Early in the history of the Health Insurance Portability and Accountability Act (HIPAA), violations typically involved receiving a warning letter from the Department of Health and Human Services (HHS). It was basically toothless and carried no penalties. In 2009, Congress passed the Health Information Technology for Economic and Clinical Health Act (HITECH), which supplied the government with a range of tools to support enforcement. In short, HIPAA grew fangs.
In 2010, HHS began holding training seminars for state attorneys general on enforcing HIPAA rules. As a result, that year alone saw an increase of 27 percent in the number of HIPAA-related complaint investigations.
Part of what the HITECH Act added to HIPAA was to replace warning letters with mandatory fines for HIPAA violations. The toughest category, "willful neglect," could carry penalties up to $1.5 million for violations like unsecured protected health information (PHI).
A more typical fine at the physician's office level are first-tier violations that start at $100. A second-tier violation is the most common for physicians. These fines start at $1,000 per violation and can go as high as $25,000 per violation, which can be levied for multiple infractions.
HIPAA Audits
Prior to 2012, these were referred to as HIPAA investigations, but are now called HIPAA audits. Random audits may be conducted, although the number of physicians in the U.S. compared to the number of auditors makes the odds of being chosen for an audit fairly low.
There are three types of breaches that may result in a HIPAA audit.
1. Breach or a complaint of a breach. Any breach of protected health information that affects more than 500 people must be published on the HHS website. This can be found at: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
2. A complaint of a security or privacy violation. HHS is required by law to investigate all HIPAA violation complaints. Directions for how to file a complaint can be found on the HHS website at: http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html
3.Filing for Electronic Health Record (EHR) reimbursements. The 2009 American Recovery and Reinvestment Act (ARRA) provided financial incentives for physicians able to demonstrate "meaningful use" of an electronic health record system. Those incentives were as high as $44,000 prior to April 2011, but have decreased yearly until 2016 when they will disappear completely. In order to qualify for the reimbursement, physicians need to describe how their medical practice meets HIPAA compliance requirements. In addition, the EHR must be HIPAA compliant, as well as all the physician's policies and procedure manuals. Staff in the physician's office must have documented training in HIPAA.
Audits and Documentation
If audited, physicians must provide documentation of their HIPAA compliance practices. Some of the items examined are:
- Prevention, detection, containment and correction of security violations;
- List of software used to manage and control access to the Internet;
- Policies and procedures for emergency access to electronic information systems; and
- Password management policies and procedures.
The list is so long and comprehensive it might seem impossible for anyone to comply. However, most physician professional organizations can supply privacy and security manual templates. Usually a member of the physician's staff will need to become the privacy/security officer whose job it is to implement and maintain HIPAA compliance records and policies.
When purchasing an EHR system, make sure the product is HIPAA compliant and the vendor is fully aware of HIPAA regulations. The same goes for hiring a HIPAA consultant. Check the consultant's background and determine his or her specialty (for example, are they focused primarily on accounting or law firms or physician's offices?).
Audits and Personnel
During an audit, HIPAA auditors will request that key personnel be available for questions. This will include the physician, the practice's IT person and the HIPAA compliance officer.
Questions Likely to Be Asked
The specific questions a HIPAA auditor is likely to ask will vary according to the nature of the audit and type of security breach, as well as the type and size of the organization. Typical questions include:
- Are you able to provide a list of software used to manage and control access to the Internet?
- Do you have an emergency mode of operations plan?
- Show us a list of terminated employees.
- Provide a list of antivirus software, service, date of installation and list of updates.
- Can you provide a list of users who can access your system remotely?
- What is your employee violations/sanctions policy?
- Show us a list of systems administrators, backup operators and computer system users.
- Show us how your system authenticates users' access to electronic protected health information (EPHI).
- Do you have a disaster recovery plan?
Good Medicine
Although it sometimes seems that HIPAA and the HITECH Act have added yet another layer of bureaucracy to practicing medicine, it's important to remind yourself that the purpose of both laws is to protect a patient's confidential health information. In addition, since so much of a patient's financial information flows through a physician's office, the regulations cover that as well.
For the most part, HIPAA security regulations are built upon computer security best practices and once in place, are reasonably easy to follow. Yet it seems every week there's a news story about a major breach at a health care institution, doctor's office or health care agency.
Implementing good patient information security practices can save you, your practice and your patients a lot of headaches and potential financial penalties. Plus, it's just good medicine.