ICD-10-CM & HIPAA: Not Such Strange Bedfellows

With implementation of ICD-10 on Oct.1, 2015, the obvious question for many wound care clinicians is, “How does ICD-10 impact my HIPAA practices?” Find out here.

The use of ICD-10 (Clinical Modification and Procedure Coding System) applies to all covered entities (CEs), which include healthcare providers, health plans, and healthcare clearinghouses. HIPAA affects virtually any practice or organization that transmits electronic health information. With implementation of ICD-10 on Oct.1, 2015, the obvious question for many wound care clinicians is: “How does ICD-10 impact my HIPAA practices?” Generally speaking, there are typically no simple answers where HIPAA is concerned. With regard to ICD-10, the impact of HIPAA is both complex and straightforward. The reality is even when HIPAA is simple, simplicity is still relative!  

The change to ICD-10 impacts every transaction sent to electronic payment partners.  As of Oct.1, all transactions must now comply with an updated HIPAA transition set (Version 5010). Any transactions submitted that do not comply with the 5010 specifications will be rejected. This can impact one’s practice by creating coding and billing backlogs, cash flow delays, increased claims rejection, and denials. This can then lead to payer contracts and/or market share arrangements shifting due to poor quality ratings or high costs, affecting one’s bottom line. Additionally, inaccuracy in clinical coding creates distorted or misinterpreted information about patient care, resulting in faulty investment decisions.

There is good news: This is not anything you should need to worry about. Addressing the changes on the HIPAA transaction sets is purely a technical issue that hopefully has been addressed behind the scenes within your electronic health record (EHR) system. For small practices using clearinghouses, they also will have completed the required changes well before the final implementation deadline for ICD-10 passed. It is probably a good idea to confirm this, but you will know quickly if your vendors have not complied, as you see your payments rejected.  The responsibility is on them to address this change. But … there is one thing to be aware of as part of the ICD-10 transition that needs to be revisited for HIPAA compliance, especially for those who procrastinated the transition to the very end and are now scrambling to “catch up.” We are talking about your relationship with your business associates (BAs). In the context of ICD-10, these will be your EHR provider, your billing company, and potentially any consultants aiding your transition efforts and/or training efforts regarding ICD-10 transition. Consider that each of these individuals/organizations will fill the definition of a BA:

• “A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of (or provides services to) a covered entity.”

To conduct their activities for you, BAs will need access to your electronic PHI (ePHI), thus fitting the BA definition. The compliance issue is failing to address all requirements needed for a regulatory compliant BA relationship. This includes making sure one has a current, correct business associate agreement (BAA).  

Consider these examples of deficient BAs:

• A debt-collection agency that contracted with University of Chicago Physicians Group had to notify nearly 1,400 patients that their PHI, insurance data, and Social Security numbers had been compromised after being accessible to viewers online.

• The Indiana Family and Social Services Administration had 187,533 breaches of PHI that resulted in clients receiving personal and private documents belonging to other clients. The cause? A local contractor made a computer-programming error to a document-management system.

• Some 277,000 patient records containing names, addresses, dates of birth, medical record numbers, clinical information, health insurance information, and, in some cases, Social Security numbers were found in various public locations belonging to Texas Health of Fort Worth. 

• Texas Health had contracted with a Toronto-based company to destroy confidential patient information, but the microfilms containing the information were not actually destroyed (as had been agreed upon in the contract). Instead, a local resident found a portion of the microfiche in a nearby park. Additionally, three other sheets of microfiche were found in two other public areas.

In a recent study, 59% of BAs reported a data breach in the last two years that involved the loss or theft of patient data.¹ Additionally, 29% experienced two breaches or more.¹ An analysis of the numbers reported directly from the U.S. Department of Health and Human Services shows that BAs overall have been involved in about 22% of the more than 1,400 breaches reported from September 2009 through August 2015 — affecting about 22.5 million individuals. For 2015, the percentage of breaches involving BAs has risen to almost 30% of the total reported.

