Earlier this month health insurer Anthem, Inc. disclosed a data breach involving an estimated 80 million records containing protected health information (PHI). In 2013, Anthem (then known as Wellpoint) was fined $1.7 million by the Department of Health and Human Services (HHS) in connection with an unauthorized disclosure of PHI.
Last May, Columbia University and New York-Presbyterian Hospital were fined a combined $4.8 million for HIPAA violations when a doctor disconnected his personal computer from the hospital network, leaving patient information vulnerable to discovery through Internet search engines.
After some delay, Phase II of the HIPAA Audit Program is expected to begin soon. This means the Office of Civil Rights (OCR) will begin conducting compliance audits this year. If you have not completed a HIPAA risk assessment in the last 12 months, you should do so now. Risk assessments are a fundamental requirement under HIPAA, not a “nice to do.” There is no way to properly implement HIPAA policies and procedures without fully understanding your environment and the risks it presents to protecting privacy and securing PHI.
When HIPAA was enacted in 1996, privacy was not the principal focus of the legislation. Indeed, it took HHS eight years to publish the initial HIPAA Privacy Rule. It took several more years for HHS to publish the initial Security Rule. The Security Rule directed “covered entities” (e.g., providers, hospitals, health insurers) to perform a risk assessment, understand where their vulnerabilities were, and to adopt reasonable safeguards to fix them. There are three categories of HIPAA safeguards: administrative, physical, and technical.
Administrative safeguards involve designating personnel, creating and adopting HIPAA policies and procedures, and training your workforce to understand the policies and procedures, including how to document compliance. Training is not the place to cut corners because it is key to ensuring a HIPAA-compliant workplace – data security relies as much on institutional culture as it does on technology.
How your practice manages the physical devices and media where patient information is stored and can be accessed is vitally important. Locks and alarms for facility access remain important, but address a limited aspect of physical safeguarding. OCR reports HIPAA violations occurring because of lost or stolen flash drives, hard drives, laptops, and even paper files blowing out of car windows. It is therefore imperative that you develop physical safeguards that minimize or eliminate the possibility of exposing PHI through sloppy access protocols, leaving unencrypted PHI on electronic media, etc.
Technical safeguards may be the one area in which it is reasonable to believe that HIPAA compliance is a headache only for the CIO, CTO, and the IT department.
Technical safeguards focus on things like access controls, the integrity of PHI (i.e., making sure it can’t get corrupted), authentication (making sure the person trying to access PHI is who she says she is), and transmission security (is there a risk that PHI can be “grabbed” while it’s in transit?). That said, never lose sight of the fact that Security Rule compliance is based on implementing all of the safeguard types – meaning it necessarily involves personnel from a variety of disciplines within a covered entity’s organization.
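To make the technical safeguard categories concrete, here is an added illustration (not code from the original post, and not an HHS or OCR artifact) of how two of them, access control and PHI integrity, look in practice: a role-based permission check gates every read or write, an HMAC-SHA256 tag detects any alteration of a stored record, and every attempt, allowed or denied, lands in an audit trail. The role table, the in-memory audit log, and the patient record are constructed for the example; in a real system the key comes from a key store and the audit log is append-only storage.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone
from typing import Optional

# Constructed per-deployment secret. In production it lives in a key store,
# never in source code; generated here so the example runs stand-alone.
INTEGRITY_KEY = secrets.token_bytes(32)

# Constructed role-to-permission table standing in for a real access policy.
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "billing": {"read"},
    "facilities": set(),
}

# In-memory stand-in for an append-only audit trail (a Security Rule staple).
AUDIT_LOG = []


def _canonical(record: dict) -> bytes:
    """Serialize deterministically so the same record always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Attach an HMAC-SHA256 integrity tag to a PHI record before storage."""
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_record(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag and compare in constant time; any field change fails."""
    expected = hmac.new(key, _canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def access_phi(user: str, role: str, action: str, sealed: dict) -> Optional[dict]:
    """Enforce role-based access, then integrity, and audit the attempt either way.

    Returns the record on success, None when access is denied or the record
    fails its integrity check (a corrupted record is never handed to a user).
    """
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    intact = verify_record(sealed) if allowed else None
    if not allowed:
        outcome = "denied"
    elif intact:
        outcome = "ok"
    else:
        outcome = "integrity_failure"
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "action": action,
        "patient_id": sealed["record"].get("patient_id"),
        "outcome": outcome,
    })
    if outcome != "ok":
        return None
    return sealed["record"]


if __name__ == "__main__":
    # Constructed sample record; no real patient data.
    sealed = seal_record({"patient_id": "P-0001", "diagnosis": "constructed"})
    print(access_phi("dr_a", "physician", "read", sealed))      # record returned
    print(access_phi("crew_b", "facilities", "read", sealed))   # None, denied
    tampered = {"record": dict(sealed["record"], diagnosis="altered"), "tag": sealed["tag"]}
    print(access_phi("dr_a", "physician", "read", tampered))    # None, integrity failure
    for entry in AUDIT_LOG:
        print(entry)
```

The point a risk assessment should surface is not the HMAC itself but what surrounds it: who holds the key, whether the audit log can be altered by the same people it monitors, and whether a failed integrity check actually triggers a review rather than silently returning nothing.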
In 1996, HIPAA compliance might have simply required a memo to staff, a sturdy lock on the records room, and an alarm on the building. The creation and rapid adoption of electronic health records over the last several years have rendered locks and alarms a quaint reminder of simpler data security times. Hence the Security Rule’s requirement that covered entities (and now business associates) conduct a proper risk assessment.
A risk assessment does not need to be expensive. The OCR website has a downloadable tool for performing a security risk assessment (SRA). The SRA tool consists of 156 “yes” or “no” questions about the organizational policies and procedures for your practice. When you are done, you will have up-to-date information about where your practice needs improvement with respect to HIPAA. Importantly, the SRA tool does not report information outside of your practice. The idea is to provide information helpful to your becoming fully compliant. Be aware, though, that HHS cautions that use of the SRA tool does not guarantee HIPAA compliance, and the ultimate determination of compliance is left to each health care provider and organization.
Phase II of the OCR’s HIPAA audit program is imminent, and may herald a further crackdown on compliance. While there has been no formal announcement regarding the scope or concentration of the audits, OCR has consistently suggested a substantial increase in on-site audits (as opposed to desk audits).
The OCR’s HIPAA audit protocol (in its current form) is obviously useful information as you continue your HIPAA compliance journey.