I bet many of you have heard of HIPAA, but you may not realize its impact on you and your organization. Personally, if you or a family member has been to see a physician in the last 10 years, you were presented with a HIPAA form to sign. Professionally, if you work in healthcare, you surely have heard of it and hopefully have been through awareness training. Even though there’s a training course in place, that doesn’t mean your organization is fully compliant. For those of you who work for a third party that provides services to a healthcare organization, the potential impact to your organization is even more urgent. So please read on.
The basic types of healthcare entities in the market are payers, or health plans, and providers. Payers are organizations that offer health insurance, either through their own health plans or by working with employers to support the employer in offering an employer-sponsored health plan. More than 50% of the people in the US participate in an employer-sponsored plan. As for the remaining Americans, 16% are covered by Medicare, 17% by Medicaid and the remaining 15% are uninsured. I’m sure you’ve seen the news lately about the opening of the Health Insurance Exchanges, or HIXs. Initially, the HIXs are targeting those who didn’t have insurance, either because the individual didn’t work for an employer that offered health coverage or due to cost. Healthcare reform has made changes to ensure that everyone can obtain coverage and do so affordably, either through an HIX or through your employer.
The term provider refers to all who deliver health care services to you and your family. A provider can be your family doctor, local hospital or MRI facility. Providers deliver health care services to you and, if you have insurance, interact with the insurance company to determine what your health plan will pay and what you as a patient are required to pay, such as a deductible and copay.
More than 15 years ago, in response to an increase in the abuse of personal health information (PHI), HIPAA was established to protect the privacy of you as a patient and to prevent improper disclosure and use of that information. HIPAA specifically applies to covered entities, or CEs. Initially, CEs were defined as payers or health plans, providers and clearinghouses. There is a fourth group that was indirectly identified, known as business associates (BAs), who are third parties contracted by a CE to perform duties and services where there’s a possibility that they might come into contact with PHI. In support of a BA relationship, a Business Associate Agreement or BAA must be part of the contractual arrangement.
As it pertains to PHI, there were two rules introduced. The first is the Privacy Rule. This rule requires that CEs use appropriate safeguards to protect a patient’s medical record and other PHI, sets limits and conditions on uses and disclosures with patient authorization, and provides patients the right to access and examine their PHI. The second rule is the Security Rule. This rule requires CEs (and BAs) to follow established national standards to protect electronic PHI, or ePHI. There are 3 categories of safeguards that must be observed: administrative, physical and technical. HIPAA and the accompanying Privacy and Security Rules are law, and must be complied with. Non-compliance can result in a fine, potential civil lawsuits and getting your organization’s name on the CMS “Wall of Shame.” An example of non-compliance is a breach or situation where ePHI has been “lost.” The CMS fine for each breach can be as high as $1.5M.
Now, focusing on Business Associates, there was a change earlier in 2013 that makes a BA directly liable for non-compliance with HIPAA. As such, if not done already, each BA must review the law, understand what privacy means to the services and products provided under contract with a CE, and take action to comply with the security standards and safeguards. The Security Rule begins with an assessment, which must be done on an annual basis, to determine which of the 42 security safeguards apply to the BA. The standard BAA essentially requires the BA to comply with HIPAA. One of the 20 required safeguards is education and awareness of the Privacy and Security Rules. As such, each employee of the BA who is involved in an engagement involving PHI/ePHI must go through an online program to help them understand the Privacy and Security Rules and what their responsibility is. It’s not uncommon for a CE to impose additional contractual obligations on the BA that go beyond the standard BAA.
The Centers for Medicare &amp; Medicaid Services (CMS) has stepped up the enforcement of HIPAA. Earlier this year they completed the first annual audit of CEs. Now that BAs are directly liable, the next annual CMS audit will include randomly selected (small, medium, large) BAs. Particularly for BAs, a lack of compliance can have a direct business impact, since the results of the audit are made available.
Even though CEs have been required to comply with the Privacy Rule for the last 10 years and with the Security Rule for the last 8 years, many are not. In the first CMS audit done, 59 of the 61 providers were not compliant. Shockingly, 35% of the time the reason for not being compliant was ignorance. I’m not sure what’s worse, being ignorant 1/3 of the time or knowingly non-compliant 2/3 of the time. With the greatly increased funding for enforcement, it won’t matter, as public knowledge of a BA’s non-compliance will cost more than any fine CMS could levy.
Now’s the time to get compliant! In particular for BAs, given the recent changes to the law, take heed as you’re probably not compliant. Being compliant with HIPAA is not only required by law, but doing so gets your organization down the path towards best demonstrated practices with respect to security in general. Believe it or not, the HIPAA Security Rule isn’t all encompassing. If you’re not sure about the next steps, then engage some outside help. The sooner you get started, the better.