIPAA Settlement after a series of cyberattacks led to the largest U.S. health data breach in history and exposed the electronic protected health information of almost 79 million people. OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014.
A Judge ruled in June 2018 that MD Anderson Cancer Center has to pay $4,348,000 in civil money penalties to OCR following an investigation of the theft of 3 unencrypted devices that resulted in a breach of ePHI (electronic Protected Health Information) of over 33,500 individuals.
Fresenius Medical Care North America (FMCNA) is paying 3.5 million dollars with a corrective action plan after 5 separate data breaches in 2012 because they failed to implement policies and procedures and to implement proper protection of PHI (Protected Health Information).
CardioNet has been fined 2.5 million with a corrective action plan after a laptop was stolen from an employee's vehicle. Further investigation revealed insufficient risk analysis and risk management at the company. Their policies and procedures were in draft status and had not been implemented.
One surprise inspection can expose a HIPAA violation and change your business forever. New legislation now allows patients in Connecticut to sue healthcare providers for privacy violations or PHI disclosure as well. You may say that your job as a healthcare provider is only to treat your patients, that you don't need to worry about Cybersecurity or technology. Bear in mind though - it is a fact that Cybersecurity issues can impact and have impacted patient care on several occasions! Protect the integrity of your business and your patients' private health information to avoid a HIPAA violation that could cost you money, respect and patients!
Understanding HIPAA and following the proper steps to comply can minimize your risk for a HIPAA violation.
You may understand that HIPAA violations can lead to fines, but you may also be wondering: What is a corrective action plan? Often, when the Office of Civil Rights (OCR) imposes a fine for a HIPAA violation, they also enforce a Corrective Action Plan with a strict timeline to correct underlying compliance problems and a goal to prevent breaches from recurring.
Covered Entities and Business Associates that handle PHI (Protected Health Information) are required to be HIPAA-compliant.
You may think that HIPAA does not apply to you, take a close look at the requirements to see if you need to comply.
Are you a healthcare provider, health plan or healthcare clearing house?
Health Care Providers like Doctors, Surgeons, Dentists, Psychologists, Podiatrists, Laboratory technicians, Optometrists, Hospitals, Clinics, Nursing homes, organizations in the life sciences field such as medical devices, biotechnology, Pharmacies, schools when they enroll students in health plans or have health clinics or providers, nonprofit organizations that provide some healthcare services, and even government agencies.
Health Plans like Health Insurance Companies, HMOs, Employer-Sponsored Health Plans, Government Programs like Medicare, Medicaid, Military and Veterans’ health programs.
Healthcare Clearing Houses. These are organizations that collect information from a healthcare entity, process the data in an industry-standard format and deliver it to another entity. Examples of clearinghouses include: Billing services, Community health management information systems.
Are you a vendor to a covered entity and have access to PHI to do your work?
"Business associate” refers to any organization or individual who acts as a vendor or subcontractor with access to PHI.
Examples of business associates include: Data transmission providers, Data processing firms, Data storage or document shredding companies, Medical equipment companies, Consultants hired for audits, Electronic health information exchanges, External auditors or accountants, Medical transcription companies, Answering services, Data conversion and data analysis service providers, Law firms, Software vendors and consultants, Financial institutions (if engaging in accounts receivable or other functions extending beyond payment processing), ISPs, ASPs, Cloud vendors, Researchers (if performing HIPAA functions for a covered entity), etc.
4.a. Everything you need to know about Business Associate Agreements (BAAs)
Are you a Covered Entity and are working with business associates who have access to PHI?
It is an important best practice for every covered entity to have signed business associate agreements with your vendors who need access to protected health information (PHI) in order to do their jobs. A business associate agreement is a contract that defines the roles of covered entities and business associates when it comes to handling PHI. We recommend that you contact your lawyer for a business associate agreement as it is a legally binding document that lays out all the responsibilities of business associates regarding use, access, disclosure and destruction of PHI and the rules that the business associate must abide by with respect to training, breach notification, reporting, etc.
Many organizations offer standard Business Associate Agreements that they will sign. Examples are Electronic Health Record systems, secure email providers, secure file sharing/ file transfer companies, cloud backup services, secure fax providers, etc. Be sure to get a signed copy of this.
