News

Media

Issues

Resources

Continuing Education

HIPAA and beyond: The rules and regulations surrounding data protection

November 12, 2019

Terri Lively

Article

For over 20 years, HIPAA has required you to protect the private health records of your patients. However, few practices have security that is 100 percent up-to-date on the rules and regulations that apply to data protection-a mistake that could cost hundreds of thousands of dollars (or more) in penalties and other fees. Here's a closer look at what you need to know about the federal law.

On November 5, 2019, the University of Rochester Medical Center (URMC) settled on a $3 million penalty to the Office for Civil Rights (OCR) for using unencrypted mobile devices.[1] The OCR is the enforcement body at the U.S. Department of Health and Human Services (HHS) for the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

URMC was a repeat offender for not encrypting mobile devices and had two thefts of devices (a flash drive in 2013 and a laptop 2017) that contained Protected Health Information (PHI).[2] The OCR felt that because URMC had not corrected the problem, a hefty fine was issued. In addition, URMC was ordered to fix the problem.

Let’s take a closer look at what you need to know about the federal law.

What is HIPAA?

HIPAA is a law passed during the Clinton Administration to “improve the efficiency and effectiveness of the health care system.” Lawmakers recognized that as our electronic technology advanced, private health records were at risk.

Within the law, there exists mandatory national standards for electronic health records privacy and security for health care providers, among other things. These standards include:

The Privacy Rule

The Security Rule

The Enforcement Rule

The Omnibus Rule

Continue reading on the next page...

The Privacy Rule

Firstly, the Privacy Rule defines PHI as any data that contains the individual’s health history, including past, present, or future physical or mental conditions. It includes records of the care provided to the person and it also covers the past, present, or future payments made for the healthcare provided. In addition, PHI includes information that identifies the person, such as demographic data, name and address, birth date, or Social Security number.

Also, the Privacy Rule outlines required disclosures and permitted uses and disclosures. The only required disclosures are when the patient asks for it or when the HHS is investigating the practice for compliance. Permitted disclosures include:

Giving PHI to the individual

During treatment, payment, and other healthcare operations,

In situations where the patient can grant informal permission (i.e., patients say it’s okay)

In day-to-day use for administrative tasks

When it meets one of 12 public interest specifications (i.e., preventing and controlling outbreaks, in FDA regulation cases, and serious threats to safety, among others).

Practices can also disclose PHI after removing the patient’s identifying factors from the record. However, in all cases, the Privacy Rule uses the principle of “minimum necessary” use and disclosure. In other words, only the minimum necessary information should be released that is needed to complete a task.

Secondly, this rule protects the electronic PHI that healthcare providers have on site or in the cloud. The concept behind the law was to define and limit the circumstances that entities subject to the HIPAA jurisdiction disclose PHI. Compliance with the Privacy Rule (finalized and modified by 2002) was required for all health care providers by 2004.

The rule applies to dental practices because they are healthcare providers who transmit PHI in electronic form. It does not matter the size of your practice or whether a third-party is used to send this information. From claims to benefit eligibility inquiries to referral authorizations and other situations, your practice falls under the jurisdiction of HIPAA regulations, and your job is to ensure that unauthorized people don’t see PHI.

Continue reading on the next page...

This responsibility also applies to business associates or people or organizations outside of your employees that work on your behalf and use PHI. Business associates could be claims processors, data analysis teams, billing, and other similar services. They can provide legal or accounting services, work as consultants, or handle IT, and many different types of services. The only third-parties excluded from business associate status are those that do not use or access PHI.

As a result of their access to PHI, your business associates must have a business associate agreement. Per the HHS website, “the Rule requires that the covered entity include certain protections for the information in a business associate agreement.” The site also provides links to sample business associate contract language.

To read all the details of the Privacy Rule, please click here.

The Security Rule

The national standards for maintaining the availability, confidentiality, and integrity of electronic protected health information (e-PHI) came next. The Security Standards for the Protection of Electronic Protected Health Information, aka The Security Rule, establishes the standards for protecting data. It also addresses the technical and non-technical safeguards for which practices are responsible. The Security Rule was finalized in 2003 and compliance was mandated by 2006.

As technology advanced and dentists and labs began to use digital means for practicing instead of paper records, the electronic transfer of PHI became a higher security risk. Per the HHS website, the Security Rule “operationalizes” the Privacy Rule, which means it defined what practices should do to protect data. However, the goal is to protect electronic PHI (e-PHI) while allowing practices to adopt technology to improve patient care and efficiency.

Furthermore, the HHS says the Security Rule is meant to be flexible and scalable, allowing it to consider the practice in compliance. In other words, it allows for small practices to handle e-PHI security in a way that makes sense for them and larger practices to do the same.

Continue reading on the next page...

Like the Privacy Rule, the Security Rule applies to dental practices and their business associates. The Security Rule does not, however, apply to written or spoken PHI.

The guidelines of the Security Rule include the following:

Dental practices must ensure the confidentiality, integrity, and availability of all e-PHI they enter, get from elsewhere, store, and send.

Practices must recognize potential threats to the security or integrity of the e-PHI in their possession and protect themselves.

They must also safeguard against potential and unacceptable uses or disclosures of e-PHI.

Practices should train their employees and ensure compliance in the standards.

The first guideline defines what confidentiality, integrity, and availability mean. First, confidentiality means that unauthorized people don’t see e-PHI. Integrity means that it doesn’t get changed or destroyed. Lastly, availability means that e-PHI is available and operational to authorized people.

