HIPAA From the Eyes of a Physician and Business Associate: Bottom Line... It Pays to Be HIPAA Compliant!
Date Posted: Friday, March 18, 2016
Surgeons are taught from the beginning of our training to listen carefully
to our patients, diagnose the problem at hand, create a comprehensive plan
to address the concern and when necessary, perform a surgical procedure to
physically alter and thereby improve the patient's health and wellbeing. But
learning how to be a surgeon, especially in the field that I had practiced,
Otolaryngology and Facial Plastic Surgery, was no easy task. Before the advent
of slim microscopic cameras attached to delicate instrumentation, or headlights
equipped with video cameras that could display the operator's field of view
on a giant screen, the fledgling surgeon was positioned behind the primary
operator, hoping to get a quick glimpse of the surgical field in order to
better understand the anatomy and the procedure being performed. Too many
times to mention, I can remember staring at the back of my mentor's head and
being asked, "Did you see what I did there?" Too afraid to say "Of course
not," I usually answered in the affirmative, while always thinking to myself
"Do you think your father was a glazier?"
The point is that technology is rapidly changing and as healthcare providers
and vendors to the medical profession, we must all recognize our roles in
the safekeeping of our patients' health information in a world of ever-increasing
threats to the security of that data. The good news is that there are software
programs available to healthcare professionals, as well as medical billers
and debt recovery specialists, which clearly disclose the roadmap to compliance.
They offer efficient methods of implementation for these complex HIPAA Privacy
and Security regulations. Healthcare providers (the covered entities), as well
as the Business Associates that serve them such as billing and collection companies,
must comply with the HIPAA HITECH regulations. As someone who has bridged both worlds and meshed both
of these cultures, allow me to give you my perspective on why it makes sense
for Business Associates to expend the time and energy to be security and privacy
compliant.
Billing and collection companies have many priorities. Too often, one of
them is not ensuring the security and privacy of protected health information
(PHI) and fully complying with the HIPAA HITECH requirements. If you handle
PHI on behalf of a covered entity, you are a Business Associate and must comply
with all the HIPAA HITECH requirements, including critical items like performing
periodic risk assessments, documenting and implementing security and privacy
policies and procedures, conducting HIPAA awareness training, and regularly
testing disaster recovery and business continuity plans. But you may ask:
"Should I worry if I'm not compliant? Could my business operations be disrupted
by a data breach? Will my customers and partners require me to be HIPAA compliant?"
The answer to all of these should be an unqualified YES.
The risks are real and they need to be managed. Here are just a few:
- Years of underinvestment in technology (especially security) in both the healthcare and medical billing/collections industries
- Healthcare records contain large amounts of personal information
- Mass digitization of patient data has greatly increased attack opportunities
- The value to thieves of a healthcare record is commonly estimated at 40-50 times that of a credit card record
- Mobile devices have become the primary computing vehicle, increasing the potential for loss and theft
A KPMG study reported that 81% of healthcare organizations have been hit
with a breach in the last two years. Some speculate that number could be even
higher given that there could be some data breaches that remain undetected
or go unreported.
In another recent survey, privacy, security, and risk management leaders felt
employee negligence was the largest privacy and security threat. Given the
number of recent breaches caused by malicious cyber-attacks, this is an interesting
observation by the professionals in the field. Furthermore, over 50% of respondents
believe healthcare-related organizations will remain the industry most at
risk in 2016. What do you think is the largest privacy and security threat
in your organization?
Most billing and collection companies have similar gaps. Do these sound like
what your organization looks like?
- Incomplete or out-of-date risk assessment;
- Missing security and privacy policies and procedures;
- Limited or no HIPAA awareness training;
- Untested disaster recovery plans;
- Ad hoc data breach incident response;
- Limited or no encryption of PHI; and
- Unmonitored access controls.
Being HIPAA HITECH compliant can pay dividends to your organization. It can
help you generate more revenue and open up new business opportunities.
