HIPAA Omnibus rule enforcement era—what providers want to know.
By Nancy Beckley, MS, MBA, CHC and Paul J. Welk, PT, JD
We are officially under the era of enforcement for the Health Insurance Portability and Accountability Act (HIPAA). Our previous column addressed the September 23, 2013, enforcement date for the HIPAA Omnibus Final Rule (“Final Rule”) and took a look at five key issues of preparedness: business associates, notice of privacy practices, breach notification, risk analysis, and risk management and training. Within that context, we addressed compliance requirements, enforcement examples, and best practices for the physical therapy practice. This column takes a closer look at enforcement, addresses some common HIPAA questions from providers, and presents related resources to assist practices in achieving HIPAA compliance.
HIPAA enforcement is under the auspices of the Office of Civil Rights (OCR), a federal agency at the Department of Health and Human Services (HHS). HIPAA is not a Medicare compliance obligation, but is applicable to all providers who meet the definition of a covered entity under HIPAA, as well as to all business associates. The OCR is charged with enforcing “the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; the HIPAA Breach Notification Rule, which requires covered entities and business associates to provide notification following a breach of unsecured protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.”1
For those providers who believed HIPAA enforcement was only a concern for large providers, OCR sent a clear message in early 2013 that it would also take strong enforcement action against small providers. Specifically, a hospice provider in Idaho agreed to pay $50,000 to HHS to settle potential violations of the HIPAA Security Rule. The breach occurred when an unencrypted laptop used in field-work was stolen from an employee’s car. The breach involved the protected health information of fewer than 500 patients. Nonetheless, OCR took strong action against this provider and required the hospice to enter into a Resolution Agreement, in large part because the organization failed to conduct a required security risk assessment. Additionally OCR found that the hospice did not have policies and procedures in place to address mobile device security, which is a requirement of the HIPAA Security Rule. This represented the first settlement involving a breach of unsecured electronic protected health information (ePHI) affecting fewer than 500 individuals.
Large data breaches reported over the past holiday season at national retail merchants have created a great deal of public attention, heightening the awareness of personal and financial security and identity theft. These breaches have also brought HIPAA security to the forefront of many physical therapy practice owners’ minds. Practice owners, it seems, have yet another reason to lose sleep at night worrying about HIPAA noncompliance and the potential of a data breach. There is good reason to be concerned about this topic and to raise appropriate questions. The following addresses some of the frequent questions being asked by physical therapy practices in the areas of HIPAA enforcement and security.
- Is there a checklist or specific format that my practice should use to conduct the risk analysis that is required under the HIPAA Security Rule? HHS provides rather extensive guidance on satisfying the risk analysis requirement under the HIPAA Security Rule. Specifically, the Security Rule requires that a practice conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by a physical therapy practice. The HHS website reviews in detail the risk analysis requirements as well as the specific elements of a risk analysis.2 This website is an excellent starting point for practices that are completing a HIPAA Security risk assessment.
- How do I determine whether my practice is a covered entity subject to the privacy and security requirements of HIPAA? The HIPAA Administrative Simplification Regulations define a covered entity, in general, to include a health care provider that conducts certain transactions in electronic form. As a practical matter, the vast majority of physical therapy private practices are therefore covered entities under HIPAA. To assess whether your specific practice is a covered entity, HHS has developed a decision-making tool to assist in the analysis.3 In addition to considering whether a particular practice is a covered entity, the practice should also consider whether it may also be subject to the HIPAA compliance requirements, either through acting as a business associate or through any contracts in which it has agreed to comply with HIPAA.
- I visit patients in their homes for outpatient home therapy. I use a laptop and write my notes contemporaneously on the laptop. What do I need to think about to keep patient information secure? HHS acknowledges that mobile devices are often used to store or transmit protected health information. Given the frequency of mobile device use by health care providers, HHS has published guidance dealing with health information privacy and security in connection with mobile device usage.4 Some specific protection mechanisms to consider when using a mobile device include the use of a password, the encryption of health information, utilizing a remote wiping or disabling program for use on lost or stolen devices, installation of a firewall or security software, and maintaining physical control of devices.
