OCTOBER 2013 PART 1 Keeping Data in Motion: How HIPAA affects electronic transfer of protected health information
It is difficult to overestimate the impact that the Health Insurance Portability and Accountability Act (HIPAA) has had on healthcare organizations. Patients have no doubt benefited from its security and privacy provisions, but the HIPAA regulations have also posed significant challenges and risks for hospitals, insurers, medical practices, individual clinicians and a variety of related businesses. In order for an organization to meet those challenges and reduce the risk of penalties, it has to fully understand how the HIPAA law affects the transfer of protected health information (PHI) during day-to-day operations.

Establishing clear definitions

A discussion of patient data transfer has to start with the HIPAA definition of PHI, which refers to any information held by a covered entity that concerns health status, provision of healthcare or payment for healthcare that can be linked to an individual. This is interpreted rather broadly and includes any part of an individual's medical record or payment history. Originally, a covered entity included healthcare clearinghouses, employer-sponsored health plans, health insurers and medical service providers that engage in certain transactions.

HIPAA addresses two aspects of PHI management: data security and data privacy. The security component of the law applies specifically to electronic PHI and outlines a series of security safeguards to ensure that a patient's data is protected while in transit. The privacy component of HIPAA requires covered entities to disclose patients' data within 30 days of their request for that data, whether in paper or electronic form. The law specifies how covered healthcare companies can use a patient's medical records, to whom they can disclose those records, and when and how patients can have access to this data. The rules cover personally identifiable data in oral, electronic and written form.
Privacy rules require a physician to get your permission to share your PHI, even with other physicians. More specifically, the privacy rules allow patients to inspect and copy their PHI. The rules also require that employees be trained in the appropriate procedures needed to protect this information. Covered entities also need to establish procedures to ensure that only staffers with a legitimate reason for gaining access to PHI actually have access to it. In recent years, that requirement has sometimes been difficult to enforce, as curious hospital staff have on occasion snooped into the records of celebrity patients when they had no business or clinical justification for viewing the information. Of course, hospitals are not the only healthcare-related entities that are accountable for the way they manage PHI.
Healthcare clearinghouses are equally accountable. The term includes any organization that takes health information from an entity, converts it into a different format and sends it to another entity for some sort of processing, according to Rebecca Herold, an expert on information security and privacy at Rebecca Herold & Associates, LLC. Examples would include billing services and many financial institutions. The term medical service provider, on the other hand, would include not only hospitals and physician practices but pharmacies and contract research organizations, explained Herold.

While HIPAA regulations present profound challenges for any organization responsible for handling PHI, these regulations only tell half the story. In 2010, the federal government put into effect a variety of related rules through implementation of the Health Information Technology for Economic and Clinical Health Act (HITECH). Herold points out that the HITECH Act specifically addresses the security and privacy of electronically transmitted PHI. This second set of rules expands and clearly outlines the requirements that business associates (BAs) must meet to protect such data. "The sanctions for non-compliance that used to only really apply to covered entities now also apply to BAs," said Herold. "These sanctions, and BA responsibilities, were significantly expanded under the implementation of the Omnibus Rule on September 23, 2013. Now BAs must also comply not only with all the HIPAA Security Rule and HITECH Act requirements, but also with the Privacy Rule requirements applicable to their services. They must also ensure any subcontractors they use are also in compliance with all these requirements."
Of course, that raises the question: What exactly is a BA? HIPAA defines it as a person or organization that performs some type of activity on behalf of a covered entity, or provides a service to the covered entity in the provisioning of healthcare transactions, payments or operations, that involves access to PHI, explained Herold. That would include transcription services, backup and archiving, and even cloud services involving PHI.

A closer look at HITECH

One of the principal goals of the HITECH Act is to foster the implementation of electronic health records (EHRs) among U.S. hospitals and medical practices. To that end, it has established a long list of regulations to define what it refers to as Meaningful Use of EHRs in providing patient care. The program is being rolled out in three stages, with Stage 2 officially taking effect in 2014.

The HITECH Act includes regulations on electronic exchange of PHI. In addition to specific criteria on how this data should be transmitted across covered entities, the law requires organizations to self-report data breaches that affect 500 or more individuals to the Department of Health and Human Services, the media and the individuals who have been affected by the breach. Ignoring this requirement can result not only in large financial penalties but in criminal penalties, including jail time.

HIPAA and HITECH regulations also require covered entities to protect against any reasonably anticipated threats to the security or integrity of PHI, explained Herold. Similarly, the rules require covered entities to establish breach response plans. That includes an assessment of the probability that the PHI was compromised. The following four factors must be considered in assessing the probability of compromise:

- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk of harm to the affected individuals has been mitigated.

Covered entities would then need to notify the involved insureds and/or patients about the breach based upon that probability.

All these rules and regulations are enforced by the federal Office for Civil Rights, which is part of the Department of Health and Human Services, and also by state attorneys general offices. The Federal Trade Commission also gets into the act because it enforces HIPAA and HITECH for non-covered entities and non-business associates that possess repositories of patient information in personal health records. Examples include online personal health records and applications or devices that track health information such as blood pressure or exercise and upload it into a personal health record.
Lastly, MU and HIPAA regulations include security requirements that apply to the movement of PHI sent by fax transmission.

How rules apply to fax transmissions

The inherent risks involved in transmitting PHI over the Internet require providers to encrypt this data to reduce the threat of interception by unauthorized users. But unlike the Internet, where traffic is in principle interceptable at any point along its path, intercepting a fax phone call requires a phone connection at the premises the document is being sent from or sent to. Thus the difference between Internet and phone technology makes the latter mode of transmission inherently less risky, at least from a technological perspective.
HIPAA rules also govern the physical protection of PHI. In situations where any sort of paper document containing patient data exists, the Department of Health and Human Services (HHS) expects covered entities to "apply reasonable safeguards when making these communications to protect the information from inappropriate use or disclosure," according to the agency's website. For example, the HIPAA regulations allow a laboratory to fax a patient's medical test results to a physician, and allow a physician to fax a copy of a patient's medical record to a specialist. But HHS makes it clear that when faxing protected health information to a telephone number that is not regularly used, a reasonable safeguard may involve a provider first confirming the fax number with the intended recipient. Similarly, a covered entity may pre-program frequently used numbers directly into the fax machine to avoid misdirecting the information.

However, if a fax containing PHI is sent to a nurse's station in a hospital and the nurse is not physically present to immediately retrieve the document as it comes in, the HIPAA rules will likely have been violated. Some healthcare providers are coping with this data threat by putting all their fax machines in a locked room and only giving authorized staffers access to the room. Unfortunately, that approach defeats the convenience of fax technology, which traditionally has offered easy, immediate access to paper documents that in the past took days to arrive by post.

Clearly, the privacy and security rules spelled out by HIPAA, HITECH and Meaningful Use have created a series of challenges and risks for healthcare organizations.
Exploring the consequences of not adequately protecting PHI and finding cost-effective ways to protect it will be the topics of parts 2 and 3 in our Keeping Data in Motion series.

About OpenText

OpenText is the leader in Enterprise Information Management (EIM). EIM enables organizations to grow the business, lower costs of operations, and reduce information governance and security-related risks. OpenText focuses on the key drivers of business success to improve business insight, strengthen business impact, accelerate process velocity, address information governance and provide security. OpenText Information Exchange solutions help organizations integrate and extend their information exchange systems and processes in order to improve their efficiency, decrease security risk, and lower their transaction cost for internal and external information exchange. For more information visit: faxsolutions.opentext.com.

Produced in partnership with HIMSS Media, www.himssmedia.com, 2013