It’s a New Year – How’s Your HIPAA Compliance?
2021 marks the 25th anniversary of the Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA. With regulations developed by the U.S. Department of Health and Human Services (HHS), and implemented and enforced by its Office for Civil Rights (OCR), HIPAA enables the standardized protection of health information.1 Because you work with protected health information (PHI), you are a “covered entity” – as are other health care providers, health care clearinghouses, and health plans – and you, along with your business associates, are required to comply with HIPAA regulations.
Many rheumatologists may already have robust HIPAA compliance programs, while some are still formulating theirs. Still, others are not sure how HIPAA applies to them and what to do to avoid violations. Let’s take a quick look at some HIPAA basics, along with best practices to help you ensure compliance, and how you can prevent common violations caused by human error.
What’s Protected and Why
HIPAA was created to keep PHI private and to penalize those who fail to do so. It protects written, printed, spoken, or electronic data (no matter the size), as well as its transmission both within and outside health care facilities. HIPAA has five primary components:
• Privacy Rule
• Security Rule
• Transactions and Code Sets Rule
• Unique Identifiers Rule
• Enforcement Rule2
HIPAA is fundamentally about privacy and security. The Standards for Privacy of Individually Identifiable Health Information, or Privacy Rule, was designed to safeguard the health information of individuals and their well-being, but also to allow the medical community to use the PHI necessary for top-quality health care. It requires a balancing act, and is not always easy to decipher. Essentially, the Privacy Rule applies to health care providers of all sizes who transmit PHI electronically for transactions like claims, benefit eligibility inquiries, and referral authorization requests. The rule regulates these transactions, whether you make them yourself or use a billing service or other third party, and it preempts contrary state laws except where the state law is more stringent. What if you fail to comply? OCR can impose civil monetary penalties, and knowing or willful violations can be referred to the Department of Justice for criminal prosecution.
From an administrative standpoint, you must create and execute your own written policies compatible with the Privacy Rule, and choose an employee to be your privacy official to implement the policies, supply information and manage any complaints. You must also offer workforce training, violation mitigation, data safeguards, and complaint procedures, along with maintaining all records and documentation for at least six years.4
The Security Standards for the Protection of Electronic Protected Health Information, aka Security Rule, does just as its name says: provides security standards for PHI stored or transmitted electronically – also known as e-PHI, a subset of information covered by the Privacy Rule. Since many of you use little or no paper, and now rely on computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems, you must protect the privacy of your patients’ health information from increased security risks as it moves about in these applications. Adopting new technologies makes your practice more efficient and mobile, but those advances can’t occur at the expense of individual confidentiality.
The Security Rule calls for you to protect e-PHI with “reasonable and appropriate administrative, technical, and physical safeguards.” Since there are medical practices of all sizes, you must analyze your own needs – and create a compliance plan – based on the following factors:
• Your practice size, complexity and capabilities
• Your technical, hardware, and software infrastructure
• The costs of security measures, and
• The likelihood and the possible impact of potential risks to e-PHI
The rule also mandates that you protect e-PHI against improper alteration or destruction (integrity) and that it remains accessible and usable on demand by authorized persons (availability).5
Incorporating Best Practices Makes Compliance Easier
Understanding and sufficiently complying with HIPAA sounds overwhelming, especially for a small practice. But according to Arielle Van Peursem, security compliance consultant for United Rheumatology’s new partner Medcurity, you can ease the path to compliance by adopting some specific best practices:
• Perform a regular Security Risk Analysis (SRA)
• Implement an active Risk Management Process
• Develop Policies and Procedures specifying how patient data is protected
• Obtain and keep signed Business Associate Agreements (BAAs)
• Train employees annually
• Keep all documentation relating to these practices and other aspects of your HIPAA compliance program
More good news: thanks to our alliance with Medcurity, your membership enables you to use its tools and guidance to help you initiate these practices more quickly and thoroughly, or add to what you already have. Medcurity has a platform that covers everything from SRAs (and audit-ready reports) to customizable Policies and Procedures, and BAA examples to HIPAA training courses. With decades of experience in healthcare, technology, and compliance, Medcurity understands the complexity of HIPAA and how to make it easier for practices like yours to manage its requirements.
To Err is Human, to Err Less Keeps You Compliant
No matter how many electronic safeguards you enact to comply with HIPAA, violations often still occur due to human error. As Arielle Van Peursem points out, “Citations are commonly issued when, for example, devices containing PHI are lost or stolen, patients’ photos are shared on social media, unauthorized employees access records out of curiosity, or medical records are mishandled.”
Her observation is borne out by a Verizon study, reported in Health IT Security, which showed a year-to-year increase in security incidents in the healthcare industry due to physical theft or loss. The research found that 32 percent of reported security events resulted from stolen assets (usually laptops taken from work or a vehicle), 23 percent from the misuse of privilege (primarily by internal employees), and 22 percent from miscellaneous errors such as inappropriately publishing information, sending PHI to the wrong person, or disposing of devices or documents incorrectly.
So how do you reduce HIPAA-related human error in your practice? HIPAA Journal recommends these steps:
• Make employees feel comfortable about immediately reporting mistakes or potential violations, either their own or others’
• Train staff on problem areas, policy and procedure updates, and the consequences they face when rules aren’t followed
• Identify and quickly correct bad practices before they become ingrained
• Adopt processes that automate compliance wherever possible
• Set up alerts and alarms to rapidly identify breaches
• Conduct regular internal audits to proactively identify and address non-compliance
• Embrace a practice-wide mantra, “If you’re not sure, don’t do it and get advice.”7
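Two of the failure modes above – staff viewing records out of curiosity, and the need for alerts that surface misuse quickly – can be caught by reviewing the access audit trail your EHR already produces. The script below is an added example, not code from the original article, from United Rheumatology or from Medcurity. It runs over a constructed set of audit records and flags three things: an action a user's role does not permit, a chart view by a clinician with no documented treatment relationship with the patient, and a user touching an unusual number of patient records after hours. The log layout, the role table, the care-team table, the business-hours window and the after-hours threshold are all assumptions for illustration; map them to your own EHR's audit export before use.

```python
"""Flag likely snooping in EHR audit logs (illustrative, assumed log format)."""
from collections import defaultdict
from datetime import datetime

# Assumed: each user has one role, and each role has a fixed set of permitted actions.
USER_ROLES = {
    "dr_lee": "clinical", "dr_patel": "clinical", "nurse_kim": "clinical",
    "billing_ann": "billing", "frontdesk_bob": "frontdesk",
}
ROLE_ACTIONS = {
    "clinical": {"view_chart", "view_claim"},
    "billing": {"view_claim"},              # payment operations, no clinical chart access
    "frontdesk": {"view_demographics"},
}

# Assumed: documented care team per patient (treatment relationship).
CARE_TEAM = {
    "P1001": {"dr_lee", "nurse_kim"},
    "P1002": {"dr_lee"},
    "P1003": {"dr_patel", "nurse_kim"},
}

# Constructed sample audit records: (ISO timestamp, user, patient id, action).
AUDIT_LOG = [
    ("2021-01-04T09:12:00", "dr_lee", "P1001", "view_chart"),
    ("2021-01-04T09:15:00", "nurse_kim", "P1001", "view_chart"),
    ("2021-01-04T10:02:00", "billing_ann", "P1002", "view_claim"),
    ("2021-01-04T11:40:00", "dr_patel", "P1002", "view_chart"),   # not on P1002's care team
    ("2021-01-04T22:31:00", "frontdesk_bob", "P1003", "view_chart"),
    ("2021-01-04T22:33:00", "frontdesk_bob", "P1001", "view_chart"),
    ("2021-01-04T22:35:00", "frontdesk_bob", "P1002", "view_chart"),
]

BUSINESS_HOURS = range(7, 19)  # assumed: 07:00-18:59 local time counts as normal hours


def detect(log, care_team, user_roles=USER_ROLES, role_actions=ROLE_ACTIONS,
           after_hours_threshold=3):
    """Return a list of (rule, user, detail) alerts for the given audit records.

    rule is one of:
      role_violation            - action not permitted for the user's role
      no_treatment_relationship - chart view by a clinician not on the care team
      after_hours_volume        - distinct patients touched outside business hours
                                  reached after_hours_threshold
    """
    alerts = []
    after_hours_patients = defaultdict(set)

    for ts_text, user, patient, action in log:
        ts = datetime.fromisoformat(ts_text)
        role = user_roles.get(user, "unknown")       # unknown users get no permissions
        permitted = role_actions.get(role, set())

        if action not in permitted:
            alerts.append(("role_violation", user, patient))
        elif action == "view_chart" and user not in care_team.get(patient, set()):
            alerts.append(("no_treatment_relationship", user, patient))

        if ts.hour not in BUSINESS_HOURS:
            after_hours_patients[user].add(patient)

    for user, patients in after_hours_patients.items():
        if len(patients) >= after_hours_threshold:
            alerts.append(("after_hours_volume", user, len(patients)))

    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(AUDIT_LOG, CARE_TEAM):
        print(f"{rule:26} user={user:14} detail={detail}")
```

Run as-is and the clinician viewing a patient not on their care team, the front-desk account opening charts it is not permitted to open, and the after-hours burst all surface as separate alerts, while the legitimate clinical and billing accesses stay quiet. Treat every alert as a prompt for a documented review rather than a verdict: a clinician may have a valid reason (covering a colleague, an on-call consult) that the care-team table does not yet reflect, and the review itself is part of the documentation an auditor will ask for.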
Take Advantage of Our HIPAA Series and Resources
We hope you’ve found some valuable nuggets of information that will improve your HIPAA compliance this year and beyond. Our next installment in this series will focus on the importance of encryption, including best practices and security alternatives. In the meantime, if you have questions or need help implementing HIPAA rules and regulations, contact us today. HIPAA compliance is NOT optional, so begin 2021 right by taking the necessary action to protect your practice and your patients.