[BreachExchange] HIPAA enforcement in 2016: Is your practice ready?
Audrey McNeil
audrey at riskbasedsecurity.com
Tue Feb 23 11:09:10 EST 2016
http://www.familypracticenews.com/views/the-office/blog/hipaa-enforcement-in-2016-is-your-practice-ready/df1c00fbb14efe121c9916af1ea0eee7.html
Two reports from the Office of the Inspector General (OIG) have attracted a
lot of attention in recent weeks: The Office for Civil Rights (OCR), OIG
said, needs to improve and expand its enforcement of the Health Insurance
Portability and Accountability Act (HIPAA). In response, the OCR announced
that it plans to identify a pool of potential audit targets and launch a
permanent audit program this year. That, combined with the substantial fine
levied against a dermatology group last year for violating one of the new
rules, signals the importance of reviewing your practice’s HIPAA compliance
as soon as possible.
You can compare your office’s compliance status against the recommendations
listed on the OCR website, but pay particular attention to your agreements
with Business Associates (BAs). Those are the individuals or businesses,
other than your employees, who perform “functions or activities” on behalf
of your practice that involve “creating, receiving, maintaining, or
transmitting” personal health information.
First, make sure that all individuals and enterprises fitting that
definition have a signed agreement in place. Typical BAs include answering
and billing services, independent transcriptionists, hardware and software
companies, and any other vendors involved in creating or maintaining your
medical records. Practice management consultants, attorneys, specialty
pharmacies, and record storage, microfilming, and shredding services are
BAs if they must have direct access to confidential information in order to
do their job.
The revised rules place additional onus on physicians for confidentiality
breaches committed by their BAs. It’s not enough to simply have a BA
contract; you are expected to use “reasonable diligence” in monitoring
their work. BAs and their subcontractors are directly responsible for their
own actions, but the primary responsibility is yours. Furthermore, you must
now assume the worst-case scenario: Previously, when protected health
information (PHI) was compromised, you would have to notify only affected
patients (and the government) if there was a “significant risk of financial
or reputational harm,” but now, any incident involving patient records is
assumed to be a breach, and must be reported.
Failure to do so could subject your practice, as well as the contractor, to
significant fines. That is where the Massachusetts dermatology group ran
into trouble: It lost a thumb drive containing unencrypted patient records,
and was forced to pay a $150,000 fine, even though there was no evidence
that the information was found or exploited.
Had the lost drive been encrypted, the incident would not have been
considered a breach, according to the Centers for Medicare & Medicaid
Services, because its contents would not have been viewable by the finder.
The biggest vulnerability in most practices is probably mobile devices
carrying patient data. There is no longer any excuse for not encrypting
HIPAA-protected information; encryption software is cheap, readily
available, and easy to use.
Patients have new rights under the new rules as well; they may now restrict
any PHI shared with third-party insurers and health plans, if they pay for
the services themselves. They also have the right to request copies of
their electronic health records (EHRs). You can bill the costs of
responding to such requests. If you have EHRs, work out a system for doing
this, because the response time has been decreased from 90 days to 30 days
– even shorter in some states.
If you haven’t yet revised your Notice of Privacy Practices (NPP) to
explain your relationships with BAs, and their status under the new rules,
do it now. (You should have done it last year.) You need to explain the
breach notification process too, as well as the new patient rights
mentioned above. You must post your revised NPP in your office, and make
copies available there, but you need not mail a copy to every patient.
You also should examine every part of your office where patient information
is handled to identify potential violations. Examples include computer
screens in your reception area that are visible to patients; laptops not
locked up after hours; unencrypted emails or texts that might reveal
confidential information; and documents designated for shredding that sit,
unshredded, in the “to shred” bin for days.
And make sure you correct any problems you find before the OCR auditors
come calling.
To view the recommendations at the OCR website so you can check your
office’s compliance status, go to: www.hhs.gov/hipaa/index.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160223/fbdb13cb/attachment.html>
More information about the BreachExchange
mailing list