Part 2: Update your security policies.
By Marcia L. Brauchler, MPH, CPC-P, CPC-H, CPC-I, CPHQ
Recent changes to the Health Insurance Portability and Accountability Act (HIPAA) mean that all health care practices and facilities should be reviewing their processes to ensure compliance. Enhancements under the American Recovery and Reinvestment Act (ARRA) of 2009 have strengthened both the Privacy Rule (see part 1 of this series, “Review Your HIPAA Compliance Now,” in the August Coding Edge) and the Security Rule, which we’ll cover here.
ePHI Must Be Secure
The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting electronic personal health information (ePHI). ePHI is any protected health information that is stored, accessed, transmitted, or received electronically. Examples of electronic media include computers, laptops, disks, memory sticks, smart phones, personal digital assistants (PDAs), servers, disk drives, network systems, email, and websites.
Like the Privacy Rule, the Security Rule defines “confidentiality” to mean that ePHI should not be made available, nor disclosed, to unauthorized persons. The Security Rule promotes two additional goals of maintaining the integrity and availability of ePHI. Under the Security Rule, “integrity” means that ePHI is not altered or destroyed in an unauthorized manner; and “availability” means that ePHI is accessible and usable on demand by an authorized person.
Flexibility for how a practice complies with the Security Rule is allowed based on the office’s size and resources. But all covered entities must review and modify their security measures to continue protecting ePHI in a changing environment. This means:
- Identifying and protecting against reasonably anticipated threats to the security or integrity of the information
- Protecting against reasonably anticipated impermissible uses or disclosures
- Ensuring compliance by your workforce
The Security Rule requires a practice to:
- Identify potential risks to ePHI
- Implement appropriate security measures to address these risks
- Document what you did
- Devise policies and procedures that outline all required steps your office will take to maintain these security measures
- Routinely assess that your office is maintaining continuous, reasonable, and appropriate security protections for your ePHI
Your policies and procedures will be unique to your office—reflecting your specific business needs and risks—and are in addition to the Privacy Rule’s policies and procedures required to comply with HIPAA.
Conduct a Risk Assessment
As a first step, your office should conduct a security risk assessment (also referred to as a risk analysis). Areas to include in the assessment are outlined in sections 164.308, 164.310, and 164.312 of the HIPAA regulations (available at the electronic Code of Federal Regulations (e-CFR) website: http://ecfr.gpoaccess.gov). See the security standards matrix below for a list of risk assessment requirements in the Security Rule. There are 18 standards and 42 implementation specification requirements, of which 20 are “required” and 22 are “addressable.”
Whereas required implementation specifications must be implemented as written, addressable implementation specifications need only be implemented as written if they are assessed as reasonable and appropriate safeguards for the practice’s environment. If an addressable specification is assessed as unreasonable, you must document why and implement an alternative, equivalent safeguard that is reasonable for your environment. In other words, addressable standards must still be implemented, but they offer greater flexibility.
Use the Security Standards Matrix to conduct a security risk assessment. The assessment should help you to identify security weaknesses or vulnerabilities of your practice’s ePHI.
