The nexus of new technology and privacy rules springing from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) leads to a lot of stress and trepidation for health care professionals. Lucia Savage, chief privacy and regulatory officer for Omada Health, and Matthew Fisher, a health law attorney based in Worcester, Mass., who specializes in compliance issues, dispel common HIPAA myths and offer advice on how to protect yourself and your practice.
Truth: Physicians are not responsible for security flaws in the email servers patients use, said Ms. Savage, who served as chief privacy officer for the Office of the National Coordinator for Health IT under President Obama. HIPAA requires only that health providers send emails from a secure system that protects the doctor’s message on the sending end, she said.
“There’s this myth out there that you cannot send an electronic message to a patient’s email box if that email is unsecured, and that’s not true,” Ms. Savage said at a recent American Bar Association meeting. “The obligation is to secure what you send, not to secure what an unregulated, private person receives.”
Just remember to warn patients that they’re responsible for the safe storage of an email message once it arrives.
Truth: An email with protected health information (PHI) accidentally sent to the wrong health provider is not likely to get doctors in trouble with the Office for Civil Rights. In the last 12 years, there have been 184,000 HIPAA-related complaints to OCR and only 55 resulted in financial settlements, according to research Ms. Savage conducted through the Department of Health & Human Services website. Of the 55 settlements, none were associated with PHI accidentally sent from one health provider to another, she said in an interview.
“[The OCR] tends to seek fines for really eye-poppingly bad behavior,” Ms. Savage said, not small-scale accidents. For example, OCR fined one hospital for including the name of a patient in a press release without patient permission. Another health professional was fined for repeated failures to encrypt their computer system.
If a document with PHI does end up in the wrong inbox, Ms. Savage advises calling the receiver and asking that they immediately delete the email.
Truth: Breaches alone are not the reason most fines are levied, nor do breach notifications mean an instant penalty, Mr. Fisher said in an interview. Fines by OCR are more often tied to further noncompliance found when the agency begins investigating the entity after the breach report.
“Most breach reports will result in OCR conducting a follow-up investigation, usually with paper-based requests,” he said. “If responses to those requests reveal widespread or consistent noncompliance, then OCR may latch on and dig in order to impose a fine.”
For example, a breach could be the result of a lost USB drive or laptop, but OCR’s investigation might ultimately find that the practice failed to conduct an adequate risk analysis. Because a risk analysis is a fundamental component of HIPAA compliance, the inadequate risk analysis becomes the basis for a fine, Mr. Fisher said.
The best way to avoid an OCR fine is to ensure that proper HIPAA protocols are in place to assess security risks, prevent breaches, and mitigate breaches should they occur. “Part of good compliance is constant review and revision of policies as well,” Mr. Fisher said. “It is not sufficient to put the policies into place and then never revisit those policies. Circumstances change all of the time and policies need to keep up.”