Complying with HIPAA: Avoid financial penalties by following these steps

The financial penalties for not securing protected health information (PHI) have become greater, and the risks for violation more numerous, under the final Health Insurance Portability and Accountability Act (HIPAA) omnibus rule that went into effect Sept. 23. The rule greatly modifies and implements the Health Information Technology for Economic and Clinical Health (HITECH) Act by adding protections for stronger security of PHI, especially as it relates to electronic communications.

In the 1990s, PHI mostly was communicated on paper. Electronic communication was not yet widely embraced, and texting was not available. Today, it’s a different story. Electronic communication is affordable, efficient and perhaps one of the fastest ways to transmit information. It’s so fully accepted in daily life that many people, including those within the healthcare industry, now rely on electronic communication for business purposes.

In 2003, HIPAA addressed the increased need for protecting electronic PHI through security standards also known as “the security rule.” By 2005, the regulation established administrative safeguards to ensure that covered entities “identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart [the security rule] for the covered entity or business associate.” This step was an important one in ensuring that the security rule actually was implemented and actively administered.

WHAT THE STANDARDS COVER

The administrative standards cover:

• access authorization,
• security awareness and training,
• periodic security updates,
• protection from malicious software,
• log-in monitoring,
• password management,
• security incident procedures,
• contingency plans,
• data backup plans,
• disaster recovery plans,
• emergency mode operation plans,
• maintenance records,
• workstation use and
• device and media controls.

As technology continues to advance, healthcare providers and other covered entities must stay abreast of new security challenges. As such, organizations must understand and follow the technical safeguards to ensure that the transmission of PHI is secure and encrypted.

Under the 2013 HIPAA omnibus rules, breach notification requirements have changed significantly with regard to unsecured/unencrypted electronic health information. Covered entities now are required to have policies in place to disclose non-allowable uses of PHI, procedures to identify the risks associated with unauthorized uses and processes to determine whether a reportable breach has occurred. As these requirements relate to email, facilities must be aware of the inherent risks associated with the use of some email platforms.

FREE EMAIL ISSUES

Many facilities, especially those of small to mid-sized organizations, encourage employees to use their personal or generic email accounts to communicate with staff, healthcare providers, business associates, residents and family members. These email accounts typically are available at no cost and seem to do the job. Are they encrypted and HIPAA-compliant, however?

In June, a Google attorney filing a legal brief in an effort to have a class-action data-mining lawsuit dismissed cited the 1979 Supreme Court case Smith v. Maryland and said that those sending or receiving email messages via its service—at least those without Gmail accounts sending messages to those with Gmail accounts—should not expect their messages to remain private. In fact, Google has had a standard practice of reviewing the content of every email that passes through its server since its inception in 2004, according to an Aug. 15 Los Angeles Times article by Jon Healey.

Unfortunately, this practice is not limited to Gmail. It also is a standard practice of most “free” email programs, such as Yahoo, Hotmail and AOL.

AVOIDING VIOLATIONS

Before 2009, the fines for HIPAA violations were $100 per violation and $25,000 for identical violations during a calendar year. The new monetary penalties are significantly higher (see table, “Monetary penalties for HIPAA violations”). A healthcare facility can take basic steps to protect itself, its employees and business associates from being at risk of violating the new HIPAA regulations, however. The best strategies to avoid fines involve corporate compliance programs, quality assurance performance improvement (QAPI) programs and overall policies and procedures.

• Corporate compliance programs. Ensure that the organization’s corporate compliance program is current and actively implemented and includes the newest requirements of the HIPAA omnibus rules. For instance, add “security officer” to the corporate compliance officer title and duties. Include HIPAA, information technology (IT) and electronic documentation audits to the compliance audits. Also, create procedures for frequent evaluations of online and electronic communications safety and security, and incorporate those procedures into the compliance program.
• QAPI. Use the protections provided by the effective use of a QAPI program. For instance, have all new HIPAA policies approved by the QAPI committee, develop QAPI studies to verify the safety of all electronic documents and communications, and document every study, actions taken, and all staff training related to the safety and security of electronic communications.
• Policies and procedures. Ensure that all new policies and procedures now required through the HIPAA omnibus rule are created and implemented. For instance, review how access is granted to electronic PHI, protect electronic PHI of the clearinghouse from unauthorized access by the larger organization, and terminate access to electronic PHI when employment is terminated. Also, guard against, detect and report malicious software, and monitor log-in attempts and report discrepancies. Additionally, create, change and safeguard passwords, and review how security incidents are addressed. Respond to an emergency or other occurrence (for example, fire, vandalism, system failure or natural disaster) that may damage systems containing electronic PHI, and know how to continue critical business processes while operating in emergency mode. Retrieve exact copies of electronically PHI when the power fails, and know how lost data are restored.

ADDITIONAL POLICIES

In addition to these new mandated policies, facilities can minimize their risk by having policies in place that are supported by both their corporate compliance and QAPI committees. Such policies should cover social media, email, electronic devices, text messages and companywide training.

• Social media. Employees should not post anything—whether positive or negative—to social media accounts regarding a facility, its policies, residents, staff and similar topics. Controlling what is published via social media is critical.
• Email. Any information transmitted electronically should be done only via an encrypted, facility-provided email environment.
• Electronic devices. Any electronic device used to transmit PHI must be approved for safety by the IT and QAPI committees.
• Text messages. Because text messages are not normally protected and/or encrypted, a facility should have strict policies that prohibit the use of text messages to transmit any PHI.
• Companywide training. Training should be an ongoing education series taught by external educators well-versed in current compliance standards, not infrequent gatherings of staff members under the guise of in-service sessions. A facility’s compliance program should incorporate a list of required training to ensure that employees complete it.

OVERSIGHT CRUCIAL

HIPAA has been in place since 1996. It has been updated several times, although none of the changes has been as significant as 2013’s omnibus rule. Many of the most recent modifications seem to reiterate previous rulings, but this time, the proper administration and implementation of PHI protection and the ramifications of noncompliance are very significant.

Of course patient, resident and employee information should be protected and secure. With the ongoing advances in electronic communication, however, all too often what is thought to be a secure form of communication easily can be breached. Ensuring adherence to HIPAA requires healthcare providers to be familiar with current legislation, have fully executable corporate compliance programs and be able to respond quickly and appropriately to privacy incidents. For additional information, see www.hhs.gov/ocr/privacy/.

The author is a former owner and operator of two skilled nursing facilities (SNFs). He now is a consultant for Priority Healthcare LLC, a corporate compliance firm that works with SNFs and residential/assisted living facilities. He may be reached at egonzalez@priority-healthcare.com.