Data privacy and security are an area of rapidly expanding regulatory activity and patient interest. For most health care providers, legal obligations regarding data privacy and security are established by the federal Health Insurance Portability and Accountability Act (“HIPAA”). Adhering to HIPAA is therefore an important compliance obligation for healthcare providers. Indeed, in recent years, a large number of healthcare providers, from large integrated health systems to private practices, have experienced sanctions, unwanted public attention and reputational damage, and other negative consequences for failing to comply with their HIPAA obligations.
Importantly, as a general rule, HIPAA does not provide any special exceptions for small health care providers. Rather, subject to some technical exceptions, all HIPAA-regulated health care providers, whether large health systems or private practices, are subject to similar baseline requirements under HIPAA. Therefore, all regulated health care providers, regardless of size, should be aware of their legal obligations under HIPAA. This article provides a basic roadmap of the key steps you need to take to become HIPAA compliant and outlines how to respond to a potential breach of HIPAA-regulated data.
Of course, every practice and situation is different. In particular, a healthcare organization’s HIPAA risk profile and compliance burden will depend in part on its activities. For example, if a company has a number of complex data sharing arrangements with vendors and other partners, its HIPAA compliance obligations may become more complex.
To begin, some basic HIPAA terminology. First, a “covered entity” is the type of entity primarily regulated by HIPAA. Covered entities include health care providers that submit electronic transactions in a standardized format, such as billing and eligibility inquiries. Notably, health care providers that do not submit claims to third parties, such as cash-only concierge providers, may not be subject to HIPAA.[1] Second, the primary regulatory agency for HIPAA is the U.S. Department of Health and Human Services Office for Civil Rights, or “OCR.” This agency promulgates HIPAA regulations and guidance and also investigates and sanctions potential HIPAA violations.
HIPAA compliance basics
HIPAA compliance is a complex and ongoing process, and many organizations overlook some, if not many, requirements. The most important fundamental elements needed to implement compliant practices include:
- Policies and procedures. Covered entities should have a comprehensive set of policies and procedures in place addressing the HIPAA Privacy Rule (governing the permissible use and disclosure of “protected health information” or “PHI”), the HIPAA Security Rule (maintaining the security and safety of electronic PHI), and the HIPAA Breach Notification Rule (addressing improper use or disclosure). Some consultants will provide form policies and procedures, but these should be customized to your specific practice.
- A particularly important policy is the HIPAA-compliant Notice of Privacy Practices, or NPP. This is typically provided to all patients, must be posted online if your practice has a web presence, and must be physically posted at the practice.
- Employee training. Employees of healthcare organizations must receive HIPAA training upon hire and periodically thereafter. For this purpose, employees include all staff and independent contractors, particularly anyone who may have access to PHI.
- HIPAA Risk Assessment. A HIPAA risk assessment is a written assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI. This typically includes where electronic PHI is stored, the risks to the PHI, who has access to the PHI, and the security protocols used. Risk assessments should be reviewed regularly and updated as risks change. This analysis can be quite technical, so many providers hire IT security consultants to assist with this aspect of HIPAA compliance, at least in the early stages.
- Designated compliance leaders. The practice must formally appoint an individual responsible for compliance with HIPAA privacy requirements (known as the HIPAA “Privacy Officer”) and an individual responsible for HIPAA security requirements (known as the HIPAA “Security Officer”). Given the technical aspects of the HIPAA Security Rule, the “Security Officer” is often an individual with an IT background, while the “Privacy Officer” often takes on more general compliance or administrative functions.
- Business associate management. A “business associate” under HIPAA is essentially any vendor of the provider that has access to, or uses, PHI on the provider’s behalf. Common examples include (1) your electronic health record provider, (2) your attorneys, consultants, and similar advisors if they need access to your PHI, (3) your cloud storage provider, and (4) your claims processor. Most other health care providers are not business associates, because they do not access PHI on the practice’s behalf; instead, they are covered entities in their own right. Similarly, vendors and other contractors (such as landscapers) who do not have access to PHI are generally not business associates. Covered entities are responsible for ensuring that HIPAA-compliant Business Associate Agreements are executed and maintained prior to disclosure of PHI to such vendors. A covered entity must maintain an inventory of all its HIPAA business associates and the associated agreements.