With so many critical systems moving to the cloud these days, be sure to keep an accurate inventory of all your vendors or business associates, especially those who have access to your PHI or ePHI, and maintain a file with all these business associate agreements so that you have them handy if needed at any time.
4.b. An explanation of "The Minimum Necessary" Standard, and how to use it
A key protection of the HIPAA Privacy Rule that relates to the disclosure of PHI
The Minimum Necessary Standard of the HIPAA Privacy Rule is based on the sound practice that PHI should not be disclosed unless it is necessary to carry out a particular function. A covered entity must take reasonable steps to limit the use and disclosure, and requests for protected health information. Only those who need access to PHI may receive such access, and even so, the PHI should be restricted to the minimum necessary information to carry out the job. For instance, if a healthcare provider's office is being cleaned by a janitorial company, then the provider must take reasonable precautions to ensure that no PHI is accidentally available for access by one of the janitorial staff.
Individually Identifiable Protected Health Information (PHI)
Very simply, any data that can identify an individual is considered individually identifiable protected health information (PHI).
There are 18 such identifiers that can identify an individual - these are:
3. Dates relating to an individual, e.g. date of birth, admission date, discharge date, date of death, etc.
4. Phone numbers
5. Fax numbers
6. Email addresses
7. Social security numbers
8. Medical record or chart numbers
9. Health insurance numbers
10. Account numbers
11. Certificate/ license numbers
12. Vehicle serial numbers or license plate numbers
13. Device identifiers or serial numbers
14. Web URLs
15. IP addresses
16. Biometric identifiers, including fingerprints, facial scan, voice prints and retinal scans.
17. Full face photographs
18. Any other unique identifying code.
HIPAA requires that if PHI is disclosed without authorization for purposes such as research, then it must be de-identified first. As long as the information is masked to the extent that it cannot identify specific individuals, it is not considered as PHI.
5.a.Are you securing your patients' PHI (Protected Health Information)?
|During a site walkthrough at a security risk assessment of a large hospital a couple of years ago, we found a bunch of CDs stashed in an open drawer on the hospital floor in the hallway. These CDs had patient names, date of birth and other PHI on them. They had discontinued the system using CDs and the data had been ported to the new system, so they had no use for these CDs. This was a breach just waiting to happen, fortunately, the hospital security staff took action immediately after these CDs were discovered and securely destroyed them.|
|On September 18, 2018, another hospital The University of Texas Health Science Center at Houston notified the Department of Health and Human Services of a breach affecting 500 patients, caused by theft of paper/ films.||On August 9, 2018, Anne Arundel Dermatology, P.A., a dermatology practice in Maryland, reported a breach to the Department of Health and Human Services, caused by the theft of paper/ films affecting over 1300 patients.|
All these examples go to show how valuable any form of PHI can be, even if it is stored on films, paper or CDs or any other form. It is every covered entity's responsibility to take all reasonable steps to secure your patients' PHI and to prevent the PHI from being disclosed accidentally or deliberately to any unauthorized personnel.
5.b.Patients' Right of Access to their data
HIPAA gives broad access rights to patients
The Office of Civil Rights (OCR) has published guidance on a patients' right to access their paper or electronic health data. Patients have the right to request a copy of their health records or to give consent to have their health records provided to someone else. This is all part of the process to empower patients to manage their health care.
A covered entity is required to honor the patient's request for a copy of his or her health records within a reasonable time such as 30 days. The covered entity may require that such a request be made on a signed request form. A reasonable fee may also be charged. If the patient does not receive the health records from the provider within a reasonable time of requesting it, the patient may choose to report this issue to the office's HIPAA Privacy Officer, or may escalate it to the Department of Health and Human Services.
If you are a patient and would like to access your health records, you may contact your doctor's office to do so. The law gives you the right to your health information.
HHS Rule for better patient data access
In February 2019, the Department of Health and Human Services (HHS) proposed a new rule focusing on a patient’s ability to access all of their Electronic Health Information at no cost. The new rule supports seamless and secure access, exchange and use of electronic health information (EHI).
According to the Office of the National Coordinator for Health IT (ONC), “The proposed rule is designed to increase innovation and competition by giving patients and their healthcare providers secure access to health information and new tools, allowing for more choice in care and treatment. It calls on the healthcare industry to adopt standardized application programming interfaces (APIs), which will help allow individuals to securely and easily access structured EHI using smartphone applications.”
