Why do an annual risk assessment?
Smart clinicians make the time – ideally at the beginning of the year – to conduct a risk assessment of PHI sharing procedures, records management and cyber safety issues. Review the latest changes in governmental and payer regulations and requirements, with the help of your IT team as well as a legal adviser familiar with healthcare billing and reimbursement, to ensure that your practice is compliant with all guidelines.
What’s new in healthcare privacy regulations
Recent developments with the Health and Human Services (HHS) Office of Civil Rights (OCR) include the publishing of a Request for Information in the Federal Register on December 14, 2018. With this request, the floor will be opened to the general public to comment on aspects of the Privacy Rule and Security Rule which may interfere with care coordination between providers.
As last modified in the Omnibus Rule, Section 164.506(c) states the following implementation specifications:
- A covered entity may disclose protected health information (PHI) for treatment activities of a healthcare provider.
- A covered entity may disclose PHI to another covered entity or healthcare provider for the payment activities of the entity receiving the information.
- A covered entity may use or disclose PHI for its own treatment, healthcare operations or payment.
- A covered entity may disclose PHI to another covered entity for healthcare operations activities of the entity receiving the information, as long as each has or had a relationship with the individual who is the subject of the requested PHI, the protected information pertains to such relationship and disclosure is a) for a purpose listed in the definition of healthcare operations, or b) for the purpose of healthcare abuse, fraud detection or regulatory compliance.
- A covered entity participating in an organized healthcare arrangement may disclose PHI about an individual to other participants in the healthcare arrangement for any healthcare activities of the organized healthcare arrangement.
HIPAA – a quick review
Simply put, the Health Information Portability and Accountability Act (HIPAA) of 1996 prohibits disclosing protected health information (PHI) unless the patient has consented to the disclosure or the disclosure is for treatment purposes, such as sharing information between physicians in the course of treating the same patient. As with most laws and regulations, there are exceptions; for most practices, however, it’s always prudent to play it safe and stay compliant.
Legal implications of violations: case examples
In a recent action at OCR, Advanced Care Hospitalists (ACH), which provides contracted internal medicine providers to nursing homes and hospitals in Florida, contracted with a person identifying himself as representing another Florida-based company, Doctor’s First Choice Billings, Inc. The problem was that the individual who provided medical billing services to ACH under First Choice’s name and website did so without that company’s knowledge or permission.
Eventually, a hospital tipped off ACH about the availability of PHI on a website. OCR then discovered that ACH had never entered into a BAA, Data Use Agreement, or Privacy and Security Agreement, and had not otherwise performed the necessary due diligence, including implementing the physical, technical and administrative safeguards required by the Security Rule. Consequently, OCR ordered a fine of $500,000 levied against ACH, an expensive and humiliating lesson for organizations in performing due diligence.
Going after even bigger fish, the OCR recently announced a $16 million settlement with Anthem – the largest HIPAA settlement ever, following the largest health data breach in U.S. history. (This is almost three times the next-highest settlement of $5.5 million paid by Florida’s Memorial Healthcare System in 2016.)
The reasons, according to OCR’s announcement, included Anthem’s numerous security missteps leading to a data breach:
- Anthem’s failure to implement appropriate measures to detect hackers, who had gained access to its system and stolen patients’ private information, passwords and more. Being a large entity made it an attractive target for cyber thieves – a fact that Anthem should have taken into account by monitoring and responding to security threats as well as implementing high-level password maintenance.
- In addition to “the impermissible disclosure of electronic protected health information (ePHI)…Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber attackers from accessing sensitive ePHI, beginning as early as February 18, 2014.”
How can a medical practice promote cyber security
- First, schedule and perform a security audit on a regular basis. If your assessment runs into omissions or gaps in protection, you must immediately take steps to address and fix them.
- Second, in compliance with HIPAA, conduct frequent audit-trail reviews to identify whether data is being hacked, how successful the hackers have been and how to reduce the effects of the breach before it causes major compliance issues.
- Finally, pay attention to who has access to passwords and other sensitive information. Having a written policy in place is in fact required by HIPAA for those utilizing electronic records and other confidential information. You will be asked whether your policy covers who among staff, vendors and software programs has access to sensitive information.
Getting legal and other third-party assistance to protect your practice
If there’s any doubt about procedures involving sharing PHI, it’s a good idea to consult with experienced legal counsel who specializes in healthcare as well as cyber security matters. Be sure that whatever you might sign is valid and covers all contingencies.
Because health care record-keeping is mandated to utilize electronic databases, reimbursement emphasis is increasingly placed on HIPAA compliance, as well as the accuracy and timeliness of a medical claim. Utilizing an experienced trusted medical billing service such as M-Scribe, with its adherence to stringent cyber-safety procedures, can reduce accidental data breaches while ensuring that your practice receives the reimbursement it deserves. Contact M-Scribe at 770-666-0470 or by email to learn more about safeguarding your practice and patient information while increasing profitability.