Subpart C of Part 164 – Security Standards: Matrix

| Standards | Sections | Implementation Specifications (R)=Required, (A)=Addressable |
|---|---|---|
| Administrative Safeguards | | |
| Security Management Process | 164.308(a)(1) | Risk Analysis (R) |
| | | Risk Management (R) |
| | | Sanction Policy (R) |
| | | Information System Activity Review (R) |
| Assigned Security Responsibility | 164.308(a)(2) | (R) |
| Workforce Security | 164.308(a)(3) | Authorization and/or Supervision (A) |
| | | Workforce Clearance Procedure (A) |
| | | Termination Procedures (A) |
| Information Access Management | 164.308(a)(4) | Isolating Health Care Clearinghouse Function (R) |
| | | Access Authorization (A) |
| | | Access Establishment and Modification (A) |
| Security Awareness and Training | 164.308(a)(5) | Security Reminders (A) |
| | | Protection from Malicious Software (A) |
| | | Log-in Monitoring (A) |
| | | Password Management (A) |
| Security Incident Procedures | 164.308(a)(6) | Response and Reporting (R) |
| Contingency Plan | 164.308(a)(7) | Data Backup Plan (R) |
| | | Disaster Recovery Plan (R) |
| | | Emergency Mode Operation Plan (R) |
| | | Testing and Revision Procedure (A) |
| | | Applications and Data Criticality Analysis (A) |
| Evaluation | 164.308(a)(8) | (R) |
| Business Associate Contracts and Other Arrangement | 164.308(b)(1) | Written Contract or Other Arrangement (R) |
| Physical Safeguards | | |
| Facility Access Controls | 164.310(a)(1) | Contingency Operations (A) |
| | | Facility Security Plan (A) |
| | | Access Control and Validation Procedures (A) |
| | | Maintenance Records (A) |
| Workstation Use | 164.310(b) | (R) |
| Workstation Security | 164.310(c) | (R) |
| Device and Media Controls | 164.310(d)(1) | Disposal (R) |
| | | Media Re-use (R) |
| | | Accountability (A) |
| | | Data Backup and Storage (A) |
| Technical Safeguards (see §164.312) | | |
| Access Control | 164.312(a)(1) | Unique User Identification (R) |
| | | Emergency Access Procedure (R) |
| | | Automatic Logoff (A) |
| | | Encryption and Decryption (A) |
| Audit Controls | 164.312(b) | (R) |
| Integrity | 164.312(c)(1) | Mechanism to Authenticate Electronic Protected Health Information (A) |
| Person or Entity Authentication | 164.312(d) | (R) |
| Transmission Security | 164.312(e)(1) | Integrity Controls (A) |
| | | Encryption (A) |
The next step is for your practice to determine the likelihood or probability for an external threat (such as a hacker trying to access your information) to expose a weakness and potentially gain unauthorized access to your ePHI.
Some examples from our client risk assessments include: the need to improve backup procedures for workstations, encryption for laptops, auditing user activity in the practice management system, or using a professional shredding service to dispose of ePHI. In most practices, human resource policies also will need to be updated to include greater pre-screening of new staff members, improved job descriptions to reflect proper access to and handling of ePHI by staff, exit interviews, and training on data security and proper use of passwords, etc. These safeguards are all part of the HIPAA Security Rule.
Put in place policies and procedures for each of the standards listed in the Security Standards Matrix above. For example, you might want to address each of the three safeguard areas in the following ways:
1. Administrative Safeguards
- Create office-specific security policies
- Place the copier or fax within the office to limit unauthorized access or viewing
- Appoint a security officer or official
- Conduct staff training on security rules, emergency operations, and reporting of real or suspected breaches (Remember: A breach is an inappropriate use, disclosure, or access of the practice’s PHI in violation of the Privacy Rule.)
- Finalize business associate contracts with outside entities that receive PHI generated by your office to do the work you require of them
2. Physical Safeguards
- Document who has access to the office during business and non-business hours, and which staff members have keys to the office
- Use password-protected screen savers
- Implement theft controls for computers and locate servers only in secured areas
- Conduct regular data backups and store them in a secure location
3. Technical Safeguards
- Control access to your workstations by using unique log-ins and time-limited passwords for all staff members
- Ensure that unattended computers automatically log out a user
- Appropriately dispose of ePHI by shredding or pulverizing, so the information can no longer be accessed
- Encrypt emails containing ePHI
The HIPAA policies you have now or create to comply with the Security Rule should be as detailed as possible. As an example, consider the following policy to address email use in your office:
Be very careful when emailing PHI. As a general rule, unencrypted email should not be used to communicate PHI because email is inherently less secure than other forms of communication, such as U.S. mail, Federal Express, UPS, or facsimile transmission. If email is used, the following safeguards should be taken:
- Attachments containing PHI sent as part of an unencrypted email should be encrypted in another manner before being attached to the email.
- The email message should contain a “confidentiality notice.”
