An expert recently shared the pitfalls of noncompliance with breach-reporting provisions that came into effect last year under the US Department of Health & Human Services (HHS) Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act.[1] At the National Organization of Rheumatology Managers 2014 Annual Conference, Bill Fivek, president and CEO, Total Medical Compliance, discussed the strengthened provisions as well as consequences if practices are found to be noncompliant.
Mr Fivek’s presentation was one of several that were delivered to small groups during breakout sessions at the conference, which was held September 12-13 in Louisville, KY. Practice managers, practice administrators, managing partners, and others at the conference gathered to learn about current HIPAA guidelines, how to stay in compliance, and what to do should a breach occur.
“One of the Health and Human Services attorneys said, ‘If you have a problem, report it. If you hinder the investigation by hiding a fact, we’ll find out. We’re pretty good. We don’t care how sorry you are, or how you’ll do things differently next time,’” Mr Fivek said.
Mr Fivek noted that the penalty for each violation found to be willful neglect and not corrected in a timely fashion is at least $50,000, up to a maximum of $1.5 million per calendar year for the same violation, a ceiling that HHS wishes were higher, he said. Some fines have the potential to close practices for good. There are lower fines ($100-$50,000) for violations that occur when the practice does not know of the violation and would not have known of it even if administrators were exercising reasonable diligence. The penalties are also lower, although not insubstantial ($1,000-$50,000), when circumstances make it unreasonable to comply with HIPAA.
He said the best way for practices to be protected from penalties is to have careful and well-documented processes in place for the protection of patient data. “If you put preventive processes in place after you’ve screwed up, that’s like doing your homework after it’s due,” he said.
Protected health information (PHI) today is very broadly defined to include health information that is provided orally or recorded in any medium or form, as well as e-mail addresses, license plate numbers, and any other unique identifying number, characteristic, or code. The final omnibus HIPAA rule that came into effect on March 26, 2013 (with compliance required by September 23, 2013) also included expanding the compliance requirements for business associates, as well as making the definition of a health information breach more stringent and clarifying when breaches must be reported to the HHS.[1]
According to the new rules, unauthorized disclosure, acquisition, access, or use of PHI in any way that is not permitted by the Privacy Rule “is presumed to be a breach unless the covered entity [practice or business associate, as applicable] can prove otherwise,” said Mr Fivek. “Unlike your court of law where you are innocent until proven guilty, with HIPAA you’re guilty until you can prove yourself innocent. You have to demonstrate that your policies show that there couldn’t have been a breach; that the information couldn’t have gotten out to someone.”
There are, however, important exclusions: when a worker who has the authority to access the information accidentally accesses a record for a patient whose care they are not involved in; when a worker who has the authority to access the information inadvertently shares patient information with another worker who isn’t involved in that patient’s care; or when information is shared with someone who isn’t authorized but the unauthorized person would not reasonably have been able to retain such information, said Mr Fivek.
“If I hear an individual patient’s name being discussed by someone associated with a medical practice, that’s not a breach. If I hear a patient has a certain condition but I don’t know who the person is, it’s not a breach. But if I can marry those two pieces of information, then it is a potential breach,” explained Mr Fivek. “And if it’s not a breach, it could be just a HIPAA violation that you document as an incident in your records.”
Another common scenario is when someone sends a paper copy of a patient record to the wrong person. “They call up the office and say, ‘This isn’t mine. I know I’m not supposed to have this. I want to shred it.’ In situations like that, it’s perfectly acceptable to have the patient or individual who received the information in error sign a confidentiality agreement,” explained Mr Fivek.
The mobile electronics era has brought with it a significantly increased potential for patient records to be seen by people who are not authorized to receive such information, Mr Fivek said. Therefore, it is important to have rules in place to safeguard patient information on electronic devices, such as making sure that employees have a secure PIN to use their smartphones, that they use a personal login and password to access PHI, and that they use encryption or patient portals for electronic responses to patient inquiries. The practice also should have an electronic lockout process for when an employee leaves the practice. The effectiveness of these measures should be verified by yearly risk analyses, which are widely available and also can be used for attestation of Meaningful Use, said Mr Fivek.
In fact, every time there is a potential breach, practice administrators should complete a risk analysis checklist, Mr Fivek said, to document the extent and nature of the breach or potential breach and the staff members’ decision processes surrounding it. This includes documenting which individuals inside and outside the clinical practice the matter was discussed with, what decisions were made, and how they were made, said Mr Fivek.
All patients whose information was involved in the breach must be notified by first-class mail or e-mail within 60 days of the breach’s discovery. The written notification to the patients should include an e-mail address or phone number patients can use for inquiries, stipulated Mr Fivek. In addition, when the breach involves data from fewer than 500 patients, the administrators must report the breach to HHS no more than 60 days after the end of the calendar year in which the breach was discovered. When a breach involves 500 or more patients, the practice must also notify prominent media outlets serving that geographic area, as well as HHS, at the same time patients are notified.[2]
If an employee acted in a criminal manner by taking deliberate steps to disclose information about patients to people who are not authorized to receive that information, he or she can be held personally responsible, explained Mr Fivek, and the employee and/or the practice may be fined. Otherwise, employees are not legally responsible for breaches. If a business associate caused the breach, that person or business must provide notification to the covered entity within 60 days of the breach’s discovery.
“These folks can get you in trouble, so you need to make sure you’ve got proper documentation with them,” Mr Fivek observed. “The business associate agreement must address the timing and reporting of breaches or suspected breach situations. If you didn’t update your business associate agreements in the last year, you need to do so with your business associates.” He pointed to the HHS website as a source for business associate contracts.[3]
He told attendees that it is important to consider bringing in outside consultants if the breach is potentially large and/or criminal in nature.
“If it’s something small, you can certainly handle it yourself, but certainly don’t feel shy about getting some outside help…because the 60-day timer is cranking. Don’t eat up that time. You have to act with some level of expediency,” said Mr Fivek. “The one thing you want to walk away with from this presentation is when you have a breach, act quickly. Act decisively, but act quickly. Don’t put it on the back burner, because [if you do] this is going to come bite you.”
1. US Department of Health & Human Services. New rule protects, secures health information patient privacy. News release. January 17, 2013. www.hhs.gov/news/press/2013pres/01/20130117b.html. Accessed September 19, 2014.
2. US Department of Health & Human Services. Instructions for providing notice of a breach to the secretary. www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html. Accessed September 22, 2014.
3. US Department of Health & Human Services. Sample business associate agreement provisions. www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html. Accessed September 22, 2014.