American Osteopathic Association


Achieve HIPAA Compliance By Sept. 23

Aug. 8, 2013

Large and small health care entities alike face growing challenges in protecting the personal data of their patients. The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to ensure the privacy and security of personal health information. During the past 17 years, some of the largest breaches of HIPAA-protected health information reported to the Department of Health and Human Services (HHS) have involved business associates.

For example, in 2012, BlueCross BlueShield of Tennessee (BCBST) agreed to pay HHS $1.5 million to settle violations of the HIPAA Privacy and Security Rules. BCBST reported that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee. The drives contained the protected health information (PHI) of more than 1 million individuals, including member names, Social Security numbers, diagnosis codes, dates of birth and health plan identification numbers. HHS found that BCBST failed to implement appropriate administrative safeguards to protect the information remaining at the leased facility, because it did not perform the required security evaluation in response to operational changes. The investigation also showed a failure to implement appropriate physical safeguards, because the facility lacked adequate access controls. Both safeguards are required by the HIPAA Security Rule.

The HIPAA Omnibus Final Rule published in January 2013, which implements the privacy and security provisions of the HITECH Act, builds on the existing HIPAA regulations with several new, expanded or revised provisions that strengthen the privacy and security protections for PHI, particularly information maintained in electronic health records and other electronic formats. The new rules apply the same protections regardless of whether the information is held by a health plan, a health care provider or one of their business associates. Three of the key changes you need to be aware of are the need for revised Business Associate Agreements, a stronger Breach Notification Rule with stricter enforcement and a new Notice of Privacy Practices requirement.

Business Associate Agreements

The new HIPAA rule expands the definition of a business associate. A subcontractor that creates, receives, maintains or transmits PHI on behalf of a business associate is now itself a business associate, as is any organization that maintains PHI on a covered entity's behalf (a data storage vendor, for example), whether or not it routinely accesses that data. This means the covered entity must have a Business Associate Agreement with each of its business associates, and each business associate must in turn have a written agreement with its subcontractors that carries the same privacy and security obligations down the chain. Business Associate Agreements that were already in place before Jan. 25, 2013, and were not modified between March 26, 2013, and Sept. 23, 2013, may continue to be honored until they expire or are renewed, or until Sept. 22, 2014, whichever comes first.

Breach Notification Rules and Enforcement

The 2013 HIPAA regulations also set a higher standard for what counts as a breach of PHI and stiffer enforcement. Before Sept. 23, 2013, an impermissible use or disclosure was treated as a breach only if it posed a significant risk of harm to the individual. After Sept. 23, 2013, any impermissible use or disclosure is presumed to be a breach, and the burden is on the covered entity or business associate to demonstrate a low probability that the PHI has been compromised, based on a four-factor risk assessment: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. Civil penalties are separately graded in four tiers of culpability, from $100 per violation where the entity did not know of the violation, up to $50,000 per violation for willful neglect that is not corrected, with an annual cap of $1.5 million for all violations of an identical provision.

New Notice of Privacy Practices

Under the new 2013 regulations, your Notice of Privacy Practices must be updated, and your policies must address everyday situations involving access to protected health information. For instance, can you post pictures of patients on your Facebook page? What happens if you leave your thumb drive in a taxi? How do you handle access to PHI from mobile devices?

To be compliant with new HIPAA requirements, physicians must:

