If complying with the Health Insurance Portability and Accountability Act (HIPAA) isn’t one of your practice’s top priorities, it should be. While there are no new requirements for 2018, HIPAA is more strictly enforced than ever, and important clarifications have been issued as technology becomes more deeply integrated into practice management. The safety of your patients’ data and the longevity of your practice depend on your compliance.
A brief history of HIPAA
Passed in 1996, HIPAA established the first set of national guidelines for healthcare data maintenance and exchange. Over the next 10+ years, HIPAA expanded to include the enactment of the Privacy, Security and Enforcement rules, which set standards for personal health information (PHI) protection, disclosure, and access. These rules also outlined the compliance infrastructure that healthcare providers, health plans, and clearinghouses should have in place to protect data, monitor HIPAA adherence and report breaches.
The Enforcement Rule put initial financial penalties in place, but HIPAA didn’t gain teeth until three things happened:
- The HITECH Act expanded HIPAA’s scope as part of a national mandate for implementing and promoting the meaningful use of electronic health records (EHRs).
- The Office of Civil Rights (OCR) was named enforcing agency for HIPAA violations, commencing nominal audits in 2011 and a second round in 2016.
- The Omnibus Rule of 2013, among its many provisions, expanded HIPAA requirements to the business associates of covered entities (e.g., EHR vendors) and put more enforcement and penalty provisions into place.
As the law enters its third decade, being “HIPAA ready” means having not only the right systems in place but also having a compliance and risk assessment program that clearly demonstrates a commitment to privacy and security.
A formal compliance program has never been more important
The past two years have seen a dramatic increase in the number of HIPAA-related settlements and associated financial penalties. It’s critical that your practice implement and maintain a formal compliance program with the policies, procedures, and personnel to pass muster with the OCR. While the agency has not yet announced a new round of audits, practices would do well to familiarize themselves with the existing protocols, which cover:
- Information use and disclosure
- PHI and authorized representatives
- Confidential communications
- Privacy practice notice requirements
- Business associate agreements (BAAs)
The OCR, along with the Office of the National Coordinator for Health Information Technology (ONC), has also compiled an excellent toolkit for HIPAA compliance, including sample BAAs and privacy notices that practices can freely use.
E-mail and text? Yes, but know the rules
As smartphones gain dominion over every aspect of our lives, email and text messaging have become powerful tools for patient engagement and health management. Practices are now using marketing automation tools, social media, chatbots, and SMS marketing tools to remind patients of existing appointments and to encourage positive changes through wellness initiatives.
HIPAA allows providers to use these tools for communications to and from patients, but message encryption/security is critical. If not offered, practices must notify patients and allow them to opt out.
In December 2017, the Centers for Medicare & Medicaid Services (CMS) clarified that while providers may text patient information to one another, it must be via a secure platform and cannot include the texting of patient orders. Its position reinforces not only HIPAA but its own Conditions of Participation (CoPs) and Conditions for Coverage (CfCs) agreements.
HIPAA and cloud-based data requirements
More and more patient data is migrating to the cloud, which HIPAA allows. The OCR issued guidance in 2016 outlining requirements for the cloud service providers (CSPs) that medical practices must inevitably turn to for secure system implementation. Critically, your CSP is considered a business associate under HIPAA and is therefore subject to its rules, even if the CSP only stores your data and does not hold the encryption key.
Your BAA with your CSP must contain language that holds it liable for HIPAA compliance. This includes adherence to the Security Rule (ensuring limited access to ePHI), Privacy Rule (ensuring proper use and disclosure of ePHI), and the Breach Notification Rule (reporting incidents). Troy Parks with the American Medical Association says it best: “[If] you use or are thinking of using a CSP to create, receive, maintain or transmit ePHI on your behalf, you must have a BAA with the CSP, or both you and the CSP will be in violation of HIPAA.”
New administration, new competition
Currently, messages are mixed as to whether HIPAA will expand under the Trump Administration. On one hand, the OCR’s 2018 budget includes fewer dollars for enforcement. On the other, OCR Director Roger Severino has indicated that finding a “big, juicy, egregious” data breach case is among his top priorities. Whatever tack the OCR takes, one thing is clear: with nine settlements and more than $17 million in associated fines in 2017, HIPAA compliance will remain paramount.
A final thing practices should bear in mind? The role of new competitors and the impact on the HIPAA landscape. In January of this year, Amazon announced its search for a HIPAA Compliance Lead, fueling speculation that the online retailer is looking to enter healthcare in a big way.
AdvancedMD will continue to watch this space as more players enter the healthcare landscape and look for ways to remain compliant as cloud-based and other tech solutions grow.
Laura Beerman is a writer for TechnologyAdvice. Her insights have appeared in RevCycleIntelligence, Becker’s, InformationWeek and other outlets. She has spoken nationally on population health, long-term care, and been interviewed by The Wall Street Journal for her accountable care predictions. She resides in Nashville with her Canadian husband and American kittens. You can find her on LinkedIn.