1 Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions
2 Table of Contents Understanding HIPAA Privacy and Security... 1 What Has Changed? ) The Privacy Rule ) The Security Rule ) Breach Notification Rule ) Compliance deadlines ) Government audits... 5 Do the New Rules Apply to Your Practice?... 6 What Actions Should You Take First?... 7 How Can You Evaluate Your IT Provider?... 8 How Can You Identify Significant Risks? ) Failure to comply ) Failure to protect ephi Who Do You Ask for Trusted Advice?... 13
3 What Has Changed? HIPAA the Health Insurance Portability and Accountability Act HIPAA, the Health Insurance Portability and Accountability Act, has been updated with sweeping changes resulting from the HITECH Act (Health Information Technology for Economic and Clinical Health), enacted as part of the American Recovery and Reinvestment Act of The HITECH Act defined HIPAA Privacy, Security, and Breach Notification Rules with which nearly all physicians must comply. These new rules, if not followed, can result in serious financial penalties and criminal prosecution. The Department of Health and Human Services Office of Civil Rights enforcement performs audits of physician s practices and may assess fines as high as $1.5 million, even in cases where no harm has resulted from the loss of protected health information. In addition, many states have additional requirements above and beyond those the federal government has established. Starting in September 2013, those states attorney generals are now charged with the responsibility to bring criminal prosecutions. These new requirements fall into three major compliance areas: 1) The Privacy Rule The Privacy Rule restricts the use and disclosure of an individual s protected health information (PHI). Both the physician s practice (e.g. the covered entity, or CE) and any business associate (BA) of that physician s practice are each responsible for adhering to the HIPAA HITECH requirements. Business associates include anyone hired by the physician or practice with access to patient PHI, including IT consultants, billing services, accountants, attorneys, or anyone else with access to the information and data.
4 Patient protected health information (PHI) can be either electronic, paper, or oral, and relates to the past, present, or future physical or mental health of an individual, the health care services related to an individual, or the payment for those health care services. With the HITECH requirements, patients now have individual rights to access their own PHI, restrict disclosures, request amendments or an accounting of disclosures, and a right to complain without retaliation. 2) The Security Rule The Security Rule requires physician practices to implement administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ephi). ephi refers to all individually identifiable health information that a physician practice or business associate creates, receives, maintains, or transmits in electronic form, including data at rest and data in transit. The Security Rule does not apply to PHI transmitted orally or in paper form. 3) Breach Notification Rule If patient electronic protected health information is breached, the physician practices must notify affected individuals. If more than 500 patient records are breached, the physician practice must report the situation to the U.S. Department of Health and Human Services (HHS) and the local media. The federal government requires reporting of breaches within 30 days, but many states have more restrictive time limits, with some states requiring a breach notification and report within five days of the actual data breach.
5 Now that you have a better understanding of the new requirements, let s consider two other areas of concern: compliance deadlines and government audits. 4) Compliance deadlines Additional changes to the HITECH Act were adopted in the recent HIPAA Omnibus Rule. The HIPAA Omnibus Rule requires that all physician practices (e.g. covered entities) must update their HIPAA policies and procedures and otherwise implement the changes required by these regulations no later than the September 23, 2013 compliance deadline. Most physician offices may have a HIPAA compliance plan, but those existing plans may not meet the new standards based on the requirements and rule changes mandated by the HIPAA Omnibus Rule and the HITECH Act. Every physician s office will be well served to review and evaluate his or her HIPAA compliance plan in light of these more stringent requirements. 5) Government audits The HHS Office of Civil Rights (OCR), the federal agency with the responsibility to oversee the HIPAA privacy, security, and breach notification requirements, has created a comprehensive audit program protocol with 170 audit areas. Seventy-nine of these audit areas refer to the Security Rule, which emphasizes administrative, physical, and technical safeguards. First on the list of the audit program protocol is the key activity, Conduct Risk Assessment. A Security Rule Risk Assessment is the key element in preparing for a government audit.
6 Do the New Rules Apply to Your Practice? HHS has developed a tool to help physicians understand whether or not these new requirements apply to their practice. Simply stated, if you or your practice furnishes, bills, or receives payment for health care in the normal course of business, and you or your practice transmits (sends) any covered transactions electronically, then you or your practice is a covered entity. This means the new privacy, security, and breach requirements mandated by the HHS Omnibus Rule and the HITECH Act apply to you or your practice.