- Prompt response to patient requests. Patients have a right of access to their records under HIPAA, and OCR has recently focused on enforcing this right. In recent years, the agency has investigated and sanctioned a number of health care providers, including small clinics, for failing to comply with HIPAA patient access rights.[2] Additionally, recent amendments to HIPAA have strengthened this right. Currently, health care providers generally must respond to a patient’s request within 30 days (either by producing the record, by refusing on legally valid grounds, or by taking a one-time 30-day extension). Therefore, healthcare providers must prioritize meeting patient requests.
- Continuous audit. As part of continuous quality improvement, a practice should audit its HIPAA compliance and pay particular attention to unauthorized uses and disclosures.
- Other requirements. Keep in mind that HIPAA sets legal minimums. Other laws (both state and federal) may impose additional requirements on the practice, depending on the nature and location of the practice and of the affected individuals.
Roadmap for Addressing Unauthorized Use or Disclosure
Providers must monitor for unauthorized use and disclosure of PHI. If an incident is identified, whether by an employee, a business associate, or another person, it is important to act quickly. If the incident is a breach, the provider has 60 days from the date of discovery to make the necessary notifications to the affected individuals. While every case is fact-specific and often requires close collaboration with an attorney, the key steps are:
- Investigate immediately. Important facts to uncover include the date of the incident, the number of individuals affected, the identifiers involved, to whom the PHI was disclosed or by whom it was used, and how the risk of harm can be mitigated. Understand how the incident occurred and its root cause. If disclosures are continuing, take steps to stop them. Although the investigation must begin immediately, providers can, and often must, act before the investigation is complete.
- Breach analysis. Determine whether the incident constitutes a reportable HIPAA breach. Not all unauthorized uses or disclosures of PHI are reportable breaches under HIPAA. Specifically, if a covered entity determines, based on a risk assessment that considers certain required factors, that there is a low probability that the PHI has been compromised, it need not treat the incident as a breach. This analysis is quite technical and must be documented. Many providers hire attorneys to assist with this analysis.
- Contact your insurance company. Engagement with the insurance company should start early in the process, especially if the practice carries a cybersecurity policy, which is becoming an industry standard. It is worth talking to your insurance broker to determine whether the practice carries cybersecurity insurance and, if not, whether to procure coverage.
- Assessment of other legal obligations. Each state has data breach reporting laws, and additional federal requirements may apply depending on the nature of the breach. Additionally, data breaches may relate to contractual requirements. These areas need to be considered as part of the response.
- Remediation. Depending on the nature of the incident, remediation may include employee discipline and training, repairing business relationships, and IT improvements.
- Provide notice. When a reportable HIPAA breach occurs, it must be reported to the affected individuals and to OCR. Notices must be in writing and comply with certain content requirements. Individuals must be notified without unreasonable delay and in no case later than 60 days after discovery. The timing of notice to OCR depends on the size of the breach. For larger breaches, media notification is also required.
Ensuring HIPAA compliance has become increasingly important given the tightening of data regulations in the United States. Although HIPAA compliance is a complex and ongoing project, there is a set of core elements that is achievable for practices of all sizes.
[1] Of course, healthcare providers have other medical confidentiality obligations, and patients may expect HIPAA-type compliance. Therefore, it is common for even unregulated healthcare providers to comply with standards like HIPAA.
[2] See, e.g., Eleven Enforcement Actions Uphold Patients’ Rights Under HIPAA (July 15, 2022), https://www.hhs.gov/about/news/2022/07/15/eleven-enforcement-actions-uphold-patients-rights-under-hipaa.html.