Editor’s Note: This article was originally published in the 2016 Spring Issue of Alabama Medicine magazine
A physician client recently asked me a seemingly simple, straightforward question: “So, how do I comply with HIPAA?” The answer, unfortunately, is not as simple and straightforward as the question.
HIPAA (i.e., the Health Insurance Portability and Accountability Act) and its various regulations include numerous, often confusing requirements, and little in the way of practical guidance. With this in mind, this article provides the author’s attempt to give, in simple terms, an overview of HIPAA’s requirements, and a short list of practical steps physician practices may take to establish a baseline of compliance.
In the simplest terms, to comply with HIPAA, a physician practice needs to address and satisfy the obligations of a “covered entity” under the regulations set forth in the HIPAA security regulations, 45 CFR § 164.300 et seq. (the “Security Rule”); the HIPAA breach notification regulations, 45 CFR § 164.400 et seq. (the “Breach Notification Rule”); and the HIPAA privacy regulations, 45 CFR § 164.500 et seq. (the “Privacy Rule”), with respect to “protected health information” (“PHI”) received and maintained by the practice on behalf of its patients. HIPAA compliance has garnered significant attention recently, due to increasing public awareness of data breaches and privacy and information security matters generally, as well as increased enforcement efforts by the U.S. Department of Health and Human Services Office of Civil Rights (“HHS” and “OCR”)[1] and other government agencies,[2] not to mention the looming specter of potential class action and other litigation involving affected patients.[3] In addition, OCR recently commenced a new, expanded HIPAA audit program that will select physician practices and other HIPAA-covered entities and business associates for random compliance audits.[4]
To comply with the Privacy Rule, a physician practice must not access, use or disclose PHI, in paper or electronic form, other than as required or permitted by the Rule. For example, the Privacy Rule requires that a physician practice not disclose a patient’s PHI to a third party without an appropriate written authorization from the patient, except in certain circumstances, such as in connection with the patient’s treatment, or payment for such treatment, or the practice’s health care operations. The Privacy Rule also specifies that, in general, even if a particular disclosure is required or permitted, the practice must ensure that the disclosure is limited to the minimum necessary information. In addition to these foundational issues, the Privacy Rule requires that physician practices take certain administrative steps to facilitate compliance, including identifying a privacy officer, implementing written policies and procedures to formalize privacy practices, and entering into business associate agreements (that include specific provisions outlined in the Rule) with vendors and other third parties that create, receive, transmit or maintain PHI on behalf of the practice (“business associates,” in HIPAA terms). Physician practices must also regularly evaluate and update their privacy policies and practices, provide regular privacy training to their workforce members, and impose appropriate sanctions when workforce members fail to comply with established privacy practices.
Under the Security Rule, physician practices must implement reasonable and appropriate administrative, physical and technical safeguards to protect electronic PHI (“ePHI”). Technical safeguards include, for example, encryption, access controls, audit logs, authentication controls, and other safeguards directed toward securing ePHI. Physical safeguards include locking doors, screening computers, and other safeguards to protect access to workstations and other physical facilities where workforce members access ePHI and protocols to safeguard ePHI during disposal. Administrative safeguards include security risk analysis (discussed further below) and risk management plans, contingency/disaster recovery plans, and security incident reporting procedures, as well as written policies and procedures addressing security practices, regular evaluation of security safeguards, and workforce training and sanctions, similar to the Privacy Rule.
Breach Notification Rule
The Breach Notification Rule requires that, in the event a physician practice discovers an unauthorized access, use or disclosure of unsecured PHI (for example, a breach of unencrypted ePHI), in paper or electronic form, the practice must notify each patient affected by the breach, as well as OCR,[5] unless the practice can demonstrate, based on a risk assessment conducted in accordance with the Rule,[6] that there is no more than a low probability that the PHI was compromised. Like the Privacy Rule and the Security Rule, the Breach Notification Rule also requires that physician practices implement written policies and procedures to document their breach notification responsibilities and practices, train workforce members regarding their responsibilities in the event of a breach, and hold workforce members accountable for non-compliance.
In view of the various rules and requirements discussed above, physician practices may take the following steps toward establishing a baseline of compliance with HIPAA.
Perform a security risk analysis in compliance with the Security Rule. It is essential that every physician practice perform (and regularly update, as appropriate) a security risk analysis, in compliance with the Security Rule, as noted above. Done properly, the security risk analysis highlights specific risks and vulnerabilities in the practice’s security practices and recommends specific steps to address them – thereby providing a road map, of sorts, to compliance with the Security Rule. From an enforcement standpoint, OCR has repeatedly zeroed in on covered entities that fail to perform an appropriate risk analysis. As a practical matter, most physician practices utilize third-party consultants, with appropriate information technology expertise and resources, to conduct the risk analysis. In any case, the risk analysis should be coordinated through legal counsel to, among other things, ensure applicable HIPAA requirements are addressed and preserve attorney-client privilege, to the extent possible, as to communications with the consultant (i.e., in regard to security risks and vulnerabilities identified in the analysis). Physician practices should be sure, also, to routinely update their risk analysis, to ensure that new and evolving legal requirements and risks are timely addressed.
