HIPAA and You, A Match Made in Washington – Part 1

Sep 30, 2021

This is the first in a series of posts on HIPAA compliance. These blog posts won’t necessarily be quoting the regulations, or even going over the regulations point by point. We will focus mainly on the technological side of things and give you action items you should be doing while working towards your compliance. We will not cover every facet and caveat of HIPAA as it is very long and involved and spends quite a bit of time on non-technical topics. This first post gives a general overview of HIPAA.

We are writing this to a general audience to provide information for health care businesses and those businesses which support them. That said, this will definitely have a focus towards small and medium-sized businesses. For example, we are not gearing this towards a large hospital or health insurance provider. Our goal here is for you to be able to walk away from this with a good appreciation of what is going to be entailed in gaining and maintaining compliance and why you need to do this. While we firmly believe that everything we cover in here applies to anyone that is HIPAA regulated, it is also possible that you will need to do more depending on your circumstances.

One more note: we try to err on the side of caution when looking at the statutes and ramifications. The word “reasonable” comes up over and over in the regulations in one form or another. “Reasonable” is up for interpretation, so strongly consider what “reasonable” might mean to an auditor when making decisions. In other words, we don’t want you, or your lawyer, to have to argue your point in front of a judge to try and convince him the auditor was wrong. Please understand that we are not trying to scare you here, but there is valid reason to be concerned. The penalties for non-compliance can easily bankrupt most small and medium businesses.

Legal Stuff Our Lawyer Makes Us Say

Please understand that we are not lawyers, nor are we offering legal advice. Take nothing we say in these blog posts as legal advice. If you have any questions about lawyerly-type things, we strongly recommend you ask your lawyer. If you don’t have a lawyer, we’re more than happy to point you in the direction of one that can help.

Now, onto the real reason we’re here.

What is HIPAA?

HIPAA is the acronym for the Health Insurance Portability and Accountability Act. It came out in 1996 and, as you can see from the name, was geared towards health insurance. Since then, it has been updated with the HITECH (Health Information Technology for Economic and Clinical Health) Act and other regulatory rulings and interpretations, but is still commonly referred to as HIPAA. HIPAA falls under the purview of the US Department of Health and Human Services (HHS). The Office of Civil Rights (OCR) is the entity that oversees audits and enforcements.

The current goal of HIPAA is to help ensure the confidentiality of patient information, specifically electronic protected health information (ePHI), against reasonably anticipated threats. HOW you accomplish this is left up to you in a lot of ways. The regulations simply state things you have to do, such as review logs regularly, but not the specifics of the technologies or implementation details you need to accomplish the goal. This is done intentionally as “reasonable” will vary depending on the size of the organization, the type of health care involved, and other things. So, while both the podiatrist on his own and the giant hospital fall under HIPAA, the details of their implementation will be radically different.

A lot of the HIPAA requirements fall under what we would call good business practice in this day and age. Every business, regardless of its industry, should be taking steps to safeguard its client information. So, while there are aspects of HIPAA that aren’t normally found in small and medium businesses, the majority of the steps and procedures that are needed to comply with the regulations are things we recommend to clients every day, even if they aren’t in healthcare.

What Information Does HIPAA Protect?

There is a lot of confusion floating around about what kind of information is covered under HIPAA. Basically, you are to protect the privacy of your clients, so you have to safeguard health information that can be traced to a specific person, aka, personally identifiable. That can mean different things in different scenarios. For example, it definitely means any kind of personally identifiable information linked to any diagnostic or treatment information. But it could also be anything that is tied back to a person: pictures, descriptions, names, etc. The context that the information is in has a bearing on whether it qualifies. Since it isn’t clear cut all the time, we tell clients to treat everything that has not been anonymized as if it was personally identifiable, even if you don’t think it is, just in case. Once again, you don’t want to have to argue the semantics in front of a judge.

Something else to remember is that you have to actually store all your health information for a certain time. The length of time depends on your state – for Alabama it is 6 years. So, you have to ensure that you have access to any health information that you have for that period of time.

Who Falls Under HIPAA?

This is one of those points where people like to play it close to the line, in our point of view. We hear things like, “We don’t take health insurance, so we aren’t under HIPAA’s purview” quite a bit. The actual law just says (paraphrased here) if you transmit electronic transactions for which HHS has adopted standards, then you fall under HIPAA. Right now, that mainly has to do with insurance, but they could adopt standards tomorrow about something that is not related and then there you go.

However, let’s give you the benefit of the doubt and say you are correct in your reading of the law and you don’t fall under HIPAA. That’s great, but what happens if you experience a data breach? HHS isn’t the only game in town that is going to go after you. On the federal level, you have the Federal Trade Commission. Since we are talking about electronic records you can safely assume they have jurisdiction. On the more local level you can have state and local district attorneys that can come after you. Then, of course, you have the patients themselves. HIPAA is fast becoming the de-facto standard for protecting healthcare information, regardless of HHS’s involvement, because it is considered the “reasonable” (that word again!) thing to do. So even if you don’t fall under the purview of HIPAA directly (and you deal in healthcare) you probably want to strongly consider acting like you do anyways.

