As we continue to move further into electronic medical records (EMR) and all things electronic, providers become more and more vulnerable to cybercrime. Because healthcare is so rich in personal data, protection of both electronic protected health information (EPHI) and other personal data is crucial. This is evident in the far more stringent rules that will take effect next week and the stiff fines associated with the new rules.
As we reported in our April 2013 article and in our May 2013 webcast, compliance with the HIPAA HITECH Omnibus Final Rule [1] is required by Sept. 23, 2013; the effective date was March 26, 2013, which gave providers 180 days to comply. Health and Human Services (HHS) has oversight, and its Office of Civil Rights (OCR) is responsible for enforcing the new rules.
The entire healthcare industry is already feeling the effect of this new requirement. Entities have been fined, and hospitals are now being surveyed for compliance with the new rules through the CMS conditions of participation (CoP) for patient rights. As in other CMS programs, such as the Recovery Auditor program, government agencies are working together to ensure compliance; in this case, the OCR and CMS.
Two initial actions this year demonstrate how far-reaching this new rule actually is and how seriously providers should take it. In the first action, as reported in August, Affinity Health Plan, serving metropolitan New York, was fined $1.2 million after it reported that the PHI of over 300,000 individuals was breached through photocopiers [2]. In this case, when leased photocopiers were returned to the vendor, it was discovered that the PHI stored on them had not been deleted.
The second fine may set a new precedent in that an individual, and not OCR, sued Walgreens for a breach by an employee who violated company policy [3]. In this case, a jury awarded $1.4 million to the individual because the jury believed Walgreens did not do enough internally to prevent the pharmacist from accessing the patient’s PHI. The patient had previously alerted Walgreens that there was a breach, but it happened again after the notification.
So what should you have already done to be ready? First and foremost, review the new rules and ensure understanding across your organization. In addition, designate a security official who has been trained and receives ongoing training. You may not need to add a new employee; instead, you may designate an existing staff member with the appropriate position and background to implement and maintain compliance.
Perform a risk analysis of your organization, and develop a plan to address any and all findings. If necessary, look for tools to help guide you through this process, such as the free tool from the National Institute of Standards and Technology (NIST) [4]. Maintain documentation of the risk analysis, as you may be asked to produce evidence of compliance. Also, be prepared to conduct a risk assessment for breach notification, which changes the standard from “significant risk” to “low probability” [5].
Update your business associate agreements (BAAs). Review the definition of subcontractor and make sure BAAs are updated and signed. The new rule holds business associates directly liable for compliance with HITECH rules and expands the definition of business associate [6] (see [7] for a link to a sample BAA).
Update all related policies and procedures (P&Ps) to reflect the new rules. During an OCR or CMS survey or after a breach, your P&Ps will be reviewed and staff held accountable for the new policies. As a component of the P&P update, include all forms, such as HIPAA notification. As always with new P&Ps, every employee must be trained on the new rules. This may be one of the most important aspects of the new rules to employers, as this will require training and documentation of training including annual competency.
No longer will staff just need to understand how to protect hard copy PHI or pull curtains for privacy; they will be required to understand protection of EPHI as well. Remember the copier story above? Consider using passwords or signing off electronic medical records after use.
Update notices of privacy practices. For providers, an individual may request that if full payment is made out of pocket, the PHI related to that service is not shared with a group health plan [8]. For health plans, this means individual access to EPHI.
Finally, make sure you have enough liability insurance to protect your entity in case of a breach [5]. The new, stiffer fines for a breach are daunting, and when reporting a breach the entity may not be able to accurately predict the outcome.
This article is not all-inclusive, but is meant to give you some guidance on what to review immediately as the September 23, 2013, effective date for the HIPAA HITECH Omnibus Final Rule [1] approaches.
About the Author
Elizabeth Lamkin, MHA, is a partner in PACE Healthcare Consulting. Elizabeth has more than 20 years of C-suite level hospital executive management experience. Most recently, she was the CEO/Market President for Tenet Healthcare’s Hilton Head Regional Healthcare. Elizabeth holds an undergraduate degree in Business Administration, Cum Laude and a Master’s in Healthcare Administration from the University of South Carolina.
Contact the Author
To comment on this article please go to firstname.lastname@example.org
- Federal Register, Final Rule published January 25, 2013, www.gpo.gov. Accessed September 18, 2013.
- Health Data Management. Accessed September 18, 2013.
- Lawyer.com. Accessed September 18, 2013.
- NIST, www.nist.gov/itl/csd/20111122_hipaa_tools.cfm. Accessed September 18, 2013.
- Capital Checkup, April 11, 2013, http://www.segalco.com/publications. Accessed September 18, 2013.
- HHS OCR, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html. Accessed September 18, 2013.
- John “J” Trinckes, Ohio Shared Information Services, Inc. (OSIS), www.osisonline.net.