THE STATE OF HEALTHCARE COMPLIANCE: Keeping up with HIPAA, Advancements in EHR & Additional Regulations

Transcription

1 THE STATE OF HEALTHCARE COMPLIANCE: Keeping up with HIPAA, Advancements in EHR & Additional Regulations

2 [ The State of Healthcare Compliance: Keeping up with HIPAA, Advancements in EHR & Additional Regulations ] ii CONTENTS OVERVIEW...1 KEEPING UP WITH HIPAA...2 ELECTRONIC HEALTH RECORDS (EHR) ADVANCEMENTS...3 FUTURE OF HEALTHCARE INDUSTRY...5 ACHIEVING AND MAINTAINING COMPLIANCE...5 CONCLUSION...7

3 [ The State of Healthcare Compliance: Keeping up with HIPAA, Advancements in EHR & Additional Regulations ] 1 OVERVIEW With the healthcare industry evolving at a rapid pace, staying informed regarding new rules and regulations, as well as changes and updates to current laws, is of the utmost importance for organizations subject to the Health Insurance Portability and Accountability Act (HIPAA). Organizations subject to HIPAA, referred to as covered entities, or organizations delivering services to covered entities, known as business associates per the HITECH Act include: Healthcare providers such as doctors, hospitals, etc. Healthcare insurance and health plan clearinghouses Businesses who self-insure Businesses that sponsor a group health plan and provide assistance to their employees on medical coverage Businesses that deliver services to other healthcare providers

4 [ The State of Healthcare Compliance: Keeping up with HIPAA, Advancements in EHR & Additional Regulations ] 2 Keeping Up With HIPAA Originally passed in 1996, HIPAA has now been around for 18 years, and while many in the industry were skeptical when it was first introduced, recent adjustments to the act have given HIPAA serious teeth. Changes and Amendments There have been many changes and additions made to HIPAA since it was originally signed into law in As such, staying up to date with HIPAA is essential to ensuring that your organization is following all requirements to maintain compliance. Hosting Providers in Healthcare As of late 2013, all hosting providers who are maintaining protected health information on behalf of covered entities became subject to HIPAA. They are now considered business associates, whether or not they actually view the information they hold. HIPAA Omnibus Rule The Omnibus Final Rule, which took effect on March 26, 2013, outlines changes for covered entities and business associates. This rule now makes business associates and subcontractors of business associates of covered entities directly liable for compliance with certain parts of the HIPAA Privacy and Security Rule requirements. Simply put, the Omnibus Rule puts liability on the provider. Under the old rule, providers were innocent until proven guilty when a breach occurred. However, with the passing of the Omnibus Rule, providers are presumed guilty and will have to prove their innocence. It s predicted that this will open the doors for more enforcement action. All covered physician practices were required to have updated their HIPAA policies and procedures regarding the Omnibus Rule and implemented accordingly by September 23, 2013.

5 [ The State of Healthcare Compliance: Keeping up with HIPAA, Advancements in EHR & Additional Regulations ] 3 Cloud Computing Under HIPAA regulations, healthcare providers can store Protected Health Information (PHI) in the cloud, and cloud computing can accommodate to meet their needs. With access to the cloud, worrying about unexpected changes that might occur within your organization is unnecessary resources can easily change depending on increased or decreased demand. When employing a cloud computing solution, cloud service providers (CSPs) can often provide a level of data security that healthcare providers could not achieve on their own. The healthcare provider must be confident that the CSP is committed to protecting information with at least the same diligence that they would be obligated to exercise if they were doing it themselves. 1 Electronic Health Records (EHR) Advancements The HITECH Act was signed into law to encourage physicians and hospitals to use Electronic Health Records (EHR). When the law was first enacted, physicians and hospitals were eligible to receive financial incentives for demonstrating Meaningful Use of EHR. In late 2013, it became clear that throughout Stages 1 and 2 of the process, nine in 10 eligible hospitals and eight in 10 eligible professionals had begun the process of registering for either the Medicare or Medicaid EHR Incentive Program. The Medicare EHR Incentive Program began in 2011, through which eligible healthcare providers are offered financial incentives for adopting, implementing, upgrading or demonstrating Meaningful Use of EHR. The incentive payments will continue through 2016, and this (2014) will be the last year to begin participation in the program. Beginning in 2015, penalties may be assessed to healthcare providers who fail to demonstrate Meaningful Use. The Medicaid EHR Incentive Program s incentive payments will continue through 2021, however the last year that an eligible healthcare professional can begin participation in the program will be Stage 3 of the programs is set to begin in 2017 and will be available to providers who have been in Stage 2 for at least two years. In theory, analysis of data from Stage 2 will improve Stage 3 s outcomes. Stage 3 s advanced outcomes will ideally include: Improved quality, safety and efficiency, leading to improve health outcomes Decision support for national high-priority conditions Patient access to self-management tools Access to comprehensive patient data through patient-centered HIE Improved overall population health

