Privacy & security: Enforcement activities have 'increased dramatically' (Part 1 of 2)
She cited one incident in which someone downloaded 11,000 patient records to a laptop from which he had stripped the encryption, then lost the laptop after leaving it in a restaurant. The information was password-protected but not encrypted, so those 11,000 patients had to be notified of the breach. The records included patients from 31 different states, which meant complying with the privacy and security laws of all 31.
This breach notification is required by the HITECH Act of 2009, which has been in effect since 2009, but Freedman has seen hospitals that still don’t have privacy and security policies and procedures even though they have been required to since HIPAA was passed in 1996. Hospitals should not only have written policies and procedures but also be implementing them, she said. “It’s not enough to have a policy in place.”
The privacy rule also requires mandatory contractual provisions with business associates (BAs) and a notice of privacy practice provided to all patients and posted in provider offices. The security rule primarily relates to electronic protected health information (PHI), “although there are certain security standards you should be following even if you still have paper records.”
At the top of that list of security standards is a risk analysis, Freedman said. “Your security risk analysis should be very, very high on your to-do list.” During audits, the Office for Civil Rights (OCR), the healthcare privacy and security enforcement agency, has focused on making sure that covered entities (CEs) have performed a risk analysis and are managing their risks. A risk analysis is also required to meet the specifications of meaningful use core measure 15, Freedman explained.
OCR representatives have told Freedman that PHI—individually identifiable health information—includes just a name and Social Security number written on a piece of paper that has a particular medical provider on it. “People think PHI has to have some health information attached to it but it’s anything that’s personally identifiable.”
When in doubt, get the patient’s authorization and you’ll always be covered, she advised. Also remember that providers must give patients their information when they request it. Freedman discussed a case in which the OCR got 42 patient complaints about a CE that wouldn’t give the patients their information. The entity ignored the OCR, so the OCR got a subpoena. The entity ignored that too. The OCR then asked a judge to compel the entity to give the patients their information, and the entity ignored the order as well. The lesson here was “never ignore the OCR,” she said. The entity was eventually fined $4.3 million—$1.3 million for not allowing patients access to their information and the other $3 million for violating HIPAA and the HITECH Act.
Meanwhile, we’re waiting for CMS to issue its final rule on minimum necessary, Freedman said. The rules are going to change, she said. “Only give the information asked for.”
Also remember that not everyone in an office needs access to records. “Make sure that only those people who need to get into records actually have access.” She cautioned against giving someone a password just to “make life easier.” The practitioner is the one responsible if someone accesses a record who is not supposed to. CEs must make sure their policies and procedures limit exposure to the minimum necessary information. “You don’t have to use minimum necessary if another provider is asking for information for treatment purposes but I will tell you that it’s best practice and better for risk reduction if you only give them what they need.”
Under HIPAA, CEs must implement internal access and use controls to PHI. “You need an access policy that says ‘these people can have access to my EMR and these people cannot’ and the same for billing records, even if there are only two people in your office.”
The entire process shouldn’t be burdensome, she said, but CEs should be thinking about it and should be able to show the OCR that they are thinking about it.
CEs also must establish and implement policies and procedures for routine and recurring disclosures or requests for disclosures and establish a policy for how they will respond to requests for information. CEs are allowed to reasonably rely upon other CEs when they make a request for PHI. Providers also should have BA agreements with their attorney and accountant.
“Individual accounting and access is coming into play in a big way under the new rules,” Freedman said, although CMS has not issued the final rule. The draft rule was very controversial because providers said it was too burdensome. Previously, under HIPAA, patients could get an accounting of disclosures that included the intended use of PHI and could request that incorrect information be corrected. The new rule calls for both CEs and BAs to track every member of their workforce who has access to records, as well as all third parties. In effect, the requirement is an accounting of all views of an EMR.
Make sure your software vendor has the capability to do individual accounting of disclosures, Freedman said. The OCR recently said that it will start to require that providers have a system with the ability to see who is looking at billing and appointment records. Despite the controversy, Freedman said the new rule is coming and it will say that patients have the right to know who in a provider’s office was looking at their information. There have been many breaches and unauthorized accesses reported to HHS where people are looking into other people’s medical records for curiosity’s sake, she said. Hospitals must have proper measures in place to make sure unauthorized individuals cannot access records. “Individual accounting and access is very important and you should be talking to your software vendors about it.”
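The access policy and the accounting of every view of an EMR described above, as an added illustration in Python that is not code from the article or from any vendor; the roles, users, care-team table and log entries are constructed assumptions:

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed example (not from the article): a minimal EMR access log that records every
# view of a patient's records, allowed or denied, and can produce the per-patient accounting
# the article says the coming rule expects. Roles, users and the care team are hypothetical.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "physician": {"clinical", "appointments"},
    "nurse": {"clinical", "appointments"},
    "billing": {"billing", "appointments"},
    "front_desk": {"appointments"},
}

@dataclass
class AccessEvent:
    when: datetime
    user: str
    role: str
    patient_id: str
    record_type: str  # "clinical", "billing" or "appointments"
    purpose: str      # stated reason: "treatment", "payment", ...
    allowed: bool

@dataclass
class EmrAuditLog:
    events: list[AccessEvent] = field(default_factory=list)

    def request_view(self, when, user, role, patient_id, record_type, purpose) -> bool:
        """Apply the access policy, then log the attempt whether or not it was allowed."""
        allowed = record_type in ROLE_PERMISSIONS.get(role, set())
        self.events.append(AccessEvent(when, user, role, patient_id, record_type, purpose, allowed))
        return allowed

    def accounting_for(self, patient_id: str) -> list[AccessEvent]:
        """What a patient may ask for: every view of their records, oldest first."""
        return sorted((e for e in self.events if e.patient_id == patient_id), key=lambda e: e.when)

    def off_care_team_views(self, care_team: dict[str, set[str]]) -> list[AccessEvent]:
        """Allowed clinical views by staff not on that patient's care team (review candidates)."""
        return [e for e in self.events if e.allowed and e.record_type == "clinical"
                and e.user not in care_team.get(e.patient_id, set())]

def build_sample_log() -> EmrAuditLog:
    """Constructed activity for one clinic day against patient P001."""
    log, day = EmrAuditLog(), datetime(2012, 3, 1)
    log.request_view(day.replace(hour=9), "dr_lee", "physician", "P001", "clinical", "treatment")
    log.request_view(day.replace(hour=10), "pat_fd", "front_desk", "P001", "clinical", "curiosity")
    log.request_view(day.replace(hour=11), "dr_kim", "physician", "P001", "clinical", "none")
    log.request_view(day.replace(hour=12), "bill_ng", "billing", "P001", "billing", "payment")
    return log

CARE_TEAM = {"P001": {"dr_lee"}}
```

Denied attempts stay in the accounting so a patient (or an auditor) can see who tried, while `off_care_team_views` surfaces the allowed-but-unexplained clinical views that a policy check alone cannot catch.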
Providers are allowed to provide PHI to their BAs with whom they have a written contract that requires the BAs to keep privacy and security measures in place. BAs are now required, under the HITECH Act, to have procedures in place that comply with the privacy and security rules, Freedman said.
BAs are any service providers that receive PHI from a provider. The most common BAs are software vendors, accountants and attorneys. “Anyone that has access to your PHI,” she said. “It’s very important for you to determine who has access to your PHI and make sure you have a written contract with them.” She recommended that CEs sit down with their office staff and determine which of their BAs require agreements.
BA agreement rules have changed dramatically since the passage of the HITECH Act, Freedman said. As a result, CEs should eliminate any verbal contracts and put an end to any automatically renewing contracts. “They’re out of date and probably won’t protect you if there are costs associated with a breach notification.” She also recommended that CEs make sure they reach agreements with their BAs on indemnification.
“It’s incredibly important in these agreements to make sure the vendor agrees to indemnify you if they’re at fault for a breach. The agreement should discuss how breaches are handled.” The CE should be the one with control over notification if there is a breach, she said, because it’s the CE that is required, under HIPAA, to notify patients about a breach. “It’s not good for another entity to contact your patients directly about something they did because you’re going to need to do some public relations with your own patients. You want control of the information going to your patients,” Freedman noted.
Look for the second part of this story tomorrow in the daily CMIO newsletter.