Two reports from the Office of the Inspector General (OIG) have attracted a lot of attention in recent weeks: The Office for Civil Rights (OCR), OIG said, needs to improve and expand its enforcement of the Health Insurance Portability and Accountability Act (HIPAA). In response, the OCR announced that it plans to identify a pool of potential audit targets and launch a permanent audit program this year. That, combined with the substantial fine levied against a dermatology group last year for violating one of the new rules, signals the importance of reviewing your practice’s HIPAA compliance as soon as possible.
You can compare your office’s compliance status against the recommendations listed on the OCR website, but pay particular attention to your agreements with Business Associates (BAs). Those are the individuals or businesses, other than your employees, who perform “functions or activities” on behalf of your practice that involve “creating, receiving, maintaining, or transmitting” personal health information.
First, make sure that all individuals and enterprises fitting that definition have a signed agreement in place. Typical BAs include answering and billing services, independent transcriptionists, hardware and software companies, and any other vendors involved in creating or maintaining your medical records. Practice management consultants, attorneys, specialty pharmacies, and record storage, microfilming, and shredding services are BAs if they must have direct access to confidential information in order to do their job.
The revised rules place additional onus on physicians for confidentiality breaches committed by their BAs. It’s not enough to simply have a BA contract; you are expected to use “reasonable diligence” in monitoring their work. BAs and their subcontractors are directly responsible for their own actions, but the primary responsibility is yours. Furthermore, you must now assume the worst-case scenario: Previously, when protected health information (PHI) was compromised, you would have to notify only affected patients (and the government) if there was a “significant risk of financial or reputational harm,” but now, any incident involving patient records is assumed to be a breach, and must be reported.
Failure to do so could subject your practice, as well as the contractor, to significant fines. That is where the Massachusetts dermatology group ran into trouble: It lost a thumb drive containing unencrypted patient records, and was forced to pay a $150,000 fine, even though there was no evidence that the information was found or exploited.
Had the lost drive been encrypted, the incident would not have been considered a breach, according to the Centers for Medicare & Medicaid Services, because its contents would not have been viewable by the finder. The biggest vulnerability in most practices is probably mobile devices carrying patient data. There is no longer any excuse for not encrypting HIPAA-protected information; encryption software is cheap, readily available, and easy to use.
Patients also gain rights under the revised rules: they may now restrict any PHI shared with third-party insurers and health plans, if they pay for the services themselves. They also have the right to request copies of their electronic health records (EHRs). You can bill the costs of responding to such requests. If you have EHRs, work out a system for doing this, because the response time has been decreased from 90 days to 30 days – even shorter in some states.
If you haven’t yet revised your Notice of Privacy Practices (NPP) to explain your relationships with BAs, and their status under the new rules, do it now. (You should have done it last year.) You need to explain the breach notification process too, as well as the new patient rights mentioned above. You must post your revised NPP in your office, and make copies available there, but you need not mail a copy to every patient.
You also should examine every part of your office where patient information is handled to identify potential violations. Examples include computer screens in your reception area that are visible to patients; laptops not locked up after hours; unencrypted emails or texts that might reveal confidential information; and documents designated for shredding that sit, unshredded, in the “to shred” bin for days.
And make sure you correct any problems you find before the OCR auditors come calling.
To view the recommendations at the OCR website so you can check your office’s compliance status, go to: www.hhs.gov/hipaa/index.html.
Dr. Eastern practices dermatology and dermatologic surgery in Belleville, N.J. He is the author of numerous articles and textbook chapters, and is a longtime monthly columnist for Dermatology News.