By Holly Carnell, JD, Associate and Meggan Bushee, JD, Associate at McGuireWoods.
September 23, 2013 Compliance Deadline for New Requirements.
On January 17, 2013, the U.S. Department of Health and Human Services (HHS) released the long-awaited omnibus final rule (Final Rule) pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and the Genetic Information Non-Discrimination Act of 2008 (GINA). The Final Rule is effective as of March 26, 2013, and covered entities and business associates must comply with the applicable requirements of the Final Rule by September 23, 2013.
The key compliance tasks for covered entities related to the Final Rule are as follows:
- Revise and redistribute Notices of Privacy Practices to patients.
- Revise policies and procedures and train workforce on new requirements.
- Update breach definition and breach assessment tools to comport with the new "objective" breach standard (as discussed below).
- Evaluate all business associate relationships to ensure business associate agreements are in place as required under the expanded definition of Business Associate.
- Revise existing business associate agreements by September 23, 2014.
HITECH Mandated Audits Have Commenced.
The HITECH Act requires HHS to perform periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. The Office for Civil Rights (OCR) implemented a pilot program whereby KPMG LLP, a public accounting firm, developed an audit protocol and conducted 115 audits of covered entities from November 2011 through December 2012. The audit protocol is posted on the OCR website and provides a useful tool for providers to ensure they comply with the Privacy and Security Rules and Breach Notification standards.
Small Providers are Facing Large Fines.
On January 2, 2013, HHS announced it had reached an agreement with the Hospice of North Idaho (HONI) to settle potential violations of the Security Rule. HONI was investigated after it reported to HHS the theft of an unencrypted laptop computer that contained the electronic protected health information (ePHI) of 441 patients. In its press release regarding the settlement, OCR Director Leon Rodriguez emphasized that the action against HONI "sends a strong message to the healthcare industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information."
Another notable enforcement action against a small healthcare provider occurred in April 2012, against Phoenix Cardiac Surgery, P.C., a cardiology practice with just two owners. The initial claims against the practice related to postings by practice staff of clinical and surgical appointments for patients on a publicly accessible Internet-based calendar. The OCR investigation soon expanded into a full review of the entity's HIPAA compliance which led to a determination by OCR that the practice, amongst other things, failed to implement adequate policies and procedures, document employee training, appoint a security official, and conduct a security risk assessment. The practice paid $100,000 to settle the claims against it and entered into a corrective action plan (CAP). The resolution agreement, which includes the OCR's findings and the details of the CAP, may be found here.
Security Rule Compliance is the Focus of OCR Enforcement Actions.
Recent HIPAA enforcement actions publicized by OCR demonstrate a pattern of sanctioning entities that are out of compliance with the Security Rule. As of February 28, 2013, OCR had 258 open complaints and compliance reviews specifically pertaining to the Security Rule. In June 2012, following a $1.7 million settlement of Security Rule violations, OCR Director Leon Rodriguez cautioned, "Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices."
Also in June 2012, following agreement by Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. to pay HHS $1.5 million to settle potential Security Rule violations, Rodriguez commented, "In an age when health information is stored and transported on portable devices such as laptops, tablets, and mobile phones, special attention must be paid to safeguarding the information held on these devices." While Security Rule compliance may not have been a focus of providers in the past, it is an area where an increased effort towards compliance may render significant benefit to covered entities and business associates.
New Standard for Breach of Unsecured PHI.
HIPAA requires notice to affected individuals, HHS and, in certain circumstances, the media when covered entities or their business associates discover a "breach" of unsecured PHI. HHS defines "breach" as the "acquisition, access, use, or disclosure" of PHI in violation of the Privacy Rule that "compromises the security or privacy" of the PHI. Previously in the Interim Final Rule, HHS defined the phrase "compromises the security or privacy of the PHI" to mean that the acquisition, access, use or disclosure "poses a significant risk of financial, reputational, or other harm to the individual," which became known as the "risk of harm standard."
After considering public comments, HHS determined that the risk of harm standard was too subjective and could be construed and implemented in a manner it had not intended. Accordingly, in the Final Rule, HHS revised the definition of "breach" to state that unless an exception applies, an impermissible use or disclosure of PHI is presumed to be a breach requiring notification unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised. To determine whether there is a low probability that the PHI has been compromised, the covered entity or business associate, as applicable, must conduct a risk assessment that considers certain factors to determine the overall possibility that the PHI has been compromised.