CHAPTER 15



Assuring the Health Insurance Portability and Accountability Act Compliance

Chris Apgar

   In this chapter, you will learn how to

•  Describe, at an introductory level, the legal requirements that health IT (HIT) professionals need to be aware of

•  Define the terms business associate (BA), covered entity (CE), privacy, security, and protected health information (PHI)

•  Identify legal documentation requirements—what needs to be included in application development to meet legal requirements

•  Understand the use of BA contracts, creation of limited data sets, and requirements related to the reduction of legal risk as HIT professionals work with healthcare organizations and vendor partners

•  Describe the implications for health IT on the necessary requirements to assure privacy and security for electronic healthcare information



Introduction to the Healthcare Legal Environment

The healthcare regulatory environment is ever-changing and requires frequent monitoring to stay ahead of regulatory deadlines. The most significant change in healthcare law as it relates to privacy, security, and the exchange of administrative health data (e.g., claims, remittance advices, eligibility determinations, etc.) was the Health Insurance Portability and Accountability Act (HIPAA) of 1996 Administrative Simplification provisions.1 Since then, privacy- and security-related requirements have expanded due to the passage of other federal and state laws.

This chapter focuses primarily on the legal requirements related to HIPAA2 including the HIPAA Privacy Rule (45 CFR Part 160 and Part 164, Subpart E), the HIPAA Security Rule (Part 164, Subpart C), the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D), the HIPAA Enforcement Rule (45 CFR Part 160), the Health Information Technology for Economic and Clinical Health (HITECH) Act (PL 111-5, Division A, Title XIII, Subpart D), and the Omnibus Rule of 2013 that amended HIPAA to reflect regulatory changes included in the HITECH Act as well as what can be termed housekeeping changes.3 It is important to keep in mind that the HIPAA Administrative Simplification provisions address more than privacy and security. They also establish rules related to the transmission of healthcare administrative data and define national identifiers for employers, healthcare providers, and health plans (see 45 CFR Part 162).

HIT professionals must thoroughly understand the transaction, code-set, and national-identifier rules and related transaction and code sets specifications when developing claims adjudication systems, online administrative transactions, and other applications related to nonclinical data exchange. Most HIPAA legal requirements, such as business associate contracts, fall under the umbrella of privacy and security—hence the focus on privacy and security in this chapter.

Congress and state legislative assemblies continue to pass statutes that may impact the legal side of the healthcare regulatory equation. Also, federal and state agencies periodically revise administrative rules and issue guidance to the healthcare industry. These changes often impact the legal requirements healthcare organizations are subject to.

HIPAA, HITECH Act, and Omnibus Rule Overview2

The purpose of this chapter is to summarize the requirements of the HIPAA Privacy, Security, and Breach Notification Rules, the HITECH Act, and the Omnibus Rule requirements, and what rules take precedence when state laws differ from HIPAA and HITECH. You can refer to the listed requirements when reviewing existing privacy and security programs and regulatory compliance.

Covered entities are required to adhere to the complete HIPAA Privacy, Security, and Breach Notification Rules as modified by the HITECH Act. A covered entity (CE) can be a health plan (public or private), a healthcare provider who exchanges (directly or indirectly) HIPAA-covered transactions, or a healthcare clearinghouse. CEs can be both CEs and business associates. CEs are subject to the statutory provisions and the rule provisions in general, but many CEs are not subject to all provisions of the rules. As an example, there are specific requirements included that only health plans must follow, others that only healthcare providers must follow, and another set of provisions to which only healthcare clearinghouses are required to adhere.

Business associates are required to adhere to the use and disclosure provisions of the HIPAA Privacy Rule and the complete HIPAA Security Rule and Breach Notification Rule (HITECH Act requirement). A business associate (BA) is a third party that uses, discloses, maintains, or transmits protected health information on behalf of a CE or on behalf of another BA (e.g., BA subcontractor). Examples of BAs include billing agencies, electronic health record (EHR) vendors, third-party administrators, health information organizations (HIOs), and accountable-care organizations (ACOs).

The Omnibus Rule of 2013 greatly expanded the number of business associates who are required to adhere to the use and disclosure provisions of the HIPAA Privacy Rule, the HIPAA Security Rule and the HIPAA Breach Notification Rule. The rule expanded the definition of business associates to include business associate subcontractors. A business associate subcontractor is a business associate that uses, discloses, maintains, or transmits protected health information on behalf of a business associate who may or may not directly contract with a covered entity.

Business associate subcontractors may themselves contract with downstream business associate subcontractors. As an example, if an electronic health record vendor contracts with a cloud vendor to provide data backup support and the data backed up is the protected health information stored in the electronic health record, the cloud data backup vendor would be a business associate subcontractor. If the cloud vendor subcontracted with a hosting vendor to provide additional backup support in an area geographically different than the cloud vendor’s servers, the hosting vendor would be a business associate subcontractor of the cloud vendor. Business associate subcontractors are required to adhere to the use and disclosure provisions of the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule by statute and rule, which are the same compliance requirements that business associates are required to comply with.

Protected health information (PHI) is individually identifiable health information that can be used to identify an individual and that individual’s past, present, or future medical condition (acute and mental health). PHI is made up of specific identifiers listed in the HIPAA Administrative Simplification provisions. PHI includes demographic data in addition to healthcare-related data.


NOTE   This chapter is not intended to represent legal advice. If questions arise regarding the summary information presented, CEs and BAs are encouraged to refer back to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules as amended by the HITECH Act and the Omnibus Rule, other applicable state and federal privacy and security laws, and/or to contact legal counsel.

Legal Documents Review

HIPAA, the HITECH Act, and the Omnibus Rule include requirements related to the construction of several legal documents. One of the most significant legal documents referenced is the BA contract. A BA contract is a legally binding contract which spells out the privacy and security standards that BAs and their third-party vendors are required to implement and adhere to.

The HIPAA Privacy Rule also includes requirements related to the construction of authorization forms and the Notice of Privacy Practices. CEs may generate other legal documents to implement requirements outlined in the HIPAA Privacy, Security, and Breach Notification Rules, such as consent forms and requests for a copy of an individual’s designated record set (DRS; medical record or claims record).

HIPAA Administrative Simplification Provisions

The Administrative Simplification Provisions of HIPAA were a part of the original legislation that was passed and signed into law in 1996. The statute was codified in federal regulations 45 CFR Parts 160, 162, and 164. 45 CFR Part 160 can be described as the general rules, definitions, and requirements governing all published HIPAA rules and includes the HIPAA Enforcement Rule. 45 CFR Part 160 includes general definitions, describes when state law preempts HIPAA, describes when the U.S. Department of Health and Human Services has authority to audit covered entities and business associates, and other general provisions that form the “rules of the road” that apply to Part 160 and the remaining Administrative Simplification provisions. 45 CFR Part 162 includes the Transactions and Code Sets Rule and the National Identifiers Rules. (This regulation is not addressed in this chapter.) 45 CFR Part 164 includes the Privacy Rule, the Security Rule, and the Breach Notification Rule.

State Law Preemption: 45 CFR 160.203

The provisions of the HIPAA Privacy Rule are preempted when state law is more stringent than the provisions of the Privacy Rule. “More stringent” is defined as providing greater protection of an individual’s PHI or providing an individual greater access to their PHI.

If state law is contrary to HIPAA and is not more stringent, HIPAA preempts state law. Contrary is defined as a condition that would make it impossible for a CE to comply with both HIPAA and state law. Certain state laws that allow collection of PHI for specific purposes, such as for public health or health oversight, are not preempted by HIPAA. If the Secretary of HHS determines that a state law is contrary to HIPAA, before the law can be effective it must be approved as an exception to HIPAA. Certain state laws, such as the monitoring and collection of PHI related to controlled substances, must be approved by the Secretary of HHS prior to the collection of PHI by states. Even when an exemption has been granted, the Secretary may later revoke it.

It’s important to keep in mind that other federal statutes may impact which steps covered entities and business associates need to attend to when it comes to regulatory compliance. As an example, 42 CFR Part 24 includes more stringent requirements for protecting patient information related to alcohol and chemical dependency treatment. In 2016 the U.S. Department of Health and Human Services and the Federal Trade Commission issued guidance regarding the intersection of HIPAA compliance requirements and compliance with the Federal Trade Commission’s rules.

HIPAA Privacy Rule: 45 CFR Part 164, Subpart E

45 CFR Part 164, Subpart E, “Privacy of Individually Identifiable Health Information,” is better known as the HIPAA Privacy Rule. Subpart E defines the privacy requirements CEs must adhere to. Especially important are the sections that outline the requirements related to the use and disclosure of PHI, individual privacy rights, and administrative requirements related to privacy. BAs and BA subcontractors are required to adhere to the use and disclosure provisions of Subpart E pursuant to the HITECH Act.

There are some duplicate or joint privacy and security compliance requirements that are articulated in both the HIPAA Privacy Rule and the HIPAA Security Rule. These include training requirements, BA contracting requirements, development of policies and procedures, and so forth. Where a Privacy Rule section below also cites a Security Rule provision, that citation points to the matching requirement in the HIPAA Security Rule.

Use and Disclosure of PHI: 45 CFR 164.502(a)

CEs and BAs are permitted to disclose PHI to an individual; for treatment, payment, and healthcare operations; when authorized by the patient/member or authorized representative; and to friends and family (as long as the patient/member is allowed the opportunity to object to such release). In addition, certain portions of an individual’s PHI can be disclosed in the CE’s facility directory. A facility directory is usually maintained in hospitals and other inpatient care settings. It may include the individual or patient’s name, the individual’s location in the CE’s facility, the individual’s condition described in general terms that do not communicate specific medical information about the individual, and the individual’s religious affiliation. The CE may disclose this information to clergy and to a visitor who asks for the individual by name. The CE can only disclose religious affiliation to members of the clergy. The individual may request that his or her name not be included in the facility directory.

Minimum Necessary: 45 CFR 164.502(b)

CEs and BAs are required to disclose only the minimum amount of PHI necessary to satisfy the reason for which the PHI is disclosed. The minimum necessary standard does not apply for treatment, when required by law, when disclosed to the Office of Civil Rights (OCR), for disclosures related to an individual or the individual’s personal representative authorizations, and when disclosed pursuant to provisions of the HIPAA Privacy Rule to comply with the Privacy Rule.

BA Contracts: 45 CFR 164.504(e), 45 CFR 164.308(b), 45 CFR 164.314(a)

CEs and BAs are mutually responsible for entering into formal contracts or other written agreements that clearly define a BA’s relationship with a CE and what PHI will be used and disclosed between a CE and BA. BA contracts (private sector) or other written arrangements (government) must require the BA to comply with the HIPAA Privacy Rule. CEs are required to reasonably ensure that BAs adhere to the provisions of the HIPAA Privacy Rule. In addition to the requirements included in the contract or other written arrangement as defined pursuant to 45 CFR 164.314(a), 45 CFR 164.308(b), and 45 CFR 164.504(e), the contract must specify that the BA support the CE when honoring patients’ privacy rights.

Consent: 45 CFR 164.506

A CE is not required to obtain an individual’s consent prior to sharing PHI for treatment, payment, or healthcare operations. Consent in this context applies only to release of PHI for treatment, payment, and healthcare operations.

Authorization Requirements: 45 CFR 164.508

Unless specifically allowed pursuant to the HIPAA Privacy Rule, disclosures of PHI are not allowed without specific authorization of the individual. This includes psychotherapy notes. A valid authorization needs to be specific and limited by time or event. The Omnibus Rule further defines “time” and “event,” giving “infinity” and “death” as examples. Authorization is required for the use of PHI for research purposes unless an institutional review board (IRB) or privacy board approves the use of PHI for research without authorization. A CE may not condition treatment on providing authorization unless the treatment is related to research (45 CFR 164.512(i)).

Further rules govern the manner in which CEs can use PHI for marketing purposes. The use of PHI for research must clearly define the purpose of such release. Marketing as defined pursuant to HIPAA requires patient authorization, with limited exceptions, and the sale of PHI without individual authorization is prohibited, again with limited exceptions. Under HIPAA, an individual can object to the publication of their PHI in a facility directory.

Release Without Consent or Authorization: 45 CFR 164.512

A CE is permitted to release PHI without consent or authorization:

•  To a public health authority

•  To a public authority for child abuse or neglect reasons

•  If the person is subject to the Food and Drug Administration (FDA) rules for tracking recalls of prescription medication, reporting adverse events resulting from certain forms of treatment, etc.

•  If an individual presents for treatment of a communicable disease

•  Reporting a medical incident related to a worksite injury

•  In the event of domestic violence and when a personal representative is suspected of abusing or neglecting a patient

•  In judicial and administrative proceedings

•  When disclosing PHI to law enforcement authorities

CEs are authorized to release PHI for healthcare oversight activities to the following entities:

•  The healthcare system

•  Government benefit programs

•  Entities subject to government oversight activities

•  Entities subject to civil laws where such release is necessary to determine compliance with civil laws

Avert a Serious Threat to Safety: 45 CFR 164.512(j)

A CE may release PHI if, in the professional judgment of the CE, such release will prevent a serious threat to public safety or to the safety of another.

Disclosure for Specialized Government Functions: 45 CFR 164.512(k)

A CE may release PHI for the following purposes:

•  Military activity

•  Medical suitability determinations (State Department)

•  National security or intelligence activity

•  Correctional institutions or law enforcement custodial situations

•  Protective services for the President and others

•  CEs that are governmental programs providing public benefits

Limited Data Set: 45 CFR 164.514(e)

CEs may use or disclose a limited data set if the CE enters into a data-use agreement with the limited-data-set recipient. A limited data set includes PHI but excludes the following identifiers of the individual or the individual’s relatives, employers, or household members:

•  Name

•  Postal address information, other than town or city, state, and ZIP code

•  Telephone numbers

•  Medical-record numbers

•  Health plan beneficiary numbers

•  Account numbers

•  Certificate/license numbers

•  Vehicle identifiers and serial numbers including license-plate numbers

•  Web addresses

•  Internet protocol (IP) address numbers

•  Device identifiers and serial numbers

•  Full-face photographic images and any comparable images

•  Biometric identifiers, including finger and voice prints

CEs may use or disclose a limited data set only for the purposes of research, public health, or healthcare operations.

The HITECH Act requires CEs to disclose a limited data set instead of adhering to the minimum necessary standard if feasible until OCR formally defines “minimum necessary.” At this time, OCR has not defined “minimum necessary.”
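The limited data set described above, as an added example that is not part of the chapter: it strips the listed identifiers from a constructed patient record (for the individual and for relatives, employers, and household members), keeps town/city, state, ZIP code, and dates, scans the remaining free text for identifiers that field removal alone would miss, and gates release on a permitted purpose and an executed data-use agreement. Field names and the sample record are assumptions; fax numbers and e-mail addresses are also excluded because the rule text lists them even though the chapter's list does not.

```python
"""
Added example, not from the chapter: derive a HIPAA limited data set
(45 CFR 164.514(e)) from a constructed patient record.  Field names and
the sample record are assumptions made for this illustration.
"""
import copy
import re

# Direct identifiers a limited data set must exclude, for the individual
# and for relatives, employers and household members (hypothetical keys).
EXCLUDED_FIELDS = frozenset({
    "name", "telephone_numbers", "fax_numbers", "email_addresses",
    "medical_record_number", "health_plan_beneficiary_number",
    "account_number", "certificate_license_number", "vehicle_identifiers",
    "device_identifiers", "web_addresses", "ip_addresses",
    "full_face_photo", "biometric_identifiers",
})
# Postal address elements the rule lets a limited data set keep.
ALLOWED_ADDRESS_KEYS = frozenset({"city", "state", "zip"})
# Nested parties that receive the same stripping as the patient.
RELATED_PARTY_KEYS = ("relatives", "employer", "household_members")
# Purposes for which 164.514(e) permits use or disclosure.
PERMITTED_PURPOSES = frozenset({"research", "public_health", "healthcare_operations"})

# Identifier-like patterns that can survive in free text such as clinical
# notes; removing structured fields alone does not catch these.
RESIDUAL_PATTERNS = {
    "telephone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "url": re.compile(r"https?://\S+|\bwww\.\S+", re.I),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def _strip_party(record: dict) -> dict:
    """Remove excluded identifiers from one party (patient, relative, ...)."""
    out = {}
    for key, value in record.items():
        if key in EXCLUDED_FIELDS:
            continue
        if key == "address" and isinstance(value, dict):
            # Keep only town/city, state and ZIP; street lines are dropped.
            out[key] = {k: v for k, v in value.items() if k in ALLOWED_ADDRESS_KEYS}
        elif key in RELATED_PARTY_KEYS:
            parties = value if isinstance(value, list) else [value]
            stripped = [_strip_party(p) for p in parties]
            out[key] = stripped if isinstance(value, list) else stripped[0]
        else:
            out[key] = copy.deepcopy(value)
    return out


def find_residual_identifiers(obj, path: str = "") -> list:
    """Scan every string in the record; return (path, pattern name) hits."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            hits.extend(find_residual_identifiers(v, f"{path}.{k}" if path else k))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits.extend(find_residual_identifiers(v, f"{path}[{i}]"))
    elif isinstance(obj, str):
        for name, pattern in RESIDUAL_PATTERNS.items():
            if pattern.search(obj):
                hits.append((path, name))
    return hits


def build_limited_data_set(record: dict) -> tuple:
    """Return (limited data set, list of residual identifier findings)."""
    lds = _strip_party(record)
    return lds, find_residual_identifiers(lds)


def release_limited_data_set(record: dict, purpose: str, dua_signed: bool) -> dict:
    """Apply the rule's two conditions (permitted purpose, executed data-use
    agreement) and refuse to release while free text still carries identifiers."""
    if purpose not in PERMITTED_PURPOSES:
        raise PermissionError(f"limited data set may not be disclosed for {purpose!r}")
    if not dua_signed:
        raise PermissionError("no data-use agreement executed with the recipient")
    lds, findings = build_limited_data_set(record)
    if findings:
        raise ValueError(f"residual identifiers in free text: {findings}")
    return lds


# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "date_of_birth": "1975-03-14",
    "admission_date": "2023-11-02",
    "address": {"street": "12 Example Lane", "city": "Portland", "state": "OR", "zip": "97201"},
    "telephone_numbers": ["503-555-0100"],
    "medical_record_number": "MRN-000001",
    "ip_addresses": ["203.0.113.7"],
    "diagnoses": ["J18.9"],
    "relatives": [{"name": "John Sample", "relationship": "spouse",
                   "telephone_numbers": ["503-555-0101"]}],
    "employer": {"name": "Example Corp",
                 "address": {"street": "1 Main St", "city": "Portland", "state": "OR", "zip": "97204"}},
    "clinical_notes": "Patient reports improvement.",
}
```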

HIPAA defines ways in which a CE may use certain PHI for fundraising purposes and underwriting.

Notice of Privacy Practices: 45 CFR 164.520

A healthcare provider must present a notice of privacy practices to a patient during the first encounter and make every effort to obtain written verification from the patient that the notice of privacy practices was presented. Health plans are required to mail notices of privacy practices to participating members. Health plans are not required to obtain written verification from members that they received a copy of the notice. CEs are required to notify individuals when significant changes are made to the notice. If the CE maintains a web site, the notice must be prominently posted on the web site, and it must be posted publicly in a public location at healthcare provider clinics, hospitals, etc.

Patient Privacy Rights

CEs, and BAs on behalf of CEs, are required to honor certain patient privacy rights that are included in the HIPAA Privacy Rule. Those privacy rights include entitlement to

•  Request restrictions on who can access a patient’s record or what may not be disclosed to a third party (45 CFR 164.522(a))

•  Request confidential communications (45 CFR 164.522(b))

•  Obtain a copy or view designated record set (DRS; medical record) in paper or electronic form (45 CFR 164.524)

•  Obtain an accounting of disclosures for purposes other than treatment, payment, or healthcare operations, when specifically authorized by the patient (45 CFR 164.528)

•  File a complaint with the CE or the Office for Civil Rights (OCR) (45 CFR 164.530(d))

Privacy Official and Security Official: 45 CFR 164.530(a), 45 CFR 164.308(a)(2)

A CE must appoint a privacy official who is responsible for overseeing the CE’s privacy program and a security official who is responsible for overseeing the CE’s or BA’s security program.

Workforce Training: 45 CFR 164.530(b), 45 CFR 164.308(a)(5)

A CE must provide privacy and security training to the workforce. BAs are required to provide security training to the workforce. The workforce includes employees, temporary employees, volunteers, and contracted employees.

Standard Safeguards: 45 CFR 164.530(c)

A CE must implement policies, procedures, and practices that reasonably ensure administrative, technical, and physical security of all PHI regardless of the form in which the PHI is stored.

Sanctions: 45 CFR 164.530(e), 45 CFR 164.308(a)(1)

A CE must provide for workforce sanctions in the event of a violation of the Privacy Rule, the Security Rule, or a CE’s privacy and security policies, procedures, or practices. BAs are required to provide for workforce sanctions for failure to comply with the Security Rule.

Privacy and Security Policies and Procedures: 45 CFR 164.530(i), 45 CFR 164.316

CEs and BAs are required to develop and implement privacy and security policies and procedures that fully implement the requirements of the Privacy Rule, the Security Rule, and the Breach Notification Rule. CEs and BAs are required to periodically review and update policies and procedures to accommodate changes in business practices and law. CEs are also required to update and distribute their notice of privacy practices if changes in policy and procedure materially impact the provisions of the notice.

HIPAA Security Rule: 45 CFR Part 164, Subpart C

Under 45 CFR Part 164, Subpart C, “Security Standards for the Protection of Electronic Protected Health Information,” CEs and BAs are required to comply with all standards. If an implementation specification is required, CEs and BAs must comply with the implementation specification. The following codes are used for the implementation specifications described in the sections that follow:

•  Required (R)   The implementation specification must be implemented/adhered to.

•  Addressable (A)   Based on the risk analysis (see 45 CFR 164.308(a)(1)(ii)(A); CEs and BAs are required to conduct a risk analysis periodically), the CE or BA must implement/adhere to the implementation specification, implement/adhere to an equivalent security safeguard, or document why the implementation specification will not be implemented/adhered to (the reason cannot be solely based on the cost of implementation/adoption).

Administrative Safeguards: 45 CFR 164.308

The administrative safeguards section of the HIPAA Security Rule addresses what can be best described as the people side of security. It is the longest section in the rule and one of the more important sections to pay attention to. Information security is more often tied to workforce compliance than the technology that has been deployed to secure CE and BA infrastructure. The best antimalware or the best firewall may be implemented, but if administrative security is lax, it may lead to breaches of PHI related to ignorance or carelessness on the part of the workforce.

Security Management Process: 45 CFR 164.308(a)(1)

This is the first administrative safeguards standard. The standard requires the implementation of policies and procedures to prevent, detect, contain, and correct security violations.

•  Risk analysis (R)   Need to complete a risk analysis periodically to assess security risks to the organization.

•  Risk management (R)   Need to establish a risk-management program that adequately implements the risk analysis findings; evaluates security incidents as they occur; and takes appropriate mitigating action.

•  Information system activity review (R)   Software applications, network servers, etc., need to be configured to create audit trails that track activities involving electronic PHI.

Assigned Security Responsibility: 45 CFR 164.308(a)(2)

All CEs and BAs are required to appoint a security official. The security official is responsible for overseeing CEs’ and BAs’ information security program including the development of policies, staff training, and ensuring sanctions for violations occur consistently and in a timely manner.

Workforce Security: 45 CFR 164.308(a)(3)

This standard requires the implementation of policies and procedures to reasonably ensure that all CE and BA workforce members have appropriate access to electronic PHI (ePHI), and to prevent workforce members who should not have access from obtaining it.

•  Authorization and/or supervision (A)   Processes/policies need to be implemented that provide for appropriate workforce supervision when accessing ePHI.

•  Workforce clearance procedure (A)   Need to implement policies that reasonably ensure workforce access to ePHI is appropriate.

•  Termination procedures (A)   Policies/procedures need to be implemented that reasonably ensure workforce access to ePHI is terminated when the workforce member is terminated.

Information Access Management: 45 CFR 164.308(a)(4)

The next standard requires the implementation of policies and procedures related to authorization of access to electronic PHI.

•  Access authorization (A)   Policies/procedures need to be implemented that govern authorization to access ePHI.

•  Access establishment and modification (A)   Policies/procedures need to be implemented that outline how access to ePHI is granted and modified to meet minimum necessary requirements.

Security Awareness and Training: 45 CFR 164.308(a)(5)

The following requirements were included in this subsection of the Security Rule.

•  Security reminders (A)   Periodic security reminders need to be distributed to all workforce members.

•  Protection from malicious software (A)   Antimalware software needs to be acquired, regularly updated, and used to ensure malware does not infect the network, applications, hardware, and portable media.

•  Log-in monitoring (A)   An audit trail needs to be created that records when a workforce member logs on to the network or a software application.

•  Password management (A)   Policies/procedures need to be implemented that assist in proper password management (i.e., creation, periodic changes, etc.).

Security Incident Procedures: 45 CFR 164.308(a)(6)

CEs and BAs are required to implement policies and procedures and develop an incident response plan to address security incidents. Examples of security incidents that do not involve the breach of PHI include transmission of unencrypted PHI, and a denial-of-service attack that shuts down a CE’s network.

Contingency Plan: 45 CFR 164.308(a)(7)

This standard requires implementation of policies and procedures that define how a CE or BA will respond to an emergency or other disaster that could damage systems that store and utilize electronic PHI.

•  Data backup plan (R)   Need to implement data backup and recovery processes that provide for the backing up of ePHI and proper recovery processes so the data can be recovered if data is corrupted or lost.

•  Disaster recovery plan (R)   Disaster recovery plans need to be developed that clearly outline how critical data are to be recovered in the event of a disaster.

•  Emergency mode operation plan (business continuity plan) (R)   Plans need to be implemented that allow access to critical ePHI in the event of a disaster and while operating in an emergency mode.

•  Testing and revision procedure (A)   Need to implement policies/procedures that define periodic testing activity for the disaster recovery plan and the emergency mode operations plan.

•  Applications and data criticality analysis (A)   Data need to be analyzed to determine whether it is critical and addressed as such in the disaster recovery plan and the emergency mode operation plan.

Evaluation: 45 CFR 164.308(a)(8)

This standard requires periodic technical and nontechnical evaluations to be conducted to reasonably ensure CEs and BAs comply with the provisions of the HIPAA Security Rule.

Physical Safeguards: 45 CFR 164.310

The physical safeguards section of the HIPAA Security Rule focuses on the implementation of physical safeguards to protect PHI, servers, individuals, and so forth. This section is more than just making sure there are locks on the doors. It also requires the implementation of safeguards to protect workstations, media that is used to store PHI, secure destruction of hardware and media, and protection against disasters such as the installation of a fire suppression system.

Facility Access Controls: 164.310(a)

This standard requires implementation and maintenance of controls over physical access to facilities where ePHI may be used and disclosed.

•  Contingency operations (A)   Policies and procedures need to be implemented that accommodate emergency operation in the event of a disaster. This is directly tied to the contingency planning requirements articulated at 45 CFR 164.308(a)(7).

•  Facility security plan (A)   A facility security plan needs to be developed, implemented, and maintained.

•  Access control and validation procedures (A)   Policies and procedures need to be implemented that govern access management to the facility (i.e., key management, key card management, etc.).

•  Maintenance records (A)   Policies and procedures need to be implemented that accommodate maintenance of records when access control devices are installed, maintained, replaced, or decommissioned.

Workstation Use: 164.310(b)

This standard requires CEs and BAs to adopt policies, procedures, and practices that govern workstation or class of workstation use, physical location, and function.

Workstation Security: 164.310(c)

This standard requires CEs and BAs to adopt policies, procedures, and practices that reasonably ensure the physical security of workstations used to access ePHI. This includes all mobile devices used to access or store ePHI.

Device and Media Controls: 164.310(d)

This standard requires CEs and BAs to adopt policies, procedures, and practices to physically secure hardware and media.

•  Disposal (R)   Proper practices need to be implemented that accommodate secure disposal of electronic media and hardware used to store ePHI when no longer needed or usable.

•  Media reuse (R)   Proper practices need to be implemented that provide for complete destruction or erasure of ePHI stored on electronic media or hardware when the media or hardware will no longer be used to store ePHI but will be used for other purposes.

•  Accountability (A)   Practices need to be implemented to record movement of electronic media or hardware and the individuals authorized to approve movement.

•  Data backup and storage (A)   Practices need to be implemented to create an exact copy of ePHI stored on hardware that is to be moved before the actual move.

Technical Safeguards: 45 CFR 164.312

Technical safeguards address what many think of as core to information security. While important, as noted earlier, administrative safeguards, if not adhered to, represent a more significant security deficiency. That said, this section focuses on what information technology systems need to include as at least basic functionality. As an example, systems need to support assigning users a unique ID and an associated way to authenticate a user such as the use of a password to access an electronic health record.

Access Control: 164.312(a)

This standard requires the implementation of technical controls to permit only access to PHI that meets the minimum necessary standard of the HIPAA Privacy Rule.

•  Unique user identification (R)   Workforce members must be assigned unique logon IDs.

•  Emergency access procedure (R)   Practices must be implemented to reasonably ensure access to ePHI in the event of an emergency.

•  Automatic logoff (A)   CEs and BAs need to implement technical processes that automatically terminate workforce members’ access after a period of inactivity.

•  Encryption and decryption (A)   Proper technical processes need to be implemented to encrypt and decrypt ePHI transmitted over an open network and when at rest.

Audit Controls: 164.312(b)

This standard requires CEs and BAs to implement technical processes that accurately record activity related to the creation, modification, and deletion of ePHI. When technically feasible, access to ePHI should also be recorded.

Integrity: 164.312(c)

This standard requires CEs and BAs to implement processes to reasonably ensure ePHI is not improperly altered or destroyed.

•  Mechanism to authenticate ePHI (A)   Processes need to be implemented that validate that data have not been improperly altered or destroyed.

Person or Entity Authentication: 164.312(d)

This standard requires CEs and BAs to implement controls that accommodate the proper authentication of an individual or entity before allowing access to ePHI.

Transmission Security: 164.312(e)

This standard requires CEs and BAs to implement policies, procedures, and practices that secure ePHI that is transmitted over an open network (the Internet).

•  Integrity controls (A)   CEs and BAs need to implement integrity controls that check for improper modification or destruction of data in transit across an open network.

•  Encryption (A)   ePHI transmitted over an open network must be properly encrypted.
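The technical safeguards above are stated as requirements rather than as code, so what follows is an added illustration (not code from the chapter, and not from any particular EHR product) of how a small ePHI record service can implement several of them together: unique user IDs with password authentication, automatic logoff after a period of inactivity, an HMAC tag that authenticates each stored record against improper alteration, a minimum-necessary role check on writes, and an audit log of every login, create, read, update, delete, and denial. The class and method names, the role names, and the 15-minute timeout are assumptions made for the example; encryption in transit and at rest (the addressable specifications listed above) is left to TLS and disk encryption and is not shown.

```python
# Added example, not code from the chapter: a minimal ePHI record store
# demonstrating the 45 CFR 164.312 technical safeguards. EphiStore, AuditEvent,
# the role names and the 15-minute logoff value are assumptions for illustration.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

AUTO_LOGOFF_SECONDS = 15 * 60     # assumed local policy; the rule sets no number
PBKDF2_ROUNDS = 200_000
WRITE_ROLES = {"clinician"}       # minimum-necessary role check (assumed role names)


@dataclass
class AuditEvent:                 # 164.312(b): record create/modify/delete and access
    ts: float
    user_id: str
    action: str                   # login, logoff, create, read, update, delete, denied
    record_id: Optional[str]
    detail: str = ""


class EphiStore:
    def __init__(self, integrity_key: bytes, clock=time.time):
        self._key = integrity_key       # key for the integrity tag; keep in a KMS/HSM in production
        self._clock = clock             # injectable clock so the logoff timer can be tested
        self._users = {}                # unique user ID -> (role, salt, password hash)
        self._sessions = {}             # session token -> [user_id, last_activity]
        self._records = {}              # record_id -> (data, integrity tag)
        self.audit_log = []

    # --- unique user identification and person authentication: 164.312(a)(2)(i), 164.312(d) ---
    def add_user(self, user_id: str, password: str, role: str) -> None:
        if user_id in self._users:
            raise ValueError("user IDs must be unique; no shared logins")
        salt = secrets.token_bytes(16)
        self._users[user_id] = (role, salt, self._hash(password, salt))

    def login(self, user_id: str, password: str) -> Optional[str]:
        role, salt, stored = self._users.get(user_id, (None, b"", b""))
        if role is None or not hmac.compare_digest(stored, self._hash(password, salt)):
            self._log(user_id, "denied", None, "authentication failed")
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = [user_id, self._clock()]
        self._log(user_id, "login", None)
        return token

    # --- automatic logoff: 164.312(a)(2)(iii) ---
    def _session_user(self, token: str) -> str:
        session = self._sessions.get(token)
        if session is None:
            raise PermissionError("no active session")
        user_id, last_activity = session
        if self._clock() - last_activity > AUTO_LOGOFF_SECONDS:
            del self._sessions[token]
            self._log(user_id, "logoff", None, "inactivity timeout")
            raise PermissionError("session expired by inactivity; log in again")
        session[1] = self._clock()      # any activity restarts the inactivity timer
        return user_id

    # --- mechanism to authenticate ePHI: 164.312(c)(2) ---
    def _tag(self, record_id: str, data: bytes) -> bytes:
        return hmac.new(self._key, record_id.encode() + b"\x00" + data, hashlib.sha256).digest()

    def write(self, token: str, record_id: str, data: bytes) -> None:
        user_id = self._session_user(token)
        if self._users[user_id][0] not in WRITE_ROLES:
            self._log(user_id, "denied", record_id, "role not permitted to write")
            raise PermissionError("role not permitted to write")
        action = "update" if record_id in self._records else "create"
        self._records[record_id] = (data, self._tag(record_id, data))
        self._log(user_id, action, record_id)

    def read(self, token: str, record_id: str) -> bytes:
        user_id = self._session_user(token)
        data, tag = self._records[record_id]
        if not hmac.compare_digest(tag, self._tag(record_id, data)):
            self._log(user_id, "denied", record_id, "integrity check failed")
            raise ValueError("record failed integrity check; treat as improperly altered")
        self._log(user_id, "read", record_id)
        return data

    def delete(self, token: str, record_id: str) -> None:
        user_id = self._session_user(token)
        del self._records[record_id]
        self._log(user_id, "delete", record_id)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def _log(self, user_id, action, record_id, detail=""):
        self.audit_log.append(AuditEvent(self._clock(), user_id, action, record_id, detail))
```

The audit log records every denial as well as every successful action, which is what an auditor reviewing 164.312(b) controls will ask to see; the integrity tag is keyed so that a change made to the stored bytes outside of `write()` (for example, by editing the storage directly) is detected on the next read rather than silently served.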

Policies and Procedures and Documentation Requirements: 45 CFR 164.316

CEs and BAs are required to adopt policies that document how CEs and BAs comply with the HIPAA Security Rule. Policies, training material, risk analysis reports, and other HIPAA Security Rule compliance–related documentation must be retained for a minimum of six years.

Lack of required documentation or documentation that is inaccurate or not current represents one of the most significant regulatory risks to healthcare entities. For example, policies need to be current, accurate, and enforceable. Proper and timely execution of required legal documents is critical to avoid regulatory, legal, and other risks. The document requirements may change over time, so it is important to regularly review and update or amend these documents as needed.

Breach Notification Rule: 45 CFR Part 164, Subpart D

The HIPAA Breach Notification Rule was added as a compliance requirement with the passage of the HITECH Act in 2009. The rule was published as an interim final rule on September 23, 2009, and was finalized as part of the Omnibus Rule of 2013. The rule requires CEs to notify individuals and the Office for Civil Rights in the event of a breach of unsecure PHI and requires BAs to report any breach of unsecure PHI to their CE customers or, if the BA is a BA subcontractor, to its BA customer.

Breach Definition: 45 CFR 164.402

Breach means the acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the PHI. Breach excludes:

•  Unintentional use or disclosure of PHI by a workforce member or person acting under the authority of a CE or a BA, if use or disclosure was made in good faith and does not result in further use or disclosure.

•  Inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE or BA, and the information received as a result of such disclosure is not further used or disclosed.

•  A disclosure of PHI where a CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Unauthorized use or disclosure of PHI is presumed to be a breach unless the CE or BA demonstrates that there is a low probability that the PHI has been compromised. The finalization of the Breach Notification Rule (included in the Omnibus Rule) changed how CEs are required to evaluate whether or not notification is required. Prior to the rule finalization, CEs were required to notify individuals and OCR only if the CEs determined that the breach may cause significant harm to those individuals. The final rule now requires CEs to assume notification is required until proving to themselves otherwise by conducting a four-factor risk assessment. The required risk assessment must include at least the following factors:

•  The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification

•  The unauthorized person who used the PHI or to whom the disclosure was made

•  Whether the PHI was actually acquired or viewed

•  The extent to which the risk to the PHI has been mitigated

Unsecured PHI means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by OCR. CEs and BAs may conduct the four-factor risk assessment described in 45 CFR 164.402. Even if the BA conducts the four-factor risk assessment, the BA is required to notify CEs of any breach of unsecure PHI (45 CFR 164.410).

General Breach Description Notification Requirements: 45 CFR 164.404(a–c)

CEs have an obligation to notify individuals and OCR of the breach.

•  A breach is considered to be discovered as of the first day the breach is discovered or should reasonably have been discovered.

•  Notifications must be made “without unreasonable delay” but no later than 60 calendar days after the breach discovery by the CE. The same notification requirement applies to BAs and BA subcontractors as it relates to notifying their CE or BA customer.

•  The CE or BA has the burden of demonstrating that notifications were made in a “timely” manner. This includes retaining appropriate documentation related to breach notification.

•  CEs are required by regulation to notify individuals, the Office for Civil Rights, and potentially the media in the event of a breach of unsecure PHI where the risk of compromise is determined to not be low. CEs may delegate this responsibility to BAs, but, from a regulatory perspective, if the BA doesn’t properly notify, the CE remains ultimately responsible for rule compliance.

Methods of Notification: 45 CFR 164.404(d)

Notice must be provided to the individual using the following form:

•  It is the responsibility of the CE to notify affected individuals even if the breach was reported to the CE by the BA.

•  Written notification must be sent by first-class mail to the individual (or the next of kin of the individual if the individual is deceased) at the last known address or, if e-mail is the specified notification preference of the individual, by e-mail.

•  If there is insufficient or out-of-date contact information (including phone number, e-mail address, or available contact information) that prevents direct individual notification of ten individuals or more, a substitute notice is required. The substitute notice includes conspicuous posting of the breach for 90 days on the home page of the web site of the CE or notice in major print or broadcast media, including major media in geographic areas where the individuals affected by the breach likely reside.

•  Media and/or web notices need to include a toll-free phone number that is active for no less than 90 days so that the individual can call to learn whether the individual’s unsecured PHI was or potentially was a part of the breach.

•  If the notice is made through the media, the notice must be made to well-known media outlets in the state or jurisdiction. Also, if the breach involved more than 500 residents of a given state or jurisdiction, media announcement is required (45 CFR 164.406).

Notification Delay for Law Enforcement Purposes: 45 CFR 164.412

If a law enforcement official determines that required notification would impede a criminal investigation or cause damage to national security, notification shall be delayed for the period defined by law enforcement.

Specific CE Requirements: 45 CFR 164.404

In the event of a breach, a CE that stores, uses, or discloses unsecured PHI is required to notify each individual whose unsecured PHI has been, or is reasonably believed to have been, breached or inappropriately accessed by an individual or entity (includes internal and external breaches/inappropriate disclosure) within 60 days.

CEs are required to notify OCR within 60 days of when the breach was discovered or should have been discovered if it involves 500 or more individuals (45 CFR 164.408). If the breach involved fewer than 500 individuals, the CE is required to maintain a breach log. The breaches recorded in the breach log must be reported to OCR within 60 days following the end of the calendar year. OCR maintains a list on its web site of all CEs that have reported a breach involving 500 individuals or more.

Specific BA Requirements: 45 CFR 164.410

In the event of a breach, a BA that stores, uses, or discloses unsecured PHI is required to notify the CE of the breach. The notice needs to include the identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, breached or inappropriately accessed (including internal and external breaches/inappropriate disclosures) and sufficiently detailed information to accommodate the CE’s individual notification requirements. The HITECH Act significantly changed how business associates are treated: they are now directly required to adhere to certain HIPAA rules. Prior to HITECH, business associates were required to adhere to HIPAA only indirectly, through contract with covered entities.
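The thresholds and deadlines in the Breach Notification Rule sections above (the four-factor risk assessment, the 60-day clock running from discovery, substitute notice when ten or more individuals cannot be reached, media notice when more than 500 residents of a state are involved, the 500-individual line between immediate OCR notification and the annual breach log, law-enforcement delay, and BA notification of the CE or BA customer) lend themselves to a decision checklist that an incident-response team can apply consistently. The following is an added example, not the chapter's own material and not an OCR tool; the Incident fields and the wording of the output lines are invented for the example, and the determinations fed into it (whether the PHI was secured per OCR guidance, the outcome of the risk assessment) are inputs decided by the entity's privacy and legal staff, not computed here.

```python
# Added example, not from the chapter: a breach-notification decision helper
# encoding the 45 CFR 164.402-164.412 timing and threshold rules as summarized
# in the text. Incident field names and output wording are assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Incident:
    entity_type: str                    # "CE", "BA", or "BA_subcontractor" (assumed labels)
    discovered: date                    # first day the breach was, or should have been, known
    individuals: int                    # number of individuals whose PHI was involved
    secured: bool = False               # True only if PHI was rendered unusable per OCR guidance
    low_probability: bool = False       # conclusion of the documented four-factor risk assessment
    unreachable: int = 0                # individuals with insufficient or out-of-date contact info
    residents_by_state: dict = field(default_factory=dict)   # state/jurisdiction -> affected residents
    law_enforcement_delay_days: int = 0  # delay requested by law enforcement under 164.412


def notification_plan(inc: Incident) -> list:
    """Return the notification obligations and their deadlines for one incident."""
    plan = []
    if inc.secured:
        return ["No notification required: PHI was secured per OCR guidance; document the determination."]
    if inc.low_probability:
        return ["No notification required: the four-factor risk assessment found a low probability of "
                "compromise; retain the assessment (164.402)."]
    start = inc.discovered + timedelta(days=inc.law_enforcement_delay_days)
    if inc.law_enforcement_delay_days:
        plan.append(f"Notification delayed {inc.law_enforcement_delay_days} days at the request of "
                    f"law enforcement (164.412)")
    deadline = start + timedelta(days=60)     # "without unreasonable delay", no later than 60 days
    if inc.entity_type in ("BA", "BA_subcontractor"):
        customer = "CE" if inc.entity_type == "BA" else "BA"
        plan.append(f"Notify {customer} customer without unreasonable delay, no later than {deadline}; "
                    f"identify each affected individual and supply details for its notices (164.410)")
        return plan
    plan.append(f"Notify each affected individual by first-class mail (or e-mail if the individual "
                f"has so specified) no later than {deadline} (164.404)")
    if inc.unreachable >= 10:
        plan.append("Substitute notice: 90-day home-page posting or major print/broadcast media, "
                    "with a toll-free number active at least 90 days (164.404(d))")
    for state, residents in inc.residents_by_state.items():
        if residents > 500:
            plan.append(f"Notify prominent media outlets in {state} ({residents} residents) (164.406)")
    if inc.individuals >= 500:
        plan.append(f"Notify OCR by {deadline} (164.408)")
    else:
        year_end = date(inc.discovered.year, 12, 31)
        plan.append(f"Record in breach log; report logged breaches to OCR by "
                    f"{year_end + timedelta(days=60)} (164.408)")
    return plan
```

Because the rule presumes a breach, the helper only skips notification when the caller affirmatively records that the PHI was secured or that the documented assessment found low probability; every other path produces dated obligations that can be tracked, which is also the documentation a CE or BA needs to show that notices were "timely."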

HIPAA Enforcement Rule: 45 CFR Part 160

The HIPAA Enforcement Rule was augmented when the Enforcement Interim Final Rule became effective. The final rule was included in the Omnibus Rule of 2013. The purpose of the rule is to define “willful neglect” and to implement the HITECH Act–related increases in civil penalties that CEs and BAs may be required to pay in the event of a HIPAA rule violation.

Willful neglect is defined as cases in which the entity knew, or should have known, of a violation of the HIPAA rules. This means willful neglect may be found, and lead to much higher civil penalties or monetary settlements, when noncompliance results from ignorance or incomplete knowledge of the compliance requirements.

The HITECH Act included language that significantly changed the level of civil penalties that could be levied against CEs and now BAs. The categories of civil penalties were expanded and associated penalties increased. OCR may also reach a monetary settlement with CEs and BAs rather than levying what could be higher civil penalties. Since 2011, OCR has imposed civil penalties and reached monetary settlements with a number of CEs and, in 2016, a BA. OCR can levy penalties up to $50,000 per violation up to $1.5 million for the same violations that occur within a calendar year.

As an example, if OCR investigates a CE or BA and finds violations, such as the lack of a completed risk analysis or a breach of unsecure PHI that resulted from deficient security safeguards (for example, from the lack of encryption of a mobile device), a separate violation occurs each day the covered entity or business associate is in violation of the provision. So, if the CE or BA has not completed a risk analysis, that counts as one type of violation and if, in addition, the CE or BA failed to encrypt the mobile device and a breach resulted, that counts as another type of violation. In this example if the CE or BA failed to conduct a risk analysis for 365 days, that’s 365 violations of the same type, so OCR can levy civil penalties of up to $1.5 million for that type of violation. In addition, if the mobile device should have been encrypted and was not for a period of 60 days, that would represent 60 violations of the same type. This means that OCR could levy civil penalties of more than $1.5 million (365 days x $50,000) because a risk analysis wasn’t conducted, and an additional $300,000 (60 days x $50,000) because a mobile device wasn’t encrypted, resulting in a breach of unsecure PHI.

The HITECH Act mandates that OCR conduct regular compliance audits of CEs and BAs. The OCR audit program was launched in November 2011 (Phase 1), and only CEs were audited as part of the Phase 1 audits. The Phase 2 audits were launched in March 2016 and include desk and comprehensive audits of CEs and BAs. The audit program does not replace enforcement actions or other compliance-related investigations, which may be conducted by other federal agencies and reported to OCR if that agency believes a CE or BA is not compliant with HIPAA.

Additional Guidance

OCR has been publishing guidance to the healthcare industry since 2003, with expanding guidance on HIPAA and compliance requirements beginning in 2015. Guidance of note includes

•  Mental health disclosures (www.hhs.gov/hipaa/for-professionals/special-topics/mental-health)

•  De-identification of data for research purposes (www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html)

•  Patient right to access health information (www.hhs.gov/hipaa/for-professionals/privacy/guidance/access)

•  Compliance training resources (www.hhs.gov/hipaa/for-professionals/training/index.html)

Other resources are available from the OCR web site (www.hhs.gov/hipaa/index.html) and the Office of the National Coordinator for Health Information Technology (ONC; www.healthit.gov).

Chapter Review

The HITECH Act coupled with the Omnibus Rule expanded the reach of HIPAA by adding subcontractors of BAs to the list of entities that are required to comply with HIPAA. This represented a significant change in the number of vendors who now need to pay attention to HIPAA.

HIPAA, HITECH, and state law require CEs and BAs to implement sound privacy and security practices and a sound breach notification process. This includes addressing:

•  Use and disclosure of PHI

•  Minimum necessary

•  Individual privacy rights

•  Policy development

•  Staff training

•  And so forth

The HIPAA rules are foundational when it comes to privacy, security, and regulatory compliance. Not adhering to HIPAA can lead to violations, sanctions, and civil penalties imposed by HHS. CEs and BAs need to implement privacy and security programs that are consistent with HIPAA requirements and to periodically monitor compliance. CEs and BAs also need to be in a position to demonstrate compliance through retained documentation and demonstrated action. The OCR HIPAA Audits that kicked off in 2016 included the publication of audit protocols that address in detail what CEs and BAs are required to document and prove. For example, are staff complying with privacy and security policies? Are authorizations to disclose PHI accurate? Do CEs provide individuals copies of their designated record set in a timely manner? This also amounts to more than just retaining documentation, such as the adopted privacy and security policies and procedures. CEs and BAs need to be in a position to demonstrate that, in this example, the workforce is adhering to adopted policies and has been provided training regarding what is expected of the workforce with respect to its privacy and security responsibilities. CEs and BAs need to periodically evaluate compliance with HIPAA because of the regulatory mandate and because not complying can have an adverse impact on the business of healthcare and its customers.

Questions

To test your comprehension of the chapter, answer the following questions and then check your answers against the list of correct answers that follow the questions.

    1.  From a regulatory perspective, what are the differences between what a BA is required to adhere to when it comes to the HIPAA rules and what a CE must adhere to?

         A.  There are no differences.

         B.  The BA is required to adhere to the HIPAA Privacy, Security, and Breach Notification Rules, but the CE is not required to adhere to any of them.

         C.  The BA is required to adhere to the use and disclosure provisions of the HIPAA Privacy Rule and the full Security and Breach Notification Rules, and the CE is required to adhere to the Privacy, Security, and Breach Notification Rules and the other HIPAA Administrative Simplification provisions.

         D.  The BA is required to adhere to the full Security and Breach Notification Rules, and the CE is required to adhere to the Privacy, Security, and Breach Notification Rules and the other HIPAA Administrative Simplification provisions.

    2.  What enforcement action can OCR take if a CE violates provisions of HIPAA’s Administrative Simplification provisions?

         A.  OCR has no enforcement authority.

         B.  OCR may levy up to $50,000 for any level of violation with a maximum of $1.5 million per calendar year for the same type of violation.

         C.  OCR may levy up to $25,000 for any level of violation with a maximum of $500,000 per calendar year for the same type of violation.

         D.  The penalty depends on the severity of the disclosure.

    3.  What are the privacy rights afforded patients pursuant to the HIPAA Privacy Rule (45 CFR Part 164, Subpart E)?

         A.  The maximum rights of quality, efficiency, and effectiveness.

         B.  Patients must be informed of disclosed PHI other than for treatment, payment, and healthcare operations.

         C.  The patient has the right to request a copy of their legal medical record.

         D.  The patient has the right to register a complaint with the U.S. Department of Health and Human Services, Office of the Inspector General.

    4.  A state law that is more stringent than the HIPAA Privacy Rule preempts HIPAA. What does stringent mean?

         A.  Stringent is defined as providing greater protection of an individual’s PHI or providing an individual greater access to their PHI.

         B.  Stringent is defined as a state law that is in conflict with HIPAA.

         C.  Stringent is defined as covering more serious disclosures.

         D.  Stringent means allowing more enforcement.

    5.  What are the document creation and retention requirements for CEs?

         A.  CEs are required to retain medical records for a minimum of six years.

         B.  CEs are required to create and retain for a minimum of six years all disclosures, complaints, mitigations, compliance reviews, and EHR audit reports.

         C.  All document retention requirements are for one year only.

         D.  CEs are required to retain all elements of PHI information indefinitely.

    6.  Are vendors required to adhere to HIPAA?

         A.  Yes, if the vendor contracts with a CE.

         B.  Only if the vendor is a software vendor or a cloud services vendor that uses, discloses, maintains, or transmits PHI on behalf of a CE.

         C.  Only if the vendor has not passed a HIPAA certification course recognized by OCR.

         D.  Only if the vendor uses, discloses, maintains, or transmits PHI on behalf of a CE or another BA.

    7.  The Omnibus Rule expanded the number of entities who are required to adhere to HIPAA. Which new category of entity was added to entities that are required to adhere to HIPAA?

         A.  SaaS vendors

         B.  Vendors who contract with CEs and have access to PHI

         C.  Vendors who contract with a CE or a BA and who can view PHI

         D.  Vendors who contract with a CE or a BA and who use, disclose, maintain, or transmit PHI on behalf of the CE or BA

    8.  What does “unsecure PHI” mean?

         A.  PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by OCR

         B.  PHI that is electronic and not encrypted

         C.  PHI that is left in an area where patients and visitors can view the PHI

         D.  PHI that is not totally and completely destroyed

    9.  When may a CE disclose a limited data set?

         A.  If the CE is contracting with an outside vendor to conduct marketing on behalf of the CE

         B.  Only for the purposes of research, public health, or healthcare operations

         C.  When requesting payment from a health plan

         D.  If the CE is contracting with an outside vendor to conduct fundraising on behalf of the CE

  10.  The HIPAA Security Rule requires PHI to be encrypted in which circumstance?

         A.  If the PHI will be transmitted over an open network.

         B.  If the PHI is stored on a USB drive.

         C.  If the risk of the exposure of PHI that is stored or transmitted is significant, such as when stored on mobile devices or emailed to an entity or individual outside of the CE or BA’s network environment.

         D.  All PHI must be encrypted at all times.

Answers

    1.  C. The business associate is required to adhere to the use and disclosure provisions of the HIPAA Privacy Rule and the complete Security and Breach Notification Rules, and the covered entity is required to adhere to the Privacy, Security, and Breach Notification Rules and the other HIPAA Administrative Simplification provisions.

    2.  B. OCR may levy up to $50,000 for any level of violation with a maximum of $1.5 million per calendar year for the same type of violation.

    3.  B. Patients must be informed of disclosed PHI other than for treatment, payment, and healthcare operations.

    4.  A. Stringent is defined as providing greater protection of an individual’s PHI or providing an individual greater access to their PHI.

    5.  B. Covered entities are required to create and retain for six years all disclosures, complaints, mitigations, compliance reviews, and EHR audit reports.

    6.  D. Any vendor who uses, discloses, maintains, or transmits PHI on behalf of a CE or another BA is required to adhere to HIPAA.

    7.  D. The Omnibus Rule expanded the type of entities that are required to adhere to HIPAA. The new category of entities is BA subcontractors who use, disclose, maintain, or transmit PHI on behalf of a CE or a BA.

    8.  A. Unsecure PHI is PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by OCR.

    9.  B. CEs may use or disclose a limited data set only for the purposes of research, public health, or healthcare operations.

  10.  C. The HIPAA Security Rule requires the encryption of PHI when PHI is transmitted over an open network and when the risk of exposure of stored PHI is significant. This would include the need to encrypt the PHI when stored on mobile devices or portable media and, wherever feasible, when the PHI is stored in an application, such as when PHI is stored in an electronic health record.

References

    1.  Public Law 104-191, 104th Congress. Health Insurance Portability and Accountability Act of 1996. Section 1, Title II, Subpart F (HIPAA Administrative Simplification provisions).

    2.  Public Law 104-191, 104th Congress. Health Insurance Portability and Accountability Act of 1996. 45 CFR Parts 160 and 164 (HIPAA privacy, security, breach notification, and enforcement rules).

    3.  Public Law 111-5, 111th Congress. American Recovery and Reinvestment Act of 2009. Division A, Title XIII, Subpart D (ARRA/HITECH privacy, security, and enforcement provisions).

    4.  Ibid. 42 CFR Part 2 (alcohol and chemical dependency privacy rule).


NOTE   The legal documents referenced in this chapter are available from Apgar & Associates, LLC. More information is available at http://apgarandassoc.com.