- Verify that email is being sent to the correct person (e.g., always double-check the email address in the “To:” field before you hit “Send”).
Important Lessons to Take with You
A patient’s information—in written, electronic, or verbal form—belongs to the patient: Respect your patients’ privacy. As required by HIPAA’s “minimum necessary rule,” access only the information that is necessary to do your job. Report losses or misuses of information promptly to your privacy and/or security officer(s), so issues may be dealt with early, and harm can be mitigated. Set a protocol for confidential sending and receipt of PHI and ePHI. Question strangers who are in your work area. Never take patient information home or leave it in an unsecured place. And, always consult and comply with your office’s privacy and security policies and procedures.
Marcia L. Brauchler, MPH, CPC-P, CPC-H, CPC-I, CPHQ, is a health care consultant and founder of Physicians’ Ally, Inc. She advises physicians and practice administrators on managed care contracts, reimbursement, coding, and compliance. Her firm is selling updated HIPAA policies and procedures at www.physicians-ally.com/hipaa_training.html.
September 1st, 2011
Part 1: Updating your privacy policies.
By Marcia L. Brauchler, MPH, CPC-P, CPC-H, CPC-I, CPHQ
From its inception in April 2003, the Health Insurance Portability and Accountability Act (HIPAA) was something of a “paper tiger.” But when President Obama signed the American Recovery and Reinvestment Act (ARRA) into law in February 2009, the tiger got teeth.
Major changes to the privacy law, as outlined below, were included in the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was part of the larger ARRA.
What did ARRA/HITECH change? For starters, it significantly increased liability for not being in compliance with HIPAA. Previously, the maximum fine was $25,000 per violation. Now, that’s just the first level of fines: You can receive up to $1.5 million in fines for a single HIPAA violation. The HITECH Act also mandates that the federal government—specifically the Office for Civil Rights (OCR)—conduct audits on covered entities to ensure compliance. Even if no complaints have been filed against you, the government can show up and say, “Let us see your policies.”
HITECH allows state attorneys general to bring suits against various covered entities on behalf of “harmed individuals,” and will allow individuals whose rights were violated to participate in any civil monetary penalty if a covered entity is fined (the precise regulations are still being hammered out). There’s also a breach notification law provision in HITECH. What that means is, if you lose even just one patient’s unsecured information you have an obligation to tell the affected individual and the federal government. If more than 500 unsecured records are exposed (for instance, due to a missing laptop or a breach into your system), you have an obligation to tell the affected individuals and the federal government immediately (and local news media, if the breach affects more than 500 individuals in one area).
ARRA/HITECH also applies HIPAA privacy and security regulations to business associates (BAs), creates tighter marketing restrictions, and mandates that the OCR initiate a multi-faceted, national education campaign to inform the public about its privacy rights as patients.
Identify Weaknesses in Your HIPAA Compliance
Most practices probably haven’t considered the changes brought about by ARRA/HITECH, and are still operating under their original HIPAA policies and procedures. If this is the case in your practice, here are some highlights of what is likely to be out of date, based on our experience with the OCR:
- The Notice of Privacy Practices (NPP) is incorrect, and does not list instances when the provider would be obligated to disclose protected health information (PHI).
- A policy on “Consent for the Use or Disclosure of PHI” is unnecessary (although patient consent for their PHI use is permitted under the Privacy Rule, it is not required).
- Safeguards (administrative, technical, and physical) need to be included from the 2005 Security Rule to protect the privacy and security of PHI. (More on this in Part 2 of this series, Security Updates.)
- Due to out-of-date policies, the OCR may suggest intense training to get back in compliance.
- The complaint procedure must list a contact person within the practice.
- Policies may include a form allowing a patient to designate a personal representative, thereby granting that person the same rights as the patient under HIPAA. (The form must include all required elements for a valid authorization under HIPAA.)
At Physicians’ Ally, Inc., we needed to update our policies that are made available to physician practices. As a baseline, our policies include the five general categories of “Patient Rights” under HIPAA.
