The government, via the Office of the National Coordinator for Health IT (ONC), has issued a new set of guidelines on Privacy and Security of Protected Health Information. The update to the guidance was made for the most part to facilitate the interoperable exchange of healthcare data, but also to improve cybersecurity defenses and the understanding of HIPAA Rules, in addition to outlining the core objectives of Stage 2 of the Meaningful Use program.
The guidelines set out to explain why PHI must be protected and convey that HIPAA compliance is a responsibility shared by everyone employed in the healthcare industry. Advice is provided on how compliance can be achieved under the Health Insurance Portability and Accountability Act, and best practices are outlined that should be adopted by Medicare Eligible Professionals (EPs) and HIPAA-covered entities (CEs).
The guidelines were last updated in 2011, so an update has been long overdue, especially in light of the 2014 EHR Certification Rule which, like the HIPAA Privacy Rule, gives patients the opportunity to access their healthcare records.
Examples are provided of when the Privacy Rule applies and to whom PHI can be legitimately disclosed (and under what circumstances). The minimum necessary standard is also explained, detailing how much information should be provided.
It is hoped that by providing additional guidance the ONC will help to reduce healthcare data blocking, a practice which appears to be rife in the healthcare industry. The ONC has recently cited information blocking as causing serious problems for improving interoperability.
HIPAA Security Standards Explained
A significant portion of the guidelines relate to cybersecurity, and the efforts CEs must make in order to protect their organizations – and the PHI they hold – from coordinated attacks by hackers, as well as practical steps that can be taken to prevent other types of HIPAA data breaches. Further information is provided on data encryption, and when this is required under HIPAA Rules.
One of the aspects of compliance that causes CEs the most problems is the risk analysis, which is a requirement under the HIPAA Security Rule. Due to the number of non-compliance issues discovered by the OCR during the pilot audits, further guidance on this aspect of HIPAA is long overdue.
Advice is offered on how CEs should conduct a security risk analysis to check for vulnerabilities that could potentially be used by unauthorized individuals to gain access to PHI, and a seven-step process is described to help CEs manage any risks that are uncovered by their risk analysis.
Are you a Business Associate?
The guidance offers help for any vendor that is unsure whether it is classed as a Business Associate of a covered entity, and a number of examples are provided to help organizations determine whether they are covered under HIPAA Rules.
For instance, an example is provided in which a CE hires a company to turn accounting records from visits into coded claims for submission to an insurance company for payment. In this example the company is a Business Associate that is employed for payment purposes.
However, a contract cleaner employed to clean office facilities, including a room containing medical files, is not a Business Associate, as the job does not require access to PHI.
The guidance makes a distinction between two situations involving a web designer: one in which the vendor is considered to be a Business Associate and one in which the designer is not covered by HIPAA. A web designer employed only to improve the look and functioning of the site would not be covered under HIPAA Rules.
However, if that designer were tasked with improving patient access to their health information, such as by downloading information or entering data into the web forms, the designer would be classed as a Business Associate, as access to healthcare data would need to be provided.
The Penalties for Non-Compliance
Many healthcare providers and other CEs struggle with certain aspects of the current legislation governing the storage, transmission and use of PHI. The guidelines set out to explain these areas of confusion and provide information in a clear, easy-to-read format. The guidelines are essential reading for healthcare IT professionals and any individual granted access to PHI.
As well as covering CEs' responsibilities under HIPAA, the guidance also includes details of the penalties applied for not implementing the appropriate security standards.
Since the guidance is considered compulsory reading for all compliance, privacy and security officers, and responsibilities are explained clearly, there really are no excuses for healthcare providers and other CEs not implementing the appropriate security and privacy controls to safeguard PHI. As pointed out, the fines for non-compliance are real and are likely to be issued if CEs do not do enough to protect the data they hold on their patients and plan members. These fines can be as high as $1.5 million per violation, per year that the violation was allowed to persist.