By Rob Portman, JD, and Amita Sanghvi, JD, September 03, 2012
With all of the energy that physicians are devoting to converting to electronic health records, negotiating the Physician Quality Reporting System incentive (soon-to-be-penalty) program, and avoiding Recovery Audit Contractor payment audits, there may be a tendency to overlook their obligations under HIPAA and the professionally and financially ruinous consequences of a data breach. This article will summarize physicians’ obligations under HIPAA and explain why several ounces of prevention in this area can save your practice.
The Office of Civil Rights (OCR) of the Department of Health and Human Services has issued voluminous regulations implementing HIPAA. The HIPAA Privacy Rule provides federal protections for the use and disclosure of individually identifiable patient information called “protected health information” (PHI) held by physicians, hospitals, and other “covered entities.” The basic premise of the Privacy Rule is that covered entities cannot use or disclose PHI without a HIPAA-compliant patient authorization unless one of many exceptions applies. The Privacy Rule also gives individuals an array of rights with respect to, among other things, access to and amendment of their PHI. The HIPAA Security Rule requires physical, technical, and administrative safeguards to protect against unintended uses or disclosures of PHI. More recently, OCR proposed regulations to implement the HIPAA requirements enacted by the Health Information Technology for Economic and Clinical Health (HITECH) Act. Final rules are expected to be issued any day now. [pagebreak]
Who must comply with HIPAA rules?
HIPAA covered entities include health plans, health care clearinghouses, and health care providers that transmit health information in electronic form with respect to certain transactions defined by OCR. Health care providers include physicians and physician practices, hospitals, clinics, nursing homes, and pharmacies. Covered transactions include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards under yet another HIPAA rule (the HIPAA Transactions and Code Set Rule). HIPAA applies to a health care provider whether it electronically transmits health information directly or uses a billing service to do so on its behalf.
HIPAA also extends to “Business Associates.” A Business Associate is a person or entity that performs certain functions on behalf of, or services to, a covered entity that involve the use or disclosure of PHI. Covered entities may disclosure PHI to a Business Associate only if a HIPAA-compliant Business Associate Agreement is in place between the parties.
What information is protected?
HIPAA only applies to uses or disclosures of PHI. PHI is individually identifiable health information that is transmitted or maintained in any form or medium, including electronic records, paper, or other hard copies of data, or oral transmission of information. It also must relate to an individual’s past, present, or future health or condition; the provision of health care services or equipment to the individual; or payment for the individual’s health care services or equipment. [pagebreak]
Use and disclosure of PHI
In general, a covered entity may not use or disclose protected health information, except either as the Privacy Rule permits, requires, or as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing. Below are examples of each.
Required disclosure of PHI
A covered entity is required to disclose PHI when an individual (or the individual’s personal representative) requests access to or an accounting of disclosures of the individual’s PHI. A covered entity must also disclose PHI in response to a federal compliance investigation or review or enforcement action.
Allowed use and disclosure of PHI
A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for a variety of purposes, including:
- to the individual (unless required for access or accounting of disclosures);
- for treatment, payment, and health care operations purposes (e.g., legal, accounting, peer review, quality improvement, etc.);
- for research if an institutional review board or privacy board provides a waiver of the patient authorization requirement;
- for certain public health-related purposes; and
- for law enforcement purposes or other civil judicial and administrative proceedings in certain defined circumstances. [pagebreak]
Authorized use and disclosure of PHI
A covered entity must obtain the individual’s written authorization for any use or disclosure of protected health information that is not for treatment, payment, or health care operations or otherwise permitted or required by the Privacy Rule. All authorizations must be in plain language, specifically describe the PHI to be used or disclosed, give the patient the right to revoke the authorization, include an expiration date, and meet certain other requirements.
In most instances of use and disclosure of a PHI, a covered entity must develop and implement policies and procedures to limit disclosure of PHI to the “minimum necessary” to accomplish the intended purpose. However, the minimum necessary requirement is not imposed in any of the following circumstances:
- disclosure to or a request by a health care provider for treatment;
- disclosure to an individual who is the subject of the information, or the individual’s personal representative;
- use or disclosure made pursuant to an authorization;
- disclosure to HHS for complaint investigation, compliance review or enforcement;
- use or disclosure that is required by law; or
- use or disclosure required for compliance with the HIPAA Transactions Rule or other HIPAA Administrative Simplification Rules. [pagebreak]
Other requirements of the Privacy Rule
The Privacy Rule allows a covered entity the flexibility to implement what works best for the covered entity’s size and needs. Nevertheless, each covered entity has several obligations to meet to safeguard PHI and generally comply with the Privacy Rule. For instance, a covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule; designate a privacy compliance officer; train its workforce; and maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI. Additionally, covered entities must provide a notice of privacy practices to its patients and enter into HIPAA-compliant agreements with vendors and third parties that act as their Business Associates.
Requirements of the Security Rule
The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities and Business Associates to assure the confidentiality, integrity, and availability of electronic protected health information (e-PHI). Specifically, covered entities must ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit; identify and protect against reasonably anticipated threats to the security or integrity of the information; protect against reasonably anticipated, impermissible uses or disclosures; and ensure workforce compliance. [pagebreak]
Requirements of HITECH Act
HHS may impose civil monetary penalties on a covered entity for failure to comply with HIPAA. Civil penalties for violations of the HIPAA rules were recently increased by the HITECH Act to a range of $100-$50,000 per violation, with maximum penalties for identical violations in any year ranging from $25,000-$1.5 million. A person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA faces a fine of $50,000- $250,000 and up to 10 years imprisonment. In addition, the HITECH Act gives patients the right to access their PHI in electronic format. The Act also specifies breach standards and time limits (60 days from discovery) for notifying patients of unauthorized uses or disclosures of “unsecured PHI” (mainly PHI that is not properly encrypted). If more than 500 patient names are involved in a breach, the covered entity must notify OCR and its name will show up on the OCR website. The HITECH Act also applies certain HIPAA rules to Business Associates, including the requirements of the Security Rule and certain breach notification provisions. Prior to passage of the HITECH Act, Business Associates were only bound by their agreements with covered entities. [pagebreak]
Enforcement efforts on the rise
Over the past year, HIPAA enforcement has increased dramatically, and investigations are not limited to large hospitals or health insurance companies. A list of examples published by OCR at www.hhs.gov/ocr/privacy/hipaa/enforcement/examples shows that the agency’s enforcement activities have reached small private practices. Most recently, OCR imposed a $100,000 fine on a five-physician practice in Phoenix for failure to implement adequate policies and procedures to protect patient information; to document that it trained employees on HIPAA Privacy and Security Rules; to identify a security official; and to obtain Business Associate agreements for its Internet-based email and scheduling services.
Thus, it is important that all covered entities, including physician practices of all sizes, be aware of HIPAA’s requirements and develop/revamp their policies and procedures accordingly. But HIPAA compliance must be more than a binder on a shelf or an electronic file. Staff must be trained and incentivized and other steps should be taken to make compliance a number-one priority and workplace norm. Nothing less than the financial viability and professional reputation of the practice is at stake.
HIPAA manuals available
The American Academy of Dermatology offers a pair of manuals to help members comply with the privacy and security rules of HIPAA. Visit https://www.aad.org/store/product/default.aspx?id=6379 to learn more or order them.