Lack of HIPAA Security Rule Awareness Can Hurt Medical Practices

March 26, 2014

Medical practices must become more aware of the HIPAA Security Rule and the HIPAA Breach Notification Rule.

Fines associated with the HIPAA Security Rule and the costs of complying with the HIPAA Breach Notification Rule are the biggest financial risk a medical practice faces. While most physicians are well aware of the HIPAA Privacy Rule and have worked with it for almost 20 years, very few know that the HIPAA Security Rule and the HIPAA Breach Notification Rule, which went into effect in 2005, have a very different approach and carry fines that are more aggressively assessed.

Here are some key facts that practices must know about the HIPAA Security Rule and the HIPAA Breach Notification Rule.

Privacy vs. security and breach
The purpose of the privacy rule is to safeguard protected health information (PHI). The security rule is concerned with electronic protected health information (ePHI), which the rule defines as all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form.

PHI transmitted orally or in hard copy is specifically exempt from the security rule, as are fax transmissions that begin and end as paper without ever having been converted to anything other than data to be carried over a telephone line.

The distinction between PHI and ePHI goes a long way toward explaining the security rule's relative anonymity. In 1996, few medical practices created, received, maintained or transmitted PHI electronically. Over time, "HIPAA" became a synonym for the HIPAA Privacy Rule, and both the security rule and breach notification rule faded into the background, generally unnoticed.

The breach notification rule describes how ePHI breaches are to be publicized, depending upon the scope of the breach.

The world is very different in 2014 with EHRs, health information organizations, e-mail, text messages, voicemails delivered as audio files, and electronic faxes that can be sent from or received directly into e-mail accounts.

Compliance schedule
Another reason the security and breach notification rules slipped under the radar was that April 20, 2005, was the first date by which compliance was required. HIPAA was old news by then.

The HIPAA Omnibus Rule, published in January 2013, implemented provisions of the HITECH Act of 2008. Major changes included the expansion of the definition of a Business Associate and its duties and liabilities. That required initial or amended business associate agreements for all business associates. The changes also required modification to the notice of privacy practices of covered entities, which include physicians and clinics. The new business associate agreements and notices of privacy practices were to be in place by Sept. 23, 2013.

Difference in approach
The privacy rule describes what practices must accomplish (or avoid) and it is silent as to method. The security rule is prescriptive. It describes exactly, or almost exactly, what practices must do and how they should document those tasks.

An important consequence is that privacy rule violations can be mitigated by arguing good intentions, best efforts, or bad luck. No mitigation is available for security rule violations. The documentation is either there, or it is not. Judgment does not play a role in a security rule audit.

Fines
The security rule presents particular risks because ePHI, unlike oral and written PHI, is more likely to impact hundreds or thousands of patients. Earlier in 2014, the Office for Civil Rights seemed to announce a multi-million dollar fine every day, some for practices with only four or five providers.

States Attorneys General
The HITECH Act grants HIPAA enforcement authority to States Attorneys General (SAG). The Office for Civil Rights has announced that it is anxious to assist SAG in the exercise of their new authority. In addition to providing guidance, the office is also providing training to SAG to facilitate investigating and seeking damages for violations in the individual states.

This budding partnership means both a practice's state and the federal government can punish it for the same offense.

Meaningful use audits
A data security risk assessment is one of the core objectives for both Stage 1 and Stage 2 of the meaningful use incentive program, and meaningful use audits have produced HIPAA Security Rule fines.

The Office for Civil Rights is serious about enforcing the HIPAA Security Rule and the HIPAA Breach Notification Rule. Medical practices ignore the potential impact of these rules at their peril.