Healthcare providers have until September 23 to put into place internal policies and procedures needed to comply with sweeping changes coming to the Health Insurance Portability and Accountability Act (HIPAA).
In January, the U.S. Department of Health and Human Services (HHS) released a set of rules, known collectively as the omnibus rule, designed to supplement and modify the privacy, security, breach notification, and enforcement rules governing patient health information in HIPAA. HHS has made it clear that the September 23 compliance deadline is final. Penalties can range from $100 to $1.5 million depending on the violation.
For primary care and other physicians in private practice, compliance will mean:
conducting and documenting a risk analysis, which HHS defines as “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability” of electronic protected health information (PHI) in your practice;
reviewing the practice’s policies and procedures for when PHI is lost or stolen or otherwise improperly disclosed, and making sure your staff members are trained in them;
ensuring that the electronic PHI your practice holds is encrypted so that it cannot be accessed if it is lost or stolen (see “Encrypting your patients’ health information”);
modifying the practice’s electronic health record (EHR) system so that you can flag information a patient does not want shared with an insurance company;
having the ability to send patients their health information in an electronic format;
reviewing your contracts with any vendors that have access to your practice’s PHI; and
updating your practice’s notice of privacy practices.
Other provisions of the omnibus rule include restrictions on selling PHI or using it for marketing and fundraising purposes without obtaining the patient’s permission and loosening some of the restrictions on sharing PHI with family members or other caregivers of deceased patients. Disclosure is only permitted, however, to the extent that the PHI is relevant to the role the family member or caregiver played in the decedent’s treatment. Moreover, release is not permitted in cases in which the individual expressly stated before death that he or she did not want the PHI released.
The omnibus rule also permits doctors in states with compulsory vaccination laws to disclose a child’s immunization records to schools without obtaining formal authorization from parents. Physicians now can do so with only a verbal agreement, provided they document that they obtained the permission. Lastly, the rule prohibits health plans from using or disclosing genetic information for the purpose of insurance underwriting.
The rule also sets and describes the four categories of penalties for violating the rules and the dollar amounts for each.
The omnibus rule is the latest step in a process that began when Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. Among other provisions, the HITECH Act required HHS to strengthen HIPAA’s privacy and security protections for health information. HHS adopted interim rules for doing so in 2010 and finalized the rules with adoption of the omnibus rule.
Growth in EHRs drive changes
Driving many of the changes in the omnibus rule is the proliferation of EHRs and the accompanying digitization of patient information, says Jeffrey J. Cain, MD, FAAFP, president of the American Academy of Family Physicians (AAFP).
“The [original] HIPAA legislation is 15 years old now and was enacted at a time when EHRs were nothing more than a gleam in Microsoft’s eye, but now everyone’s using them, and the rules were seen to be in need of tightening up,” he says.
Angela Dinh Rose, director of health information management excellence for the American Health Information Management Association, says, “HITECH was a huge factor in pushing the adoption of health information technology, so along with that, Congress saw the need for improved privacy and security practices to protect patient information now that so much of it is becoming electronic.”
According to a study of breaches reported on the HHS Web site by Kaufman Rossin & Co., an accounting and consulting firm based in Miami, Florida, the number of individuals affected by data breaches doubled from 2010 to 2011, even though the number of entities involved in a breach declined (see “Summary of health breach information reported to HHS, 2010 to 2011,” below). The largest cause of breaches was theft (53%), followed by unauthorized access (20%) and loss (14%).
New rules for data breaches
The changes likely to have the greatest effect on medical practices are those concerning how PHI should be secured and kept private and what practices must do in case of a breach—meaning the PHI is lost, stolen, or otherwise made available to someone who should not have it. Why? Whereas before the omnibus rule, breaches only had to be reported if they involved a “significant risk of harm,” now the presumption is that virtually any unauthorized disclosure of PHI may be a breach, unless the practice can demonstrate a low probability that the information has been compromised, explains Kenneth Rashbaum, JD, a health law attorney with Rashbaum Associates in New York, New York.
“These changes are a big deal because the standard [of what constitutes a reportable breach] is much lower, and as a result there’s now a presumption of harm to the patient by virtue of the breah by the entity that made the disclosures,” Rashbaum says.
Given the new standard, the most important action practices can take to protect themselves against penalties, experts emphasize, is to encrypt patient data, both within the practice itself and when they are taken outside the practice in a laptop computer, smartphone, or other portable device. Why? “In the [omnibus] rule now, they’re defining a breach as the loss of unsecured PHI,” explains Juli A. Ochs, CPA, healthcare engagement director for the consulting and accounting firm CliftonLarsonAllen LLP. “So anything that renders the data ‘unusable, unreadable, or undecipherable’ is now not considered a breach.” (See “Encrypting your patient’s health information” below for suggestions on how to encrypt data in a way that meets HHS requirements.)
Determining risk of harm
Whenever a breach does occur, it is presumed to be reportable to HHS unless the practice can demonstrate a low risk of probability that the PHI will be compromised, meaning that anyone will be harmed as a result. Demonstrating the risk contains four components:
The nature and extent of the data involved. “Was the information just a list of patients? Did it include identifying data like Social Security numbers or other financial information? Were there intimate medical or psychotherapy records? Those are the types of questions that need to be asked,” says Aldo Leiva, JD, a data security and privacy attorney in Coral Gables, Florida.