As mentioned, the guideline is meant to be scalable and flexible to accommodate practices of all sizes (and resources). However, technology and the threats to security are always changing. That means the dental practice should regularly review and revise their security. Furthermore, the Security Rule requires a practice to engage in periodic risk analyses to evaluate the chances of a breach and respond with appropriate measures. It also directs practices to document the security measure, as well as the reason for choosing it. Finally, it says that a dental practice should “maintain continuous, reasonable, and appropriate security protections.”

There are three areas of safeguards for e-PHI, as dictated by the Security Rule. These include administrative safeguards, physical safeguards, and technical safeguards.

Continue reading on the next page...

Administrative safeguards: This includes the security management process (i.e., the risk analysis and responses), designating a member of the team to manage security for the practice, defining the policies and procedures for authorizing access to e-PHI, and ongoing training on e-PHI security.

Physical safeguards: This safeguard address the actual location of the e-PHI; in other words, where this information is physically located. It also requires workstation and device security policies and procedures for proper use of and access to e-PHI, as well as how it’s transferred, removed, or disposed of.

Technical safeguards: The technical safeguards address access control policies and procedures from a technical standpoint, audit controls in the hardware and software that monitor the activity surrounding e-PHI. It also covers the integrity controls that keep it safe from unauthorized changes or loss, and transmission security which protects e-PHI over an electronic network.

One of the ways that the Security Rule is flexible is in what it calls “addressable” and what it calls “required.” When a specification in any of these three areas is required, the practice must comply. If the specification is addressable, it means the practice can decide if the specification is reasonable and applicable for the practice. If the practice decides that it is not addressable, then it can adopt an alternative and more appropriate specification.

The Security Rule also addresses data security with business associates. It says that if the practice determines that one of their vendors or third parties is violating the Security Rule, the practice must take reasonable action to remedy the situation. The HHS also has requirements for business associates and requires a dental practice to have a business associate contract with any in their employ.

One crucial part of the Security Rule is the documentation requirements. Dental practices should have security policies and procedures in writing, as well as a record of the security activity, meaning all the risk assessments and how they responded to any potential threats over the years.

To read all the details of the Security Rule, please click here.

Continue reading on the next page...

The Enforcement Rule

The Enforcement Rule covers the compliance and investigation provisions, as well as the fines (called civil money penalties) for violations, and the procedures for any related hearings. It was finalized in 2006.

To see all the documentation for the Enforcement Rule History, please click here.

The Omnibus Rule

In 2009, the HHS added the Health Information Technology and Economic and Clinical Health (HITECH) Act to strengthen the privacy and security protections from their origins in 1996, It also significantly increased the fines for violations of HIPAA rules.

Before 2009, the HHS could only fine healthcare providers $100 for each violation of a provision, and no more than $25,000 in any one provision category, per the HHS Press Release on the HITECH Act.[i] Furthermore, one only had to claim ignorance of the HIPAA rule to get out of paying the fine.[ii]

The HITECH Act, which is what prevails today, changed all that. It provides for tiered ranges of breach that increase in penalties up to $1.5 million for violations in any one category.[iii] Furthermore, the “I-didn’t-know” defense is no longer valid unless the provider fixes the problem in 30 days or less from the infringement’s discovery. [iv]

To read more details on the Omnibus Rule, please click here.

Continue reading on the next page...

A part of HHS, the OCR is the organization that works with doctors and patients to ensure that patients know their rights and what the privacy standards are regarding personal health information and medical treatment options. They’ve also enforced the HIPAA Privacy and Security Rules since 2009.[v]

As of September 2019, the HHS website states that OCR has received 218,382 HIPAA complaints since 2003, which resulted in 980 compliance reviews. [vi] They have resolved 98 percent of them (214,911). Sometimes the resolution occurs because there was no violation or the case simply wasn’t eligible for enforcement because of jurisdiction, timeliness, or not part of HIPAA. Other times, the OCR required the violator to fix the issue and provided technical assistance. However, in 66 of the cases, the OCR imposed penalties, which combined came in at $102,766,582.[vii]

Per the OCR, the most frequent violators were general hospitals followed by private practices and physicians. The most common violations included:

Using protected health information in ways that are not permitted by the law.

No safeguards in place for PHI

Not providing patients access to their PHI

No administrative safeguards on electronic PHI

Using or disclosing more than the minimum necessary PHI

Data security is a complicated and vital issue. Keeping patients’ PHI private is your responsibility. Not only can breaches be damaging to the patients, but they can also cause severe consequences for your practice. Along with the financial implications, there is the loss of trust that can occur in the instance of a data breach. For all these reasons, data security is a crucial part of your practice management strategy.

Sources:

[i] HHS (2013). HHS Strengthens HIPAA Enforcement. [online] Available at: https://wayback.archive-it.org/3926/20131018161347/http://www.hhs.gov/news/press/2009pres/10/20091030a.html [Accessed 2 Nov. 2019].

[ii] Ibid.

[iii] Ibid.

[iv] Ibid.

[v] HHS.gov. (2019). HIPAA Compliance and Enforcement. [online] Available at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/index.html [Accessed 2 Nov. 2019].

[vi] HHS.gov. (2019). Enforcement Highlights - Current. [online] Available at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html [Accessed 2 Nov. 2019].

[vii] Ibid.