If you haven't already noticed, more and more business partners are asking
"Are you HIPAA compliant?" Many will not work with you if you can't answer
affirmatively to that simple question. This is especially true in a system
where a greater number of physicians are employed by a large institution and
are no longer opting for a traditional private practice. Being HIPAA compliant
can also be a business development differentiator, reduce the impact of a
costly lawsuit over PHI mishandling or access, prevent reputational damage
and consumer mistrust, and minimize potential fines from breaches and audits.
Once you have completed all required remediation activities and are compliant,
demonstrating your commitment to adhering to HIPAA HITECH regulations can
go a long way to obtaining and maintaining critical business relationships.
It doesn't have to be expensive. There are several software solutions to
guide your project and allow you to focus on only what you really need to
do. This can make being HIPAA compliant a cost-effective and potentially revenue-enhancing
initiative. So what steps should you take right now as we enter the year 2016?
At a minimum, you should complete basic HIPAA HITECH security activities
to minimize risks and be prepared to respond to business partners' and new
customers' requests. This means completing at least the following:
- Risk Assessment to understand where PHI is stored and used, identify critical technology risks that must be controlled, and understand what mitigating actions need to be taken.
- Gap Analysis to prioritize remediation activities and develop a work plan to systematically close identified requirement gaps.
- Workplan to have a plan and strategy so progress can be measured and tracked.
- Remediate Critical Risks and Implement Mitigating Controls to reduce risk and implement a secure and protected environment.
- Develop and implement core security and privacy policies and procedures.
- Implement ongoing monitoring tools to secure your technology, networks, and physical environments.
- Develop Core Risk Management Plans, including:
  - Risk Management
  - Incident Response
  - Contingency/Business Continuity
  - Physical Security
- Conduct workforce training to ensure staff understand what security risks exist and what actions every staff member must take on a daily basis to maintain a secure environment.
Workforce training, along with some privacy training, is the typical measure
that most Business Associates have in place, and they feel they have thereby
completed their HIPAA compliance. The advancement and ubiquity of data storage
and transfer in healthcare makes this effort only a part of the overall,
comprehensive plan to be HIPAA HITECH compliant in 2016.
Completing these activities should put you in position to comply with critical
HIPAA HITECH requirements. As HHS leadership strongly states: "Organizations
must complete a comprehensive risk analysis and establish strong policies
and procedures to protect patients' health information … Further, proper encryption
of mobile devices and electronic media reduces the likelihood of a breach
of protected health information" (HHS OCR Director Jocelyn Samuels).
Many healthcare-related organizations have purchased a data breach insurance
policy to protect them in the event they face a breach. While this insurance
can be very useful in helping to cover the rising costs of a healthcare breach,
it is not a standalone solution to protecting an organization from the costs
of a breach. In most instances, the insurance carrier still requires the Business
Associate to complete the above critical compliance activities. As the following
recent story indicates, the organization must be actively working to protect
PHI.
In December 2013, Cottage Health Systems notified almost 33,000 patients that
their PHI had been compromised. Cottage Health filed a claim with its breach
insurer, Columbia Casualty Insurance, which paid out over $4.1 million for
costs associated with this breach. However, Columbia recently filed suit
against Cottage Health to recoup the money it paid in connection with this
breach. According to Columbia, Cottage violated the terms of its policy because
it did not perform the due diligence necessary to safeguard PHI.
The other key initiative to reduce risk is to ensure you have Business Associate
Agreements (BAAs) in place with any organization with which you exchange PHI.
Here are some quick Business Associate Agreement best practices:
- Single Repository: Your organization should have one place where all executed Business Associate Agreements are stored. There should also be a master list of all organizations you receive PHI from or transfer PHI to, as well as what PHI is transferred.
- Good Contracting Practices: If you are the organization providing a Business Associate Agreement for signing, ensure that it has been reviewed by your attorney beforehand. Seemingly subtle changes can have significant consequences in these agreements.
