Privacy and HIPAA: What Executives Need to Know Now
Keeping protected health information private is a massive task with ever-increasing penalties for failure. Adherence to HIPAA must be an ongoing, full-time effort. Successful compliance requires diligence and continuous improvement, especially in light of the final omnibus HIPAA and HITECH rule, released by HHS in January.
The new rule went into effect on March 26, and covered entities and business associates are expected to comply by September 23. This article outlines three key areas for executive understanding and oversight with regard to new HIPAA privacy rules: business associate relationships, breach reporting expansion and new restrictions on PHI.
Healthcare ripe for information breachHealthcare organizations large and small are susceptible to information breach. Vulnerabilities are inevitable. California-based security firm Symantec lists the healthcare industry as the worst offender of information breach, with 43 percent of healthcare organizations reporting that they experienced a breach in 2011. The second-worst offender was the government industry with 13 percent of organizations reporting a breach.2 And although the actual number of massive breaches (those involving 500 or more people) decreased in 2012, the volume of actual patients impacted by those information breaches nearly doubled, according to data compiled by Kaufman Rossin and Co., a Miami-based accounting firm.3 Information breaches in healthcare have become a near-constant occurrence.
Secondly, the growing cost of breaches is alarming. HIPAA fines are only a fraction of the financial impact. More expensive is the countless staff hours spent once a breach occurs. The HIMSS Privacy & Policy Task Force estimates that time spent on legal issues, resolution and remediation could cost provider organizations between $4-5 million.4
The potential downsides have gotten the attention of the executive suite. More and more organizations now have both privacy and security officers and substantial HIPAA compliance budgets. The allocation of scarce financial resources and human capital to the privacy problem shows that executives have changed their thinking and gotten the message.
Finally, more than 90 percent of breaches are caused by human error and accidental data or device loss. Tighter policies, procedures, education and data encryption help to prevent these occurrences. The remaining breaches are more insidious and involve organized efforts to implement medical identity theft, which is becoming a bigger problem than financial identity theft. On the black market, a stolen social security card costs one dollar while a stolen medical record is worth $50.
Business associate relationships changeUnder the original HIPAA rules, BAs of a covered entity were not liable for information breached while under their control or possession. Liability fell to the CE. However, the final HIPAA omnibus rule changes this policy and makes BAs — as well as BA subcontractors — directly liable for any breach of PHI, including the cost of remediation. BA relationships and contracts should all be revisited in 2013 with the following key changes in mind:
- Security rule safeguards apply to BAs;
- Privacy rule use and disclosure rule apply to BAs;
- BAs can use PHI only as stated in contract/agreement;
- Penalties can now be assessed on BAs;
- BAs are now responsible for having business associate agreements, and their subcontractors will now be treated as BAs.
Breach notification reporting expandsBreach notification for unsecured PHI under HITECH has been updated and expands under the final omnibus rule. A more objective standard for breach reporting is now in place, and breach documentation must be maintained and retrievable for six years. And BAs are now also responsible for breach reporting.
Executive support ensures that a well-vetted and funded breach notification plan is in place when the inevitable breach occurs. A strong plan mitigates risk, potential harm and reputation damage due to information breach. This plan, coupled with documented preventative measures and training programs, shows organizational stakeholders that leadership made every effort to stop breaches. These efforts also go a long way to dismiss negligence or criminal intent accusations, and financial penalties could be considerably less.
Digital age drives new restrictions on using PHIFinally, "the final rule greatly enhances a patient's privacy protections, provides individuals new rights to their health information and strengthens the government's ability to enforce the law," as stated in the HHS statement on the Omnibus rule. HHS Secretary Kathleen Sebelius also emphasizes that "much has changed in healthcare since HIPAA was enacted over 15 years ago" and that the "new rule will help protect patient privacy and safeguard patients' health information in an ever-expanding digital age." With these foundational drivers in mind, I am recommending four changes to boost immediate awareness by senior leadership and covered entity marketing teams.
- Limitations on the use and disclosure of PHI for marketing and fundraising purposes are strengthened.
- The sale of PHI without individual authorization is prohibited.
- Disclosure of PHI concerning treatment for which the individual has paid out of pocket in full is prohibited.
- All notices of privacy practices must be modified and redistributed throughout the entire organization.
Prevention still the best medicinePrevention is still the best medicine for reducing risk of information breach and ensuring HIPAA compliance. The human error aspect of breaches is solvable only through education, education and more education. The era when HIPAA training materials sat on shelves and collected dust is over. 2013 is the year for healthcare executives to become aware and get involved. Executive supervision and active participation are absolute necessities. Privacy is not a one and done; it must become part of the fabric of your organization.
1 "Who's Looking at Your Files," Gorman, Time, May 6, 1996, p. 60, et seq.
2 “2011 Cost of Data Breach Study: United States” Symantec Corp. and The Ponemon Institute. March 2012. Available online at: http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=ponemon-cost-of-a-data-breach-2011&om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2012Mar_worldwide__CODB_US
3 “HITECH Act Three Years Later - Are Health Records Safe?” Kaufman Rossin and Co. July 2012. Available online at: http://www.kaufmanrossin.com/papers-detail.php?id=343
4 “Creating a Trusted Environment: Reducing the Threat of Medical Identity Theft”. HIMSS Privacy & Policy Task Force. June 2012. Available online at: http://himss.files.cms-plus.com/HIMSSorg/content/files/CreatingaTrustedEnvironment_Reducing_the_Threat_of_Medical_Identify_TheftFINAL.pdf
Rita Bowen is a distinguished professional with 20+ years of experience in the health information management industry. She serves as the senior vice president of HIM and privacy officer of HealthPort where she is responsible for acting as an internal customer advocate. Most recently, Ms. Bowen served as the enterprise director of HIM Services for Erlanger Health System for 13 years, where she received commendation from the hospital county authority for outstanding leadership. Ms. Bowen is the recipient of Mentor FORE Triumph Award and Distinguished Member of AHIMA’s Quality Management Section. She has served as the AHIMA President and Board Chair in 2010, a member of AHIMA’s Board of Directors (2006-2011), the Council on Certification (2003-2005) and various task groups including CHP exam and AHIMA’s liaison to HIMSS for the CHS exam construction (2002).
More Articles on Privacy Issues:3 Points on Why Hospitals Need to Build Data Governance Into HIT Infrastructure
© Copyright ASC COMMUNICATIONS 2012. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.
To receive the latest hospital and health system business and legal news and analysis from Becker's Hospital Review, sign-up for the free Becker's Hospital Review E-weekly by clicking here.