There are two classifications under HIPAA that are relevant: Covered Entities and Business Associates.

Covered Entities

A covered entity is basically a health care provider (doctors, pharmacies, physical therapists, nursing homes, etc.), health insurance plan, or a health care clearinghouse. Something interesting to note here: if your company is self-insured, and you handle that in house, then you fall under HIPAA! Exciting, no?

If you aren’t sure if you are a covered entity, there is some helpful information for you on HHS’s website.

Business Associates

Business associates are companies that covered entities hire to help them with their business. This applies to companies that have access to the health information of the covered entity or business associate that hired them. Some common examples would be:

  • IT companies
  • Malpractice attorneys
  • Cloud providers that have ePHI hosted on their system (regardless of encryption)
  • The company that services your printers and copiers
  • Practice management firms

A covered entity needs to have a signed Business Associate Agreement (BAA) with every business associate. This document should, among other things, state that they will treat all ePHI in a HIPAA compliant manner. You can read about the specifics of what needs to be in a BAA on HHS’s website or consult your lawyer.

A business associate also needs to have a BAA with anyone they do business with that will have access to ePHI on their behalf. In the IT world, this is most likely with cloud vendors. For instance, we have BAAs signed with various backup vendors that will be storing client data that contains ePHI. A BAA is a chain of trust, so that if you sign one with me then I agree to have any sub-contractors sign one as well, they agree to have THEIR sub-contractors sign one, and so forth.

A business associate that experiences a data breach of ePHI has to report the breach up the chain of its agreements until it eventually gets to the covered entity, which must then follow the notification procedures outlined under HIPAA, about which we advise you to talk to your lawyer.

How Does HIPAA Get Enforced?

In the past, the main way enforcement actions were launched was through the servicing of complaints. Anyone can lodge a complaint against you which will trigger OCR to start an investigation. It will stop investigating under certain circumstances and has purview to voluntarily stop investigations under others, but we aren’t going to go into that here.

OCR can also do random audits of covered entities, just like the IRS. So even if no one notifies them, you can just get lucky. Random audits weren’t performed much in the past but have been increasing in frequency in the past few years.

Something important to note is that OCR has the jurisdiction (via HITECH) to help pay for HIPAA enforcement from the results of HIPAA enforcement. So, it can dip into the fines it collects to help pay for more enforcement actions.

What If I’m Not HIPAA Compliant but Should Be?

If you are not compliant and they catch you, then they generally levy fines. The fines come in four different categories and range from $100 to $50,000 per infraction. Each record or document can be considered an infraction. The good news here is that you max at $1.5 million a year per provision (to date OCR is averaging $1.4 million per settlement from providers of all shapes and sizes). Your name also goes up on the HHS website about their enforcement actions, which is commonly called “The Wall of Shame”.

Now, if you were really naughty, HIPAA does include the possibility of jail time. This is basically reserved for when someone willingly divulged ePHI for gain, so we’re not going to worry about that here, but don’t do that.

Hey, I Bought a “HIPAA Compliant” Package to Set Up My Practice. I’m Covered!

HIPAA is not just about one piece of software. It also covers physical access to your computers, planning, and documentation. So, just because the sales guy said you’d be compliant with his software package, doesn’t mean you are. Also, we have found that while these “HIPAA Compliant” software packages can be set up to be compliant, they often are not, because the people setting them up for you aren’t necessarily well versed in HIPAA’s requirements.

The close cousin to the “HIPAA compliant package” is thinking you’re covered because you have a HIPAA handbook. While you do need to have a HIPAA handbook, this does not cover all of HIPAA, and the policies and procedures need to be reviewed regularly. HIPAA is not a once-and-done kind of thing.

Documentation, The Key to Everything

The most important thing to remember about HIPAA compliance is that, like most government things, it runs on documentation and paperwork. If you make a change in your policies, document it. When you do employee training, document it. As you go through the things to do for the technology safeguards, document not just what you decided, but WHY. Without documentation, you can’t prove you’ve done what you are supposed to have done.

Any documentation about HIPAA, including your policies and procedures, needs to be kept for at least 6 years from the date of the item, or the date the policies and procedures were last used. This can all be stored in an electronic format, so it doesn’t have to be actual paper.

Conclusion

So, this wraps up part one. Hopefully now you have a good idea of who is covered and why you should be concerned. In part two, we’re going to dive right into the actual things you need to do to start your compliance journey.

If you have questions or concerns, feel free to contact us. If you need help with your HIPAA compliance then we are more than happy to provide it.