The Center for Medicare and Medicaid Services (CMS) is also proposing changes to increase the seamless flow of health information, requiring that enrollees be provided with immediate electronic access to medical claims and other health information electronically by 2020.
With this new rule, if a patient asks for access to their electronic health record, and if it is not given to them electronically and for no cost, that will be considered “information blocking”, with penalties involved. Standardization in interoperability between systems will need to become the norm, thereby transforming the way healthcare data can be made available to patients.
HITECH and HIPAA are separate and unrelated laws, but they do reinforce each other in certain ways.
The Health Insurance Portability and Accountability Act (HIPAA), is a Federal legislation that was put into effect in 1996. This law requires the US Department of Health and Human Services (HHS) to develop and enforce national standards which protect the privacy and security of patients’ medical records and other personal health information (PHI). The most recent change to HIPAA was ratified in 2013 - this change is referred to as the “Final Omnibus” rule. This change to HIPAA now includes Enforcement and Civil Penalties for HIPAA violations.
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) legislation was created in 2009 to stimulate the adoption of electronic health records (EHR) and supporting technology in the United States. HITECH introduced the "Meaningful Use" program incentivizing healthcare organizations just like yours to maintain the Protected Health Information (PHI) of your patients in electronic format, rather than in paper files. HITECH empowered OCR to enforce the HIPAA privacy and security rules.
By downloading this HIPAA Compliance Flow Chart, get answers to questions like:
What should my HIPAA Compliance strategy look like?
Where do I need to start to get my organization HIPAA compliant?
Here are some steps that can help you on the path to HIPAA compliance.
7.a.Annual HIPAA Risk Assessment
Some people mistakenly believe that a HIPAA risk assessment is a one-time practice. Not only is it a recommended practice to conduct a risk analysis or assessment on an annual basis, but for some agencies and incentive programs, it is a requirement for attestation. Is it time to conduct your annual HIPAA risk assessment?
7.b. Annual HIPAA Training
The Federal Government has specific HIPAA (Health Insurance Portability and Accountability Act) requirements that include annual HIPAA training. According to the U.S. Department of Health and Human Services, as part of HIPAA Administrative Safeguards, all covered entities, must train on an annual basis, all workforce members regarding your security policies and procedures.
By Training your employees annually, you not only remain HIPAA Compliant, but also guarantee every staff member is following your policies and procedures. As a covered entity it is your responsibility to educate your employees about cyber risks that can affect your practice and clients.
Your team at all levels, should be knowledgeable on the value of medical data to criminals in the black market. They should know the risks to patients if their personal medical data is stolen. Annual HIPAA training regarding your institution’s policies and procedures keeps your staff up to date on HIPAA policies and procedures and security and privacy policies, including escalation procedures, contingency plans and reporting HIPAA Violations.
Choose a HIPAA training program that is engaging to ensure your employees understand the importance of demonstrating HIPAA compliance in their everyday jobs. Keep a record of Each training that is held and all attendees.
7.c. HIPAA Policies and Procedures
Are Policies and Procedures Required?
Policies and procedures are an important component of your security program for HIPAA Compliance. These policies explain to both your staff and patients what steps you will take to protect PHI, and how you will handle incidents such as a data breach.
According to the Privacy Rule all covered entities must adopt reasonable and appropriate policies and procedures to be in compliance. These policies and procedures must be maintained and updated until 6 years after the last effective date of the entity.
What should your HIPAA Policies and Procedures contain?
Your HIPAA Policies should contain security policies and privacy policies, and policies related to breach notification. One of the main purposes of maintaining and following HIPAA policies and procedures is to try and prevent breaches of PHI.
Security policies are rules or guidelines that your organization follows on a regular basis. For instance, as part of your HIPAA policies, you would have a password management policy, an encryption policy, a policy for email, a policy for data backups, a policy for disposal, and many more. All aspects of the HIPAA Security rule must be covered within your policies, specifically the administrative safeguards, technical safeguards and physical safeguards. Your HIPAA security policies must show what your organization is doing to protect your patients' Protected Health Information (PHI) and all accesses to it.