Why should you care? Well, aside from having your name and/or business being associated with a major breach, a significant (and largely unnoticed) change has occurred with the implementation of the HIPAA Omnibus Final Rules in 2013. As a covered entity, one may be on the hook for liabilities, read fines, and penalties, as well as all civil liabilities for the action of one’s BAs. Prior to the final rules, the regulations explicitly exempted a CE from the liability of actions of their BAs. In the final rule, this exemption was eliminated.

The Code of Federal Regulations (CFR) 160.402(c) once read: (in part) “Violation attributed to a CE or BA. A covered entity is liable, in accordance with the federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the covered entity, including a workforce member, acting within the scope of the agency, unless: 1) The agent is a BA of the CE; 2) The CE has complied, with respect to such BA, with the applicable requirements of §§164.308(b) and §164.502(e) of this subchapter; and 3) The covered entity did not: (i) Know of a pattern of activity or practice of the BA and (ii) Fail to act as required by §§164.314(a)(1)(ii) and 164.504(e)(1)(ii) of this subchapter, as applicable.”

The CFR now reads: (in part) Violation attributed to a CE or BA. “1) [The] CE is liable, in accordance with the federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the CE, including a workforce member or BA, acting within the scope of the agency. 2) [The] BA is liable, in accordance with the federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the BA, including a workforce member or subcontractor, acting within the scope of the agency.”

Basically, the current rule has adopted the federal common law of agency and eliminates the exception excusing CEs for liability based on actions of their agents who are BAs. Under the new rules, covered entities may, in certain circumstances, be held liable for actions of BA agents. Whether one as a CE will be liable for the BA’s actions or whether the BA is liable for the actions of its agents will now be determined on a fact-specific basis.

Such factors include “the right or authority of a covered entity to control the BA’s conduct in the course of performing a service on behalf of the covered entity; time, place, and purpose of the BA’s conduct; whether the BA agent engaged in a course of conduct subject to a CE’s control; whether the BA agent’s conduct is commonly done by the BA to accomplish the service performed on behalf of the CE; and whether or not the CE reasonably expected the BA agent would engage in the conduct in question.”

Perfecting the BA/CE Relationship

What is one to do with this new limitation on being insulated from the actions of BAs (and their subcontractors)? As the title of this column suggests, clinicians need to cast watchful eyes on whom they associate with. It’s no longer sufficient to go through the motions of signing a BAA. As of Sept. 23, everyone should have updated their BAAs to accommodate changes required by the omnibus final rules. 

One other item to consider: HIPAA’s security standards for CEs include the requirement to “… protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the HIPAA Privacy rules.” Given that BAs account for around 30% of all breaches, they pose a reasonably anticipated risk to ePHI. As such, it’s impingent for the healthcare practice to minimize this risk to an acceptable level. In order to be protected within the context of one’s relationship with BAs, let’s start with what is required for an adequate BA relationship. The BAA must meet regulation requirements and the CE must perform required due diligence for BAs. To be protected, CEs must conduct due diligence on BAs.

As first steps to conduct this due diligence, at a minimum:

• Request a copy of your BAs’ most current security-risk assessment and remediation plan. 

• Request a copy of your BAs’ HIPAA master manual or policies and procedures manual.

• Request a sample of your BAs’ training logs.

• Request a copy of your BAs’ vulnerability scan for their networks.

If these are available, and in good order, CEs can avoid being surprised by the actions of a BA and, in the event of a breach, make an affirmative defense to mitigate potential liability. If one cannot gather this information there’s a decision to make in finding ways to mitigate inherent risks while working with the BA who is not complying with HIPAA regulatory requirements.

With the implementation of ICD-10 and the advent of BAs helping CEs with compliance and assisting in rollout, BAs will be seeing ePHI. Failure to take BA relationships seriously, and instead making them a rote signing of the BAA, risks an expensive surprise. 

Reference

1. 5th Annual Benchmark Study on Privacy and Security of Healthcare Data by the Ponemon Institute.