Covered entities can expect increased regulation, legislation and penalties…
Many medical offices struggle with the various and ever-changing requirements for privacy and security compliance. Increasing regulation and, most importantly, stringent enforcement of these regulations is a reality that all within the broad aspects of the medical community must face. The regulations and compliance are now tied to reimbursement, as in the case of HIPAA attestation for EHR meaningful use reimbursement. We predict that the list of regulations will continue to grow. No one is immune: from the smallest office or the largest hospital corporations to contractual financial intermediaries.
So what is the current state of the overarching Federal law known as HIPAA and HITECH 2009? The rules and requirements are currently being audited through various mechanisms. We predict the Final Rule, while it is overdue and has not yet been promulgated, will be forthcoming imminently. The Office of Civil Rights (OCR) of the Department of Health and Human Services, which administers these rules, is actively working with and teaching State Attorneys General how to administer and enforce these privacy and security obligations. In fact, the Texas House Bill 300 is in many ways more stringent than the Federal law, which establishes the baseline for further regulatory activity.
Criminal Liability for Violations of HIPAA/HITECH
Can you go to jail for violation of HIPAA? The answer is YES! The U.S. Court of Appeals for the Ninth Circuit on May 10 of this year rejected a motion to dismiss criminal charges in a headline-grabbing case involving Huping Zhou. Zhou faced criminal misdemeanor charges related to HIPAA’s prohibition of “knowingly” obtaining individually identifiable health information in violation of the law. It hammers home the point that those who access patient information without a valid reason could face jail time. This case has significant relevance because it sets a relatively low bar on what conduct may be deemed a criminal violation of HIPAA.
Greatest Vulnerability in Handling PHI: The Human Factor
Many small practices feel that their vulnerabilities are limited. This is a completely wrong assessment. The OCR released a sobering analysis of lost and compromised PHI records in major events (defined as 500 or more records) that clearly indicates the assumption that the greatest vulnerability is the computer network is simply wrong! Loss from paper records topped the list at 35%; laptop loss was 32%; mobile devices or phones accounted for 20%, and networks for only 13%.
“There was a consistent lack of compliance measures regarding the treatment of PHI at each of the smaller practices we acquired,” stated John Reinecke, a former executive of a primary care initiative in Las Vegas, NV and currently VP of Healthcare Services for Atlantic-Pacific Processing Systems, Inc. “One of our first objectives was to create policies and procedures specifically tailored to each practice which thoroughly defined and outlined the handling of sensitive information. Small practices or groups need to take the time to understand the extreme importance of creating a system in which these vital protocols are established and kept as a mandate of ongoing internal training.”
A combination of increasing complexities, both physical and electronic, as well as increasing regulatory requirements has made these issues more pertinent and, at the same time, both challenging and demanding for all concerned. All practices, whether primary care, specialty or those associated with the ongoing provision of direct patient care, now fall under the regulatory reach of HIPAA and HITECH.
Increasing Legislation and Regulation
The Health Information Technology for Economic and Clinical Health Act (HITECH), enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.
Increasing Penalties: Loss of License and Auditing
In addition to Federal legislation, many states have either enacted or are in the process of enacting or enforcing HIPAA requirements. Texas was the first state to enact a law with significant sanctions including the loss of licensure for violations of these regulations.
EMR financial incentive reimbursement mandates acknowledgment and attestation that the applying entity must be compliant. CMS has determined that up to ten percent of all offices that apply for EMR incentives will be audited to determine that the requirements for HITECH compliance have been met.
The average practice does not understand how to comply, nor does it have the facility to comply in a meaningful and measured manner. There are several key changes in the 2009 Federal enactment of HITECH. First, within the medical office all personnel are covered, not just those with direct patient contact. Next, the distinction between offices providing direct patient care (traditional covered entities) and the entities that serve the needs of those offices (known as business associates), which previously were held to a different standard, no longer exists. In addition, sub-contractors of business associates are now covered as well.
Concerned that HIPAA and HITECH did not provide enough safeguards for protected health information (PHI), the Texas legislature passed H.B. 300 in 2011. This law, containing even more stringent regulation than the federal scheme, went into effect on September 1, 2012. The importance of the Texas Public Law is that it is serving as a model for other states.
Individuals and entities determined to be “covered entities” (CE) under H.B. 300 will face several new requirements, including new training for employees regarding PHI, additional patient rights related to electronic medical records, and the potential for increased penalties for noncompliance.
CE must provide ongoing, customized training for their employees regarding both federal and state laws related to the protection of PHI. The training should be tailored to employee responsibilities and the entity’s contacts with PHI. Each new employee must complete the training within 60 days after his or her hire date, and the training must be repeated at least once every two years. Notably, under HIPAA, training is only required within a reasonable amount of time after hiring and when there are any material changes in privacy policies. Under both HIPAA and H.B. 300, “covered entities” must maintain records of every employee’s training attendance.
CE must provide patients with electronic copies of their electronic health records within 15 business days of the patient’s written request (under HIPAA, records must be provided within 30 days of a request). Additionally, the new Texas law requires the Texas Attorney General to establish a website that explains patients’ privacy rights under Texas and federal law. Also contained in H.B. 300 are provisions that prohibit the sale of PHI and require notice to patients regarding the electronic disclosure of PHI.
CE that wrongfully discloses a patient’s PHI will face increased civil penalties under H.B. 300 as well as any penalties for violating federal laws. The new Texas law allows for penalties ranging from $5,000 to $1.5 million per year. To determine the penalty amount, H.B. 300 lists five factors a court may consider:
– The seriousness of the violation
– The entity’s compliance history
– The risks of harm to the patient
– The amount necessary to deter future violations
– Efforts made to correct the violation
Six Key Elements Required for HIPAA/HITECH Compliance Programs
Any HIPAA/HITECH compliance program that you utilize must provide the following important elements to be of value and to keep you in compliance with both Federal and potential State law. The program must:
– Provide the policies and procedures that you will need
– Operate as a GAP analytic in the form of a survey to determine where you might not be fully compliant
– Provide a remediation schedule for resolution of identified deficiencies
– Provide event-specific training and re-training
– Enable the tracking of completion of training by each member of the staff, and finally,
– Be flexible to account for changes in law and circumstance.
While the complexity continues to increase, companies and non-profits that proactively tackle their compliance program will benefit greatly.
Dr. Ross Federgreen, Founder of CSR, the leader in data compliance solutions, holds professional certifications from the International Association of Privacy Professionals, addressing US government and pan-European privacy law and is a Fellow of the European Privacy Association. Ross can be reached at email@example.com.
By Dr. Ross Federgreen, CIPP/US, CIPP/G, CIPP/E