HIPAA Security Standards: What Rheumatologists Need to Know

From the College  |  Issue: April 2015  |  April 1, 2015


The privacy and security of patient health information (PHI) is a top priority for patients and their families, as well as healthcare providers and the government. Federal laws require many of the key people and organizations that handle health information to have policies and security safeguards in place to protect their organization and the health information of every patient—whether it is stored on paper or electronically.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security and Breach Notification Rules are the main federal laws that protect PHI. The Privacy Rule gives individuals specific rights with respect to their health information and sets limits on how that information can be used and shared with others. The Security Rule specifies how health information must be kept secure through administrative, technical and physical safeguards. The Breach Notification Rules require covered entities to notify affected individuals, the Secretary of Health and Human Services (HHS) and, in some cases, the media if there is a breach of a patient’s unsecured PHI.

Most of the privacy requirements have been in place since 2005, and as electronic transactions in healthcare management have advanced, federal laws and regulations on health information privacy have increased. The liability for protecting PHI extends beyond the walls of every physician practice. The HIPAA security standards require physicians to protect the confidentiality, integrity and availability of a patient’s medical information with policies and procedures. The new regulations advise physician practices to reevaluate and update their HIPAA compliance plans regularly to verify they are meeting federal requirements.

In 2013, the final omnibus rule enhanced patient privacy protections, provided new rights for individuals over their health information, and strengthened the government’s ability to enforce the law and apply penalties. The updates required all covered entities to update their HIPAA policies and procedures and implement the changes required by these regulations no later than the Sept. 23, 2013, compliance date. Medicare defines a covered entity in the HIPAA Rule as all health plans, healthcare clearinghouses and healthcare providers who submit PHI electronically (electronic PHI, or ePHI).

To avoid penalties and fines, practices will need to assess the security risks to, and vulnerability of, patient information, because this assessment is at the core of practice compliance. It is vital for rheumatology practices to add administrative safeguards to protect against liability. Some of these safeguards include the following:

  • Appoint one security officer—this person can be the office manager or practice administrator and may also be the privacy officer;
  • Establish policies for the appropriate use of, physical attributes of and security for workstations that access ePHI;
  • Train staff on security issues, scaled to your organization. Covered entities are required to provide ongoing training for their staff on security and compliance matters—a single session once every five years will not be sufficient. Additionally, “business associates” must be aware of your security policies, although your practice is not under an obligation to train them. HHS defines a business associate as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity (e.g., billing company, transcriber, coding company).”[1] A member of your staff is not considered a business associate;
  • Create a tracking system for any security “incidents,” and document policies and procedures for dealing with incidents. Resulting harm must be mitigated;
  • Create a plan for emergencies that may damage systems holding ePHI. This includes provisions for data backup, a recovery plan and a way to continue critical business processes while protecting the security of ePHI during any emergency; and
  • Conduct periodic evaluations of security preparedness, both internal and external.

The HIPAA security standards may seem like a far-reaching piece of legislation dating as far back as 1996, but they should not be taken lightly, because there have been breaches across the board from hospitals, health plans and physician practices. The Office for Civil Rights (OCR) enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information, and it has created a privacy and security audit program for all covered entities and business associates. The OCR auditors will be looking to see whether your HIPAA policies and procedures meet the latest privacy and security criteria. The Office of Inspector General, which oversees the OCR, has indicated that no one is exempt from a potential OCR privacy and security audit in the coming year.
