Anesthesia Coding Alert

One expert’s perspective pulls the pieces together.

Much of the world’s focus — healthcare and otherwise — since early 2020 has been on the pandemic. The HHS Office for Civil Rights (OCR) enforcement has focused heavily on health equity, discrimination, and Right of Access violations. But that doesn’t mean other issues of concern from years past are no longer valid — especially HIPAA privacy and security, which can sometimes be difficult to understand.

Understand the Two Aspects of HIPAA Rules

It’s not surprising that many organizations are challenged to fully understand the HIPAA Privacy and Security Rules, says Melissa Dill, product management leader for the healthcare consulting practice at Crowe.

“I think there are always challenges with deeply understanding the actual HIPAA [Privacy] Rule,” Dill explains. “It is very complex. It has largely remained intact from its original implementation. There were related updates made to the HITECH Act in 2009, and now there are additional changes that were proposed in December of 2020. Often, it’s a lack of familiarity with the original HIPAA Rule, as well as the changes that have come since then.”

Covered entities (CEs) should keep in mind that there are two familiar parts to HIPAA, Dill says. “There’s the Privacy Rule, which tends to be more focused on the non-electronic and access aspects of an individual’s protected health information [PHI], and then there’s a Security Rule, which focuses on the electronic management of that individual’s information.”

Important: The HIPAA Privacy and Security Rules offer organizations guidance on how best to set up policies and implement procedures to assess risks, protect PHI/ePHI, and circumvent violations. The rules advise not only on the provisions of the federal law, but also provide practices with guidelines to assist with HIPAA compliance planning.

Another regulation of critical concern is the HIPAA Breach Notification Rule, which doesn’t always get as much attention as it should and is interwoven with the Privacy and Security Rules. This third rule focuses primarily on what organizations must do after a breach happens. Even though the Breach Notification Rule stipulates specific notification requirements post-breach, practices would be wise to review the mandates in their initial HIPAA compliance planning phases.

Why? OCR continues to view CEs and their business associates (BAs) with documented HIPAA compliance plans more favorably, and that includes having a detailed incident response scheme in place.

Take Violations of Every Size Seriously

When it comes to the Privacy Rule, violations vary in intensity, from minor violations to serious ones. Dill points to common issues like “simple things such as physicians’ handwritten notes being left somewhere where they can be seen by individuals who don’t have a need to see those notes, things being printed out and left on a printer for others to see, or an individual calling an office and wanting information and perhaps not being the patient, but being a patient’s parent, daughter, or child who does not have permission to access such records.”

She cautions, “Those sorts of things that you don’t necessarily think of as an issue are the easy things to have a compliance issue or a violation.”

Invest in Strong HIPAA Security

On the side of the Security Rule, physician practices must have the appropriate security measures in place to protect their systems, Dill advises. “Are they investing in the technology and resources to monitor compliance and protect electronic health records in their practice?” she asks.

If practices are investing in that technology and resources, they should confirm that they’re investing in the right tools that will protect them from breaches, or from cybersecurity incidents, Dill reminds. “Those have to be very seriously considered. All you have to do is go online and search ‘cybersecurity breaches in healthcare,’ and it will bring up a laundry list.”

Be Aware of HIPAA Penalties

If you thought HIPAA fines and audits are a thing of the past, think again. “They are very real,” Dill says. Last year “was a very busy year for the OCR to investigate these breaches, and there was one settlement in 2020 that was $6.85 million, which was the second-largest in history.”

In 2020, OCR publicized the following HIPAA violations, Dill says:

• A data breach stemming from a provider’s dispute with a business associate: $100,000 settlement;
• A health system employee stole a laptop: $1 million settlement;
• An insurance company had a HIPAA breach that impacted the private information of over 10 million people: $6.85 million fine;
• A medical practice’s electronic health record was hacked, exposing the information of over 200,000 people: $1.5 million fine;
• A multispecialty clinic refused to give a patient their medical records: $15,000 fine; and
• A physician services provider refused to give medical records to the parents of a minor: $10,000 fine.

“Many of these fines are for physician practices, and several are related to access to a person’s record,” Dill maintains. “And then there were times when something was lying around in the office and someone forgot there was private information included — those things are important to monitor.”