The HIPAA Police Are Coming
Knowing who they are and what they want is all part of HIPAA compliance.
There is only one agency that will audit your healthcare organization for HIPAA compliance, but you might be surprised how many agencies will investigate you, and pile on the penalties, if your practice fails to protect the personal health information your patients have entrusted you with.
Compliance is the law, and preventing identity theft is part of good patient care. To get a handle on what HIPAA compliance means to your practice, let’s look at what the rules are, who is enforcing them, and why you should care.
HIPAA was enacted in 1996. In 2003, the Privacy Rule became effective, protecting all individually identifiable health information, known as protected health information (PHI), whether verbal, written, or electronic.
PHI is patient information, including demographic information, relating to:
- The individual’s past, present, or future physical or mental health condition;
- The provision of healthcare to the individual; or the past, present, or future payment for the provision of healthcare to the individual; and
- That which identifies the individual, or could be used to identify the individual (e.g., name, address, birth date, Social Security number).
The Security Rule provides a framework for organizations seeking to protect electronic protected health information (ePHI). The Security Rule defines three types of data security safeguards: administrative, physical, and technical.
- Administrative safeguards include policies, procedures, and training.
- Physical safeguards relate to the locks, alarm systems, and other tools used to keep devices from being stolen, or from unauthorized people accessing patient information.
- Technical safeguards make up only about a quarter of the Security Rule's requirements. They include unique user logins and passwords, network firewalls, anti-virus software, encryption, and backups.
HIPAA is a risk-based security framework. That means you first must identify the risks to your ePHI, and then determine how you will address them. This is where many practices fail to comply adequately with the regulations, possibly because fixing compliance issues can cost money and be inconvenient. In practice, compliance requires at least the following:
- A comprehensive and thorough security risk analysis, and the remediation of identified security issues.
  - This is also a requirement for electronic health record (EHR) meaningful use incentive awards. Many HIPAA and meaningful use penalties cite a missing or inadequate risk analysis.
- Computers and servers that still receive security patches and updates, and business-class firewalls with current security subscriptions, to protect networks against hackers.
  - Older, unsupported equipment doesn't qualify, even if it still works. For example, a non-profit mental health clinic paid a $150,000 fine for using unsupported equipment.
- Business-class secure email and secure texting services.
  - Free email from Google, Yahoo!, and your Internet service provider is not confidential and does not meet the compliance requirements; the provider will not sign a business associate agreement for a free consumer account. Texting through your cell phone's carrier service is not secure or compliant. A five-doctor cardiac practice paid $100,000 for using free email.
- Unique user logins and secure passwords, so that every access to ePHI can be traced to one person.
- Systems that automatically lock screens after a period of inactivity and require a password to log back in.
- Encrypted data, particularly on laptops, portable drives, and other devices that can be lost or stolen.
  - Several organizations have each paid over $1.5 million for lost, unencrypted hard drives and laptops.
- Offsite data backups and the ability to recover data after a disaster.
- Prohibiting the use of consumer-grade solutions that do not offer compliant security, such as free Dropbox, Google Drive, and consumer data backup services.
A security risk analysis requires an understanding of information technology (IT) security. While there are do-it-yourself tools available, healthcare organizations that use them may not know what is really happening under the hood of their networks. They believe they have taken steps to secure their data, but a proper analysis often shows that the controls aren't working, or were never put in place at all.
The FBI has warned healthcare organizations, “The biggest vulnerability (to the protection of health data) was the perception of IT healthcare professionals’ beliefs that their current perimeter defenses and compliance strategies were working when clearly the data states otherwise.”
Many healthcare providers think they just need the risk analysis document. HIPAA requires ongoing risk prevention. The Office of the National Coordinator for Health Information Technology (ONC) — the principal federal entity charged with overseeing the administration’s health IT efforts — says, “To comply with HIPAA, you must continue to review, correct or modify, and update security protections.”
