By Dr. Phyllis Miller, Ph.D., RHIA, RHIT, CHPS, Lean Six Sigma Green Belt, AHIMA ICD-10-CM/PCS Trainer
As August 21, 2020 marks the 24th anniversary of Bill Clinton’s HIPAA Law, it is not a bad time to reflect on how the law has been doing. As with any big change in healthcare, whether the advent of electronic health record (EHR) systems in the past decade or a pandemic like COVID-19, nothing stays the same. All laws, rules and regulations occasionally need some breathing room, and this also applies to HIPAA. Here is an update on HIPAA changes and some examples of what not to do.
The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) is responsible for enforcing the various rules and regulations issued under HIPAA, which was amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, to protect the privacy and security of protected health information (PHI).
New Telecommunication Rules
During the COVID-19 national emergency, which also constitutes a nationwide public health emergency, health care providers covered by HIPAA can now communicate with patients and provide telehealth services through remote communications technologies. Some of these technologies, and the manner in which HIPAA-covered health care providers use them, may not fully comply with the requirements of the HIPAA Rules.
As an example, a covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can do so. However, this does not mean or imply that the HIPAA Rules no longer offer the same basic protections for patients’ confidential medical information that they were designed to provide. It simply makes the jobs of providers a bit easier while delivering the same level of service to patients suffering from COVID-19.
OCR will also no longer impose penalties against providers and their business associates for violations of certain provisions of the HIPAA Privacy Rule. This change covers good-faith uses and disclosures of PHI by business associates for public health and health oversight activities during the COVID-19 pandemic. It is designed to support federal public health authorities and health oversight agencies (such as the CDC and CMS), state and local health departments, and state emergency operations centers that need access to COVID-19 related data held by business associates. These partners can now share this data without risk of a HIPAA penalty.
Guest post by Scott Walters, client services, INetU.
Whether they are cloud providers, EHR services firms or SaaS providers, technology companies that market to healthcare organizations are considered “business associates” under HIPAA. In the past, that meant customers often asked them to sign agreements assuring that they were employing best practices and would provide breach notifications to help customers maintain compliance.
As of September 13, 2013, however, changes to the guidelines were implemented that mean technology providers are now directly liable to the U.S. Department of Health & Human Services (HHS) for securing any PHI they are entrusted with. In addition to the increase in accountability, this first-hand responsibility also brings technology providers under the threat of fines that can now reach well into the millions of dollars.
The Cost of a Breach
The HHS Office for Civil Rights (OCR), the main enforcement body for HIPAA, has been gradually increasing fines for organizations that violate HIPAA compliance. The penalties have totaled well into the millions, with several organizations in the past few years receiving fines in excess of $1.5 million from OCR. In fact, according to data from the Department of Health and Human Services, HIPAA-covered entities and now business associates have paid more than $18.6 million to date to settle alleged federal HIPAA violations with $3.7 million of that coming from organizations in the last year alone. On top of this, there are often state and private legal settlements involved.
The Massachusetts Eye and Ear Infirmary (MEEI) is among the organizations that have experienced dramatic penalties firsthand, incurring fines of $1.5 million in 2012 after the theft of a laptop from an MEEI doctor who was traveling to Asia ended up exposing PHI. Blue Cross Blue Shield of Tennessee also paid $1.5 million in the same year following a breach of 1 million patient records stemming from the theft of 57 unencrypted hard drives from a leased training facility.
These two examples not only show the potential cost of a breach, they also demonstrate a pattern that runs across many of the violations to date: many of the biggest healthcare and HIPAA breaches are caused by unencrypted data and local storage of PHI. As technology providers offer services to manage this type of data, the onus to meet HIPAA regulations is more frequently falling on their shoulders. The upside is that, with some forethought, SaaS and EHR providers have the opportunity to make their cloud services even more HIPAA-ready than their customers’ on-premises solutions.