- Patients have the right to obtain a copy and review their PHI.
- Patients have the right to request the practice amend PHI when the information is inaccurate or incomplete.
- Patients have the right to an accounting of the disclosures of their PHI by the practice or the BAs.
- Patients have the right to request that the practice restrict use or disclosure of PHI for treatment, payment, and health care operations (TPO) or other disclosures, such as to people involved in the payment of health care or notification to family members (the practice does not have an obligation to agree to these requests for restrictions, but if the practice does agree, it must comply).
- Patients have the right to complain about the practice’s compliance with the policies and procedures required under the Privacy Rule.
During review, the OCR told us that our forms looked good, but we needed more policies. Our work was cut out for us, as it is for every physician practice that has not seriously updated its original HIPAA policies and procedures. We dedicated many months to learning about recent HIPAA changes and how to incorporate them into the practice’s policies, procedures, and training. We are proud to say that our revised policies and procedures were approved (for use by our client who was undergoing an OCR review).
Get Current, Get Compliant
To get current with HIPAA, we had to create new policies or tweak our existing policies for the following:
A new NPP. This is needed specifically to address that HIPAA allows the use of PHI in the day-to-day operations of the practice. The new notice describes how PHI can be used for “treatment,” meaning the coordination between providers for the care of a patient. PHI can be used for pursuing “payment” on behalf of a patient, such as calling a patient’s insurance company to verify coverage and benefits. PHI can also be used for regular “operations,” such as credentialing, quality improvement, care coordination, and even provider performance evaluation. If the NPP says the practice will use the PHI in a certain way, then it can (such as appointment reminders or “Thank You” notes). If your office’s notice doesn’t mention the specific uses of PHI, then you can’t use the PHI.
It’s not hard to find an NPP to use for your office, but you must customize the form to be an accurate reflection of your practice. The notice also must contain the date when it first went into effect, and mention how revised notices will be distributed. If you’re just now changing or adopting a new NPP, you should follow the procedure for distributing the notice to all patients: The NPP must be provided to patients at their first visit to your facility; it must be available for anyone who asks for it; and, it should be posted in your waiting room and on your website.
A policy indicating the practice would make a “good faith” effort to obtain written acknowledgement of receipt of the NPP by patients. If acknowledgement cannot be obtained (e.g., the patient refuses to sign the Acknowledgement form), the practice will document its efforts to obtain the acknowledgment, along with the reason why the acknowledgment was not obtained. This form must be retained in the medical record for at least six years.
Identify current BAs, and get updated agreements on file. Under the original HIPAA regulation, BAs were under agreement with the practice to protect PHI. Under the ARRA, BAs are directly liable to the federal government for compliance with the privacy and security rules of HIPAA (effective February 2010). Today, even BAs must have policies and procedures in place for how they will handle your practice’s PHI. Examples of BAs are legal counsel, accountants, billing companies, collections agencies, and business consultants.
These policies, forms, etc. also were required or highly recommended:
- A policy on allowable disclosures without authorization
- A policy on allowable disclosures with authorization, including a section allowing revocation of the authorization by patients if they change their mind
- A policy for requesting access to PHI and/or obtaining a copy of PHI
- A policy for requesting restrictions on uses and disclosures of PHI
- A Privacy Complaints form
- A form for requesting alternative means of communication
- A policy regarding how the practice utilizes email contact to transmit PHI over the internet
- A policy regarding marketing uses and disclosures
- Under ARRA/HITECH, the government further strengthened the prohibitions on selling patient information. In general, you should not sell or trade PHI without patient authorization. Face-to-face marketing communication to a patient is allowed, as is providing a promotional gift of nominal value to a patient. You should use the individual authorization form, however, if you intend to receive any kind of direct or indirect payment (remuneration) for marketing to a patient. Under HIPAA, you cannot sell your patient list without each patient’s authorization saying it is OK to do so.
