As a result of several recently completed examinations of healthcare practices and healthcare-related entities, it has become apparent that there is a major lack of understanding of borrowers’ and examiners’ responsibilities under the Health Insurance Portability and Accountability Act’s (HIPAA) privacy rules and compliance requirements. The misapprehension of compliance requirements ranged from the belief that no action was needed because a general confidentiality agreement was in place, to the belief that testing of patients’ billing, including all clinical and financial information, is prohibited. There is obviously a great deal of confusion related to HIPAA privacy laws. In an effort to clarify the requirements, the Department of Health and Human Services has produced various publications dealing with this complex issue.
HIPAA was passed by Congress in 1996, then known as the Kennedy-Kassebaum Act, with the goal of enabling workers to continue their health insurance coverage when changing jobs. It was also meant to fight healthcare fraud and abuse, to standardize electronic billing and processing, and to protect medical records. In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act expanded HIPAA compliance requirements to include business associates. A “business associate” is defined as a person who is not employed by the healthcare organization and who creates, receives, maintains, or transmits protected health information for a function or activity, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management and re-pricing. In March 2013, the Department of Health & Human Services issued new rules to bring HIPAA and HITECH compliance under the same umbrella, in order to enhance patient privacy and to further protect their health information.
The 2013 modification, among other things, made business associates of a healthcare provider directly liable for HIPAA compliance. Section 160.103 specifically identifies entities providing legal, accounting, actuarial, consulting and data aggregation services as business associates. A subcontractor that performs services on behalf of a business associate is also considered to be a business associate.
A business associate is expected to comply with the same security standards as the healthcare provider. In short, a business associate needs to make sure that Protected Health Information (PHI) is created, received, maintained and transmitted in a secure environment. PHI is defined as any individually identifiable health information, regardless of whether it is held in electronic, paper or oral form. PHI includes both clinical and financial records. Section 164.308 goes into detail on the standards that the business associate must follow. Access to electronic health information must be limited to the workforce members involved and monitored using logs and incident tracking reports. Computers with access to sensitive healthcare information must have electronic procedures in place that terminate the session after a set period of inactivity. Protected electronic health information must be encrypted before it is transmitted. Additionally, business associates are required to have a data backup plan and a disaster recovery plan, including the ability to restore any lost data and to ensure continuation of the critical business processes that protect the security of electronic protected health information. Such procedures must be supervised, periodically tested and revised. HIPAA also requires proper disposal of PHI and of hardware on which PHI was maintained.
“We are in the midst of a technological revolution in which data is the epicenter and privacy, portability, and accountability are paramount. With the advantages derived from a data driven approach come matching risks of data breach or loss; this should not, and cannot, be taken lightly,” noted Syed Ali, a manager in the WeiserMazars Health Care Practice.
It goes without saying that a subcontractor is required to maintain the same level of security procedures to safeguard the information. All of the above-mentioned assurances must be documented in a written contract between the healthcare provider and the business associate. A similar agreement should be drafted between the business associate and any subcontractor. Although HIPAA compliance contracts vary significantly, the Department of Health & Human Services lists provisions that must be included in the business associate contract. A contract must:
- Define the permitted use of information
- Require the business associate to properly safeguard the information
- Report any breaches of data
- Require the business associate to disclose health information in response to individuals’ requests for copies of their protected health information
- Require the business associate to make available to Health & Human Services its internal practices, books and records associated with protected health information
- Require business associates to return or destroy all created or received protected health information
- Require that business associates obtain the same level of assurances from their subcontractors
- Authorize termination of the contract if a business associate violates a material term of the contract
Penalties for violating HIPAA rules vary from $100 to $50,000 for each violation, depending on whether the healthcare provider or business associate was aware or unaware of the violation, on whether there was a reasonable cause for the violation, and on whether the violation was corrected within 30 days. All violations of an identical provision are capped at $1,500,000 in a calendar year; however, penalties may exceed $1,500,000 if violations of multiple provisions occur. Under certain circumstances, HIPAA violators may also face criminal penalties. Business associates and subcontractors can be held directly responsible for violations of HIPAA rules.