Implement appropriate written policies and procedures for compliance with the Privacy Rule, Security Rule and Breach Notification Rule. It is also essential that every physician practice implement written policies and procedures to facilitate compliance with the Privacy Rule, the Security Rule and the Breach Notification Rule. “Template” policies and procedures may be obtained from various sources, and may be sufficient for compliance, at least temporarily; ultimately, however, practices should tailor their policies and procedures to their particular circumstances – including, for example, the specific risks and vulnerabilities identified, from time to time, in the practice’s (ongoing) security risk analysis, as well as the practice’s history and experience with (actual) privacy, security and breach matters. As noted above, it is also critical that the practice regularly review and update its policies and procedures to ensure compliance with applicable laws and regulations, and to take into account, again, any recent privacy, security or breach-related matters at the practice.
Address encryption. Technically, encryption is not required to comply with the Security Rule. Like risk analysis, however, encryption (specifically, lack of encryption) is a favorite target of OCR in its enforcement efforts, especially in regard to (unencrypted) mobile devices, such as laptops and tablet computers, smartphones, and the like.[7] Moreover, encrypted ePHI (i.e., “secure” ePHI)[8] is not subject to the Breach Notification Rule; that is, even if the information is somehow breached, the practice need not notify patients or OCR regarding the incident.
Vet vendors and vendor contracts. Physician practices should routinely vet any vendors (i.e., business associates) that have access to PHI, in paper or electronic form, to ensure the vendor has appropriate safeguards in place, similar to those required of the practice. In addition, as noted above, physician practices should ensure that they have written, HIPAA-compliant business associate agreements in place with such vendors. Practices should also confirm that business associate agreements and/or related vendor service contracts include adequate protections (in the form of indemnification and other remedies) for the practice in the event of a data breach or similar incident. Moreover, due to the significant risk management and legal implications now associated with ePHI, practices are advised to coordinate review of their vendor arrangements and contracts with appropriate legal counsel.
Implement appropriate back-up and contingency plans. The Security Rule requires that physician practices have in place secure procedures for backing up PHI and safeguards to protect PHI and to recover lost PHI, in the event of a natural disaster or other, similar contingency. Some practices utilize their own servers or resources to back up data; others utilize “cloud” or similar third-party services. As a practical matter, similar to risk analysis, contingency plans are often developed and implemented in coordination with a third-party consultant with appropriate expertise.
Confirm appropriate insurance coverage is in place. Many insurance carriers now offer some form of “cyber” insurance coverage to protect against losses related to data breaches and other information security matters. Cyber insurance typically addresses the insured’s overall information technology security practices; it may or may not address specific HIPAA compliance issues. In lieu of (or in addition to) cyber coverage, physician practices may look to other insurance (directors and officers, errors and omissions, professional liability, general liability, etc.) for coverage. In any case, particularly in view of the significant enforcement and litigation risks now associated with HIPAA and related privacy and security matters, physician practices must be sure they have adequate insurance coverage in place in the event of a data breach or similar privacy or security incident – and, in the event coverage is available from multiple sources, that they understand the interplay between the various policies.
[1] OCR enforcement efforts include a number of high-dollar settlements (known as “resolution agreements”) entered into between OCR and HIPAA covered entities, including physician practices. For additional information pertaining to OCR resolution agreements and other enforcement efforts, please see the HHS website, at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/index.html. (To view OCR resolution agreements involving physician practices, visit the above link and select “Private Practices.”)
[2] Besides OCR, data breaches (whether or not HIPAA is implicated) may trigger enforcement efforts by state attorneys general, the Federal Trade Commission and other state or federal agencies.
[3] See, e.g., Class Action Lawsuit for Flowers Hospital Data Breach Moves to Discovery Phase, HIPAA Journal (Oct. 5, 2015), accessible at http://www.hipaajournal.com/flowers-hospital-class-action-data-breach-lawsuit-moves-to-discovery-8133/ (last visited March 24, 2016).
[4] See OCR Launches Phase 2 of HIPAA Audit Program, available at http://www.hhs.gov/hipaa/forprofessionals/compliance-enforcement/audit/phase2announcement/index.html.
[5] Notification to OCR is delivered using an online portal on the HHS website, accessible at https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true.
[6] The Breach Notification Rule includes specific factors the physician practice must take into account in conducting the risk assessment. These factors are set forth at 45 CFR § 164.402.
[7] OCR data indicates that a significant portion of reported breaches of unsecured PHI, perhaps more than half, involve theft or loss of an unencrypted mobile device.
[8] To avoid the notification requirements of the Breach Notification Rule, ePHI must be encrypted according to specific National Institute of Standards and Technology (“NIST”) protocols. For information regarding specific encryption protocols, see Guidance to Render Unsecured Protected Health Information Unusable, Unreadable or Indecipherable to Unauthorized Individuals, on the HHS website, at http://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html.
The information in this article reflects the thoughts and opinions of the author, and does not, and is not intended to, constitute legal advice. If you have specific questions pertaining to HIPAA or other legal matters addressed herein, please consult appropriate legal counsel.
Contributed by D. Brent Wills, Esq., a partner at Gilpin Givhan P.C., a Bronze Partner with the Association.