- Our practice has a Facebook page and I am concerned that a patient might reveal protected health information when he or she makes a comment or post. Is our practice liable for a HIPAA violation if a patient posts his or her own protected health information? As a general matter, the practice would not be liable if a patient chooses to post his or her own protected health information electronically. However, practitioners should give careful consideration to any responsive messages. Should a representative of the practice’s workforce post protected health information in an area that is publicly accessible, the practice is at risk. Practices should consider establishing policies and procedures governing the use of social media by their workforce, and all staff should be trained on the established policies and procedures. An additional issue to consider in connection with the use of social media by a health care provider is whether medical advice is being provided and whether this is appropriate or legally permitted. Finally, practices should consider auditing their social media outlets to assure compliance with policies, procedures, and applicable law.
- Our practice is updating all of our Business Associate Agreements (BAA), and we want to clarify if we should provide our BAA to the other party (in this instance our billing company) or if we should sign the other party’s BAA. What is the best practice to protect our practice? As with any contract, BAAs set forth certain rights and obligations of the parties. Presumably, a form of BAA utilized by a physical therapy private practice is going to be more favorable to the practice than a BAA presented to the practice by a vendor. For this reason, the practice should utilize its more “provider friendly” BAA whenever possible. If a Business Associate is insistent on using its form BAA as a starting point for negotiations or otherwise unwilling to change the terms of its BAA, the provider should be certain to understand the risks and benefits associated with signing that particular document. HHS has published a number of FAQs directly related to Business Associates that may serve as an additional resource for common questions.5
- Our practice provided our external audit consultant with patient records maintained on a thumb drive. The thumb drive was subsequently lost. How do we determine if this is a reportable breach? HIPAA provides that breach notification is required if the breach involves unsecured protected health information. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a specified technology or methodology. These technologies and methodologies include encryption or destruction of the protected health information. HHS provides specific guidance for rendering unsecured protected health information unusable, unreadable, or indecipherable to unauthorized users.6 The specific requirements for protecting such information relate to factors such as whether the information is in electronic form or hard copy.
- I have heard that I can buy insurance to protect against the risks associated with a HIPAA breach. Is this correct? A number of insurance providers that service the physical therapy market offer information privacy or similar coverages. There may also be coverage available for HIPAA violations under current policies already maintained by private physical therapy practices. In performing the practice’s individual risk assessment under HIPAA, a prudent step would be to speak with the practice’s insurance provider regarding current information privacy coverage and options available to mitigate HIPAA risk through appropriate insurance coverages.
HIPAA Privacy and Security Compliance is an area where regulation and enforcement have steadily increased over time. As the scope and breadth of the requirements on covered entities and business associates have increased, so has the potential for noncompliance. Through the performance of a risk assessment, practices can seek to mitigate potential losses due to HIPAA noncompliance. Hopefully, the above resources and sample questions provide a good starting point for an analysis.
Nancy Beckley, MS, MBA, CHC, is certified in Healthcare Compliance by the Compliance Certification Board and is a frequent speaker and author on outpatient therapy compliance topics. She advises practices on compliance plan development and audit response. She can be reached at firstname.lastname@example.org.
Paul Welk, PT, JD, is a Private Practice Section member and an attorney with Tucker Arensberg, and frequently advises physical therapy private practices in the areas of corporate and health care law. He can be reached at email@example.com.
1. U.S. Department of Health and Human Services. Website http://www.hhs.gov/ocr/privacy/index.html. Accessed February 13, 2014.
2. http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidance.html. Accessed February 23, 2014.
3. http://www.healthit.gov/providers-professionals/how-can-you-protect-and-secure-health-information-when-using-mobile-device. Accessed February 23, 2014.
4. http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security. Accessed February 23, 2014.
5. http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/index.html. Accessed February 23, 2014.
6. http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html. Accessed February 23, 2014.