6 [ The State of Healthcare Compliance: Keeping up with HIPAA, Advancements in EHR & Additional Regulations ] 4 Additional Rules and Regulations In addition to HIPAA, the HITECH Act and the American Recovery and Reinvestment Act, healthcare organizations are subject to many other rules, regulations and laws, including the Clinical Laboratory Improvement Act (CLIA). When organizations work with TRICARE, the healthcare program serving uniformed service members, retirees and their families worldwide, they are required to support the civilian and DoD requirements FISMA and DIACAP. Clinical Laboratory Improvement Amendments In early 2014, a final rule was added to the Clinical Laboratory Improvement Act (CLIA), which allows both patients and their designees to access their completed lab results when requested. Under the rule, CLIA-covered labs must provide patients with copies of their lab test results within 30 days of receiving a request. This final rule also amends HIPAA by removing the exemptions for CLIA-certified laboratories and CLIA-exempt laboratories from the provision that gives individuals the right of access to their protected health information. 3 While patients can continue to get access to their laboratory test reports from their doctors, these changes give patients a new option to obtain their test reports directly from the laboratory while maintaining strong protections for patients privacy. Federal Information Security Management Act (FISMA) FISMA recognizes the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, FISMA, requires each federal system to undergo a certification and accreditation process that certifies federal systems have implemented the minimum security controls and processes to protect the confidentiality, integrity and availability of government data. This applies to healthcare organizations working with TRICARE due to the nature of patient data that they have access to. DoD Information Assurance Certification and Accreditation Process (DIACAP) This United States Department of Defense (DoD) process ensures that risk management is applied on information systems (IS). DIACAP defines a DoD-wide formal and standard set of activities, general tasks and a management structure process for the certification and accreditation (C&A) of a DoD IS that will maintain the information assurance (IA) posture throughout the system s life cycle. This process applies to healthcare organizations working with TRICARE due to the risk involved and nature of patient data. Healthcare organizations that have this certification can work with Federal Government organizations since they incorporate the appropriate levels of security and encryption of data. 3

