Medical Staff Resistance to HIPAA Compliance

May 14, 2015

When physicians and other entities resist complying with HIPAA requirements, it can lead to an increase in practice liability.

Recently, while reading a 2013 article in Information Week, "Doctors Push Back Against Health ITs Workflow Demands," I thought about various scenarios individuals have brought to my attention. It is indisputable that both the healthcare industry and physicians have been dealing with a dramatic shift in the landscape and, in turn, having to adapt to and implement a variety of new processes. In the article, the authors say, "There's a powerful force working against the spread of health IT: physician anger, as doctors resist adopting workflows that can feel to them more like manufacturing than traditional treatment." There are several reasons for this: uncertainty in reimbursement, the transition to ICD-10, and compliance requirements related to HIPAA and the Affordable Care Act.

Some of the situations that have been brought to my attention include: entities refusing to sign a Business Associate Agreement (BAA), refusing to choose a vendor because a password is required to be utilized and periodically changed in order to text message, and giving a username/password to other members of the care team to change or augment the electronic health record. Needless to say, all of these scenarios are problematic for several reasons. First and foremost, they violate the legal standards set forth in HIPAA, the HITECH Act, and the 2013 Final Omnibus Rule. Second, engaging in these practices makes the person more vulnerable. Lastly, refusing to utilize a password in order to optimize both IT security and compliance is foolish.

At its core, a Business Associate Agreement is required between parties who create, receive, maintain, or transmit protected health information (PHI) on behalf of or for a covered entity. The phrase "on behalf of or for" is crucial because it extends beyond the relationship between the covered entity and a single business associate. This is the requirement of federal HIPAA. States may, and in fact do, have more stringent requirements.

One of the greatest areas of vulnerability is texting sensitive data using smartphones. Hence, it is crucial to make sure that the iPhone App is encrypted and requires a password (ideally, this would be a two-factor identification method). Yet, I have heard stories where physicians belligerently refuse to adopt a technology because of the requirement.

Lastly, providing a nurse or PA with access to a medical record utilizing the physician's user name and password is absurd. Think of the Ebola case in Dallas, Texas, where the nurses left notes in one section that the physicians did not read. What if both individuals had used the same user ID and password? How easy would it be to look at the audit log and determine who made the entry? The level of legal liability associated with this practice is exponential.

Given that these scenarios really do happen, what steps can be taken by physicians and other entities? Here are a few suggestions:

• Adopt a "no tolerance" policy and sanctions for non-compliance from the medical staff in relation to HIPAA compliance. Many organizations have these in place.

• Get your Business Associate Agreements in order and keep a log of all the vendors, business associates, and other entities that need to have one - along with the date they were executed.

• Never give your user id/password to anyone; the system administrator has it.