Marc Haskelson

The provision of refresher training when there is a material change to policies and procedures is necessary to ensure all members of the workforce affected by the change are made aware of it. Refresher training only has to be provided to those the change affects; but, if the training relates to a change in HIPAA policies and procedures, the training must be documented and – where required by state law – attested to by those who attend. In addition, it is a best practice to provide annual refresher training to all members of the workforce so that those not directly affected by material changes to policies and procedures are made aware of them.

It is important that all members of the workforce receive ongoing security awareness training for two reasons. The first reason – that training is provided to all members of the workforce – is because an attacker can infiltrate a network via a device that does not have access to electronic PHI, and then move laterally through the network until they find a healthcare database to attack. The second reason – that training must be ongoing – is due to the evolving nature of cyberthreats. Members of the workforce must be informed about the latest threats, how to recognize them, and how to report them.

HIPAA Authorization Forms have to comply with §164.508 in order to be valid. If a HIPAA Authorization Form lacks the core elements or required statements, if it is difficult for the individual to understand, or if it is completed incorrectly, the authorization will be invalid and any subsequent use or disclosure of PHI made on the reliance of the authorization will be impermissible. For this reason, members of the workforce responsible for obtaining valid authorizations must be trained on the implementation specifications of this standard. HIPAA Authorization Forms must be stored for a minimum of 6 years.

The requirement to have a security management process is the first standard in the HIPAA Security Rule’s Administrative Safeguards. The process must consist of at least a risk analysis, an actioned remediation plan, a sanctions policy, and procedures to regularly review information system activity. All analyses, remediation plans, sanctions, and reviews must be documented. Documentation must be stored for at least 6 years, either physically on paper on via HIPAA compliance software.

There are many examples of when it may be necessary to retrieve documentation within a specific timeframe to comply with HIPAA. The most common is when an individual requests access to their PHI maintained in a designated record set. Less common examples include when an individual wishes to revoke an authorization or when HHS’ Office for Civil Rights requests documentation to resolve a HIPAA complaint. In most cases, the documentation has to be provided within 30 days.

It is necessary to monitor business associate compliance because a covered entity can be held liable for a violation of HIPAA by a business associate if the covered entity “knew, or by exercising reasonable diligence, should have known” of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligations under the HIPAA Business Associate Agreement.

It is important to identify partners and vendors that qualify as business associates because when a service is provided for or on behalf of a covered entity that involves the creation, receipt, maintenance, or transmission of PHI, a HIPAA Business Associate Agreement has to be entered into which stipulates the permitted uses and disclosures of PHI by the business associate, both parties’ compliance obligations, and other terms that may apply.

The application of sanctions is important to ensure members of the workforce do not take compliance shortcuts “to get the job done”, and the shortcuts deteriorate into a culture of non-compliance. The sanctions applied should be relevant to the nature of the violation. For example, a verbal warning and/or refresher training may be appropriate for a minor violation, while repeated or more serious violations should attract harsher sanctions. The application of sanctions must be documented and records stored for at least 6 years, either physically in paper records or with HIPAA compliance software.

A HIPAA Notice of Privacy Practices advises patients and plan members of their privacy rights, how the organization can use or disclose PHI, and how an individual can complain if they believe their privacy rights have been violated or their PHI has been used or disclosed impermissibly. Notices must be reviewed and amended as necessary whenever a material change affects either an individual’s rights or how PHI can be used or disclosed. They must then be re-distributed and/or re-displayed in accordance with §164.520.

Members of the workforce must know how to respond to patient access and accounting requests – even if it is to direct the request to the HIPAA Privacy Officer – because the primary reason for complaints to HHS’ Office for Civil Rights in recent years has been the failure to respond in the time allowed with the information requested. At present, the majority of HIPAA enforcement activities focus on non-compliance with the patients’ rights standards of the HIPAA Privacy Rule.

The documentation and record keeping of every HIPAA training session is important for two reasons – so that covered entities can keep up to date with which members of the workforce have received what training in the event of transfers or promotions, and so that covered entities can demonstrate the training has been provided in the event of an OCR compliance investigation. Workforce attestation is also required by some state laws with more stringent privacy protections than HIPAA.

The healthcare sector and healthcare records in particular is often targeted by hackers due to the billing details contained in medical records and ransomware value of the personal information in Protected Health Information. Email is one of the most common attack vectors. It is important healthcare staff know how to identify malicious software and phishing emails because the detection capabilities of security software are often limited to how the software is configured and how frequently it is updated. Even the best security software can allow threats to evade detection and, when this happens, users need to be able to identify the threat and report it so other users do not (for example) open a malicious attachment or interact with a phishing email.

