ERP Software HIPAA Concerns for Health Care Providers

Transcription

1 Research Paper ERP Software HIPAA Concerns for Health Care Providers December 17, 2014 Updated 12/21/2014 Prepared by Tad W. Remington 1, CMA 1 LinkedIn, Tad W. Remington profile, remington/3/590/750

2 Providers Page 2 Today, most health care providers and providers of Enterprise Resource Planning (ERP) software are unknowingly putting themselves at risk of being fined and publically identified for violating the Standards for Privacy of Individually Identifiable Health Information ( Privacy Rule or Rule ) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). ERP software for health care providers most likely has overpayment transactions for patients and miscellaneous billing transactions that were not processed in the patient billing system. Organizations must educate and protect themselves against enforcement and penalties for noncompliance. The following is a summary of key elements of the Privacy Rule in the context of healthcare providers and ERP software providers; it is not a complete or comprehensive guide to compliance. Entities regulated by the Rule are obligated to comply with all of its applicable requirements and should not rely on this summary as a source of legal information or advice. Who do the Rules apply to? The Privacy Rule establishes a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services ( HHS ) issued the Privacy Rule to implement the requirement of HIPAA. 2 The Privacy Rule standards address the use and disclosure of individuals health information called protected health information by organizations subject to the Privacy Rule called covered entities, as well as standards for individuals' privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights ( OCR ) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties. A major goal of the Privacy Rule is to assure that individuals health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing. Given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed. The Privacy Rule, as well as all the Administrative Simplification rules, apply to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the covered entities ). In addition to health care providers, business associates of these organizations are also covered entities under the Privacy Rule. A business associate is an organization that performs certain functions or activities on behalf of a covered entity that involve the use or disclosure of individually identifiable health information. If your ERP software might come in contact with PHI, they would be considered a business associate. A covered entity can be the business associate of another covered entity (e.g. Subcontractors, partners, and vendors of a health care provider s ERP software provider. These subcontractors and vendors may come in contact with PHI during the implementation and support of the ERP software and therefore become of business associate of the ERP software provider.). 3 2 Pub. L C.F.R

3 Providers Page 3 When a health care provider uses a contractor or other non workforce member (i.e. ERP software provider) to perform "business associate" services or activities, the Rule requires that the covered entity include certain protections for the information in a business associate agreement. In the business associate contract, a covered entity must impose specified written safeguards on the individually identifiable health information used or disclosed by its business associates. 4 Moreover, a covered entity may not contractually authorize its business associate to make any use or disclosure of protected health information that would violate the Rule. What are the consequences of unauthorized use and disclosure of PHI? The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) establishes a set of national standards for the use and disclosure of an individual s health information called protected health information by covered entities, as well as standards for providing individuals with privacy rights to understand and control how their health information is used. The Department of Health and Human Services, Office for Civil Rights (OCR) is responsible for administering and enforcing these standards and may conduct complaint investigations and compliance reviews. Consistent with the principles for achieving compliance provided in the Privacy Rule, OCR will seek the cooperation of covered entities and may provide technical assistance to help them comply voluntarily with the Privacy Rule. Covered entities that fail to comply voluntarily with the standards may be subject to civil money penalties. In addition, certain violations of the Privacy Rule may be subject to criminal prosecution. These penalty provisions are explained below. Civil Money Penalties. 5 OCR may impose a penalty on a covered entity for a failure to comply with a requirement of the Privacy Rule. Penalties will vary significantly depending on factors such as whether the covered entity knew or should have known of the failure to comply, or whether the covered entity s failure to comply was due to willful neglect. Penalties may not exceed a calendar year cap for multiple violations of the same requirement. Violations occurring on or after 2/18/2009 Penalty Amount $100 to $50,000 or more per violation Calendar Year Cap $1,500,000 Criminal Penalties. A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to oneyear imprisonment. The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm. The Department of Justice is responsible for criminal prosecutions under the Privacy Rule C.F.R (e), (e) C.F.R