- A policy describing the privacy officer’s position in detail, which includes investigating all suspected HIPAA violations and handling complaints
- A minimum necessary standard policy, directing the staff to only look at records essential to who is being treated
- A non-retaliation policy declaring that the practice will refrain from intimidating or retaliating against any person for exercising any right established by the Privacy Rule, including the filing of a complaint against the practice
- A non-discrimination policy
- Designated employee sanctions for violating privacy or failing to report suspected or actual violations
- Workforce member hiring and termination procedures, such as the practice reserving the right to conduct criminal and/or credit record checks
- An “open door policy” and philosophy: Every manager’s door is open to every employee to encourage open communication, feedback, and discussion about any matter of importance
- Safeguards (physical, administrative and technical security) that prevent people from accessing electronic PHI
- A breach identification process: This requires employees to report breaches or suspected breaches of privacy without fear of retaliation (Under ARRA/HITECH, federal regulations now require that if you think there is a security breach or a potential breach of privacy, you must tell your privacy officer.)
- Patient notification of breach: Required if you lose (breach) unsecured PHI and there is a risk of significant harm to a patient because of the breach (Interim regulations allow a covered entity to go through a risk assessment to determine the level of harm to the individual(s) whose information was breached—notification of the breach to the affected individuals must be done in a specific manner and within a certain timeframe.)
Make Training Part of Your Compliance Plan
In addition to updating your practice’s policies and procedures, offer privacy training periodically to all workforce members (defined by HIPAA as full-time, part-time, and temporary employees, as well as volunteers). Keep training documentation, and signed confidentiality statements (not required by HIPAA, but a nice touch) on file and maintained for six years.
As an employee, be aware of who your practice’s privacy officer is and where the HIPAA policies and procedures are kept. Your practice should have a central location where all HIPAA documents are stored and where staff can access them. Begin using updated forms/policies at once, and immediately undertake the administrative project of updating your practice’s BA list and filing signed BA agreements.
Perform a risk analysis to ensure compliance with HIPAA regulations. In Part 2 of this series, we’ll address how to do a security risk analysis, which should be performed on a regular basis to keep your practice up to date with changing electronic technology.
August 1st, 2011
According to the HIPAA Privacy Rule, covered entities (CEs) such as hospitals, physicians, clearinghouses, and certain insurance payers are obligated to safeguard individually identifiable health data, known as protected health information (PHI). The HIPAA Security Rule extends the liability of CEs to PHI transmitted in an electronic format (ePHI). HIPAA also defined business associates (BAs) as entities that work as “trading partners” with CEs, and medical billing services under this definition are classified as BAs. Unlike CEs, BAs were initially exempt from HIPAA statutes, but that has changed.
One provision of the American Recovery and Reinvestment Act (ARRA), passed in January 2009, called the Health Information Technology for Economic and Clinical Health (HITECH) Act, contains a stipulation that BAs such as billing companies are now liable under HIPAA for acts such as a breach of PHI/ePHI. This raised a stir among billing agencies as to the scope of responsibility under HITECH, and also raised the question of whether independent billing services can be cited under the False Claims Act if a client commits fraud.
There’s one missing link in the life cycle of the administrative process, and that’s the coder. Independent billing companies do not always have coders on staff; neither do they have ready access to their clients’ medical records. Coders are usually employed by their provider, and they abstract information from the doctor’s notes to determine the appropriate codes to be designated on the superbill. Billing companies serve as a pipeline to the payer, and are not typically vulnerable to false claim charges. However, if the billing company does provide coding services, such as documentation integrity review or code verification, its billers may be liable in the case of an OIG or payer audit should one uncover an act of fraud such as upcoding or unbundling.
Under HITECH, if an independent billing company receives PHI such as on paper registration forms, superbills, and referral forms, it must protect such information, including proper waste destruction with shredders and/or the use of a certified data destruction company. If the billing service handles ePHI, it must ensure that it has appropriate safeguards (such as firewalls and encryption/decryption) as required by the HIPAA Security Rule, and follows proper procedures for certain destruction or initialization of data-storing media.
By Ken Camilleis, CPC, CPC-I, CMRS
April 27th, 2011