Privacy policies are rules or guidelines that your organization follows as you establish and maintain a culture of privacy within your organization to protect your patients' privacy. For instance, you may have policies that dictate how, where, when and with whom patient information may be discussed, who has access to PHI, with whom you can share PHI with, and such topics related to the HIPAA Privacy Rule. If your office uses telemedicine to treat your patients, your security and privacy policies apply to all such interactions too.
Breach notification policies are rules or processes that your organization should follow in the event of a data breach. See the section below on breach notification for more information about reporting a breach and about incident management.
Procedures are detailed instructions on how your organization and staff need to implement your policies. For instance, a security policy may state that you will use anti-virus software, and that you will update it periodically. The corresponding procedure might talk about specific type or brand of anti-virus, frequency of update, who is responsible to maintain or troubleshoot issues, and such related items.
Review your Policies and Procedures regularly
Be sure to review your security and privacy policies and procedures at least once a year, and if your office undergoes any major change. Examples of major changes are a physical move, change of your EHR system, major re-organization of your office structure.
7.d. Maintaining a culture of privacy
Ensure that you instill and maintain a culture of privacy within your healthcare organization at all times. Employees and business associates must be trained and reminded periodically about the importance of patient privacy. All interactions with and about the patient must always be handled in confidence, while ensuring that only authorized personnel receive the patient's health information. Elements of this culture of privacy range from small actions such as not speaking about patients loudly in common areas, to modes of sharing information using electronic methods such as email, and to ensuring that patient consent forms are signed and maintained in your records.
7.e. Notice of Privacy Practices
A notice of privacy practices must be clearly displayed so that your patients can see and read it in your facility. This notice must also be displayed prominently on your website. Patients may also request a copy of these privacy practices at any time, so be prepared to provide a copy to any patient that requests it. Model notices of privacy practices are available for free download from the Health and Human Services (HHS) website.
It's not enough to do it once, you need to stay updated periodically
It is recommended that you review all your compliance requirements annually, at a minimum.
We suggest that you review your HIPAA compliance requirements at least once a year, and if your office undergoes any major change. Examples of major changes are a physical move, change of your EHR system, major re-organization of your office structure. If for any reason, you undergo an audit or if you are subject to a data breach and a subsequent OCR investigation, then it would be best if you could show the auditors your evidence of the last risk analysis having been completed within the last year.
HIPAA Risk Assessment for your office - Perform a risk assessment or risk analysis of your healthcare practice every year.
HIPAA Training - Train your staff at least every year. Many physicians and office managers believe that if they undergo HIPAA training once a year, that makes them HIPAA-compliant. This is a falsehood. HIPAA Training alone is not HIPAA compliance, it must be accompanied at least by your annual risk assessment and an annual review of your policies and procedures.
Six common HIPAA violations
1. Lack of Business Associate Agreements with vendors who have access to your PHI.
2. Loss or theft of unencrypted portable devices containing PHI.
3. Failure to complete an enterprise-wide risk analysis.
4. Insufficient physical safeguards or keeping PHI unlocked or easily accessible.
5. Lack of HIPAA Security and Privacy policies and procedures.
6. Delays in reporting breaches as per the Breach Notification Rule.
The Office of Civil Rights (OCR) under the Department of Health and Human Services (HHS) is responsible for enforcing the HIPAA Privacy and Security Rules. OCR performs such enforcement actions by conducting reviews, by performing outreach and education activities, and by investigating complaints filed. If the investigation reveals that the covered entity or business associate was not in compliance, OCR may determine the following courses of action:
- Voluntary compliance
- Corrective Action Plans, and/or
- Resolution Agreements and Civil Monetary penalties
In 15 years from 2003-2018, OCR has levied almost $80 million dollars of fines for HIPAA Privacy Rule violations.
For criminal violations, OCR works in conjunction with the Department of Justice (DoJ).
Final Rules published in 2013, modifying the HIPAA Privacy, Security and Enforcement Rules, and changes to HITECH Act.
In 2013, HHS published the Final Omnibus Rule, where they announced changes to the HIPAA Privacy, Security and Enforcement Rules. Changes were made to the Breach Notification Rule as well, under the HITECH Act. A tiered structure was determined for levying civil monetary penalties.
Under the Omnibus Rule, business associates are independently responsible to the OCR for compliance with HIPAA Privacy, Security and Breach Notification rules. OCR may levy fines directly on business associates in the event of non-compliance.