7 What Actions Should You Take First? The following five-step guide is provided to help you streamline and prioritize your HIPAA compliance activities. 1) Assign responsibility for HIPAA compliance as a role namely a HIPAA Privacy and Security Officer. Assure this individual has received updated training on the new requirements, including the HHS Omnibus Rule and HITECH Act privacy, security, and breach rules. 2) Identify any state-mandated requirements that supersede federal rules in the areas of privacy, security, and breach notification. Pay special attention to breach notification timeframes. 3) Evaluate which of your business associates has access to your inventory systems that hold or transfer electronic protected health information (ephi) by enlisting an IT professional to perform a network scan. This is the foundation from which to make risk judgments. 4) Perform a HIPAA Privacy Rule Risk Assessment and a HIPAA Security Rule Risk Assessment. Use the results of these assessments as the basis for the HIPAA Compliance Risk Mitigation Plan. 5) Determine whether all of the business associates identified in this five-step process are HIPAA compliant; if not, replace with business associates that are HIPAA compliant. Execute new business associate agreements (BAAs) with existing and/or new business associates
8 How Can You Evaluate Your IT Provider? Since the primary focus of the HITECH Act requirements is electronic protected health information (ephi), you will need to evaluate your current information technology support provider and determine whether or not that IT provider can meet the new requirements. The HHS Omnibus Rule and HITECH Act placed new privacy, security, and breach notification requirements on business associates with access to electronic protected health information. Since electronic data is at the core of many of these new requirements, it is imperative that your IT provider understands the changes and also provide the support your practice will need. Direct these questions toward an officer or owner of your IT service provider: Does your IT firm have a well-trained HIPAA Privacy and Security Officer that is aware of the Omnibus Rule changes? Has your IT firm recently completed a HIPAA Security Rule Risk Assessment? What were the results of your assessment, and what is your company focused on improving? What types of written policies and procedures do you have to protect the administrative, technical, and physical security of user accounts and data access? Is your staff routinely provided with HIPAA awareness and training programs? Do you have business associate agreements with your vendors, suppliers, and subcontractors? These questions are designed to demonstrate whether your IT service provider understands their regulatory obligations and is committed to your practice. Being HIPAA compliant means your IT provider complies with HIPAA requirements for privacy, security, and
9 breach notification and has taken steps to assure the privacy and security of ephi throughout the entire IT infrastructure. A relationship with your IT service provider based on competence and integrity has never been more critical for excellent patient care. Protecting your patient s electronic protected health information requires that your IT provider be as committed to HIPAA compliance as you and your practice.
10 How Can You Identify Significant Risks? With the new Omnibus Rule and HITECH Act privacy, security, and breach notification requirements, the significant risks to your practice can be divided into several areas. 1) First, ask these questions of your practice before deciding whether you might be facing a failure to comply or failure to protect ephi. a. Have you completed a privacy and security risk assessment in the last year? b. Are copies of this and previous assessments kept for six years? c. Have all service providers executed a BAA with your practice? d. Are old computers stored in a closet? e. Is there an older version of a practice management or electronic health record (EHR) application maintained online to aid in looking up old information? f. Does anyone use a laptop or tablet that is not encrypted to access or download ephi? g. Are providers given remote access to systems? h. Can be used to send or receive messages containing ephi? i. Are passwords kept secret and changed on a frequent basis? j. Are tapes or other storage devices stored in secure vaults at the practice? 2) Failure to comply Changes to the Omnibus Rule specifically removed ignorance as a possible excuse or defense against civil and criminal penalties. The HHS Wall of Shame lists those organizations with ephi data breaches affecting 500 or more individuals. The list is filled with health care organizations of all shapes and sizes. The following table shows the types of penalties that may be assessed when a physician or practice fails to comply.
11 HIPAA Violation Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA Individual knew, or by exercising reasonable diligence would have known of the violation, but did not act with willful neglect HIPAA violation due to willful neglect but violation is corrected HIPAA violation due to willful neglect but violation is not corrected Penalty Amount (per violation) $100- $50,000 $1,000 - $50,000 Annual Maximum Penalty $1.5M $1.5M $10,000 - $1.5M $50,000 $50,000 $1.5M In addition to civil monetary penalties, criminal penalties may apply, including imprisonment of up to one year for those covered entities and specific individuals that knowingly obtain or disclose individually identifiable protected health information. These criminal penalties may extend to the directors, employees, or officers of a covered entity. These civil and criminal penalties should cause any covered entity, physician, or corporate officer to recognize the immediate need to follow the HIPAA privacy, security, and breach notification requirements. 3) Failure to protect ephi The greatest risk for a physician or practice is the failure to protect ephi from unauthorized access and large-scale data breach. Many physician practices never stop to consider the various methods a bad actor could use to access ephi during the course of the normal delivery of health care services. Regardless of the policies, procedures, awareness, and training that a practice may use, there is still an absolute need to
12 protect against the unauthorized access, copying, and transmission of ephi by member of the physician s team. In many common situations, ephi can be inadvertently lost. The following table shows some of the situations you will need to protect against in order to protect ephi. How do you protect against Unauthorized copying of ephi by staff? Copy and transmission of ephi over the Internet from the practice office to an unauthorized address? Upload of ephi to an unauthorized cloud storage location? Access of ephi when a laptop or other device is stolen? Comments All it takes is one disgruntled employee and a USB drive to cause a data breach. Staff may send ephi to a private address. How long before your data is on Facebook? What happens when senior staff copies data to an unauthorized cloud storage location and the data is hacked? Laptops are routinely lost or stolen. With ephi, this can be the shortest path to a massive data breach. Protecting ephi requires more than policies and procedures it requires diligence and technical infrastructure designed to keep the data safe. It takes the proper combination of user access control, device management, data encryption, firewall and network security, and strong systems and network management to protect ephi.
13 Who Do You Ask for Trusted Advice? In his book The Speed of Trust: The One Thing That Changes Everything, Stephen M. R. Covey defines trust in the business sphere as pertaining to both character and competence or what a business stands for, what its strengths are, and what results it produces. CMIT Solutions adheres to that motto, bringing expert care and dedication to the protection of ephi and management of underlying IT systems and networks. We understand the Omnibus Rule and the HITECH Act requirements and stand ready to provide the technical expertise you need to meet the challenge.