HITECH Act – Privacy Compliance Action Plan

HIPAA became a new word in the insurance industry lexicon way back in 1996. For most insurance brokers, HIPAA meant changed rules regarding portability of coverage. Brokers also became Business Associates of Covered Entities (insurers and health plans). The latest provisions of HIPAA, known as the HITECH Act, expand the provisions and requirements for Business Associates, especially as they relate to breaches of health care data.
The HITECH Act directly obligates Business Associates to comply with the HIPAA Security Rule’s administrative, physical and technical safeguard requirements. The compliance deadline of February 17, 2010 is rapidly approaching!
The HITECH Act states:
Sections 164.308, 164.310, 164.312, and 164.316 of title 45, Code of Federal Regulations, shall apply to a Business Associate of a Covered Entity in the same manner that such sections apply to the Covered Entity (emphasis added). The additional requirements of this title [Title XIII of Division A of the ARRA] that relate to security and that are made applicable with respect to Covered Entities shall also be applicable to such a Business Associate….
Compliance, in general, requires:
o Revising Business Associate agreements to reflect these changes
o Developing and implementing comprehensive security policies and procedures with respect to the use and storage of protected health information (PHI)
o Notifying affected individuals and the Covered Entity following the discovery of a breach of unsecured PHI.
While HIPAA has largely been regarded as a “paper tiger” with little or no federal enforcement, that is changing. The federal government is beefing up enforcement actions. More importantly, the HITECH Act allows the Attorney General in a state to bring an action for violations. And, Business Associates may be liable for both civil and criminal action in the event data is breached.
Secured and Unsecured PHI
PHI, protected health information, is “individually identifiable health information held or transmitted in any form or medium…subject to certain limited exceptions.” HIPAA Covered Entities and Business Associates have, long ago, come to understand this term. The HITECH Act establishes the need to disclose breaches of PHI to various parties, including those whose information has been disclosed as well as to government agencies.
The Act makes a distinction between secured and unsecured PHI. A “safe harbor” rule allows that if PHI is secured, then any breach does not have to be disclosed. This “safe harbor” relies on the fact that no harm will come to an individual if the lost or stolen data cannot be attributed to a particular person.
“Unsecured PHI” is PHI that is not secured through use of a technology or methodology identified by HHS as rendering the information unusable, unreadable, or indecipherable to unauthorized persons using encryption and destruction technologies. Therefore, an entity using or storing PHI should take steps to:
1. Control and limit access to PHI to only those with a need to access the information
2. Encrypt or otherwise secure PHI by making it unreadable or unusable to unauthorized persons
3. Use destruction methods to render PHI unusable.
Notice of Security Breaches
As with the original security provisions of HIPAA, when electronic records were more dream than reality, the goal is to ensure that protected health information (PHI) is used appropriately and that measures are taken to keep PHI secure. A breach is defined as:
“The unauthorized acquisition, access, use or disclosure of protected health information (PHI) which compromises the security or privacy of such information.”
A data breach may be a breach to a system, a lost or stolen computer or laptop, a lost or stolen USB flash drive or the loss of a paper file and more. Obviously, in most cases, a breach of electronic information has graver consequences since the quantity of data exposed is multiplied exponentially and electronic information is so much more “portable.”
If a breach of unsecured PHI is discovered, notices are required. Notices must include a description of what happened; when the breach occurred; when it was discovered; the types of data breached (names, social security numbers, account numbers and the like). The federal government estimates the combined cost of composing and preparing a breach notice to an individual at $42. The average cost of investigating the nature and cause of a breach is estimated at a minimum of $400, ranging into the thousands of dollars.
Reporting of a breach is only required for unsecured protected health information. Breaches by a Business Associate must be reported to the Covered Entity. Ultimately, all breaches are reported to the affected individuals by either the Business Associate or the Covered Entity. Therefore, efforts to secure data should be robust and immediate. The number of individuals affected by the breach determines when a notification must be submitted to the Secretary of HHS.
Breaches affecting fewer than 500 individuals must be reported to the Secretary of HHS annually. All notifications of breaches occurring in a calendar year must be submitted within 60 days of the end of the calendar year in which the breaches occurred. A form for reporting breaches is available on the HHS website for the Office for Civil Rights. A separate form must be completed for every breach that occurred during the calendar year.
If a breach affects 500 or more individuals, notice of the breach must be made without unreasonable delay and in no case later than 60 days from discovery of the breach.
Individuals must also be notified that a breach of their records has occurred. A “Covered Entity” must be notified in the event a breach occurs by a Business Associate. In most cases, the Covered Entity will notify the affected individuals. There are also other requirements regarding notice that apply in some cases including alerting the media, providing toll-free phone calls for more information and website alerts among others.
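The notification rules above (secured PHI falls under the safe harbor; unsecured breaches of fewer than 500 individuals go into an annual HHS report due 60 days after the calendar year ends; 500 or more individuals require notice no later than 60 days from discovery) can be captured as a small decision function so that every logged incident gets a consistent answer and a calendar deadline. The following Python is an added example, not code from the article or from HHS; the incident records are constructed samples, the field names are assumptions, and the $42 per-notice figure is used only to size the notification effort.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

LARGE_BREACH_THRESHOLD = 500   # individuals; at or above this, notice runs from discovery
NOTIFICATION_WINDOW_DAYS = 60  # outer limit stated in the article for both paths
NOTICE_COST_PER_INDIVIDUAL = 42  # federal estimate quoted in the article, in dollars


@dataclass
class BreachRecord:
    """One incident as a Business Associate would log it (constructed sample fields)."""
    description: str
    occurred: date
    discovered: date
    individuals_affected: int
    phi_secured: bool  # True only if the data met HHS encryption/destruction guidance


@dataclass
class NotificationPlan:
    notify_required: bool
    reason: str
    hhs_deadline: Optional[date]          # when the Secretary of HHS must be told
    individual_deadline: Optional[date]   # when affected individuals must be told
    estimated_notice_cost: int            # dollars, individuals x per-notice estimate


def plan_notification(b: BreachRecord) -> NotificationPlan:
    """Apply the secured / under-500 / 500-or-more branches to one incident."""
    if b.phi_secured:
        # Safe harbor: secured PHI carries no notification duty under the rule described.
        return NotificationPlan(False, "safe harbor: PHI was secured", None, None, 0)

    # For unsecured PHI, individuals are notified no later than 60 days from discovery.
    individual_deadline = b.discovered + timedelta(days=NOTIFICATION_WINDOW_DAYS)
    cost = b.individuals_affected * NOTICE_COST_PER_INDIVIDUAL

    if b.individuals_affected >= LARGE_BREACH_THRESHOLD:
        return NotificationPlan(
            True,
            "500 or more individuals: notify HHS without unreasonable delay",
            individual_deadline,
            individual_deadline,
            cost,
        )

    # Smaller breaches are logged and reported within 60 days of the end of the
    # calendar year in which the breach occurred (the article's wording).
    year_end = date(b.occurred.year, 12, 31)
    return NotificationPlan(
        True,
        "fewer than 500 individuals: include in annual HHS report",
        year_end + timedelta(days=NOTIFICATION_WINDOW_DAYS),
        individual_deadline,
        cost,
    )


def plan_all(records: List[BreachRecord]) -> List[NotificationPlan]:
    return [plan_notification(r) for r in records]


# Constructed sample incidents for a broker's breach log.
SAMPLE_LOG = [
    BreachRecord("laptop stolen from car, disk encrypted", date(2010, 2, 20),
                 date(2010, 2, 21), 1200, phi_secured=True),
    BreachRecord("unencrypted USB drive lost", date(2010, 3, 1),
                 date(2010, 3, 1), 800, phi_secured=False),
    BreachRecord("paper claim file left in shared copier", date(2010, 3, 1),
                 date(2010, 3, 5), 12, phi_secured=False),
]

if __name__ == "__main__":
    for rec, plan in zip(SAMPLE_LOG, plan_all(SAMPLE_LOG)):
        print(f"{rec.description}: notify={plan.notify_required} ({plan.reason}); "
              f"HHS by {plan.hhs_deadline}, individuals by {plan.individual_deadline}, "
              f"est. notice cost ${plan.estimated_notice_cost}")
```

The first branch is what makes the safe harbor valuable: the only incident that needs no notice at all is the one where the device was encrypted. The `phi_secured` flag should be set from evidence (an encryption inventory or destruction certificate), not from an assumption, since a wrong value here turns a reportable breach into an unreported one.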
Compliance Action Plan
Brokers are well-advised to institute a risk management strategy to protect and secure PHI – and they are likely to be required to do so by Covered Entities. Using approved encryption and destruction technologies creates a “Breach Notification Safe Harbor” that means the onerous and costly notification provisions are not required even if data may be lost or stolen. In fact, this is a good opportunity to secure and protect PII (personally identifiable information), data that can uniquely identify an individual, as well as financial and credit data specific to an individual. A number of states as well as other federal laws and rules address these types of data and require those who possess this data to secure it.
A compliance action plan should include:
1. A review of the uses of and storage of PHI, PII and other individually identifiable data. This includes data stored in paper files, stored in computers or portable devices – the gamut. Steps to secure all such data should be taken so there is no unsecured data.
2. Review and revise Business Associate agreements, or respond to Covered Entity amendments to such agreements.
3. Development of policies to protect data. It’s a good idea to appoint a security official to assess, develop and implement security policies. Questions to consider include: who has access to data; who needs access to data; where or how can it be accessed; how is it destroyed when it is no longer needed; how is it kept secure when in use, in storage or in transit.
4. Implementation of the data protection policies. Implementation would include requiring that all paper and electronic files be secured when not in use; locking file cabinets; encrypting electronic data; locking down or logging off computers when not in use and the like. Other measures may include positioning computer monitors so non-authorized persons cannot see them.
5. Data protection also applies to data that is being transmitted by whatever means. A simple step might be to personally seal an envelope containing secure data rather than letting a mail clerk seal it. Many firms have placed security notices on faxes as a first step. Secure and encrypted email is available and has the added benefit of sending large files at lower cost than physical “snail mail”.
6. Determining how to authenticate someone’s access to data and their level of access. Is the person accessing data authorized to do so, and are there limits on what actions they can take? Someone may have authorization to review a file but not be authorized to make changes to it.
7. Train employees on data security, develop sanctions for non-compliant employees and contractors, conduct regular reviews of security policies and practices and monitor for compliance.
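Steps 3, 6 and 7 of the plan come down to three questions that a system can answer mechanically: is this person's role allowed to take this action, does this person have a need to access this particular file, and is every decision recorded so that policy compliance can be reviewed later. The following Python is an added example, not code from the article; the roles, case identifiers and users are constructed for illustration, and the "reviewer may read but not update" rule is the one the article describes in step 6.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Set


class Action(Enum):
    READ = "read"
    UPDATE = "update"
    DELETE = "delete"


# Role -> permitted actions. Constructed example roles for a brokerage, not from the article.
ROLE_PERMISSIONS: Dict[str, Set[Action]] = {
    "claims_reviewer": {Action.READ},                                 # may look, not change
    "claims_adjuster": {Action.READ, Action.UPDATE},
    "records_officer": {Action.READ, Action.UPDATE, Action.DELETE},   # handles destruction
}


@dataclass
class User:
    username: str
    role: str
    assigned_cases: Set[str]  # need-to-know: only cases this person actually works on


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class PhiAccessControl:
    """Role permission plus per-case need-to-know, with every decision audited."""
    audit_log: List[dict] = field(default_factory=list)

    def authorize(self, user: User, action: Action, case_id: str) -> Decision:
        permitted = ROLE_PERMISSIONS.get(user.role)
        if permitted is None:
            reason = f"unknown role {user.role!r}"
        elif action not in permitted:
            reason = f"role {user.role!r} may not {action.value} PHI"
        elif case_id not in user.assigned_cases:
            reason = f"no need-to-know for case {case_id}"
        else:
            reason = "ok"
        decision = Decision(reason == "ok", reason)
        # Denials are logged as well as grants: repeated denials are what a
        # compliance review looks for when monitoring for policy violations.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user.username,
            "action": action.value,
            "case": case_id,
            "allowed": decision.allowed,
            "reason": decision.reason,
        })
        return decision

    def denials(self) -> List[dict]:
        """Entries a security official would review under step 7 of the plan."""
        return [e for e in self.audit_log if not e["allowed"]]


# Constructed sample users.
REVIEWER = User("pat", "claims_reviewer", {"CASE-1001", "CASE-1002"})
ADJUSTER = User("sam", "claims_adjuster", {"CASE-1001"})


def run_demo() -> PhiAccessControl:
    ac = PhiAccessControl()
    ac.authorize(REVIEWER, Action.READ, "CASE-1001")    # allowed: role + assignment
    ac.authorize(REVIEWER, Action.UPDATE, "CASE-1001")  # denied: reviewers only read
    ac.authorize(ADJUSTER, Action.UPDATE, "CASE-1002")  # denied: not an assigned case
    ac.authorize(ADJUSTER, Action.UPDATE, "CASE-1001")  # allowed
    return ac


if __name__ == "__main__":
    for entry in run_demo().audit_log:
        print(entry)
```

The need-to-know check matters as much as the role check: an adjuster with legitimate update rights still should not be able to open every claim file in the office, and the audit log is what turns a written policy into something that can be monitored.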
A Word on Passwords
Passwords and PINs have become increasingly common to access any number of websites, programs and even physical locations. But, as passwords are used in many offices, they represent little protection.
It’s not uncommon to see “sticky notes” with passwords attached to a monitor. Others “hide” password lists in a drawer, under a mouse pad or any number of places. And, all too frequently, passwords are too simple thereby affording little, if any, protection.
It is inadvisable to rely solely on passwords to protect data. However, if passwords are used, policies must be in place to manage them, and every effort should be made to ensure that they are kept secret and that they are sufficiently robust. There are websites that evaluate a password for strength. In general, however, a strong password has a minimum of eight characters using upper and lower case letters, numbers and symbols in combination. A robust password is not easy to remember and should not be based on information that directly relates to a person such as their birthday, maiden name and the like.
A strong policy on the use of passwords and securing of passwords must be an integral part of any implementation strategy.
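A written password policy is only enforceable if the system refuses passwords that break it. The following Python is an added example, not code from the article; it checks the rule stated above (at least eight characters, with upper and lower case letters, numbers and symbols together) and additionally rejects passwords built from personal details such as a birthday or maiden name, which is the other weakness the article calls out. The personal details used are constructed sample values.

```python
import re
from datetime import date
from typing import Iterable, List

MIN_LENGTH = 8

# Each rule: a description for the user and a regex that must match somewhere.
CHARACTER_CLASS_RULES = [
    ("at least one upper case letter", re.compile(r"[A-Z]")),
    ("at least one lower case letter", re.compile(r"[a-z]")),
    ("at least one number", re.compile(r"[0-9]")),
    ("at least one symbol", re.compile(r"[^A-Za-z0-9]")),
]


def birthday_terms(birthday: date) -> List[str]:
    """Common ways a birthday ends up inside a password (year, MMDD, DDMM, MMDDYYYY)."""
    return [
        birthday.strftime("%Y"),
        birthday.strftime("%m%d"),
        birthday.strftime("%d%m"),
        birthday.strftime("%m%d%Y"),
        birthday.strftime("%d%m%Y"),
    ]


def password_violations(password: str, personal_terms: Iterable[str] = ()) -> List[str]:
    """Return every policy rule the password breaks; an empty list means it is acceptable."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for description, pattern in CHARACTER_CLASS_RULES:
        if not pattern.search(password):
            problems.append(f"missing {description}")
    lowered = password.lower()
    for term in personal_terms:
        term = term.lower()
        # Ignore very short terms (e.g. a two-digit day) to avoid spurious matches.
        if len(term) >= 3 and term in lowered:
            problems.append(f"contains personal information {term!r}")
    return problems


def is_acceptable(password: str, personal_terms: Iterable[str] = ()) -> bool:
    return not password_violations(password, personal_terms)


# Constructed sample profile for a hypothetical employee.
SAMPLE_PROFILE_TERMS = ["Taylor", "Morgan"] + birthday_terms(date(1985, 7, 14))

if __name__ == "__main__":
    for candidate in ["password", "Morgan1985!", "Kp7#vQ2m"]:
        found = password_violations(candidate, SAMPLE_PROFILE_TERMS)
        print(f"{candidate!r}: {'acceptable' if not found else '; '.join(found)}")
```

Returning the full list of violations rather than a single yes/no lets the policy explain itself to the user at the moment they choose a password, which is the cheapest point at which to fix a weak one.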
Compliance with the new provisions of the HITECH Act is required as of February 17, 2010. More regulations of this nature can be expected as more health information is digitized and available electronically.