The unauthorized person who used the PHI or to whom it was disclosed (something you can’t know if the breach resulted from a device being lost or stolen).
Whether the PHI was actually acquired or viewed.
The extent to which the risk has been mitigated after the fact. An example, Leiva says, might be having a contractor to whom the PHI accidentally was sent sign a non-disclosure agreement.
In addition, the rule requires practices to notify patients whose PHI has been breached within 60 days of discovery of the breach. If the breach affects more than 500 patients, then HHS and the local news media must be notified within the same 60-day timeframe. Practices must keep a log of all breaches regardless of the number of patients affected, and they must submit the log annually to HHS.
Another requirement of the rule is that practices and other covered entities conduct a risk analysis. The purpose of the exercise is to discover where the practice might be vulnerable to having its patient information lost or stolen—through theft of a laptop computer on which data are stored, for example—and putting in place policies and procedures to reduce those vulnerabilities.
“People get overwhelmed by this, because they think it needs to be a formal process,” Ochs says, “but it can be just everyone in the practice sitting down to talk about where are we vulnerable, assessing the risk of each vulnerability, deciding how to address it, and then documenting that they’ve gone through the process.”
In addition, practices should appoint a privacy and security officer with the responsibility for making sure the practice has policies and procedures for complying with the rules and that staff members are trained in them. Practices can—and often do—assign the responsibilities to a current employee rather than hire someone new, Ochs says. “The main thing is just that it’s assigned,” she adds.
Violators of the privacy and security rules will be fined in amounts ranging from $100 to $50,000 per violation (see “HIPAA rule violation categories and penalty amounts”). The maximum a practice or other covered entity can be fined in a year is $1.5 million.
Relations with business associates
After changes to the PHI security and breach notification rules, the omnibus rule changes of greatest interest to practices are those affecting their relationships with “business associates,” vendors that have access to a practice’s PHI. Such vendors are now directly responsible to HHS for securing and guarding the privacy of PHI in the same way that practices are, and they are subject to the same penalties.
“Before [the omnibus rule], physicians and medical organizations might be protecting patient data the way they were supposed to, but their third-party providers were not obligated except under the terms of their contract with the providers,” notes Jorge Rey, CISA, CISM, director of security and compliance for Kaufman, Rossin & Co. “Now the rules say that if you have access to patient healthcare-related information, you need to comply with all the privacy requirements.” The rule also puts subcontractors to practice vendors under HHS jurisdiction.
The increased responsibility of business associates does not let doctors off the hook entirely. That’s because even if the business associate loses PHI or has it stolen, the medical practice ultimately is responsible for notifying affected patients and reporting the breach to HHS.
Leiva notes that many health information technology (HIT) vendors and consultants include boilerplate language in their contracts absolving them from liability for data loss. Consequently, he advises reviewing all contracts with HIT vendors to ensure that their wording conforms with the omnibus rules governing relations between covered entities and their business associates. (A sample business associate agreement is available from the government at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/...)
Greater patient control
The third part of the omnibus rule affecting doctors’ practices concerns patients’ rights related to their own health information.
The rules gives patients the right to:
obtain copies of their health information in an electronic format within 30 days of requesting it, with one 30-day extension permitted, and
instruct his or her doctor not to share information about a test or treatment for which the patient has paid out-of-pocket with his or her insurance company.
In addition, the rule requires practices to update their notice-of-privacy practices (NPPs) to reflect the changes to patients’ rights included in the omnibus rule and requires sending the updated NPP to all patients and posting it prominently in the practice and on the practice’s Web site.
Complying with the changes likely will be challenging for doctors due to the limitations of EHR systems. “EHRs were designed so that you could share information easily between healthcare providers and insurance providers,” notes the AAFP’s Cain. “Now we have this law saying that if a patient pays cash, the condition won’t be revealed to insurance providers, which is problematic for the way most EHRs are built.”
The design of EHRs also makes it difficult to share information with individuals who don’t have EHRs, Cain notes. “That’s going to be a problem and something the vendors will have to help us with,” he says.
In the meantime, possible alternatives include joining a private health information exchange network or a one of the regional or statewide networks many states are establishing. Regional extension centers and state and local medical societies are good sources of information about health information exchange networks.
Doctors should ask their EHR vendors about a timetable for implementing a function that allows them to meet the requirement by the September 23 deadline, advises Lisa Gallagher, CISM, vice president of technology solutions for the Healthcare Information and Management Systems Society. If a vendor won’t be ready to provide such a feature, then the practice will have to still find a way to meet the requirement, maybe through a different way of recording the patient’s data until the function is available, Gallagher says.
“Sometimes regulatory requirements are misaligned,” she adds. “What’s happened here is the requirement for the provider to do something, and the requirement hasn’t made its way down to the vendor. But the important thing for everyone to realize is that HHS has said this requirement is going into effect and you have to meet it.”
Cain says that most AAFP members understand the need to provide patients with greater control over who can see their information and the need to guard confidentiality generally. Nevertheless, “it does add another layer of administrative complexity to managing an office practice,” he says.
“All the rules are well-intentioned, but they may interact in ways that aren’t understood when they are developed,” Cain adds. “The law of unintended consequences is challenging for office-based physicians.”