4 Providers Page 4 What is PHI and how does it relate to the data in my ERP software? The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)." 6 Individually identifiable health information is information, including demographic data, that relates to: the individual s past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. 7 Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number). Given the above definition by the Privacy Rule the following types of data come under the Rule: overpayment transactions in your ERP software data such as patient refunds, refunds on overpayments made by insurance companies, reimbursement of collections on patient bills sent to collection agencies, patient bill reimbursement not billed through patient billing system, etc. The data may be in the form of data integrated from your patient billing system, manually entered, or document attachments supporting the transactions in your accounts receivable or accounts payable processing software and database. Data in your ERP software indicating patient name for miscellaneous billing or overpayment provides a reasonable basis to believe that health care by your organization was provided to the individual in the past. How does my organization minimize the risk of enforcement and penalties for noncompliance? Given the ease of which an individual can file a complaint with the Office for Civil Rights (OCR), ensuring your ERP software provider can help you comply with HIPAA Rules is financially beneficial given the penalties (see above). To file a complaint that causes the OCR to investigate your organization, an individual can simply follow three easy steps: 1. Be filed in writing, either electronically via the OCR Complaint Portal ( or on paper by mail, fax, or e mail (mailto:ocrcomplaint@hhs.gov?subject=filing%20a%20health%20information%20privacy%20c omplaint) ; 2. Name the covered entity or business associate involved and describe the acts or omissions the complainant believes violated the requirements of the Privacy, Security, or Breach Notification Rules; and 6 45 C.F.R C.F.R

5 Providers Page 5 3. Be filed within 180 days of when the complainant knew that the acts or omissions subject to complaint occurred. OCR may extend the 180 day period if the individual can show "good cause." Anyone can file a complaint alleging a violation of the Privacy, Security or Breach Notification Rules (e.g. patient, employee, former employee, vendor ). To see the wall of shame of organizations that have had breaches affecting 500 or more individuals please go to the website below. Pay attention to the breach type and locations. Analyze the flow of any PHI data that flows in or out of your ERP software. What breach types or locations do you need to be concerned about? Look at the thousands of companies with breaches listed at the site below along with the listed number individuals affected. Go back up to the penalty section above. Protect your organization by taking a few simple steps with your ERP software provider: 1. Make sure your ERP software provider has developed and implemented written privacy policies and procedures that are consistent with the Privacy Rule. 8 These policies are typically managed by the ERP software provider s HIPAA Compliance Officer. It is important that, when in contact with PHI while implementing or supporting your ERP software, your ERP provider s staff is trained on how to handle PHI. 2. Make sure your ERP software provider can provide you a signed HIPAA Business Associates Agreement (BAA). 3. Confirm with your ERP provider that any subcontractors or vendors involved with the implementation or support of your ERP software have signed a HIPAA BAA with your ERP software provider. 4. Confirm that your ERP software, whether hosted internally or by a hosting provider, will be able to encrypt the Data in Motion and the Data at Rest. 9 Data in Motion protection typically is accomplished by making sure any ERP data that might contain PHI is transmitted via virtual private network (VPN) or secured sockets layer (SSL). Data at Rest protection typically is accomplished by encrypting the database or files where PHI is located. 5. Confirm with your ERP provider that software to software integrations will safeguard data as described in 4 above. 6. Confirm with your ERP provider that data conversions will safeguard data as described in 4 above (e.g. patient refund history in Accounts Payable). 7. Confirm with your ERP provider if they are hosting and backing up your data that ERP data backups are both encrypted and physically stored in a secure place. 8. If your ERP provider is hosting your ERP software confirm that the server is protected from physical theft. 9. If your ERP software is not hosted by your ERP software provider make sure your hosting provider can also provide items 1 8 above C.F.R (i) C.F.R (c).

6 Providers Page 6 This is a summary of key elements of the Privacy Rule in the context of healthcare providers and ERP software providers, and not a complete or comprehensive guide to compliance. Entities regulated by the Rule are obligated to comply with all of its applicable requirements and should not rely on this summary as a source of legal information or advice. For more information: I hope you have found this Research Paper on ERP Software HIPAA Concerns for Health Care Providers of value. Please send me your comments: Tad.Remington@InterDynBMI.com