The Health Insurance Portability and Accountability Act, known as HIPAA, was enacted in the United States in 1996. The legislation creates data security and privacy requirements for safeguarding medical information. In recent years, HIPAA compliance has become a hot button issue for software developers in the healthcare space, as a number of high profile data breaches compromised millions of patient records across the country.
If you’re developing an eHealth or mobile health app, it is vital that you determine whether your software could be subject to the requirements of HIPAA for medical software applications. Failure to do so could subject you to thousands or even millions of dollars of liability if the use of your application results in an unauthorized disclosure of health information that is protected under HIPAA. Here’s how to tell whether HIPAA applies to you, and how to know if your software is HIPAA compliant.
Does HIPAA apply to me?
Before you start worrying about compliance with the security and privacy requirements of HIPAA, you should determine whether they apply to you and your organization. Both the HIPAA privacy rule and the HIPAA security rule apply to all covered entities under HIPAA, such as health plans, healthcare clearinghouses and healthcare providers. The website of the Centers for Medicare & Medicaid Services offers a Covered Entity Guidance Tool that can help you determine whether your organization is a covered entity.
HIPAA was expanded in 2009 with the introduction of the HITECH Act and again in 2013 with the HIPAA omnibus rule which clarified the responsibilities of business associates of covered entities when it comes to managing privacy and security of patient records. Further guidance was issued in 2016 indicating that cloud service providers would also be covered by the HIPAA privacy, security and breach notification rules.
Software developers in the healthcare space need to tread carefully here – the original regulations of HIPAA that deal with covered entities probably won’t apply to most organizations creating eHealth or mobile health products, but if your app will manage protected health information and share it with any covered entities, such as health plans or doctors, then HIPAA applies to you and you must comply.
If your software collects protected health information from patients but does not share it with a doctor or another covered entity at any point, the HIPAA rules won’t apply to you and you don’t need to worry about compliance.
Required safeguards for software HIPAA compliance
The available data indicates that while theft of computing hardware was the primary cause of healthcare data breaches in 2017, the weakness most often exploited was the health IT network itself. For software developers, the HIPAA security rule is the most likely source of compliance issues. The rule mandates three types of safeguards that protect patient data – administrative, physical, and technical. In creating these safeguards, software developers must build a secure application in which authorized personnel can access the patient information they need while unauthorized persons cannot. Patient information must also be protected from alteration or destruction.
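The two properties that paragraph names, access limited to authorized personnel and protection against alteration, are the parts of the security rule a developer can enforce in code. The following is an added example, not code from the original article or from any HIPAA guidance: a minimal PHI store with per-field role-based access control, an audit trail of every access decision, and an HMAC tag over each record so that out-of-band modification is detected. The roles, field names, patient identifiers and the integrity key are all constructed for illustration.

```python
"""Added example: a minimal PHI store enforcing authorized-only access and
tamper detection. Roles, fields, records and the key are constructed."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed role -> permitted fields. Each role sees only what its job needs:
# nurses do not read diagnoses, billing staff reads only the billing code.
ROLE_PERMISSIONS = {
    "registrar": {"read": {"name", "billing_code"}, "write": {"name", "billing_code"}},
    "physician": {"read": {"name", "diagnosis", "medications"}, "write": {"diagnosis", "medications"}},
    "nurse":     {"read": {"name", "medications"}, "write": {"medications"}},
    "billing":   {"read": {"name", "billing_code"}, "write": set()},
}


class AccessDenied(PermissionError):
    pass


class IntegrityError(ValueError):
    pass


class PhiStore:
    """Patient records with per-field RBAC, an append-only audit log and an HMAC tag."""

    def __init__(self, integrity_key: bytes):
        self._key = integrity_key
        self._records = {}      # patient_id -> {"data": dict, "tag": hex digest}
        self.audit_log = []     # every access decision, allowed or denied

    def _tag(self, patient_id, data):
        # Canonical JSON so the tag does not depend on dict ordering.
        payload = json.dumps({"id": patient_id, "data": data}, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def _audit(self, user, role, action, patient_id, outcome, fields):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action,
            "patient": patient_id, "fields": sorted(fields), "outcome": outcome,
        })

    def _check(self, user, role, action, patient_id, fields):
        # Deny if any requested field is outside the role's permission set.
        allowed = ROLE_PERMISSIONS.get(role, {}).get(action, set())
        denied = set(fields) - allowed
        if denied:
            self._audit(user, role, action, patient_id, "denied", denied)
            raise AccessDenied(f"{role} may not {action} {sorted(denied)}")
        self._audit(user, role, action, patient_id, "ok", fields)

    def _get_verified(self, patient_id):
        if not self.verify(patient_id):
            raise IntegrityError(f"record {patient_id} failed integrity check")
        return self._records[patient_id]

    def create(self, user, role, patient_id, data):
        self._check(user, role, "write", patient_id, data.keys())
        self._records[patient_id] = {"data": dict(data), "tag": self._tag(patient_id, data)}

    def read(self, user, role, patient_id, fields):
        self._check(user, role, "read", patient_id, fields)
        rec = self._get_verified(patient_id)
        return {f: rec["data"].get(f) for f in fields}

    def update(self, user, role, patient_id, changes):
        self._check(user, role, "write", patient_id, changes.keys())
        rec = self._get_verified(patient_id)
        rec["data"].update(changes)
        rec["tag"] = self._tag(patient_id, rec["data"])

    def verify(self, patient_id):
        rec = self._records[patient_id]
        return hmac.compare_digest(rec["tag"], self._tag(patient_id, rec["data"]))


def demo():
    """Walk through the controls on a constructed record and return the outcomes."""
    store = PhiStore(integrity_key=b"constructed-demo-key-not-for-production")
    store.create("reg01", "registrar", "p-100", {"name": "Pat Example", "billing_code": "B12"})
    store.update("dr01", "physician", "p-100",
                 {"diagnosis": "hypertension", "medications": ["lisinopril"]})
    out = {"nurse_view": store.read("rn01", "nurse", "p-100", ["name", "medications"])}
    try:
        store.read("rn01", "nurse", "p-100", ["diagnosis"])
        out["nurse_diag_denied"] = False
    except AccessDenied:
        out["nurse_diag_denied"] = True
    out["intact"] = store.verify("p-100")
    # Simulate a modification that bypasses the API (e.g. a direct edit of storage).
    store._records["p-100"]["data"]["diagnosis"] = "none"
    out["tampered_detected"] = not store.verify("p-100")
    out["denied_events"] = sum(1 for e in store.audit_log if e["outcome"] == "denied")
    return out


if __name__ == "__main__":
    print(demo())
```

The audit log records denied attempts as well as successful ones, which is what an investigator needs after a suspected breach; the HMAC key would in practice live outside the data store, since a tag computed with a key the attacker can also read proves nothing.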
Administrative safeguards ensure that the administrators who have access to the data act responsibly. If your software stores medical data, anyone with access to that data must be authorized and trained on the ethical and legal requirements of that access. Administrative safeguards include:
Security management process
Information access management
Workforce training and management
Physical safeguards help to mitigate data breaches by ensuring that only authorized users can access the facilities and machines where protected health information is stored. Physical safeguards include managed policies for:
Facility access and control
Workstation and device security
Technical safeguards present the greatest challenge for software developers building HIPAA-compliant products, as software bugs represent the best opportunity for data attacks against your organization. HIPAA does not detail exactly what firewalls, anti-malware devices or encryption tools should be used to secure your software against a data breach, but it does indicate the need for several types of controls:
Vice President Joe Biden recently took the stage at Health Datapalooza in Washington, D.C. to discuss where healthcare technology currently stands, and he didn’t hold back. Among other things, he chastised the industry for poor health IT system interoperability and the resulting difficulties it causes providers and patients. “We have to ask ourselves, why are we not progressing more rapidly?” Biden lamented.
Biden’s criticism is only the latest high-profile commentary about the unfulfilled promise of information technology in healthcare. AMA leaders and individual physicians have been grousing about it for years. We’ve seen technology increase efficiency, reduce costs and improve productivity in every other industry – but why not healthcare?
Ironically, seven years after the passage of the HITECH Act of 2009, doctors are less productive than they were before, and IT is the culprit. Rather than enabling a better, more streamlined workflow, IT has become a burden.
The drag that IT is placing on healthcare providers is a principal reason why U.S. Health and Human Services (HHS) Secretary Sylvia Burwell announced with great fanfare at the HIMSS16 conference an “interoperability pledge,” which vendors and providers alike are encouraged to take. Its purpose in part is “to help consumers easily and securely access their electronic health information, direct it to any desired location, learn how their information can be shared and used, and be assured that this information will be effectively and safely used to benefit their health and that of their community.”
This call resonates because the promise of better healthcare through technology has been broken. Technology has changed the way we communicate, the way we shop, the way we watch TV, the way we drive, and the way we interact with our homes. As an industry, healthcare is lagging way behind. The consequences are drastic. In order for us to deliver the kind of holistic care that will truly improve people’s health, it’s time not only to talk about the potential, but to make it a reality for users and providers across the healthcare continuum.
Here’s the reality: we have today what 10 years ago was called a supercomputer in front of physicians – a device that knows virtually everything about the patient – but it isn’t helping out in ways that we take for granted in our everyday lives when we shop online, use Google Maps or order an Uber.
It isn’t that doctors aren’t skilled, intelligent or capable enough—it is that the demands being placed on them are too great.
Time and documentation demands mean that something has to give. As many physicians have pointed out over the years of the HITECH Act’s implementation, the thing that normally “gives” is facetime with patients: actual, hands-on delivery of care and attention. Instead, they are driven to input data for documentation, follow prompts on EHR interfaces, ensure their record-keeping practices will facilitate correct coding for billing, as well as tip-toeing around HIPAA and the explosion of security and privacy vulnerabilities opened up by the shift to digital.
The reality of modern medicine—and especially the rate at which it evolves, grows, and becomes outdated—means that doctors need what most every other industry has already integrated: more brains. Not simply in the form of EHRs for record-sharing, or voice-to-text applications as a substitute for transcriptionists, but as memory-supplements, or second brains.
As a species, humans are also evolving away from memory as a critical element of intelligence, because we now have devices—“smart” devices—always on, always on us, and always connected to the ultimate resources of facts and data.
Our smart devices—phones, tablets, etc.—are gateways to the whole of human knowledge: indexes of information, directories of images, libraries of question-and-answer exchanges. In effect, we are increasingly able and willing to offload “thinking” onto these devices.
Supplement or Supplant?
Depending on the context and application, this trend is both helpful and potentially harmful. For those prone to critical thinking and equipped with analytical skills, offloading some elements of memory to these devices is a question of efficiency. Even better, the more they practice using it, the more effective they become at integrating devices into their cognitive tasks. In others (those less prone to think critically), it is a shortcut that reduces cognitive function altogether: rather than a cognitive extension, the devices act as substitutes for thinking. Similarly, increasing over-reliance on the internet and search engines further diminishes already deficient analytical skills.
The standard roadmap for a medical education entails a lot of memorization—of anatomy, of diseases, of incredible volumes of data to facilitate better clinical performance. It isn’t memorization simply for the sake of recitation, though; it is the foundation for critical thinking in a clinical context. As such, medical professionals ought to be leading candidates for integrating smart devices not as crutches, but as amplifiers of cognition.
So far, that has been far from the dominant trend.
Enter the Machine
Integrating computers as tools is one thing, and even that has proven an uphill battle for physicians: the time and learning curve involved in integrating EHRs alone has proven to be a recurring complaint across the stages of Meaningful Use and implementation.
Patient engagement—another of the myriad buzzwords proliferating in the healthcare industry lately—is another challenge. Some patients are bigger critics of the new, digitally driven workflows than the most Luddite physicians. On the other hand, some patients are at the bleeding edge of digital integration, and find both care providers and the technology itself moving too slowly.
Last fall, the provisions governing Business Associate Agreements under the HITECH law went into effect. Many covered entities used templates and models offered by professional societies and the Department of Health and Human Services, but it’s becoming increasingly clear that the “model” agreements were simply a stopgap measure, and that organizations that use BAAs need to conduct ongoing reviews of the documents and customize the language to meet the individual needs of their company.
The need for ongoing reviews of business associate agreements stems from an increased focus on compliance, and from audits by the Office for Civil Rights (OCR) in DHHS. In the past, HIPAA compliance audits were limited to specifically covered entities, such as doctors’ offices and hospitals. Using HIPAA-compliant providers like healthcare fax companies to transmit protected data over their encrypted servers has been the best way for healthcare professionals to avoid audit issues.
However, the provisions of HITECH allow for audits of subcontractors as well, ensuring that they too are complying with the privacy and security policies of the act. Essentially, then, a business associate agreement serves as an agreement by the subcontractor that it will adhere to the rules and standards of HIPAA — and they understand the consequences of noncompliance.
Some argue that the notion of business associate agreements is outdated, given that HITECH holds all subcontractors who have access to HIPAA-protected data to the same privacy and security standards as the covered entity itself, even without the written agreement. The law still states, though, that covered entities must negotiate and maintain compliant BAAs with the companies that have access to their data — even those that may not directly have access to the data.
The simple fact that the OCR is conducting audits of business associate agreements and the companies covered by the agreements, highlights the importance of maintaining up-to-date and comprehensive agreements — meaning that the “boilerplate” agreement that you signed to meet the basic compliance standards may not be enough at this point.
Considerations for Review
Since it’s been a year since the new provisions went into effect, it’s very likely that your BAAs are reasonably up-to-date, and in compliance with the laws. That being said, if you used a template, or you only made minor changes to existing agreements, it’s best to review the agreements you have on file to ensure they comply with current law.
Many experts agree that BAAs should be reviewed at least once a year or more often if they expire, or if there are significant changes to the business relationship.
When reviewing your business associate agreements, there are a few key points to pay close attention to:
It has only been about two generations since traveling medicine shows were common forums for medical information. Phony research and medical claims were used to back up the sale of all kinds of dubious medicines. Potential patients had no real method to determine what was true or false, let alone know what their real medical issues were.
Healthcare has come a long way since those times, but just as patients of the past did not know the composition of their medical concoctions or what ailed them, patients of today’s digital age still don’t know what is in their medical records. They need transparency, not secret hospital-vendor contracts and data blocking, like the practices being questioned by the New York Times. One patient, Regina Holliday, resorts to using art to bring awareness to patients’ lack of access to their own medical records.
There are many reasons patients want access: second opinions, convenience, instant access in a medical emergency and right of ownership—I paid for them, I own them. Other reasons patients need to view their records are accuracy and validity. Inaccurate record keeping has even led the ECRI Institute to cite incorrect or missing data in EHRs and other health IT systems as the second highest safety concern in its annual survey, outlining the Top Ten Safety Concerns for Healthcare Organizations in 2015.
Healthcare system executives, from CIOs to CEOs are very aware of the increasing requirements from patients asking for their records and the various state and federal laws that come into play. However, they are also aware that by making it too easy for patients to access records they risk liability and HIPAA issues. They also don’t want to provide documents that can easily enable cost comparisons or raise questions about charges.
Riding the wave of interest in accessing personal medical records are organizations like GetMyHealthData.org. The organization was founded in June 2015 as a collaborative effort among leading consumer organizations, healthcare experts, former policy makers and technology organizations that believe consumer access to digital health information is an essential cornerstone for better health and better care, coordinated by the National Partnership for Women & Families, a non-profit consumer organization. On July 4 it launched #DataIndependenceDay to create awareness of the HIPAA law, which states that patients must be granted access to their health information with very few exceptions. An update to those laws that was finalized in 2013 extends these rights to electronic health records.
Despite the introduction of personal health records (PHRs), Blue Button technology and product introductions from blue chip technology leaders, such as Microsoft and Google, there has been no significant, unifying technology to ignite pent-up consumer demand for their medical records. This lackluster interest and ongoing interoperability issues might be the unifying force that drives many consumers to consider Personal Health Information Exchanges (PHIEs) as an alternative to EHRs and Health Information Exchanges (HIEs) that unnecessarily duplicate data and risk HIPAA violations.
Will PHIEs Ignite the Patient Record Access Movement?
Frost & Sullivan, in its research report, “Moving beyond the Limitations of Fragmented Solutions Empowering Patients with Integrated, Mobile On-Demand Access to the Health Information Continuum”, identifies personal health information exchanges (PHIEs). They are described as providing individual patients, physicians, and the full spectrum of ancillary providers with immediate, real-time access to medical records, regardless of where they are stored, by using an open API.
The PHIE can provide access to the entirety of an individual patient record, regardless of the number of sources or EHR systems in which the patient data resides. This technology is made possible through fully interoperable integration servers that can access any EHR system with available APIs and portray the integrated data in a viewable, secure and encrypted format on a mobile device.
By leveraging the powerful simplicity of open APIs, PHIE technology can also access medical records in a way that is much more comprehensive than the closed EMR portals commonly used by doctors’ offices. Despite their pervasive use, these portals are cumbersome and expensive for patients to use. The portals also suffer from the same lack of interoperability that plagues hospital EHR systems.
How many doctors have you seen in your lifetime? Don’t know or remember? You’re not alone – the average American patient will see nearly 19 different doctors during their lifetime. Nineteen different offices. Nineteen different medical charts. Nineteen different phone numbers. Nineteen different calls to track down your records. Now, can you even remember your last five doctors?
The future: Imagine this, you visit your doctor – or any doctor for that matter – and they quickly pull up your medical history. Vaccinations when you were a child? Check. Currently on a hypertensive medication? Check. Pre-disposed to a medical condition? Yep, that’s in there, too. No more arriving 20 minutes early to the doctor’s office to fill out the industry-average seven pages of paper forms. Your records – past and present – are already being reviewed by your trusted provider.
Beyond the sheer convenience, the accuracy and completeness of having your entire medical history available at the fingertips of your provider can impact your well-being and scope of care. Can you accurately remember all procedures you’ve had? And when? Or all the medications you’ve ever taken? With dates? Imagine if you were a senior. Not just daunting, but nearly impossible. Instead of going over just snippets of what you actually remember, your doctor is empowered to holistically review your entire medical history with the potential to make more informed decisions about your health.
Seem like a pipedream? If you had asked a mere decade ago, most would have agreed. As recently as 2007, 88 percent of physicians were still charting on paper. And those physicians on an EHR system – who were paying a premium – were almost exclusively using a localized, server-based platform with no connectivity. For cost perspective, according to HealthIT.gov, the average upfront cost of implementing an EHR is $33,000 per provider plus an ongoing fee of $4,000 yearly, a cost-prohibitive amount for most private practices.
Fast forward to 2009 and the passage of the HITECH Act which provided billions of dollars of incentives for providers to implement an electronic health record. In addition to the incentives, new vendors appeared on the market who provided electronic health record platforms completely free-of-charge, allowing providers to reinvest the incentives in their practice as additional staff, new equipment, etc.
Guest post by Michael Simpson, CEO of Caradigm.
It’s been five years since the HITECH Act was enacted as part of ARRA, and while there’s still a lot of debate about the technical details, rules and timelines involved with electronic health record (EHR) adoption and meaningful use, it’s clear that the focus on EHRs – and incenting hospitals and professionals to use EHRs in a meaningful way – represents a critical, foundational step in transforming health care in this country.
After all, meaningful use targets the right goals – goals that every hospital, health system and healthcare professional supports, including improved quality, safety and efficiency of care; reduced disparities; more engaged patients and families as core members of the care team; improved care coordination and population health; and more secure patient health information.
More important, the stages of meaningful use drive a set of progressively more advanced capabilities that are fundamental to achieving those goals. Digitizing data was the first critical step, and the good news is that according to a recent HHS press release, about 60 percent of all hospitals have adopted an advanced EHR, leaving the paper world behind. The next steps are sharing that data – securely – among providers and patients, reporting on quality to understand and improve it, using clinical decision support at the point of care, and many other capabilities critical to transforming care and outcomes. If providers and professionals meet meaningful use requirements, we should see more transparency, greater efficiency, reduced waste and more healthy people in our communities over time.
Stage 2 Challenges
It’s a long and challenging journey, and while hospitals and health systems are making good progress against Stage 1 requirements, very few are prepared for Stage 2. In fact, according to survey data from the American Hospital Association, fewer than 6 percent of hospitals have met the criteria for Stage 2, and only 10 percent have met the requirement for patients to be able to view, download and transmit their health information online.
Why are providers getting stuck as they try to move to Stage 2? Because as the requirements become more demanding – e.g., using clinical decision support, generating patient lists, protecting patient health information, engaging patients – these organizations need a new set of technology capabilities to meet those requirements. These capabilities leverage and extend the functionality and benefits of the EHR.
Moreover, to reach the ultimate goals targeted by Meaningful Use — improved quality, efficiency, outcomes and population health — providers will need to aim even higher than meeting the requirements of meaningful use stages, strategically using data from EHRs and myriad other systems across the care continuum to enable a new level of capabilities.
NueMD, provider of cloud-based medical practice management software for small practices, in partnership with Porter Research and the Daniel Brown Law Group, surveyed practices and business associates about HIPAA compliance and how small practices and billing companies are coping. The survey of about 1,200 healthcare professionals, conducted during October 2014, found medical practices and billing companies are struggling to comply with regulations under the Health Insurance Portability and Accountability Act.
“Understanding HIPAA can be difficult for practices and billing companies, especially if they’re already scrambling to keep up with changes like ICD-10 and meaningful use,” said Caleb Clarke, sales and marketing director at NueMD, in a statement. “With audits looming, we wanted to get a sense of where the industry stands and provide resources to help those who may be struggling.”
NueMD surveyed practices and billing companies in all 50 states; most of the practices were small and made up of one to three providers.
In a nutshell, the survey found that:
66 percent of respondents were unaware of HIPAA audits (a staggering number)
35 percent of respondents said their business has conducted a HIPAA-required risk analysis
34 percent of owners, managers and practice administrators reported that they were “very confident” that their electronic devices that contain PHI were HIPAA compliant
24 percent of managers, owners and practice administrators at medical practices reported that they’ve evaluated all of their business associate agreements
56 percent of office staff and (non-owner) care providers at practices said they’ve received HIPAA training in the last year
HIPAA is one of the primary and most comprehensive government regulations affecting the daily activities of every healthcare organization.
Signed into law in 1996, the law outlines policies to protect sensitive patient data and penalties for those who don’t comply. Recent updates under the HITECH act introduced several changes that affect the responsibilities and liabilities of covered entities and business associates.
Enforcement against breaches is occurring at a more rapid pace. HITECH extended certain HIPAA security and privacy requirements and set the stage for greater enforcement, including:
Widening the scope of the law, requiring health information exchanges to be business associates of healthcare entities, and applying HIPAA privacy and security requirements directly to the HIEs.
Greater penalties for noncompliance.
Redirecting civil monetary penalties back into enforcement activities instead of into the general fund. This provides additional funds for future enforcement and incentivizes proactive enforcement activities.
Adding breach notification requirements to entities that operate personal health records or otherwise maintain personal health information for purposes other than healthcare delivery or payment.
Opening the way for enforcement by states’ attorneys general.
Also, the HITECH Act incentivizes a more aggressive pursuit of HIPAA, which means it’s more likely that healthcare organizations will now be audited more regularly.
Since the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law in February 2009, rural, community and critical access hospitals have been turning to electronic health record (EHR) systems to receive significant incentive payments based on meeting meaningful use regulations. However, the impact on workflow makes achieving a return on investment (ROI) after implementation challenging. Additionally, the burden of meeting federally mandated deadlines such as meaningful use is placed on these hospitals’ small IT departments.
According to a 2014 HIMSS Analytics survey, 83 percent of healthcare providers are using cloud services. Compared to server-based networks, the cloud is especially beneficial to rural hospitals because of the lower upfront, implementation and maintenance costs, resulting in increased ROI. The cloud system’s pay-as-you-use method removes the need for expensive hardware, and the accessibility and security of patient records improves efficiency and patient care, allowing hospitals to prove they are meaningfully using EHR technology.
Implementation and Maintenance
Because of budgetary restraints, rural hospitals typically have outdated technology and some areas do not even have computers. Recently, I visited a hospital with only one computer on each floor and no EHR system in place at all. Because of this, these hospitals must implement user-friendly healthcare technology that is easily deployed across the network, even for clinicians with limited or no experience in a high-tech environment. This type of easy-to-use EHR system not only improves patient care, but also helps hospitals qualify for federal incentive payments. However, time is running out. Hospitals only have one more year to receive incentives for being MU compliant. After this timeframe they not only won’t receive payments, but they will be penalized financially for not meeting regulations, which is especially detrimental to smaller hospitals.
Cloud-based solutions allow hospitals to deploy EHR systems quickly and at a lower cost. While server-based EHR systems can cost $40,000 or more, a cloud network does not require any hardware to be installed on-site. Therefore, upfront, implementation and maintenance costs are much lower than for a server-based solution. Less hardware means less opportunity for failure – thus, maintenance costs decrease drastically, and the lifespan of a cloud-based system is much longer than that of a physical server solution.
Guest post by Barry P. Chaiken, MD, FHIMSS, chief medical information officer at Infor.
In many ways healthcare is like a symphony orchestra. Although information technology can enhance care planning, assist in medication administration and reduce duplicative testing, it cannot replace the people required to deliver care services to patients. Nurses are needed to administer medications, therapists are needed to provide treatments, and physicians are needed to diagnose illnesses and provide treatment plans. On average, hospitals devote close to 70 percent of their budget to labor costs. Until robots replace humans in the delivery of patient care, selection of the proper skill mix and number of professionals remains a significant factor that determines cost in provider organizations.
Although information technology cannot replace the staff delivering care to patients, it can assist organizations in choosing the best talent available, help develop that talent and determine the best way to utilize the skills of these professionals.
To identify the best talent, information technology tools allow the extraction of an employee’s “behavioral DNA” – the measurement of behavioral, cognitive and cultural traits. Organizations then compare this prospective employee’s “DNA” to the “DNA” of existing high performing employees within the organization in an effort to identify individuals who possess a high probability of excelling within the organization.