The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to protect American families from the dangers of losing health insurance coverage. Mainly it was designed to provide workers with insurance portability during a job change or loss. Its secondary purpose is to ensure the security and privacy of individual health information. HIPAA turned 20 last year, but the healthcare system is still a long way from full compliance.
1. PHI covers a lot of ground.
There have been several amendments to HIPAA since it was signed into law. The first in 2003, known as the Privacy Rule, defined Protected Health Information (PHI) as any health-related information that can be used to identify a particular individual. This can be information related to an individual’s past, present or future physical or mental health or condition, any provisions of healthcare to an individual, and any past, present, or future payment for the provision of healthcare to an individual.
2. Organizations can be slow on the uptake.
The Security Rule was enacted in 2005 to standardize the handling of electronic PHI by providing specific guidelines for physical, technical, and administrative safeguards. Unfortunately, last year’s HIPAA compliance survey by NueMD found that only 70 percent of healthcare organizations planned to strive for HIPAA compliance. This number is certainly disappointing when the adoption rate is lower among employer groups offering group health plan’s, business associates, and health insurance agencies. This is based on Total HIPAA’s assessment of these other groups.
3. HHS OCR enforces compliance.
Under the Enforcement Rule of 2006, the Department of Health and Human Services Office for Civil Rights (HHS OCR) received the responsibility to monitor organizations who should be complying with HIPAA regulations. HHS OCR has the power to investigate complaints related to the Privacy and Security Rules, and to fine those who fail to meet HIPAA regulations. The penalties range as low as $100 to $1.5 million per violation, but resolutions with HHS OCR have been in the hundreds of thousands of dollars to all the way into the millions having multiple settlements exceeding $5 million.
4. All health-related businesses count.
Any businesses that see health related information connected to an individual is expected to comply with HIPAA. The Health Information Technology for Economic and Clinical Health (HITECH) Act requires healthcare organizations to notify their business associates and subcontractors that they are legally expected to work in accordance with HIPAA. The 2016 NueMD survey indicated that only 60 percent of healthcare organizations surveyed were aware of this expectation.
5. Your organization may be subject to an audit.
For over six years now HHS OCR has conducted compliance audits in hopes of increasing HIPAA compliance. In 2011, OCR implemented a pilot audit program (Phase One) to assess the controls and processes implemented by 115 covered entities to comply with HIPAA’s requirements. Phase Two of OCR’s HIPAA audit program started last year by selecting over 200 Covered Entities and Business Associates, sending notification letters in the summer and fall to inform them that they were selected for a desk audit. Last year only 40 percent of healthcare organizations were aware these audits were being conducted according to the NueMD survey. Currently, the on-site audits by OCR have been delayed to late 2017 or early 2018.
6. PHI must be stored for at least 6 years.
HIPAA requires Covered Entities and Business Associates to maintain documentation of PHI they have collected for a minimum of six (6) years from the date of its creation, or the date when it last was in effect, whichever is later. Organizations that hold PHI need to review their state’s retention requirements before properly disposing PHI to assure state compliance.
7. HIPAA compliance declines.
The NueMD surveys also showed that from 2014 to 2016 the number of employed security and privacy officers had gone from 56 and 55 percent down to 53 and 54 percent, respectively. There are also fewer healthcare organizations providing HIPAA compliance training, from 62 to 58 percent.
8. The dawn of electronic communication.
More healthcare providers are using phone apps, email, and social media to get in touch with patients. As more organizations move to communicate electronically, it is important to monitor the security of these processes. Total HIPAA has reviewed HIPAA compliant software for electronic communication like email encryption and text messaging to help organizations figure out a best-fit solution.
Where do we go from here?
In summary, adoption of HIPAA compliance is still in its infancy. OSHA took more than 20 years to be widely adopted by US-based companies. Although the first portion of HIPAA went into effect 20 years ago, key parts of the law have only been in effect since 2009.
HHS still has not ruled on whether patients, employees, or clients can share in the fines now being levied by HHS when these individual’s PHI has been breached. If HHS rules that individuals can be reimbursed when their PHI is breached, the flood gates will open. Those groups that need to be HIPAA compliant will rush to complete the process and may be caught playing catch up. Don’t get lost in the rush. Act now and become HIPAA compliant.
Also, four state supreme courts have upheld HIPAA as a Standard of Care (Missouri, North Carolina, Connecticut, and West Virginia). This means that Covered Entities who don’t properly protect PHI could face legal action from private citizens, not just HHS.
People are more aware of their rights under HIPAA than you might realize. Not being HIPAA compliant exposes your practice or company to a whole host of regulatory issues that are best mitigated before there is an issue. The reality is, compliance is much more affordable than ever, and noncompliance is much more costly than ever.
Are you HIPAA Compliant?
By: Total HIPAA Guest Bloggers