Is Your Practice Violating HIPAA Regulations?

April 10, 2017

With new technology in medicine, the privacy lines are often blurred. Here are some things to keep in mind regarding HIPAA compliance.

Corpus Christi Medical Associates (CCMA), a family practice in Corpus Christi, Texas, has always found it difficult to comply with HIPAA's privacy and security regulations.

"We struggle to have enough resources to dedicate to the ever-changing environment," said J. Stefan Walker, MD, a family medicine physician at CCMA. "There is always something new and regulations are constantly evolving. It's a moving target, and cyber-liability is probably the greatest risk, added Walker."

Despite this sentiment, Walker was determined not to be one of the practices listed on the "Wall of Shame" webpage maintained by the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services. Practices are listed there if they report a data breach that affects 500 or more patients. 

Walker said that CCMA has been the target of a few breach attempts already. "For a small practice like ours, dealing with the fallout from a breach could literally bankrupt us. We are looking at how to minimize the risk," he says.

That desire led Walker to participate in a pilot phase of a new cybersecurity tool designed to help small practices identify and address weaknesses. Called HITRUST CSFBASICs, the program goes into greater detail than the security assessment required in the EHR Meaningful Use program, according to Walker. HITRUST sought to create a program that small practices could take advantage of. "I think the emerging product will do just that," he said.                                                                                             

A privately held organization, Health Information Trust Alliance has established a Common Security Framework (CSF) that can be used by organizations that store or exchange health data.

CCMA is not alone when it comes to finding HIPAA compliance challenging. Many small practices struggle with both privacy and security policies, and practices may be in violation of the law without even realizing it. Physicians Practice asked several consultants who work with provider organizations to describe some common weaknesses they encounter and what practices should be doing to address them.

Encryption and Other Challenges

Jason Karn, chief compliance officer with Raleigh, N.C.-based Total HIPAA Compliance, a provider of HIPAA compliance and training tools, said one of the biggest challenges is that the language of the HIPAA law can be vague. For instance, people argue about whether HIPAA requires encryption or not. The law says you have to do a risk assessment to determine whether encryption is the right thing to do, according to Karn.

"We do risk assessments for companies all the time, and we have yet to find a good reason not to encrypt data," he says. If a laptop is lost and the data is encrypted, the provider organization wouldn't have to report it as a breach as long as the key or password for the device is not with it. There is no way that a hacker can get at that information. "Encrypting can save you a lot of heartache if anything happens, and possibly save your practice," Karn says.

Another potential violation Karn's firm finds involves doctors and nurses texting about patient information using applications such as iMessage, which is not HIPAA-compliant. Unencrypted e-mail is also problematic.

One troubling area for some practices is patients' right to access their own records, both in paper and electronic format, and what the practice is allowed to charge for making copies. This is an area that OCR takes very seriously. In 2011, it penalized Maryland-based Cignet Health $4.3 million for violations of the HIPAA Privacy Rule among other charges. OCR's investigation found that Cignet violated 41 patients' rights by denying them access to their medical records.

The Privacy Rule requires health organizations to provide patients with a copy of their medical records within 30 (and no later than 60) days of the patient's request. If a record is in electronic format, it must be available that way upon request. HIPAA says you can charge a reasonable amount, and many states have said no more than 25 cents per page.

In 2016, OCR issued guidance seeking to clarify what providers can reasonably charge patients. It specified what types of fees were permitted and outlined a few options providers could use to calculate those fees. Providers could calculate the combined labor, supplies and postage costs to prepare and send an explanation or summary. Alternatively, they could charge a flat fee, with the OCR suggesting $6.50.

Lacking Risk Assessments

Some practices get in trouble when they face a HIPAA audit or a Meaningful Use audit because they have never done a security risk assessment, experts say.

"A lot of practices think they have an IT person who takes care of everything for them, so everything must be okay," says Laurie Aloi-Zabel, the director of billing and compliance for MedSafe, a consulting and OSHA and HIPAA compliance services company based in Wellesley, Mass. A practice must have the documentation that it has done an assessment and has started addressing vulnerabilities, she added.

A security risk assessment is the first thing the OCR auditors would look for, stresses Kathy Downing, senior director for information governance at the American Health Information Management Association (AHIMA). Some physicians think that if they identify risks, they are responsible for having mitigated them all, but OCR has never claimed that, according to Downing.

"They want you to know your risks and mitigate to the extent possible based on your size, complexity, and technology," she explains. The OCR has a downloadable model risk assessment tool, she adds, or you could have a consultant do it for you, but it's important to establish a baseline.

HIPAA auditors would also look at whether employees are receiving training on both privacy and security rules. "The insider threat is real," Hicks notes. "There are all kinds of situations where insiders have taken names and Social Security numbers for malicious reasons. If you don't have documentation that you have trained employees, you could get fined."

If you do have that documentation, whether a breach is inadvertent or malicious, the focus will be more on that person as an individual and less on you as an entity. In other words, experts say practices will have proven they did their job in terms of training.

On the other side, practices may get into trouble for failing to update their business associate agreements with vendors who handle protected health information. The changes in the HIPAA Omnibus Rule that went into effect in 2013 made business associates liable as covered entities for HIPAA violations, but providers are responsible for making sure the business associate is assessing its own risks and doing training.

"If you are using a record storage company, but you never vetted them and they aren't following required procedures, it could open you up to partial breach liability as well as them," Karn says.

In the unfortunate event that they do lose a laptop or thumb drive with patient information on it, practices can run afoul of breach notification rules. Providers may struggle with understanding if a breach requiring notification has actually occurred, who notifications must be sent to, and how quickly, says MedSafe’s Aloi-Zabel, who added that she regularly walks clients through the process of determining their incident response.

No Excuses

In many cases, a practice manager is dealing with Occupational Safety and Health Administration (OSHA) regulations and filing insurance claims, among other administrative tasks. In addition, they are asked to be responsible for a risk assessment and to look at administrative, physical security, and technical security. While AHIMA's Hicks says that it is understood that small practices have limited resources, most of HIPAA's requirements have been the same since 2003.

"There is really no excuse at this point for not knowing you have to do some of these things," she stresses. "The OCR has a model notice of privacy practices on its website. If you are getting the basic HIPAA privacy notice wrong, you haven't even gone to look for the model notice. It has all the information about right to access and patient rights, and if you read it you know what you are supposed to be doing."

Corpus Christi Medical Associates' Walker has been converted into something of an advocate. "People have no clue the risk they are exposed to. I really think there is a lot of ignorance out there," he says.

"Security is not a topic people like talking about. Doctors shy away from it as a group, and I was one of those kinds of people. But participating in this CSFBASICs pilot really opened my eyes. We learned just how vulnerable we are and the things we need to be doing," says Walker.

Bryan Cline, vice president of standards and analytics at HITRUST Alliance LLC, said that small practices have to pay more attention to issues such as phishing and ransomware.

"Physicians might be associated with a large institution that is targeted," he explains. If they can't get in through the hospital itself, they might try to find out which physician practices are affiliated with that hospital. It is easier to crack a physician practice than the perimeter defenses of a hospital.

"The threat environment has gotten to the point where nobody is safe," Cline added, "so I think there is a real interest in working on this."