If you are participating in EHR meaningful use, you're likely to be audited and may have to return overpayments, or face charges of Medicare fraud, if you falsely attest that you have performed a security risk analysis and remediation. Do-it-yourself risk analysis checklists may fail the audit, and you could potentially lose your incentive payments and face reduced Medicare/Medicaid payments going forward. According to the ONC, "Doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional."
Business associates are individuals and companies that provide services to healthcare organizations that may come in contact with their PHI and ePHI. Examples include shredding companies, EHR software vendors, IT companies, lawyers defending malpractice suits, accountants, billing companies, etc. Even document storage companies, data centers, and cloud vendors are business associates.
Business associates must sign special confidentiality agreements (business associate agreements) and, since the 2013 HIPAA Omnibus Final Rule, implement full HIPAA compliance programs of their own. If a business associate causes a data breach of patient records, it can be fined, and so can the healthcare organization that hired it. If a business associate causes a breach, it must notify the healthcare organization, which then must notify its patients.
Who Are the "HIPAA Police"?
The Office for Civil Rights (OCR) enforces HIPAA compliance and investigates data breach complaints. OCR has started a new round of audits to assess HIPAA compliance. Many data breach cases are settled with corrective action plans, while others incur million-dollar fines. Breaches of more than 500 records are publicized on the OCR “Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information,” also known as the HIPAA “Wall of Shame.”
Mental health and substance abuse treatment information is protected by other federal laws, such as the confidentiality rules for substance abuse treatment records in 42 CFR Part 2, which are enforced by the Substance Abuse and Mental Health Services Administration (SAMHSA).
The Federal Trade Commission (FTC) investigates healthcare breaches because patients’ names, birth dates, Social Security numbers, and other personally identifiable information are covered under consumer protection laws. The FTC once placed a business on a 20-year monitored compliance program for allowing a security breach while acting as a business associate to two Minnesota hospital systems.
Forty-seven states, plus Washington, D.C. and Puerto Rico, have laws protecting data. Some provide additional protections to medical information, while others focus on protecting driver's license information, Social Security numbers, and credit card and banking information. State attorneys general are authorized to enforce HIPAA, and many have taken action independent of federal regulators. In Puerto Rico, a health plan was fined $6.8 million for a data breach. The Massachusetts attorney general successfully penalized a Rhode Island hospital for breaching Massachusetts residents' information. In the same case where the FTC placed a business on a 20-year compliance program, the Minnesota attorney general banned the company from doing business in his state for two years.
Become Familiar with Patient Security
The safeguards the HIPAA Security Rule requires are good practice for protecting all types of data, not just ePHI. You must have IT staff or an outsourced IT provider working diligently on security, not just keeping networks up and data backed up. You should have a security risk analysis done by a certified professional, just as you would want a diagnosis of a serious illness done by a board-certified specialist.
You need to identify all of the regulations that apply to your organization. Even with a good risk analysis and risk management plan, you should also have a comprehensive incident response plan in the event of a data breach, covering who investigates, who must be notified, and by when. Like certified professional medical coders, there are certified professionals who offer these services. While you are focusing on ICD-10 and other challenges, these professionals can lighten the load of securing and protecting your data, and of complying with federal and state laws.
FBI Cyber Division Private Industry Notification, "(U) Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain," April 8, 2014: https://info.publicintelligence.net/FBI-HealthCareCyberIntrusions.pdf
HealthIT.gov, Security Risk Assessment, "Top 10 Myths of Security Risk Analysis": www.healthit.gov/providers-professionals/top-10-myths-security-risk-analysis
HHS OCR, Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
U.S. Department of Health & Human Services, Office for Civil Rights: www.hhs.gov/ocr; Substance Abuse and Mental Health Services Administration: www.samhsa.gov/
Federal Trade Commission: www.ftc.gov
Mike Semel, founder of Semel Consulting (www.semelconsulting.com), is a security and compliance specialist with over 35 years’ experience in IT and over 12 years in compliance. He has served as the chief information officer for a hospital and a K-12 school district. Semel has conducted hundreds of risk analyses and compliance assessments for organizations of many types and sizes, including medical practices, hospitals, government agencies, non-profits, and business associates. He can be reached at firstname.lastname@example.org.