Summit Discusses the HIPAA Omnibus Final Rule with Aldrich Advisors
What are some of the recent changes to HIPAA that are causing heartburn for medical practices?
HIPAA, as we experience it in the Privacy and Security Rules, went into effect in 2003 and 2005, respectively. During the first few years, the regulations didn’t have many ‘teeth’ in terms of regulatory oversight and associated monetary penalties. In 2009, as part of the Affordable Care Act, the rules underwent some significant changes, which were ultimately codified in the HIPAA Omnibus Final Rule which went into effect in 2013. These changes enhanced some of the requirements in the Security Rule and put some penalties in the regulations such that security or compliance shortcomings can, and often do, have a significant financial impact on an organization.
A few of the changes with the greatest impact include significant monetary penalties, mandatory data breach reporting, and the inclusion of HIPAA Business Associates as entities who are now directly subject to the HIPAA Security Rule. These changes have been coupled with enhanced regulatory enforcement by the Office of Civil Rights so Covered Entities and Business Associates are having to take a second look at their HIPAA security posture. We’re observing that many need help with documenting or implementing the new security requirements.
What are some areas in which practices seem to particularly struggle?
Across our client base we have seen a handful of requirements in this rule that can be more of a struggle for some organizations than others. The challenges tend to fall into one or more of the following categories:
- Risk analysis and management
- Third party vendor risk
- Contingency Planning (disaster recovery / business continuance)
- Proper implementation of technical safeguards
- Comprehensive policy to support these items
I think it’s important to remember that risk analysis undergirds just about everything in the HIPAA Security Rule. If an organization has not conducted a risk assessment, they should perform one as soon as possible. This activity will help an organization support their compliance with HIPAA as well as provide insight into other areas where they may find security or compliance struggles.
The risk assessment process is one of the ways we are able to identify trends that reveal common areas in which many practices struggle with high risk, low compliance, or both. Another way to identify areas of common concern is to review the published list of reported breaches that is posted on the department of Health and Human Services website. This information, coupled with HHS OCR press releases and news bulletins gives a great amount of insight into where organizations are potentially vulnerable or struggling to comply with HIPAA.
One of those areas relates to understanding and managing the risk associated with sharing Electronic Protected Health Information (ePHI) with third party vendors. This can be a bit of a double whammy, if you will, because Covered Entity organizations (such as providers or payers) typically rely on the assertions related to the strength of internal security controls made by third party Business Associates. However, if a third-party Business Associate has an incident or a breach, the Covered Entity (typically a provider or payer) who provided the ePHI to the third-party will still suffer the consequences of the third party’s negligence.
Another category where we commonly see increased risk and/or low compliance is what we refer to as ‘business continuity and disaster recovery’, also collectively referred to as “Contingency Planning” in the Security Rule. As a topic, this relates to the infrastructure and planning that needs to be in place in order for an organization to manage through an outage or a disaster and successfully recover from an adverse event, all while protecting ePHI. To be prepared for what HIPAA requires in this category requires, at the very least, a decent amount of planning, preparation, documentation, and potentially, an investment in some additional hardware and infrastructure. Organizations sometimes struggle in this area because the investment can be substantial and is only realized if there is a disaster or outage.
Finally, another common theme that we frequently see in risk analysis data relates to an organization’s struggle to implement proper technical safeguards to protect ePHI. These safeguards include things like logging and auditing user access to ePHI, proper implementation of appropriate encryption for both data at rest and data in motion, and technical controls protecting transportable media and mobile devices.
Stitching all of these items together is (or should be) a comprehensive policy and procedure framework that outlines and demonstrates how an organization complies with HIPAA, and training demonstrating how members of the workforce are expected to protect the data entrusted to them. Having, and following a comprehensive policy framework is critical for documenting and demonstrating compliance in the event of an audit.
Earlier you mentioned that part of the reason for the renewed interest in HIPAA is that the regulation has gained some significant “teeth.” Can you please elaborate on the implications of that change for a practice?
I think it was Benjamin Franklin that originally coined the phrase “an ounce of prevention is worth a pound of cure”; that wisdom certainly applies in this case. As we examine both the regulatory changes codified in the HIPAA Omnibus Final Rule, as well as how those changes are implemented through OCR enforcement functions, we quickly learn that most of the publicly-disclosed monetary penalties levied for noncompliance are in the six and seven figure range. These are significant financial penalties and could potentially represent an “extinction level event” for a practice that is not prepared to cover that type of expense.
Referencing Ben Franklin again, the good news is that building an appropriate HIPAA security program, complying with the regulation, and preparing for a potential OCR audit is significantly more affordable and attainable than attempting to recover from a security breach or respond to unexpected audit. Our firm has helped clients both before and after an OCR audit as well as before and after a data breach, and we have seen that the amount of expense and effort related to preventative work is much less than the expense, effort, and unfortunate chaos and disruption that an organization goes through after a breach or when attempting to respond to a government audit in a short timeframe. Our advice and request to clients is to please take HIPAA seriously and perform the needed activities to protect the confidential data of the patients who entrust their information to you.