As 2020 comes to a close, three items related to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”) emerged.
As 2020 comes to a close, three items related to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”) emerged.
First, the highly anticipated Department of Health and Human Services Office for Civil Rights’ (“HHS OCR”) 2016-2017 HIPAA Audits Industry Report (Dec. 2020) was released. OCR’s periodic audits are required under the HITECH Act in order to ascertain compliance with the Privacy, Security, and Breach Notification Rules (“HIPAA Rules”).
Second, HHS published proposed changes to the HIPAA Privacy Rule, which center around increasing an individual’s rights and access to his/her protected health information (“PHI”), expanding information sharing for purposes of care coordination, providing disclosure flexibility in select situations (i.e., opioid overdose, COVID-19), and reducing administrative burdens on covered entities.
Lastly, a recent indictment highlights the notion that stealing PHI and using it for the purpose of personal gain rises to the level of criminal conduct.
The long-awaited results from OCR’s second audit (“Phase 2”) of select covered entities and business associates was presented to Congress in early December 2020. As part of its obligations under Section 13411 of the HITECH Act, HHS is required to “provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act, comply with such requirements.”
Phase 1 of OCR’s pilot program was conducted 2012, with 115 covered entities being assessed. Phase 2, which occurred between 2016-2017, included both business associates and covered entities, most of which were providers. Initially, 166 covered entities were audited, which required them to provide a list of their respective business associates. From there, a pool of business associates was created, and 41 business associates were ultimately chosen. Therefore, the number of entities audited increased by 92.
An individual entity was rated on a scale of 1-5, with No. 1 being compliant and No. 5 being severely out of compliance. Some of the audit findings are eye-opening:
These outcomes, although for a limited group, should be alarming and signal a call to action. Class action lawsuits, as well as the U.S. Government agencies’ warnings of increased cybersecurity attacks, are just significant consequences that cannot be overlooked. The best place to start is to do the following five items: (1) conduct a comprehensive, annual risk analysis; (2) make sure business associate agreements are executed; (3) encrypt data at rest and in transit; (4) ensure annual HIPAA and cybersecurity training for workforce members; and (5) implement adequate policies and procedures.
As value-based initiatives continue to become more prevalent, in an effort to remove barriers that are perceived to impede care coordination between providers and health plans, on December 10, 2020, HHS announced proposed changes to the HIPAA Privacy Rule. The notice of proposed rule making gives the public 60 days after publication in the Federal Register to comment on the proposed changes.
The three laws implicated are: HIPAA, the HITECH Act, and the 21st Century Cures Act. The key areas to focus on are as follows: reinforcing an individual’s right to access his/her own PHI, including ePHI; improving the sharing of information for purposes of care coordination; facilitating greater family and care giver involvement through appropriate disclosures during crisis situations (i.e., the COVID-19 pandemic, opioid crisis); and reducing administrative burdens on providers.
It is important to note that OCR will continue to protect individual’s health information privacy interests. And, if the past two years are any indication, the trend of penalizing providers who fail to provide patients with their PHI will continue.
A recent indictment serves as a reminder that breaches involving the wrongful taking and use of PHI can have criminal consequences. On December 7, 2020, the United States Department of Justice for the Eastern District of Texas announced that two individuals pleaded guilty, while another individual awaits additional charges, for allegedly breaching a healthcare provider’s electronic medical records system for the sole purpose of stealing patients’ PHI and personally identifiable information (“PII”) and utilizing it to commit subsequent illegal acts. Specifically, the stolen PHI and PII “was then ‘repackaged’ in the form of false and fraudulent physician orders and subsequently sold to durable medical equipment (DME) providers and contractors.”
Over a period of nearly eight months, the defendants netted in excess of $1.4 million in ill-gotten gains from the sale of the stolen information. Additionally, there were superseding indictments, whereby the defendants allegedly conspired to “pay and receive kickbacks in exchange for orders from physicians that were subsequently used to obtain payments from federal health care programs” in violation of the Anti-Kickback Statute. As a result of selling the physicians’ orders to each other, as well as other DME suppliers, another $2.9 million accrued from the criminal scheme.
This case serves as a reminder that the HIPAA criminal statute, 42 U.S.C.A. §1320d-6 applies when “[a] person who knowingly and in violation of this part – (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individual identifiable health information to another person, shall be punished as provided in subsection (b) of this section.” Overall, the stealing, as well as the illegal sale and use of the PHI rises to the level of a criminal violation under HIPAA.
Healthcare industry participants have a lot on their plates. In light of the government’s announcements of increased cybersecurity attacks targeted towards the U.S. healthcare sector participants, HIPAA compliance cannot be overlooked. The costs of breaches from a reputational, financial, regulatory, and legal standpoint cannot be overlooked.
Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.
Asset Protection and Financial Planning
December 6th 2021Asset protection attorney and regular Physicians Practice contributor Ike Devji and Anthony Williams, an investment advisor representative and the founder and president of Mosaic Financial Associates, discuss the impact of COVID-19 on high-earner assets and financial planning, impending tax changes, common asset protection and wealth preservation mistakes high earners make, and more.
How AI billing delivers precision, compliance, and savings
November 26th 2024For healthcare providers, executives, and decision-makers, embracing AI in claims processing is not just a step toward improved financial outcomes—it’s an ethical commitment to better care and a more patient-centered approach to service delivery.
How to reduce surprise billing in your practice
November 15th 2021Physicians Practice® spoke with Kristina Hutson, a product line developer at Availity, about surprise billing events in independent healthcare practices and what owners and administrators can do to reduce the likelihood of their occurrence.