- Due Diligence: When entering into a new business associate or subcontractor relationship, ask two important questions about their HIPAA preparedness: have they done a risk assessment in the last year, and who in the organization will be the Chief Compliance Officer? Remember, you have an obligation to end the transfer of PHI to any organization you have reason to believe is not able to safeguard the data. Remember to ask these questions if you are using a forwarding agency or contracting with any outside vendors that have access to your data.
- Audit: Review your Business Associate Agreements at least once a year. Also, look at all vendors you do not have Business Associate Agreements with and make sure you are not transferring PHI to these organizations.
By now, I know what you are all thinking. Isn't it enough that we have to
deal with the FDCPA, FCRA, TCPA, CFPB, etc.? Now HIPAA HITECH too? Let me
share with you a recent letter I received from a debtor, posing as a validation
request (coming in well after the 30 day validation period) and my response.
To whom it may concern:
I recently sent you a letter that you basically ignored. HIPAA requires that
you maintain the same level of security that the health care maintains. Please
provide me with your current process for securing my information and the agency
that inspected your facility. Also send me a copy of the assignment between
you and the health care provider.
In the event of noncompliance, I reserve the right to file charges and/or
complaints against you and the health care provider with the OCR on HIPAA
violations and appropriate County, State & Federal authorities, the BBB and
State Bar associations for violations of the FDCPA, FCRA, and Federal and
State statutes for fraudulent slander of credit and illegal reporting activities
on an account that is time-barred as well as North Carolina medical privacy
rules.
I will wait 15 days to file my complaint.
Mr. XXXX
____________________________________
Dear Mr. XXXX,
I am in receipt of your communication and attached please find the documentation
you requested verifying your debt.
In regards to the questions you put forth regarding the HIPAA regulations,
as a retired surgeon, I am well aware of the HIPAA requirements and FMS is
in compliance with all state and Federal regulations regarding the protection
of personal health information. I have reviewed your account and see no evidence
of a breach in security. The information you are requesting is proprietary
in nature and is not required to be disseminated to the general public without
evidence of a breach in security regarding your personal health information.
Allow me to add that your letter has many inconsistencies in that your debt
is not time-barred and has nothing to do with the North Carolina medical privacy
rules.
A representative will be available to discuss how you would like to handle
your outstanding balance after you have reviewed the documents verifying your
debt.
Sincerely yours,
Dr. H.
Since this was the first notice received by my company, and the debt was
not out of statute and had no relation to North Carolina, it was clear to
me that the content was merely cut and pasted, probably from some debtor advocacy
internet site. Mark my words, it won't be long before the plaintiff attorneys
begin trolling for HIPAA cases against healthcare Business Associates!
In summary, the time for taking effective steps to secure protected health
information is now. Medical billing and debt collectors are coming under the
microscope of regulators and business partners and must be able to demonstrate
their safeguard protocols. As businesses and consumers become ever more computer
savvy and as large data breaches are announced frequently in the media, they
are already starting to ask "Is my Personal Healthcare Information data secure
and do you follow good security and privacy practices?" As technology advances
and interoperability becomes more than a fairytale, the standards for doing
business in this environment will only rise. While not easy by any standard, becoming
HIPAA compliant doesn't have to be overwhelming or cost prohibitive. This
investment will pay for itself many times over. It will be mandatory for business
leaders to adopt practices so that their firms will be viewed as secure, auditable,
and compliant with Federal and state healthcare regulations. Get ahead of
the curve. Bottom line…It pays to be HIPAA compliant!
Jeffrey N. Hausfeld, MD, MBA,
is the Managing Director of FMS Financial Solutions, a debt recovery firm
in Greenbelt, Maryland. He is a Medical/Business consultant to QIP Solutions,
a software platform for HIPAA HITECH compliance. Dr. Hausfeld is also the
Chairman of the Board and Founder of the Society of Physician Entrepreneurs.