Under the Health Insurance Portability and Accountability Act, a hospital's covered entities and business associates must be diligent about privacy and security compliance measures to safeguard patients from the misuse of their protected healthcare information. But those obligations, and the price of noncompliance, are changing. Without adequate policies, procedures and education, covered entities and business associates run the risk of damaging publicity, lawsuits and financial penalties that can exceed millions of dollars. Third-party review by an objective, experienced and nationally recognized organization is an effective approach for identifying policy and procedural gaps to continuously improve data protection and reduce the risk of breach.
Increased liability
Earlier this year, the federal government published the new HITECH Omnibus final rule, which raises the stakes on safeguarding PHI. For example, the final rule requires business associates and subcontractors to ensure the confidentiality, integrity and availability of electronic PHI. In turn, covered entities can be liable for the actions of business associates depending upon the nature of the contractual relationship. The final rule also adopts the tiered structure and higher civil monetary penalties for violations introduced by the HITECH Act in 2009. With potentially greater liability and higher costs for violations, it's critical to ensure privacy and security measures protect patients and hospital business.
Remember, the federal HIPAA rules are a minimum standard. State laws can be even more stringent. For example, Texas enacted a state law that became effective last September.1 The Texas state law applies to additional types of entities, and all covered entities must train employees on HIPAA and state privacy laws within 60 days of hire as well as every two years thereafter.2 California also has a state law, the Confidentiality of Medical Information Act,3 which gives an individual the right to pursue private action in the case of a protected medical information breach. Penalties can quickly accumulate when a breach affects many individuals since the California state law allows damages of $1,000 per individual for the risk of disclosure, even if there is no actual damage to the individual.
Danger of maintaining the status quo
Privacy and security measures initially developed in response to the original 1996 federal HIPAA law are not likely to be enough to meet today's standards. A complete program of policies, procedures, controls and education isn't just for covered entities anymore. Business associates also need a comprehensive data protection program. In February 2012, the Minnesota Attorney General filed the state's first HIPAA enforcement action against a business associate for failing to encrypt patient information on a laptop that was stolen out of an employee's rental car. The incident, which happened in 2011, affected as many as 23,000 patients whose personally identifiable information — name, Social Security number, medical scores, conditions and dollar amounts allocated to the patient's healthcare provider — was compromised. In addition to the breach, the AG alleged that "the business associate violated the Minnesota Health Records Act and various state consumer fraud and deceptive practices acts by, among other things, failing to disclose to the hospital patients its extensive role in the hospitals' revenue cycle process, its role as a debt collector and its role in the proactive management of patient care, including the incentive payments based on the hospitals’ cost savings."4 The business associate paid $2.5 million to settle the case with a restriction on conducting business in Minnesota.5 If this case had been prosecuted after the final rule was put into effect, the hospital and its business associates would undoubtedly have suffered even graver penalties.
Under the umbrella of the Department of Health and Human Services, the Office for Civil Rights is responsible for enforcing HIPAA. The OCR investigates complaints and conducts compliance reviews and audits. The OCR published the case of a complaint against a business associate, a law firm working for a pharmacy chain; the complaint alleged that the firm improperly disclosed some of the pharmacy chain's PHI. Although the investigation identified no evidence of impermissible disclosure, the OCR did discover that there was no required Business Associate Agreement in place between the parties to ensure the protection of PHI. Without such an agreement, a covered entity may not disclose PHI to a business associate. In the end, the OCR simply required the pharmacy chain and the law firm to enter into a BAA.6 What might have happened to the pharmacy chain today if the law firm had improperly disclosed PHI and there was no business associate agreement in place? How could the pharmacy chain have identified this regulatory oversight before the OCR complaint and investigation?
The industry will likely see far more resolution agreements and civil money penalties as the OCR escalates its enforcement measures, including audits of entities regardless of a filed complaint. Although the OCR will not identify a covered entity in its published audit findings, it can initiate a compliance review if serious issues are identified, possibly resulting in a resolution agreement with significant financial penalties. The audit criteria include oversight responsibilities for business associates and the use of a mitigation process to address any harmful outcomes due to violations of policies and procedures by a covered entity or its business associate. Again, it is imperative that hospitals and other healthcare providers fully assess their privacy and security measures to identify and address gaps, minimize harm and reduce risk of exposure/breach of PHI.
Mitigation through third-party accreditation
Every stakeholder in the healthcare industry needs continuous review and improvement measures. One way to mitigate the risk of non-compliance with the privacy and security rules is to engage a nationally recognized, independent third party to review policies, procedures, controls, business practices and technical performance. In addition, it may be practical to require business associates to undergo a similar review since their breaches can affect a covered entity's business.
Third-party review of covered entities and business associates can help protect your patients and the hospital by identifying and remediating privacy, security, confidentiality and risk exposures. It not only promotes industry best practices in healthcare EDI through regular, comprehensive and objective evaluation but also ensures compliance with HIPAA privacy, security and transaction requirements.
Lee Barrett is executive director of the Electronic Healthcare Network Accreditation Commission, a federally recognized, standards development organization designed to improve transactional quality, operational efficiency and data security in healthcare.
Footnotes:
1 HIPAA Privacy Rule – What Employers Need to Know. “What about state laws?” Retrieved March 3, 2013, from http://www.twc.state.tx.us/news/efte/hipaa_basics.html
2 Texas Enacts Expansive New Health Privacy Law. Hunton & Williams, LLP. (July 11, 2011) Retrieved March 3, 2013, from http://www.huntonprivacyblog.com/2011/07/articles/texas-enacts-expansive-new-health-privacy-law/
3 Civil Code Section 56-56.07. Confidentiality of Medical Information Act. Retrieved March 2, 2013, from http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=00001-01000&file=56-56.07
4 Minnesota AG Sues Business Associate for Loss of Patient Data Stored on Laptop. Baker & Hostetler LLP, John S. Mulhollan. (February 2, 2012) Retrieved March 2, 2013, from http://www.lexology.com/library/detail.aspx?g=a4b4e1fa-617f-43ed-804b-c4fd25796285
5 Accretive Health, Hospital Debt Collector, Lawsuit Alleging Harsh Treatment Of Patients Settled. Jeffrey Young. Huffington Post. (July 31, 2012) Retrieved March 3, 2013, from http://www.huffingtonpost.com/2012/07/30/accretive-health-lawsuit-hospital_n_1721338.html
6 All Case Examples. (2012). Retrieved March 2, 2013, from http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/allcases.html#case20