The privacy and security of patient health information (PHI) is a top priority for patients and their families, as well as healthcare providers and the government. Federal laws require many of the key people and organizations that handle health information to have policies and security safeguards in place to protect their organization and the health information of every patient—whether it is stored on paper or electronically.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security and Breach Notification Rules are the main federal laws that protect PHI. The Privacy Rule is very specific and gives rights to everyone with respect to their health information, and also sets limits on how health information can be used and shared with others. The Security Rule sets instructions for how health information must be kept secure with administrative, technical and physical safeguards. The Breach Notification Rules require covered entities to notify affected individuals, the Secretary of Health and Human Services (HHS), as well as the media in some cases if there is a breach of a patient’s unsecured PHI.
The majority of the privacy requirements have been in place since 2005, and as electronic transactions in healthcare management have advanced, federal laws and regulations on health information privacy have grown accordingly. The responsibility for protecting PHI extends beyond the walls of every physician practice. The HIPAA security standards require physicians to protect the confidentiality, integrity and availability of a patient’s medical information through policies and procedures. The new regulations advise physician practices to reevaluate and update their HIPAA compliance plans regularly to verify that they are meeting federal requirements.
In 2013, the final omnibus rule enhanced patient privacy protections, provided new rights over individual health information, and strengthened the government’s ability to enforce the law and apply penalties. The updates required all covered entities to update their HIPAA policies and procedures and implement the changes required by these regulations no later than the Sept. 23, 2013, compliance date. Medicare defines a covered entity under the HIPAA Rule as any health plan, healthcare clearinghouse or healthcare provider that transmits PHI electronically (electronic PHI, or ePHI).
To avoid penalties and fines, practices will need to assess the security risks to, and vulnerabilities of, patient information, because this assessment is at the core of practice compliance. It is vital for rheumatology practices to put administrative safeguards in place to protect against liability. These safeguards include the following:
- Appoint one security officer—this person can be the office manager or practice administrator and may also be the privacy officer;
- Establish policies for the appropriate use of, physical attributes of and security for workstations that access ePHI;
- Train staff on security issues that are scaled to your organization. It is a requirement for covered entities to have ongoing training for their staff on security and compliance matters—a single session once every five years will not be sufficient. Additionally, “business associates” must be aware of security policies, although your practice is not under an obligation to train the associates. HHS defines a business associate as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity (e.g., billing company, transcriber, coding company).”1 A member of your staff is not considered a business associate;
- Create a tracking system for any security “incidents,” and document policies and procedures for dealing with incidents. Resulting harm must be mitigated;
- Create a plan for emergencies that may damage systems containing ePHI. This includes provisions for data backup, a recovery plan and a way to continue critical business processes while protecting the security of ePHI during an emergency; and
- Have periodic evaluations of security preparedness that will be conducted both internally and externally.
The HIPAA security standards may seem like a far-reaching piece of legislation dating as far back as 1996, but they should not be taken lightly, because there have been breaches across the board at hospitals, health plans and physician practices. The Office for Civil Rights (OCR) enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information, and it has created a privacy and security audit program covering all covered entities and business associates. The OCR auditors will be looking to see whether your HIPAA policies and procedures meet the latest privacy and security criteria. The Office of Inspector General, which oversees the OCR, has indicated that no one is exempt from a potential OCR privacy and security audit in the coming year.
There are both civil and criminal penalties associated with violating the HIPAA rules. For civil penalties, there are four tiers of violations: 1) The offender did not know it violated the provision; 2) the violation was due to reasonable cause and not willful neglect; 3) the violation was due to willful neglect but was corrected; and 4) the violation was due to willful neglect and was not corrected.
Each tier has different penalties, and the penalties increase significantly with each tier, up to a maximum annual penalty of $1.5 million. In addition, individuals who knowingly violate the HIPAA rules may be subject to criminal penalties, starting at a fine of up to $50,000 and/or imprisonment for up to one year. If the offense is committed under false pretenses, an individual can be fined up to $100,000 and/or imprisoned for up to five years. More severe penalties apply if the offense is committed with the intent to sell, transfer or use the health information for commercial advantage, personal gain or malicious harm. In such cases, monetary penalties may be as high as $250,000, with possible imprisonment for up to 10 years.
It is important to protect yourself from unnecessary liability by avoiding any violation involving PHI. This compliance measure requires that policies and procedures be created and implemented. As with everything else in compliance, documentation is a major part of the battle: all compliance activities must be documented and retained for six years.
The HIPAA compliance updates and guidelines have been in place for the past few years, and understanding the rules and the risks will allow you and your staff to plan and prepare for any threats. For questions on HIPAA rules or compliance training, contact Antanya Chung, ACR director of practice management, at [email protected] or 404-633-377 x818.
Reference
1. U.S. Department of Health & Human Services. Business Associates. April 3, 2003.