7 [ The State of Healthcare Compliance: Keeping up with HIPAA, Advancements in EHR & Additional Regulations ] 5 The Future of the Healthcare Industry The healthcare industry continues to grow with over 14 million people employed in the industry in the United States, there s no sign of it slowing down. The continuously advancing technology industry offers a wide range of opportunities for innovation in healthcare, from tracking vital signs on mobile devices and sending test results out for almost immediate processing, to telemedicine. With increased use of technology in the healthcare industry also comes increased risk. Things that used to be done by actual people, like hand-delivering specimens to a lab and collecting results to bring back to patients, are now done with the help of, or solely by, computers. With more data out of people s hands, there is a higher risk of that data getting into the wrong hands, causing security and/ or privacy violations. Risk becomes especially high with advancements like telemedicine, which is subject to the same HIPAA regulations as conventional medicine. Telemedicine providers are required to keep their patients medical records confidential and need to take the same precautions with electronic medical records and files as they would with paper documents. Additionally, telemedicine providers need to consider that not all products are HIPAA-compliant. The HIPAA Omnibus Final Rule requires that all healthcare providers have a Business Associate Agreement (BAA) in place. So, if the product that a telemedicine provider wants to use has a privacy policy that doesn t mention a BAA, that product is not compliant. 4 Achieving and Maintaining Compliance As the industry continues to advance, risk will continue to be present. Protecting the privacy of patients electronic health information (ephi) is crucial health care providers will need to carefully choose a good CSP that has a history of keeping PHI secure and is familiar with what is required of business associates under HIPAA. Keeping patient data secure is a complex proposition that affects every employee of a healthcare facility, every area of its IT system, and all vendors, partners and insurers that work with the healthcare provider. Ensuring compliance will help your organization avoid the severe ramifications of noncompliance. The American Recovery and Reinvestment Act of 2009 established both civil and criminal penalties for failing to comply with HIPAA. 4

8 [ The State of Healthcare Compliance: Keeping up with HIPAA, Advancements in EHR & Additional Regulations ] 6 The tiered structure of civil penalties is as follows: HIPAA Violation Minimum Penalty Maximum Penalty Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA HIPAA violation due to reasonable cause and not due to willful neglect $100/violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation) $1,000 per violation, with an annual maximum of $100,000 for repeat violations $50,000 per violation, with an annual maximum of $1.5 million $50,000 per violation, with an annual maximum of $1.5 million HIPAA violation due to willful neglect but violation is corrected within the required time period $10,000 per violation, with an annual maximum of $250,000 for repeat violations $50,000 per violation, with an annual maximum of $1.5 million HIPAA violation is due to willful neglect and is not corrected $50,000 per violation, with an annual maximum of $1.5 million $50,000 per violation, with an annual maximum of $1.5 million Credit: American Medical Association Criminal penalties are dealt with as follows: Violation Fine Covered entities whom knowingly obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations Offenses committed under false pretenses Offenses committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm $100/violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation) $1,000 per violation, with an annual maximum of $100,000 for repeat violations $10,000 per violation, with an annual maximum of $250,000 for repeat violations Credit: American Medical Association

9 [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance ] 7 Conclusion Choosing the right cloud operator and hosting provider can help healthcare organizations lower risk, ensure security and privacy of patient data and achieve and maintain compliance. With more than a decade of experience delivering cloud services and managed hosting solutions to covered entities, including healthcare providers, insurance and health plan clearinghouses and their business associates, Carpathia is a trusted cloud operator whose delivery model is oriented around delivering secure and reliable solutions that map our obligations to HIPAA s Security and Privacy Rules. In addition, when appropriate, Carpathia enters into Business Associate Agreements (BAAs). Our data center footprint spans the globe, providing comprehensive solutions available across networks, servers and/or storage equipment. In addition, our 64,000 sq. ft., 7.3 MW IBX Vault data center in Dulles, VA is among the most connected and secure in the industry. Our data centers provide the ideal environments healthcare organizations need to keep patient data safe and secure. Carpathia s comprehensive, compliant cloud computing and hosting solutions enable our customers to be confident that they are able to comply with HIPAA/HITECH obligations. Carpathia is a trusted cloud operator and leading provider of cloud services and managed hosting, providing secure, reliable and compliant IT infrastructure and management for some of the world s most demanding enterprises and federal agencies. Carpathia s cloud platform delivers solutions for every stage of the cloud journey, empowering organizations to meet their unique security and compliance requirements. Carpathia s experienced customer care team and innovative data center facilities provide 24x7 global support to ensure optimum performance and reliability. Backed by its E3 Promise, Carpathia consistently delivers an experience that exceeds expectations. Contact Carpathia at , or visit for more information Atlantic Boulevard Suite 500 Dulles, VA /