Lawyer offers tips for HIPAA compliance
In a year where "compliance and enforcement is really where the action is going to be," it might help to have some advice on how to keep on the right side of patient privacy law.
That promise, delivered this past week at HIMSS14 by Susan McAndrew, deputy director for health information privacy at HHS' Office for Civil Rights, served notice to health organizations and their business associates that fines – potentially big ones – were in the offing in 2014 for those who don't comport with the new HIPAA omnibus rule.
But attorney James Wieland, principal at Ober|Kaler's Health Law Group, also had some helpful hints for those who might still be unclear on some of the rule's more obscure aspects. He sought to give some advice on the "things causing interest and confusion in the minds of the clients I take care of." Among his tips:
- Rights to electronic access are just as important as rights to privacy. "The rights of the consumer are now more and more exercised because more records are stored in electronic form, and more and more people in all age ranges are aware of their access rights," said Wieland – who reminded providers that "you can charge for the media if you provide it. Most providers will not let someone else's thumb drive go into their system, so the ones I know will typically buy (USB drives) in bulk and just make them available at cost. You are within your rights to do that."
- Explicit approval is needed any time PHI is transferred, even if it's at the patient's request. "If you get directions or requests from an individual to transfer their personal health information to a third party, you must get them to clearly state it -- in writing -- or you will be at risk," he said. "And I would recommend that if it's through a non-secured means, such as transmittal over the public Internet, you get a consent or acknowledgement from the individual that says, 'I understand the risks of sending this in non-encrypted form.'"
- The importance of a "real, demonstrable risk assessment" cannot be overstated. This particularly goes for "providers that do not have their own in-house IT staff, that may be relying on a vendor to provide the security," said Wieland. "It is one of the first things in the current environment of enforcement that OCR will ask for if you're investigated for any kind of breach. I tell small providers they can do it themselves, but I direct them to a copy of the first annual guidance, published almost two years ago. It goes through, in detail, about just what OCR expects in terms of risk analysis: It's a thorough review of where PHI flows within your organization and a stratification of the risks, and a mediation plan."
- Beyond avoiding fines, meaningful use dollars depend on it. "For reasons that have always eluded me, meaningful use has one thing that has nothing to do with EHRs, and has been the subject of a great deal of meaningful use audits – and that's having your risk assessment that includes the electronic health record system," he said. "The other thing to note is that under meaningful use, as opposed to under HIPAA, you have to do that every year. With HIPAA, you have to do it when you have major changes in migration."
- Know your user settings. "The other thing to watch out for, in terms of boy-is-my-face-red-oops-what-did-I-do, is user settings," said Wieland. "You've got to be careful to control and monitor what settings your sweet, innocent users can alter – and turn them off if they're not appropriate."
"The old rule – why change it?" he asked. The simple reason is "the sea change that has happened since the interim rule was published – the rise of electronic media, of electronic transport and the concomitant rise of loss of data. I think there was good reason to tighten up the rule."
Another "major motivation" was that "OCR and the Secretary perceived people were being too liberal under the old rule," said Wieland. "And when you look at it, there really is a difference between a subjective analysis of, 'Can the individual be harmed?' and an analysis of, 'Has the information been compromised?' Because compromise is something that is much more objective."
Some people have argued that, despite all the attention it's gotten in the past year or so, HIPAA "hasn't really changed much," he said. "I would suggest otherwise. I would suggest (processes) must be much more analytically rigorous and much better-documented."
Toward that end, Wieland added one more thought on breach notification: "Always remember that, even if you don't have to send a notice, it's subject to accounting. And while individuals have not necessarily been aggressive in getting accounting, if they do, when they see this and make a complaint, and you haven't filed, or don't have a rigorous, defensible analysis of why it wasn't called a breach, you could be in, uh, I think the legal term for it is 'deep doodoo.'"