There are many agencies that medical facilities have to answer to. From medical waste handling and disposal regulations to required annual OSHA training, it can be overwhelming to stay on top of all the federal, state, and local laws. HIPAA is yet another body of rules to stay compliant with, and is arguably the most violated regulation in healthcare.
The Health Insurance Portability and Accountability Act, or HIPAA, was signed into law in 1996. In the healthcare industry, it is generally the HIPAA Title II section that outlines the standards medical practices need to follow.
There are 5 specific standards in Title II:
- Unique Health Identifiers - This is the unique 10-digit National Provider Identifier, or NPI, that all healthcare providers, health plans, and individuals are required to have.
- Transfer of Information Among Health Plans - This requires all healthcare organizations to follow a standardized electronic data interchange when submitting and processing insurance claims.
- Security Standards for Health Information - Perhaps the most violated standard, this details what Protected Health Information is and to what extent health agencies are to guard and proactively protect against any “reasonably anticipated threats or hazards to the security or integrity” of that information.
- Code Sets - This standard outlines the set of codes that are to be used for encoding data elements. This includes tables of terms, medical concepts, medical diagnosis codes, and medical procedure codes. These Code Sets took effect in 2002 to help simplify the processes and decrease healthcare costs.
- Electronic Signature - This specifies procedures for the electronic transmission and authentication of signatures.
According to the Department of Health & Human Services, Protected Health Information, or PHI, is “information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual”.
The department further defines PHI as “information that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).”
HIPAA requires that all employees at a healthcare institution, from medical clinics and hospitals to insurance companies and healthcare clearinghouses, have HIPAA training. This applies to all employees at the facility, so it not only includes doctors and dentists, but receptionists, part-time workers, and temporary employees as well. Anyone at the business dealing with Protected Health Information is required to have the mandatory training.
HIPAA also requires “periodic” refresher training. Although the time interval is ambiguous, the rule of thumb in the industry is to hold these refreshers annually.
Healthcare facilities and their business associates are required to conduct a risk analysis of their respective systems. The Department of Health and Human Services and the Office for Civil Rights, the latter of which enforces HIPAA regulations, jointly created a tool to make that task manageable: the HIPAA Security Risk Assessment (SRA) Tool.
Although using the SRA Tool is not required, a thorough and accurate assessment of the risks and potential vulnerabilities involved in managing Protected Health Information is definitely required.
As noted in a NIST Special Publication, the types of questions to ask in an assessment are:
- “Have you identified the electronic PHI (or e-PHI) within your organization? This includes e-PHI that you create, receive, maintain or transmit.
- What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit e-PHI?
- What are the human, natural, and environmental threats to information systems that contain e-PHI?”
If there is ever a breach of an organization’s electronic PHI, whether an outright cyber attack on files or the misplacing of a storage device, you are required to self-report it. This is dictated by the HIPAA Breach Notification Rule, which requires you to report the breach to the Department of Health and Human Services. There are severe fines for violating the Breach Notification Rule.
Business Associate Agreements
HIPAA requires that any vendors and third-party affiliates that interact, or could interact, with Protected Health Information sign a Business Associate Agreement (BAA). Through these contractual agreements, the vendors and third-party affiliates make clear how they follow all HIPAA regulations. These associates are then also expected to have the required HIPAA training.
There are many examples of healthcare facilities being fined for violating this requirement. To name a few:
In 2013, a Raleigh, NC orthopedic clinic was required to pay $750 million for engaging the services of a third-party provider in the absence of a BAA.
In 2018, a Florida contractor physicians group was fined $500,000 for sharing PHI with a vendor in the absence of a BAA.
HIPAA does not clearly outline rules regarding labels on regulated waste. If healthcare employees are trained on the proper disposal of medical waste, including PHI labeling, and a regulated disposal system is in place to dispose of that waste, then no extra steps are needed to stay HIPAA compliant.
The Office for Civil Rights (OCR) is tasked with enforcing HIPAA legislation in the following ways:
- It investigates complaints that are filed with the office.
- It conducts compliance reviews.
- It performs education and outreach to encourage HIPAA compliance.
- It works in conjunction with the Department of Justice when possible HIPAA violations are discovered.
There can be stiff fines for breaking HIPAA regulations. Even if a healthcare facility has itself been the victim of a data breach, it can still be found liable.
A facility can be forced to pay civil money penalties of $100 to $50,000 or more per violation, with a calendar-year cap of $1,500,000.
A healthcare employee who knowingly discloses PHI can face a criminal penalty of up to $50,000 and up to one year of imprisonment. The penalties increase to up to $250,000 and 10 years of imprisonment if the crime is found to involve false pretenses and/or the intent to sell the information for monetary gain or to cause malicious harm.
Some real-world violations to note are:
In 2014, the Office for Civil Rights announced an $800,000 HIPAA settlement with Parkview Health Systems after paper medical records for 5,000 to 8,000 patients were dumped in the driveway of a physician’s home.
In 2017, Memorial Hermann Health violated HIPAA regulations by releasing the name of a patient in a press release. The settlement was for $2.4 million.
As can be seen, staying HIPAA compliant is extremely important, as the consequences of not doing so can be dire, including six-figure lawsuits. However, by adhering to the five standards spelled out in Title II, properly managing Protected Health Information, and training your staff, your business can stay HIPAA compliant and avoid these painful pitfalls.