The Privacy Rule was modified prohibiting health plans from using or disclosing genetic information for underwriting purposes, under the Genetic Information Nondiscrimination Act (GINA).
Business Associate Agreements and Notices of Privacy Practices were required to be updated to reflect the new requirements of the Omnibus Rule.
The Omnibus Rule also expanded patients rights to get access to their electronic medical data.
10.a. Breach Notification
In addition to the Privacy Rule and Security Rule, providers are also subject to the HIPAA Breach Notification Rule. Covered entities should notify affected individuals, U.S. Department of Health & Human Services (HHS), and in some cases, the media of a breach of unsecured PHI. Please note the key word here - "unsecured". If the lost or stolen data is properly encrypted, the Office of Civil Rights (OCR), a department within Health and Human Services (HHS), does not consider such lost data as a breach.
In the event of a data breach of unsecured PHI, the covered entity must report the breach as soon as possible to the affected individuals. How do you report a breach of unsecured PHI? HHS must be notified no later than 60 days of the discovery of a breach. If the breach occurred at a business associate's premises or the data was breached by a business associate, then the business associate must notify the covered entity of such a breach. All this should also be clearly specified in the business associate agreement that the covered entity should have signed with the business associate. The business associate is jointly liable for the security and privacy of PHI with the covered entity and must take this responsibility seriously. There have been incidents where OCR has instituted enforcement actions against business associates.
It is a useful practice to have an incident response plan that covers all sorts of disasters and adverse incidents that might occur to a healthcare practice, including a data breach. A data breach could also occur due to a hacking incident like ransomware, not just a loss of equipment or storage drives. A breach could even occur accidentally. In all such cases, since the timelines for breach notification are stringent and tight, a detailed incident response plan could come in very handy to a healthcare office whether its an individual doctor's practice, or a medical service organization, or a group of hospitals or health plans. An incident response plan should highlight the detailed steps that the covered entity staff should take when an incident occurs, including who is responsible, timeline, if someone external such as an attorney should be contacted, phone numbers, addresses, and more.
While it is not necessary to use a known framework, using a tried-and-tested framework makes the compliance process more standard and easier to implement.
Cybersecurity and HIPAA compliance go hand in hand as mitigating a healthcare office against Cybersecurity risks is a key part of HIPAA compliance. A security risk assessment or analysis is a baseline requirement from OCR and other enforcement organizations.
Many organizations are using standard proven Cybersecurity and IT frameworks as part of the process of getting compliant with HIPAA. The advantage of using a known framework is that partners, customers and agencies can now be satisfied that you have performed a comprehensive assessment of your risks in alignment with a tried and tested framework. Examples of such frameworks are:
- NIST-CSF (National Institute of Standards and Technology Cyber Security Framework)
- HITRUST CSF (Health Information Trust Alliance Common Security Framework)
- ISO/ IEC 27001 (International Organization for Standardization and the International Electrotechnical Commission - 27001 Standards)
MACRA (Medicare Access and CHIP Reauthorization Act) is the regulation that came out in 2017 changing how physicians will be paid. The Merit-based Incentive Payment System (MIPS) under MACRA moves away from the previous fee-for-service payment system to a performance-based payment adjustment. This means that instead of simply receiving a payment from Medicare and Medicaid for providing service, your payments will be linked to patient outcomes or the quality of care provided.
MACRA/MIPS and HIPAA are closely tied together. A key piece of this is the importance of performing an annual HIPAA Security Risk Analysis. By completing an annual HIPAA security risk analysis, you can receive larger reimbursements for your medicare billing under MACRA/MIPS. In order to adhere with MIPS requirements, an attestation for the security risk assessment and proof to show compliance is required. This security risk assessment must include all devices (Including Medical Devices), connecting interfaces, and other systems involved in creating, storing, transmitting, and receiving patient data. You must file an Evidence of Compliance report and keep it on file for 6 years in order to meet the MIPS compliance requirement. This report must include dates, user and computer information, and other source material to support your compliance activities
What are the consequences? If you do not conduct and properly document your Security Risk Assessment and remediation plan for risks identified, it'll cost you! Aside from not receiving a reimbursement at all, you may receive a bad score for MIPS reimbursement overall.