HIPAA 101
Keep your money in your pocket—avoid fines for noncompliance
Reenie Kavalar, PT
Welcome to HIPAA 101. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a set of rules that doctors, hospitals, and other health care providers must follow to ensure that medical records, medical billing, and patient accounts meet defined standards for documentation, handling, and privacy. A number of additional regulations have been issued under HIPAA since 1996. These rules have changed the practice standards for physical therapists and will continue to do so as we enter 2015. HIPAA is broken down into the Privacy, Security, Transactions, Identifiers, and Enforcement Rules.
I will focus on the Enforcement Rule, as strengthened by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of February 2009, because it is what will affect us most directly. The most recent modification to HIPAA and HITECH, the HIPAA Omnibus Rule, went into effect in March 2013, with all changes required to be in place by September 2013. The Omnibus Rule is neither a tweak nor a sweeping reform: far too much law is included in it to call it a tweak, yet it introduces little that is genuinely new. The HITECH Act was the sweeping change; for the most part, the Omnibus Rule simply writes HITECH's requirements into the HIPAA rules. To condense this into a usable format, I will highlight a few points:
- The changes mandated by the HITECH Act are now codified in final rules.
- Most HIPAA Security Rule provisions, and certain Privacy Rule provisions, now apply directly to Business Associates (BAs) of Covered Entities (CEs), making BAs directly liable for compliance.
- The definition of Business Associate was broadened, and now includes subcontractors of BAs.
- The Breach Notification Rule's method for analyzing a potential breach was revised: an impermissible use or disclosure of protected health information is presumed to be a breach unless a documented risk assessment shows a low probability that the information was compromised.
- New patient rights affect CEs: the right to an electronic copy of the medical record, restrictions on the sale of protected health information and on marketing and fundraising communications, and the right to restrict disclosures to a health plan for services the patient has paid for out of pocket.
With the United States Department of Health and Human Services (HHS) Office for Civil Rights expected to begin random audits in 2015, covered entities should take another look at the expanded penalties for privacy and security violations under the HIPAA Omnibus Rule. Of particular concern are audited or investigated organizations that have done little or nothing to become HIPAA compliant, for example those unable to produce the policies and procedures that govern a compliance program, or unaware that compliance is required at all. The Omnibus Rule sets penalties in four tiers of culpability, per violation: did not know ($100 to $50,000), reasonable cause ($1,000 to $50,000), willful neglect that was corrected ($10,000 to $50,000), and willful neglect that was not corrected ($50,000 minimum). Because penalties can be assessed for each violation within a tier, the total is capped at $1.5 million per calendar year for all violations of an identical provision.
In a presentation given by Gartner Security and Risk Management analysts Wes Rishel and Paul Proctor, the focus was on educating attendees about the broad nature of the regulation and the latitude it leaves enterprises. Gartner's advice was that practices should not treat HIPAA as a checklist but as a starting point for determining what they can and cannot do. Once organizations understand how little HIPAA actually prescribes, they can do a better job of assessing which data really needs to be protected and then protecting it.
According to Proctor, organizations should focus their efforts on performing a thorough HIPAA risk assessment, one that clearly shows how the security controls they have put in place reduce the risk of the scenarios deemed most likely to occur. Above all else, organizations need to document that thought and care have gone into their security programs to protect HIPAA-covered data. "Documenting your decisions is in the [HITECH final] rule," he says. "You cannot just make it up on the fly." For our practice to comply with these rules and regulations and keep our money in our pocket, make sure you stay up to date with the changes affecting your bottom line. For more information, see www.apta.org/hipaa.