HIPAA: September 23 Has Come and Gone. Now what?

Maintenance, enforcement, and more Q & A with Leslie Meserole, JD

"The most risk-avoidant thing you can do is encrypt."
Leon Rodriguez, Director of the Department of Health and Human Services' Office for Civil Rights

Q: Will you please explain the increases in Health and Human Services auditing, investigating, and penalties, which are now part of the Final Rule?

A: Sure. The Final Rule implements the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which promotes adoption and meaningful use of health information technology, strengthens civil and criminal enforcement of HIPAA, and adds breach notification requirements to HIPAA. The Final Rule includes higher penalties and mandates formal investigations of possible violations due to “willful neglect.” It defines willful neglect as conscious, intentional failure or reckless indifference to the obligation to comply with the HIPAA rules that are violated.

Q: When does an audit process kick in?

A: First of all, the HITECH Act requires Health and Human Services (HHS) to perform periodic audits of covered entities (CEs) and business associates (BAs) to evaluate their compliance with HIPAA requirements. The Office for Civil Rights (OCR) established a pilot audit program to meet this mandate, including a protocol to assess controls and processes that CEs are using. These audits began in November 2011. In the future, OCR will audit BAs as well. The audit protocol is located on the HHS/OCR Web site under Enforcement.

Q: More and more, we are moving toward electronic record keeping. What are some of the specific HIPAA requirements regarding these practices?

A: The Security Rule requires CEs to conduct risk analyses, on an ongoing basis, of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic personal health information (PHI). They must identify certain things, e.g., where PHI is stored, received, maintained, or transmitted, as well as threats and/or vulnerabilities that would create a risk of inappropriate access. They must evaluate and document all privacy/security measures that are in place, assess the magnitude of all potential impacts, determine risk levels for all threat and vulnerability combinations, develop a list of corrective actions to mitigate each risk level, and document their risk analysis findings.

Q: When should a covered entity or a business associate perform an internal audit?

A: Periodic audits are the only way to know that you are 1) complying with all HIPAA rules, and 2) thoroughly and correctly documenting your compliance activity. Now, under the Final Rule, which became enforceable on September 23, 2013, CEs must perform and document a four-factor objective risk assessment when they experience an improper use or disclosure of PHI to determine whether a breach of unsecured PHI has occurred and if the breach notification requirements must be met. Health care providers must appoint a privacy official and a security official (possibly the same person) who is responsible for developing and implementing all of the policies and procedures of the entity, and who would be the focal point of any internal investigation related to a breach.

Q: What must the covered entity or business associate be able to show in the case of an impermissible use or disclosure of PHI?

A: The Final Rule addresses how CEs and BAs must determine if a breach of unsecured PHI has occurred and requires notification to affected individuals, HHS, and/or the media. The amended definition of “breach” in the Final Rule emphasizes that an impermissible use or disclosure of PHI is presumed to be a breach unless and until a CE or BA demonstrates, through its four-factor risk-assessment, that there is a low probability that the PHI has been compromised. In that case, the CE documents its analysis, and the breach notification requirements are not triggered.

Q: What are the four factors in the objective risk assessment?

A: When an entity learns of an impermissible use or disclosure of PHI, it must first determine whether it is a breach. Then it must conduct a four-factor objective risk assessment to determine whether there is a low probability that the privacy or security of PHI has been compromised. A risk assessment must include the following four factors: 1) the nature and extent of the PHI involved (e.g., identifiers such as social security or credit card numbers, the likelihood of re-identification, and the nature and degree of any clinical information used or disclosed), 2) the identity of the unauthorized person who impermissibly used the PHI or to whom the impermissible disclosure was made (Does the person using or receiving the PHI have an obligation to protect the privacy and security of the information?), 3) whether the PHI was actually acquired or viewed (or was there only an opportunity to view the PHI, e.g., sending a patient’s medical information to the wrong address, but the envelope is returned unopened?), and 4) the extent to which the risk to the PHI has been mitigated (e.g., reassurances that the information involved has been destroyed or will not be disclosed again).

Q: If my risk assessment department determines that there is not a low probability that the PHI has been compromised, what do we do next?

A: If you are not able to demonstrate that there is a low probability that the PHI was compromised, then you must determine if the compromised PHI was “unsecured,” which means the PHI is not unusable, unreadable, or indecipherable to unauthorized individuals. If the compromised PHI was unsecured, breach notification is required.

Q: When might a covered entity expect an OCR investigation?

A: The Final Rule requires HHS to conduct an investigation when a preliminary review of a complaint (e.g., by a patient or another health care organization) or another indication of noncompliance indicates a possible HIPAA violation due to willful neglect. It also gives HHS discretion to conduct a compliance review or investigate any other complaint where a preliminary review of the facts indicates a degree of culpability less than willful neglect.

Q: How painful are the penalties when a covered entity is found in violation of HIPAA regulations?

A: It depends. The HITECH Act established higher penalty amounts, which will now be enforced by the Final Rule. The new penalty process incorporates a four-tiered penalty structure. The tiered amounts are tied to whether the violator knew of the violation, had reasonable cause for the violation, was neglectful, and, in the case of neglect, implemented corrective measures within 30 days. The amounts range from $100 per violation to $50,000 per violation, with a cap of $1.5 million for violations of the same requirement in a calendar year.

Q: Should those involved in health care assume that there is now an adversarial relationship between the medical community and HHS?

A: Though enforcement and penalties have increased, HHS really does stress compliance from a preventive measure standpoint. The Office for Civil Rights, the HHS division that conducts civil investigations of potential HIPAA violations, includes quite a bit of guidance for implementing the HIPAA requirements on its Web site. In addition, the Final Rule gives HHS the discretion to resolve a violation through informal means, such as an entity demonstrating compliance or completing a corrective action plan. The Final Rule calls for HHS to provide technical assistance to CEs and BAs to help them comply voluntarily with HIPAA rules.

Q: How does the Final Rule (also called the Omnibus rule) affect companies providing services to covered entities?

A: A Business Associate (BA) is a company that provides services to or on behalf of a CE where the services involve access to PHI, for example, an IT firm that manages a practice’s electronic health records system. CEs and BAs must have a written agreement that provides the BA’s assurances that it is HIPAA compliant. The Final Rule, which has a compliance date of Sept. 23, 2013, requires BAs to comply with certain requirements of the Privacy Rule and the Security Rule; they must now have much more robust compliance programs and documentation. HHS has the same ability to audit BAs as it does to audit CEs, and to impose civil money penalties against BAs. In addition, if a BA engages a subcontractor to perform some of the services that the CE has contracted with the BA to perform, the BA must enter into a formal agreement with the subcontractor that includes HIPAA compliance. Note: the Final Rule became effective March 26, 2013; the date for CEs and BAs to comply was Sept. 23, 2013.

Leslie Meserole, JD, is a principal in the health care practice team of Riddell Williams P.S. She has experience working with hospitals and health systems, physicians and physician groups, public hospital districts, and other health care-related entities in business transactions and regulatory compliance matters. Leslie’s regulatory compliance practice focuses on fraud and abuse, HIPAA compliance and patient privacy, IRS rules applicable to exempt organizations, physician compensation, and Medicare participation and reimbursement.

"I think we're going to find that there were a lot of covered entities that didn't realize they have business associates and business associates that didn't know they were business associates."
Leon Rodriguez, Director of the Department of Health and Human Services' Office for Civil Rights