The Administrative Requirements of the Privacy Rule (§164.530) requires covered entities to train all members of their workforces on the policies and procedures developed to comply with the Privacy and Breach Notification Rules. Naturally, the sooner training is provided, the less chance there is of an inadvertent impermissible disclosure due to a lack of knowledge. It is important to note that training must be provided even if a new member of the workforce has held a similar role in a previous position and that some states have mandatory time frames within which training must be provided (for example, in Texas, training must be provided within 90 days).

It is necessary to prove the breach notification requirements are complied with to ensure covered entities and business associates do not overlook notifying individuals in the required timeframe when submitting an annual breach report to HHS’ Office for Civil Rights for breaches affecting fewer than 500 individuals. Some organizations have delayed notifying individuals about data breaches, increasing the risk of individuals’ data being used to commit identity theft or fraud before individuals have the opportunity to protect themselves from such events. The burden of proof standard mitigates the likelihood of individuals being overlooked.

While many types of impermissible uses and disclosures, data thefts, and unauthorized access events are clearly notifiable breaches, there are also many types that are not. If it can be determined that an impermissible use or disclosure does not qualify as a notifiable breach by using the exclusion criteria in §164.402, it will not be necessary to comply with the breach notification requirements – saving organizations time and money, and a potential compliance review by HHS’ Office for Civil Rights.

Although it is not a requirement of HIPAA to provide an anonymous reporting channel, members of the workforce should be encouraged to speak out when they believe a violation of HIPAA has occurred in order that the incident can be investigated and corrected if necessary. It is felt (although cannot not proven) that anonymous reporting channels generate more reports because members of the workforce feel protected against retaliation. However, if an anonymous reporting channel is provided, it needs to be used in compliance with HIPAA, and any PHI contained within the anonymous report has to be safeguarded against unauthorized access, loss, and theft.

It is important to execute HIPAA-compliant Agreements with business associates because if an Agreement does not comply with the relevant standards it is invalid. If an Agreement is invalid, covered entities are not permitted to disclose PHI to the business associate, and any disclosure of this nature would represent a violation of HIPAA.

It is important for organizations to monitor changes to transaction code systems for two reasons. The first is that using out-of-date transaction codes can result in delays to (for example) authorizations and payments. The second reason is that organizations who persistently use out-of-date transaction codes can be reported to CMS – which has the authority to enforce Part 162 of HIPAA via corrective action plans and financial penalties.

The National Provider Identifier identifies your organization or subparts of your organization in Part 162 transactions. It is important that NPIs are used correctly in (for example) eligibility checks and authorization requests to prevent delays in responses to requests for treatment. It is also important that NPIs are used correctly in claims and billing transactions to make sure payments are received on time.

Automatic logoff capabilities are important to prevent unauthorized users from accessing ePHI when a device is unattended. Additionally, if a device is lost or stolen, the device cannot be used to access ePHI without the login credentials being known and used.

It is important that login credentials and passwords are not shared for systems that contain ePHI because, if multiple users are using the same access credentials, it will be impossible to determine when specific users access ePHI. As well as eliminating the usefulness of audit logs and access reports, if a system has been configured to reject multiple logins using the same credentials, it could result in users being blocked from accessing ePHI when necessary, or the system being corrupted.

The requirements to implement and test a data backup plan, an emergency mode operations plan, and a disaster recovery plan fall within the contingency plan standard of the Security Rule (§164.308). These requirements are designed to ensure the integrity and availability of ePHI in the event of a natural or manmade disaster.

Information access policies should make sure that the right people have access to the right level of ePHI at the right time. This means the policies have to be sufficiently flexible to support changing roles, promotions, and time off due to (for example) a suspension or maternity leave. The policies should also include procedures for terminating access to ePHI when a member of the workforce leaves so the departing individual cannot access the organization’s ePHI remotely.

The reason it is necessary to have procedures in place to respond to patients exercising their HIPAA rights is that some rights are susceptible to exploitation. For example, procedures should be in place to verify the identity of patients, review confidentiality requests, and determine if a request is being made to support an abusive, deceptive, or harmful activity.

The minimum necessary standard (§164.502(b) and §164.512(d)) requires that only the minimum necessary information is used or disclosed to achieve the purpose of the use or disclosure. This is to better protect the privacy of individually identifiable health information. However, the standard does not apply in every circumstance, and covered entities that apply the standard too rigidly could encounter communication challenges or, in some cases, be in violation of other HIPAA regulations.

Although covered entities and business associates have many similar HIPAA compliance obligations, some regulations apply differently to each type of organization depending on the nature of their activities. If you qualify as a covered entity, and you also provide services to other covered entities as a business associate, it will be necessary for you to complete the assessment twice.