The Health Insurance Portability and Accountability Act (HIPAA) has been a headache for the majority of physicians since it came into force back in 1996. However, the release of the new omnibus rule has seemingly taken that to a new level, and the majority of physicians are not actually aware of the new liabilities they now face.
Rosalind Hill spoke to Mike Sacopulos, President of Medical Risk Institute, and General Counsel for Medical Justice, to find out what you need to know about this updated legislation, how you can remain compliant, and what the penalties are for non-compliance.
What is HIPAA and what does it mean for the medical community in general?
HIPAA is a federal law that came into existence in 1996 and it’s been strengthened over the years. It’s geared towards patient privacy and the security of patient information. In recent years we’ve seen a great expansion of requirements for medical providers under this law and in this general area of patient privacy. As recently as just last year, 580 pages of new requirements were released. What we’ve also seen is a tremendous increase in financial penalties for physicians, offices, and hospitals that violate requirements of patient privacy. Just last month, one of the largest penalties ever was announced: $4.8 million for the inadvertent release of 6800 patients’ information, which was accidentally accessible via the internet. And that’s just what the federal government penalty was, but obviously the medical provider had to compensate the individual patients and do remedial activities, so the violation by my calculation was more than $1000 per patient involved — even though the patients would not really be able to show any kind of financial harm.
HIPAA and these privacy laws for patient data come under the Office for Civil Rights, and they’ve begun a program of random audits. They’re actively hiring and opening field offices, which for us, given the general condition of federal government, tells you something. They also released a statistic that the Office for Civil Rights recoups $8–9 for every $1 they spend on enforcement.
All this says to me is that we should expect significantly greater enforcement and larger penalties as we move forward, and administratively, there’s more weight being given to this area.
What are the risks within the Omnibus Rule specifically that aesthetic practitioners could face? What constitutes a reportable breach and what determines whether PHI has been compromised?
The Omnibus Rule changed the definition of a breach on its head. Previously, it had to be shown through analysis that there was a possibility that the information was accessible to someone who should not see it. The new rule is the exact opposite: we’re starting with the assumption that there has been a breach and you have to prove that there has not been. Where before we would assume that there was no breach, we would do the analysis and if it looks like there could be then it would need to be reported. I think that has a major significance and requires all providers to have a new breach notification policy.
The other major area in which I see many people having problems are the companies they do business with. Anyone that you share patient information with — whether it’s your accountant, your billing service, your transcription service — anyone who helps you do your job and has access to patient information is considered a business associate. These business associates are now directly under the supervision of the Office for Civil Rights, so it doesn’t change the position of the practice or doctor much, with the exception that new contracts have to be written with business associates. Everyone is supposed to have these new contracts in place with the new requirements for business associates by now. Ten years ago, you had to have a business associate agreement, but the requirements have changed and they need to have everything updated as of late last year, but that’s difficult for many practices. Larger facilities have dozens, if not hundreds, of business associates, so going through and even trying to identify all of them, as well as getting signed contracts with them, is quite challenging.
Some reports suggest that over 95% of practices/businesses are not actually compliant with the new rules. Do you agree?
I don’t know if it’s that high, but I can tell you that the first round of random audits found only 11% in compliance and that was prior to the new rules. What I think we can all agree on is that there is large‑scale non-compliance, which I think has been the case for many years. The problem now is that there has been the game change of significant financial penalties and increased enforcement. As a result, your risk of non-compliance has increased significantly. It was one thing to be non-compliant 5 years ago, but it’s a whole new ball game today. I think that the risk of non-compliance should be very scary to physicians.
What can physicians do to limit the risk of breaching HIPAA rules?
There are a couple of things that I think everyone should start with, and these come from the Office for Civil Rights: you should do a security risk analysis, and you need to have your data encrypted. And so, if you look where most of the breaches come from, it’s on mobile devices that aren’t encrypted — that’s on everyone’s top 5 list of most common breaches. So, if the device is encrypted it’s assumed that there is no breach if it’s lost. If it’s unencrypted and lost, it’s assumed to be a breach. You don’t need an expert to fix this — this is something that most people can do on their own or certainly with minimal help from an IT expert. It’s very easy and it eliminates lots of risk for a very low amount of cost and investment
The risk analysis is harder because that requires you to systematically look at where patient information is and how vulnerable it is. That often requires some expert help.
However, I think the emphasis should be placed on the individual staff and employees because we know that’s where breaches come from. This isn’t necessarily intentional; your system is a lot more vulnerable because of a user error than from someone hacking through a firewall. There was a national group that I did a compliance study for and we found that of that 150 practices that participated, over half of them had said that they had had no education of HIPAA issues for their staff over the last 2 years. It seems to me, therefore, that we shouldn’t be surprised if somebody has a breach or problem if we’ve done zero education. We don’t have to spend all our time studying HIPAA and become privacy experts, but we have to give some attention to the issue — even if it’s a half hour or hour over a lunch period to talk about it once per year. I think that by doing a webinar, talking about issues in the office, some kind of education, practices could drastically reduce the likelihood of having a breach — it’s just general awareness that helps eliminate lots of risk.
Are there any other penalties for non-compliance other than those financial penalties in place?
There’s certainly financial penalties, and in some instances, if it is thought that the breach was intentional with information for identity theft purposes stolen, there are certainly criminal penalties that can be involved, but that requires either a gross negligence or an intent to steal information.
Identity theft in the medical area has more than doubled in the last 2 years, and the FBI recently released a report cautioning the medical community that their information is not well protected and that they are a target for identity thieves. It is, in fact, much easier to steal medical information than it is financial information. The banks are more secure and ahead of the curve. The other interesting fact is that medical information is the most valuable to identity thieves. There are studies that say that a stolen credit card number would be worth $1–2 on the black market, a social security number might be worth $3, but a medical chart is worth $50–60. It has everything possible that an identity thief would want or need.
That should be scary to practices, to think that they have that kind of valuable information in their computer without having trained staff or without having gone through the efforts to properly protect it. We’re seeing practice after practice have problems and have information stolen.
Since the new rule came in, has there been an increase in HIPAA breach cases?
It’s always hard to know because while they’re required to be reported, you don’t know how many are not reported. The numbers look like they’re increasing. Whether it’s just people reporting a breach or whether the gross number of breaches has increased is hard for me to say — but there are definitely more being reported.
Will physicians be better at complying with these rules, or will there still be a lot of problems with identity theft and compromise of PHI?
I think there will be more identity theft compromises and breaches as we go forward, but I also think that the medical community is going to begin to take this issue and their patient data more seriously. There are new studies that have been released that anywhere from one third to half of patients will leave a practice if their information has been compromised. There are all kinds of state-issuing penalties to business penalties, and given that kind of a risk, I think that the medical community has little choice but to respond and become more compliant. That’s not always easy and it may not happen quickly, but I think that as a natural course it will have to happen as there’s so much financial risk involved.