Bank of America Merrill Lynch White Paper

HIPAA Compliance: Efficient Tools to Follow the Rules

Executive summary

The stakes have never been higher for compliance with the Health Insurance Portability and Accountability Act (HIPAA). Consequences for noncompliance are increasingly burdensome and costly to the bottom line. Fortunately, medical practices and other healthcare firms can avoid future risks by following a series of practical steps for meeting HIPAA standards.

Contents

• Sweeping changes
• The high cost of noncompliance
• Exactly who must comply?
• Steps for meeting HIPAA standards
• Low compliance. High vulnerability.
Sweeping changes

Anyone who has ever paid a visit to a doctor shares personal information that should not be disclosed without express permission. HIPAA was passed in 1996 to safeguard the privacy of medical records. The U.S. Department of Health and Human Services (HHS) is responsible for the administration and enforcement of HIPAA. Over the past 17 years, privacy rules have been updated, with the most sweeping changes announced this year.

The high cost of noncompliance

Healthcare businesses know that enforcement activities have increased in the past few years. The media reports more and more cases of security violations, and the cost of noncompliance can be staggering:

• CVS and Rite Aid pharmacies were disposing of individuals' health information in industrial trash containers accessible to unauthorized persons. CVS settled for $2.25 million [1] and Rite Aid agreed to pay $1 million. [2]
• Massachusetts General Hospital paid $1 million after a hospital employee accidentally left billing forms with private patient information on a seat in the subway. [3]
• Massachusetts Eye and Ear Infirmary paid $1.5 million after a laptop computer containing unencrypted electronic information about patients was stolen. [4]
• Blue Cross Blue Shield of Tennessee paid $1.5 million after 57 hard drives were stolen with unencrypted medical records of more than 1 million patients. [5]
• The Hospice of North Idaho paid $50,000 after a laptop computer containing information on 441 patients was stolen. [6]

The primary causes of security breaches, according to a 2012 study performed by the Ponemon Institute, are lost or stolen computing devices, employee mistakes or unintentional actions, and third-party snafus by business associates or service vendors.
Another major challenge for IT security is the increase in criminal attacks, which rose from 20 percent in 2010 to 33 percent in 2012. [7] Reported breaches in security can trigger an audit, which may reveal even more compliance problems.

Exactly who must comply?

The HHS Office for Civil Rights (OCR) is responsible for HIPAA compliance. Director Georgina Verdugo explains on the OCR website: "To avoid enforcement penalties, [healthcare firms must implement] a robust compliance program [that] includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents." [8]
Interestingly, there is no concrete list of protocols for HIPAA compliance; instead there are broad performance standards. Who must comply with these standards? Not just health insurance companies, hospitals, clinics and medical practices, but also their business associates. These include vendors of many types who have access to data: backup clouds, billing services, staffing companies, accounting and legal services, and even firms that undertake the HIPAA-required background investigations on potential employees. Essentially, this includes any organization that has access to private health information.

"The secure transfer of this information is permissible through business associate agreements and must adhere to all HIPAA statutory and regulatory requirements," explains Dr. Jeff Slepin, an emergency room physician who reviews medical records for quality of care and risk assessment at a national practice management company. "I take precautions to assure that the clients transmit information securely and vice versa in order to protect patient privacy."

Steps for meeting HIPAA standards

The following list highlights some practical steps you can take to ensure compliance, adhere to privacy protections, and train staff to understand and follow HIPAA rules:

• Risk analysis and management plan. Healthcare entities must prepare a written security plan that assesses and then addresses the potential risks and vulnerabilities of their record-keeping system. A security official must be identified in the security plan. Templates, compliance documentation kits and other products can be found on the Internet, but it is important to have experienced counsel review these documents to ensure that they comply with current regulations.
• Up-to-date policies and procedures. These should be reviewed and updated annually for HHS compliance, as well as whenever there are changes to computer equipment, software or physical facilities.
Implementation of all HIPAA compliance activities should be carefully monitored and documented.
• Security clearance for employees. Companies must implement and document a security clearance program for all employees who have access to private medical information. New hires must be trained before beginning their jobs. Specific security clearance procedures must be in place for persons who use mobile devices with secure data. Those who have remote access to secure data must submit to background investigations prior to obtaining such access. (Many companies have been fined for not strictly adhering to this requirement.)
• Privacy and security training programs for employees and contractors. All employees, including managers, must be trained in security and privacy awareness and in the specific procedures necessary for handling private information. Training programs are also necessary for employees of business associates, as well as their subcontractors. Companies may offer their own online training programs or hire organizations that specialize in HIPAA training.
• Physical security of workstations, computers and mobile devices. Access to electronic and written records should be limited. Employees should receive the minimum amount of information necessary to perform their jobs. Policies and procedures should specify how the job is to be performed and executed, the physical attributes of the work environment, the specific workstation(s) that can be used to access protected health information, and how access is restricted to authorized users. Any off-site use of portable devices must be carefully controlled. There should be physical and electronic locking mechanisms for unattended laptops and other mobile devices, as well as for desktop computers.
• Data encryption and virus protection. Data encryption for electronic Protected Health Information (PHI) should be considered mandatory and used on all computers and laptops, USB drives, tablets and any other devices. The American Medical Association (AMA) advises doctors, even those with small practices, to use encrypted data. If a hacker gets into a doctor's system and there is a breach of unsecured PHI, the doctor must inform HHS, his or her patients and possibly even the media. If, however, the data is encrypted, patients do not have to be informed. [9] (More information about how encryption works and how to choose and install encryption software is available on the AMA website.) Virus protection should also be considered mandatory, given increasing cyber security threats. Dell SecureWorks reported in a 2012 training webinar that the healthcare industry is a growing target for hackers due to the low level of industry data security. Employee email accounts and social networking accounts can be the source of attacks. An IT specialist knowledgeable about HIPAA standards should manage both data encryption and virus protection solutions.
• Business associate and subcontractor agreements and contracts. Contracts with business associates, as well as contracts between business associates and subcontractors who have functions involving private health information, must include signed, written agreements that meet HIPAA standards. Healthcare attorney William Maruca of Fox Rothschild LLP advises his clients that subcontractor agreements may need extra attention, since many business associates may have been unaware of their obligations to assure compliance by their subcontractors. [10] An attorney familiar with HIPAA should review all such contracts.
• Verification of adherence. For compliance purposes, there must be documented evidence of adherence to the policies and procedures outlined in a company's privacy and security management plan. Someone has to check that physical locks are in place, that electronic lockdowns are functioning, that data is encrypted, and that employees are knowledgeable about security procedures and following them.
Low compliance. High vulnerability.

The rate of HIPAA compliance remains shockingly low. In spite of the potential for heavy fines, the breadth of consumer knowledge and the ease of filing consumer complaints, healthcare companies are not strictly adhering to HIPAA performance standards. The 2012 Ponemon study showed that among 80 hospitals and clinics surveyed, 94 percent reported at least one security breach in the past two years. The study estimated that only half of all healthcare companies have a security manager and only half use encrypted data on portable devices. [11]

The reality? Chances are quite high that your healthcare company is vulnerable to a security breach.

Promoting information privacy and risk management should not just be about compliance. Information security needs to be an integrated component of IT, facilities management, human resources, vendor contracting, accounting and financial management, and patient/client communications. Employees at all levels should be encouraged to contribute to risk assessment and risk management. Creating and maintaining a company-wide culture where all workers are aware of the importance of safeguarding electronic personal health information and alert to potential security breaches is probably the most important step you can take to improve your company's HIPAA compliance practice.

References

[1] U.S. Department of Health and Human Services. "CVS Pays $2.25 Million and Toughens Practices to Settle HIPAA Privacy Case." hhs.gov/news/press/2009pres/02/20090218a.html.
[2] U.S. Department of Health and Human Services. "Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case." hhs.gov/news/press/2010pres/07/20100727a.html.
[3] U.S. Department of Health and Human Services. "Massachusetts General Hospital Settles Potential HIPAA Violations." hhs.gov/news/press/2011pres/02/20110224b.html.
[4] U.S. Department of Health and Human Services. "Massachusetts Provider Settles HIPAA Case for $1.5 Million." hhs.gov/news/press/2012pres/09/20120917a.html.
[5] U.S. Department of Health and Human Services. "HHS Settles HIPAA Case With BCBST for $1.5 Million." hhs.gov/news/press/2012pres/03/20120313a.html.
[6] U.S. Department of Health and Human Services. "HHS Announces First HIPAA Breach Settlement Involving Less Than 500 Patients." hhs.gov/news/press/2013pres/01/20130102a.html.
[7] Ponemon Institute LLC. "Third Annual Benchmark Study on Patient Privacy and Data Security," sponsored by ID Experts, independently conducted by Ponemon Institute LLC. ponemon.org/library/third-annual-patient-privacy-data-security-study.
[8] U.S. Department of Health and Human Services. "Massachusetts General Hospital Settles Potential HIPAA Violations." hhs.gov/ocr/privacy/hipaa/enforcement/examples/massgeneralra.html.
[9] American Medical Association. "HIPAA Security Rule: Frequently Asked Questions Regarding Encryption of Personal Health Information." ama-assn.org/resources/doc/psa/hipaa-phi-encryption.pdf.
[10] Maruca, W. "Urgent: Verify Your Business Associate and Subcontractor Agreements by This Friday 1/25/13 to Qualify for Extension." hipaahealthlaw.foxrothschild.com/articles/business-associates/.
[11] Ponemon Institute LLC. "Third Annual Benchmark Study on Patient Privacy and Data Security," sponsored by ID Experts, independently conducted by Ponemon Institute LLC. ponemon.org/library/third-annual-patient-privacy-data-security-study.

This article is for informational purposes only. Please consult your tax advisor, as neither Bank of America, its affiliates, nor their employees provide legal, accounting and tax advice.
© 2014 Bank of America Corporation 09-14-0447.D