HIPAA Privacy: A New Era of Awareness and Enforcement
By David Behinfar, JD, LLM, CHC, CIPP
It has been over seven years since the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule became effective for most covered entities. As public awareness of health care privacy issues has increased since 2003, efforts at privacy rule enforcement also have accelerated. One consequence is that it is much easier for health care workers—including coders—to find themselves in a privacy officer’s crosshairs.
Before I share my advice on how to avoid the wrath of your friendly local privacy officer, let’s discuss factors leading to greater awareness and enforcement of the HIPAA Privacy Rule.
Privacy Rules in the Limelight
1. The Office of Civil Rights (OCR), which is responsible for oversight and enforcement of the Privacy Rule and, as of Aug. 3, 2009, the HIPAA Security Rule (see www.hhs.gov/news/press/2009pres/08/20090803a.html), is now an experienced and established regulatory oversight agency. The OCR is skilled at processing patient privacy complaints, of which it has handled more that 43,000 since April 2003 (www.hhs.gov/ocr/privacy/hipaa/enforcement/data/historicalnumbers.html).
OCR also has begun to impose serious corrective actions upon covered entities. For instance, OCR recently (July 16, 2008) entered into a resolution agreement with Providence Health & Services, imposing a three-year corrective action plan and fines (referred to by OCR as a “resolution amount”) in the amount of $100,000 (see www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/providenceresolutionagreement.html). A similar agreement with CVS Pharmacy, Inc. (July 16, 2009) included a fine that totaled a whopping $2.25 million (www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cvsresolutionagreement.html). The OCR’s experience and willingness to fine covered entities demonstrates a changed environment for privacy enforcement.
2. State attorneys general (AG) now have a stake in enforcing the HIPAA Privacy Rule. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 allows state attorneys general to enforce the HIPAA Privacy Rule—with authority to institute fines up to $25,000, plus attorney’s fees.
Connecticut State Attorney General Richard Blumenthal is the first AG to exercise this option. In January 2010, Blumenthal filed suit against a health insurer for failing to secure 44,000 patient records and promptly notify patients of this breach, and in March he filed a second investigation against a physician for allegedly improperly accessing more than 1,000 patient records (www.ct.gov/ag/cwp/view.asp?A=2341&Q=453918 and www.ct.gov/ag/cwp/view.asp?A=2341&Q=457882).
3. A greater number of people now understand their specific privacy rights. When I first began educating our physicians and staff on the HIPAA Privacy Rule in April 2003, this was a new topic for my audience. Since 2003, however, thousands of health care workers across the country have repeated their privacy training annually. I’ve also encountered many individuals in other professions (legal, law enforcement, insurance, business) who in conversations clearly indicate their knowledge of HIPAA Privacy.
The reporting of numerous privacy breaches by the media has made the public more aware of how covered entities’ failure to protect information can harm patients. Many states have had some form of security breach notification law in place for years (see www.crowell.com/pdf/SecurityBreachTable.pdf), resulting in written notification to patients of these privacy/security breaches involving their information. Now, there is an added layer of federal legislation that also requires the notification to patients of certain breaches involving patient information (see www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/breachnotificationifr.html). As part of this new federal breach notification rule, covered entities must report all of their privacy breaches to the U.S. Department of Health & Human Services (HHS) annually. Privacy breaches involving 500 or more patients also must be reported “without unreasonable delay” and are posted on the HHS website in a running tab format (www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html).
Greater awareness of privacy rights isn’t a bad thing. With a more experienced government regulator, state AGs who are incentivized to enforce the HIPAA Privacy Rules, a smarter public, and patients barraged with notices of privacy breaches, privacy professionals have become better at what they do to manage privacy compliance efforts at their institutions.
HIPAA Compliance for Coders
What are the lessons for a coder? In my experience, these three stand out as the easiest to implement and most important:
Lesson No. 1: If you use a portable electronic computing device or media (laptop, thumb drive, USB drive, flash drive, external hard drive, etc.) for any work involving patient information, make sure your device is encrypted. This is probably the most serious and potentially costly privacy/security violation.
Every health care institution across the country has (or should have) a policy in place requiring any portable electronic computing or media device that stores, transmits, or creates patient information be encrypted. On the HHS website listing large (500+) breaches, more than 70 percent of the breaches listed thus far (through June 2) are due to a “theft” or “loss” of patient information—most of which involve a stolen or lost portable electronic computing or media device.
If you use an un-encrypted portable electronic computing or media device for patient care-related activities, call your privacy officer and ask him or her to explain the encryption requirements of your institution. Follow up to be sure you meet the requirements.
Lesson No. 2: Unauthorized access of a patient’s record is another cardinal privacy rule that should not be broken. Do not access patient information on electronic systems (or paper charts, for that matter) for any patient whose records you are not authorized to access for legitimate business purposes.
Accessing the records of a public figure or athlete without a “business” need-to-know is an obvious fatal error in judgment. The business need-to-know basis for accessing patient records also extends to accessing records of your family, co-workers, and friends. “Same last name” audits are, in fact, a popular audit focus. For instance, if your last name is Klammerstein, and I as a privacy officer pull your name for a random audit and see you accessed the account of three other Klammersteins on our electronic medical record (EMR) system, my alarm bells will start ringing. Another target is an access into an account of a co-worker or even someone who appeared in the local media (e.g., people injured on a nearby major interstate highway or children who were injured in a tragic accident that was reported on the local news).
There are great advancements in auditing tools as part of EMR systems, so much of the data can be collected and sorted in just a few clicks. As such, it is in your best interest to assume your activities will be monitored whenever you are accessing patient information.
Lesson No. 3: Encrypt your e-mails to people outside your institution if they contain patient information. Once again, learn your institution’s policies. If you are e-mailing patient information in spreadsheets or attachments, or including it in the body of an e-mail to parties outside of your institution, your institution may require you to send those e-mails in encrypted format. Failure to encrypt an e-mail containing patient information to a third party may be considered a privacy breach, requiring notice to all affected patients whose information was included in the e-mail. A transmission across the internet in an unencrypted format is perceived as an apparent risk because there’s a chance the e-mail may be intercepted during transmission.
Important Lessons Learned
If you carefully consider and learn from these lessons, you will greatly diminish the likelihood your privacy officer will call you into his or her office to discuss employment termination for violating your institution’s privacy policies. Of course, there are other privacy policies with which you will need to be familiar; but in the world of coding, the three aforementioned lessons are likely to be the most important in protecting your livelihood.
David Behinfar, JD, LLM, CHC, CIPP, is the privacy manager at the University of Florida Health Science Center, Jacksonville.