
HIPAA and HITECH in 2013: What You Don’t Know Can Hurt You

Kevin W. Yankowsky, JD & Caroline Fife, MD, CWS
September 2013

Let’s begin with the cautionary tale of Dr. Alexandra Thran, an emergency room physician who was fired from her job while working in Rhode Island (and reprimanded for unprofessional conduct by the state medical board) for posting information about a patient on Facebook. Even though she did not include the patient’s name, she was descriptive enough in what she wrote that others in the community could have identified the patient. Not many of us feel sympathy for a clinician who is this unprofessional, but she sadly represents a growing number of healthcare professionals who have gotten into trouble through inappropriate use of social media. The potential for breaching protected health information (PHI) in this “digital age” is greater than ever and has led to a dramatic increase in federal regulation of electronic data. Many physicians and healthcare institutions believe the only professional legal trouble they are likely to face pertains to malpractice. However, it is increasingly likely that both clinicians and institutions will face civil (or even criminal) actions arising from the dramatic increase in governmental healthcare regulations designed to manage privacy and digital information.

Perhaps the biggest example is the expansion of HIPAA (the Health Insurance Portability and Accountability Act of 1996) and HITECH (the Health Information Technology for Economic and Clinical Health Act of 2009). There are really three stories that converge here through these mandates. The main theme is HIPAA and its bigger, broader, more sweeping penalties, written by the US Department of Health and Human Services (HHS) and published Jan. 25, although the compliance deadline for virtually every provision is Sept. 23. These provisions affect clinicians at many levels. Healthcare professionals incorporate social media into their daily lives just like everyone else and, like Thran, some forget their professional obligations to protect patient privacy.

We will not discuss this important topic further except to emphasize that PHI is covered by the HITECH Act when it involves electronic communication. Thran was fined a mere $500 for her breach of patient confidentiality online — almost nothing compared to the fine that could have been levied under the HITECH Act, as you will read below. However, the themes of HIPAA and electronic communication converge in another related topic: mobile devices and data security.

Mobile Devices & Data Security

Recent surveys of healthcare institutions confirm that 81% of these organizations permit employees and medical staff to use their own mobile devices (eg, smartphones or tablets) to connect to their networks or enterprise systems such as email. However, 54% of hospitals are not confident that these personally owned mobile devices are “secure.” It is not just the mobile devices that must be secured (since they can be used to transmit, copy, or otherwise compromise PHI); healthcare organizations also have to secure vast quantities of data that generally reside in a “computing cloud.” The 2012 Ponemon Study on Patient Privacy and Data Security revealed that 91% of hospitals are using cloud-based data services (meaning they do not store patient or administrative data on their own computer servers), but 47% are not confident the data hosted by these services are secure. They are right to be concerned, since 94% of healthcare organizations have had at least one data breach in the past two years and 45% had more than five incidents.1 The types of patient data lost or stolen most often are medical files and billing and insurance records. Remember, the data a hospital needs for billing purposes are exactly the data needed for identity theft (ie, patient name, social security number, date of birth, home address). Sadly, insider negligence is a common cause of data breach, often due to lost or stolen computing devices. However, criminal attacks are on the rise and may now be the most common cause of data breaches. From 2009-12, there were 495 reported data breaches that compromised 21.1 million medical records, each one affecting an average of 42,659 records. It took the institution an average of 68 days to notify the appropriate individuals or entities of the breach, and the estimated cost of coping with these breaches during that time frame was $4.1 billion.

Hospitals and physician practices are the most-breached institutions in the US after governmental institutions — and the leading cause is theft, with PHI being the typical target. In 21% of cases, the breaches involved “business associates,” about which we will have more to say below.1

HITECH Breaches: New Reporting Requirements

Under the old HITECH rule, notifying patients of unauthorized access to or use of their electronic PHI was only required if the use or access constituted a “breach,” which was defined as unauthorized use or access of electronic PHI that posed a “significant risk to the finances or reputation of the individual whose data was breached.” However, under the newly amended rule, any unauthorized use or disclosure of PHI will be presumed to be a breach unless the “covered entity” (ie, the health plan or care provider) demonstrates that one or more exceptions apply. This significant change turns one of HITECH’s most important provisions on its head. Previously, providers could potentially avoid HITECH penalties and/or repercussions by simply reaching the (perhaps self-serving) conclusion that the unauthorized access and/or use of patient PHI did not constitute a breach. Today, however, those same covered entities must affirmatively establish an exception to the breach rule to avoid HITECH’s implications for unauthorized electronic PHI use. Specific factors that can defeat the presumption of a HITECH breach include the nature and extent of the electronic PHI at issue, the identity of the unauthorized person who used or accessed the electronic PHI or to whom the disclosure was made, whether the electronic PHI was actually viewed, and the extent to which the risk to patients from the unauthorized use or access has been mitigated. Further, if the HITECH breach affects 500 or more individuals, HHS must be notified at the time the individuals are notified. Breaches affecting fewer than 500 individuals can be logged and reported to HHS on an annual basis. There are some exceptions to the breach notification requirement. One, the “safe harbor,” applies if the PHI was encrypted or had been disposed of according to rules already detailed in HITECH, making encryption a very important part of an institution’s action plan for these new rules.

The Security Rule reinforced by the HITECH Act requires covered entities and business associates (CFR §164.306) to have a security-management process in place “to implement policies and procedures to prevent, detect, contain, and correct security violations.” The security standards include general requirements to ensure the confidentiality, integrity, and availability of all electronic PHI; protect against any reasonably anticipated threats to the security of such information; protect against any reasonably anticipated impermissible uses or disclosures; and ensure compliance with the law by the workforce. There must be physical safeguards for PHI (eg, locking office doors), but these do not substitute for technical safeguards (eg, passwords and encryption).

Identifying “Business Associates” Related to PHI

By law, the HIPAA Privacy Rule applies only to covered entities; however, most healthcare providers cannot carry out all of their healthcare functions without using the services of other businesses. The Privacy Rule allows covered entities to disclose PHI to their “business associates” if they obtain assurances that the associate will safeguard the information. For example, business associates cannot use PHI for their own business purposes (eg, directly re-selling data). Much of the Privacy Rule and all of the Security Rule now apply directly to business associates and their subcontractors. (For more information about business associates, visit www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html.) Any facility conducting wound care likely has several agreements with business associates; for example, if electronic health records (EHRs) are used, the EHR provider is a “business associate” of the facility. Subcontractors of business associates are now considered business associates themselves if they create, receive, maintain, or transmit PHI. It is important to know that the absence of a formal contract between the parties does not mean they are not “business associates.”

When Patients Want Copies of PHI

The final rules confirm that individuals have a right to request copies of PHI in any form they choose, provided the PHI is “readily producible” in that format. If the requested PHI is maintained electronically in one or more designated record sets, the covered entity will be required to produce an electronic copy of the PHI if the individual requests it. Although individuals are entitled to request PHI in any form they choose (within reason), for practical purposes patients are likely to accept PHI in whatever readable format is suggested by the covered entity. Wound care providers should be ready to make such suggestions to head off an unreasonable request, so begin to decide now how you would like to provide electronic copies of PHI.

Investigations and Fines

HHS is required to conduct compliance reviews and investigate complaints when a “preliminary review of the facts” suggests a violation due to “willful neglect” by the covered entity or business associate. The agency no longer has the option to disregard certain reported security breaches and individual complaints. This means there will be many more compliance reviews and complaint investigations. Providers can also expect to see more formal investigations and settlement orders, since informal resolution is no longer mandatory. In cases of a HITECH breach, there often will have been at least two violations: an impermissible use or disclosure of PHI (the HITECH violation) and a safeguards violation (the potential HIPAA Security Rule violation). Violations are counted “based on the nature of the … obligation to act or not act.” New factors have been added to the way penalties are calculated, including the number of people affected by the violation and the potential harm to their reputations. The agency states that penalties will be separately tallied on a per-person and a per-day basis. HHS retains the authority to charge for multiple violations related to a single event. Even though the maximum annual cap of $1.5 million is applied on a “per-provision” basis, it can still be multiplied several times over depending on the number of provisions violated. For example, violations of two different provisions could result in a total annual cap of $3 million, and violations of three provisions could result in a total annual cap of $4.5 million.

Even though it is not completely clear how HHS will tally the proposed monetary penalties, it is clear that the totals will be much larger than was possible prior to the HITECH Act. If a violation is discovered, the provider must correct it promptly and in no more than 30 days. Delaying past 30 days will foreclose certain defenses that could decrease monetary penalty amounts.

What Does Everything Mean?

We’ve discussed that HHS is now required to conduct compliance reviews and investigate complaints, and in these reviews it will always request copies of HIPAA policies. So, the time has come for all wound care providers to update their HIPAA policy books. The nature of healthcare privacy has changed. Under the new 2013 regulations, one’s Notice of Privacy Practices must change to address key situations involving access to PHI. Is it OK to leave your work computer in the back seat of your car? How do you deal with the proliferation of mobile devices in your organization? Your staff will need to be trained again about PHI, about using mobile devices in the work environment, and about protecting shared data. Any business that doesn’t have a social media policy will need to create one. Are your networks secured? Do you have antivirus software in place? Is “data at rest” adequately protected, and are encryption schemes used for data on laptops or mobile devices? The Federal government means business, and there are no more excuses for not understanding the latest HIPAA rules related to privacy and security.

Caroline E. Fife is co-editor of TWC; medical director at the Wound and Hyperbaric Clinic, St. Luke’s Hospital, The Woodlands, TX; and chief medical officer at Intellicure Inc. Kevin W. Yankowsky is a partner at Fulbright & Jaworski LLP, health law/health litigation department, Houston, TX.

Reference

1. Third annual benchmark study on patient privacy and data security. Ponemon Institute. December 2012. Accessible online at www2.idexpertscorp.com/ponemon2012.