
Healthcare Providers Face Tougher HIPAA Rules

By smace@healthleadersmedia.com | October 04, 2013

More stringent privacy regulations now in effect mean hospitals and medical practices can expect random audits, higher fines, and a surge in formal complaints from patients who ask for, but do not receive, their medical records in a timely fashion.

This article appears in the September issue of HealthLeaders magazine.

Spurred by stricter and closer regulation and enforcement, healthcare providers spent the summer scrambling to update their ability to abide by the federal privacy, security, and breach notification rules of the Health Insurance Portability and Accountability Act.

The new rules kick in on September 26, 2013. Providers can expect random audits, fines that now rise based on the number of records compromised, more frequent and sterner communications from HHS' Office for Civil Rights, and a surge in formal complaints from patients who request their medical records but do not receive them in a timely fashion.

"Before, it said, when you have a breach, you can use your judgment to decide if there was risk of harm to the patients," says Pamela McNutt, CIO at the six-hospital Methodist Health System in Dallas. "Under the new omnibus rule, they actually gave some very specific criteria that you have to consider."

For instance, suppose someone left a box of records containing protected health information somewhere. Before the rule change, if the box turned up on the provider's doorstep or a third party handed it back to the provider, a breach notification normally did not have to be issued. Now, such breach notifications become mandatory.

Investigators remain lenient for first-time breaches if the breach is addressed properly. "If you haven't done your due diligence, then that's where you open yourself up to the fines," McNutt says. The new omnibus rules "just really put very solidly in writing exactly what you need to do to determine risk. It does turn it into 'assume you're guilty unless you can prove you're innocent.'"

The OIG's promise of random HIPAA audits, even without a breach notification, is putting even more focus on compliance, McNutt says. "The privacy of patient records is not where it needs to be. We're having too many breaches.

"Most of the American public can understand somebody's laptop was stolen and it had some data on it, versus when you hear some of these other stories like some company found a hole in their Internet system and found out that people for years have been able to peruse patient records through their Internet. But I think the public's forgiveness is going to be based on how grievous they perceive the error was."

For providers without in-house expertise to train employees about security and patient privacy, training materials are available for sale, she adds.

Providers must do all this while at the same time expanding authorized access and exchanging protected health information with patients and other providers.

"The more we're pushing for transparency and interchange of records and patients being able to have a lot of access to their own records online, the more you have to think about security and privacy," McNutt says. "We want to give patients portals, but how can we make sure that we've made it secure enough that someone can't hack in and get that patient's records? This raises the bar on the need for security."

As with all corporate security, that can be a tricky balance. Easy-to-remember passwords may be less secure than more difficult-to-remember ones, for instance.

Two more factors arriving at the same time as the new HIPAA omnibus rule are the provider movement toward storing PHI in the cloud and the bring-your-own-device phenomenon among healthcare employees.

"You need to have cloud storage vendors to agree to a business associate agreement to store company data," McNutt says. "One thing that's keeping a lot of CIOs up at night is the explosion of mobile devices and people's desire to do cloud sharing."

Some cloud providers are refusing to enter into business associate agreements with healthcare providers and, therefore, should not be considered for storing the provider's PHI-based data, McNutt says.

As providers enter into health information exchange agreements, they also can expect to spend considerable time discussing and crafting documents assuring that the appropriate risk assessments and HIPAA compliance steps are being taken in connection with PHI flowing to and from those HIEs, McNutt says.

"It took us over a year to go through contracts in regard to data sharing with the HIE," McNutt says. "Business associate agreements are important to legally protect an organization should a breach occur within the HIE. However, a breach by a provider's business associate could reflect back on the provider, causing reputational harm."

Providers must consider another challenge the HIPAA omnibus rule poses: If a patient pays in full and requests that the provider not bill his insurance company for the services, the provider has to honor that request.

"Most organizations are going to have to implement process and procedural changes to ensure that the patient's request is honored," McNutt says. "That includes tweaking your billing systems to make sure the patient is flagged in such a manner that all employees know that the patient's insurance should not be billed."

Even more important is to establish a culture of privacy in each organization. "When I've seen security firms come in and do security audits, generally the weaknesses are cultural and social, not so much the technology," says Brian Ahier, health IT evangelist at the 49-bed Mid-Columbia Medical Center and president of Gorge Health Connect, Inc., a health information exchange, both located in The Dalles, Ore., about 85 miles east of Portland.

Ahier notes the coming surge in patient complaints about being denied access to their electronic medical record. "The HIPAA omnibus rule expands that right now into the digital realm," Ahier says. "I'd be willing to bet that the first penalty that gets applied after September is going to be one not for a breach, but from a patient complaining about being denied their PHI. People from advocacy groups have been plastering letters around from the OCR explaining patients' access right, with information on how and where to complain."

Ahier also contends that patients can request their electronic PHI be provided in an unencrypted format, even if they wish it to be emailed to their Yahoo or Gmail account—although sending such a transmission unencrypted is itself a breach of HIPAA.

Despite this possibility, other providers intend either to deny such a request from patients, or plan to make patients sign consent forms so that they understand the risks of receiving PHI in an unencrypted format.

"It's a substantial contradiction," says Ron Strachan, CIO at Community Health Network in Indianapolis, Ind. "That was an oversight in the rule development, something that's going to have to be corrected. Certainly sending it unencrypted to a public email provider like a Yahoo or a Google is the absolute wrong way to do it."

Strachan says if patients won't sign a release that holds the provider harmless for sending the EHR unencrypted, the provider should not be obligated to send the EHR that way.

Community Health, with annual revenues topping $2 billion, is a network of seven hospitals whose total bed count is approximately 1,500 and includes more than 200 ambulatory sites throughout central Indiana. CIOs such as Strachan aren't going it alone in their enterprises on such HIPAA decisions. Corporate privacy officers, compliance officers, and attorneys are part of the decision-making process, Strachan says.

"The way the people who I know in the business look at it, it's not a question of if you're going to have a breach," Strachan says. "The question is really when and how it is going to occur, and then how you react to your notification and the cleanup."

HIPAA's chief enforcement officer said as much at a June appearance at a patient privacy conference in Washington, D.C.

"Our rules do not proscribe a specific security approach or a specific kind of security, but they do require an actual process to evaluate whether in fact the things you are using are providing you an adequate level of security," said OCR Director Leon Rodriguez.

At the conference, Rodriguez was asked about the tension providers feel to provide healthcare data interoperability and data privacy simultaneously.

"I'm actually a person who thinks that tension is sometimes useful," Rodriguez said. "Tension helps you sometimes balance priorities, balance competing issues. To me, the patient always needs to be the fulcrum of the discussion. A lot of these questions ultimately can be resolved thoughtfully and correctly if both the interest and the dignity and autonomy of the patient are the fulcrum of the discussion and I think generally you'll end up in the right place on these issues."

Technology to oversee HIPAA compliance will play a role in achieving that balance. At CaroMont Health, "we've done what lots of other organizations have done, which is listen to every webinar, printed the omnibus rule and read it a bazillion times, and put together a to-do list of the things that we have to get accomplished in order to be in compliance before the enforcement date," says Donnetta Horseman, vice president of corporate responsibility at the system, which features a 435-bed hospital and 43 primary and specialty physician offices headquartered in Gastonia, N.C.

When she arrived in 2010, she had her work cut out for her: "We found some of our applications didn't even have audit logs turned on." She set about "sending the message [of security and privacy] and saying it in different ways so that while [staff is] hearing the same thing, you're making it interesting. We did carnivals and had games and gave away prizes. In our newsletter we'll do crossword puzzles and different things just to get people engaged."

In addition, CaroMont uses FairWarning software, which examines the audit logs from its network and presents at-a-glance summaries of that information.

"It's also a huge deterrent to employees who in the past were used to looking at their own records or records of their family members, even though we've always had a policy that that was not allowed," Horseman says. "There was never anybody watching, and so nobody was ever getting in trouble. Nobody was ever getting caught. So they just continued to do it.

"Then we put FairWarning on. Within the first month that we had it in, we had hundreds of alerts that were popping up. We sent all that information out to department managers and directors and said, 'Look, these are all the alerts for the people in your department. You need to be reinforcing the policy and doing the education,' and within the first two weeks after we started enforcing it, this inappropriate access just fell off the face of the earth."
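As an added illustration (example code, not FairWarning's or CaroMont's own), the following Python runs two of the checks Horseman describes, staff opening their own chart or a chart sharing their surname, over constructed EHR audit-log rows and rolls the alerts up per department, the view that was sent to managers. The field names and sample rows are assumptions made for the example.

```python
from collections import Counter, namedtuple

# Constructed EHR access-log records (not real data): one row per chart view.
# user_mrn is the employee's own medical record number when they are also a patient.
Access = namedtuple("Access", "ts user dept user_mrn user_surname patient_mrn patient_surname action")

SAMPLE_LOG = [
    Access("2013-09-03T08:12", "jdoe",  "Radiology", "MRN1001", "Doe",  "MRN4410", "Smith",  "VIEW"),
    Access("2013-09-03T08:15", "jdoe",  "Radiology", "MRN1001", "Doe",  "MRN1001", "Doe",    "VIEW"),    # own chart
    Access("2013-09-03T09:02", "mlee",  "ED",        "MRN2002", "Lee",  "MRN2077", "Lee",    "VIEW"),    # same surname
    Access("2013-09-03T09:40", "mlee",  "ED",        "MRN2002", "Lee",  "MRN3301", "Garcia", "UPDATE"),
    Access("2013-09-03T10:11", "rkhan", "Billing",   None,      "Khan", "MRN1001", "Doe",    "VIEW"),
]


def classify(rec):
    """Return an alert reason for one access record, or None if nothing stands out.

    Self-access is an exact match on the employee's own MRN. A shared surname is only
    a proxy for family-member access (surnames collide), so it is flagged for review
    rather than treated as a confirmed violation."""
    if rec.user_mrn is not None and rec.patient_mrn == rec.user_mrn:
        return "self-access"
    if rec.user_surname.lower() == rec.patient_surname.lower():
        return "possible-family-access"
    return None


def find_alerts(log):
    """Return (record, reason) pairs for every access that matches a rule."""
    return [(rec, reason) for rec in log if (reason := classify(rec))]


def alerts_by_department(alerts):
    """Roll alerts up per department: the at-a-glance summary handed to managers."""
    return dict(Counter(rec.dept for rec, _ in alerts))


if __name__ == "__main__":
    alerts = find_alerts(SAMPLE_LOG)
    for rec, reason in alerts:
        print(f"{rec.ts} {rec.dept:<10} {rec.user:<6} opened {rec.patient_mrn}: {reason}")
    print(alerts_by_department(alerts))
```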

Protecting healthcare privacy will never be simple. In a few short years, providers have evolved from unencrypted laptops being stolen or lost to more sophisticated threats, sometimes inside jobs. But as the HIPAA omnibus rule and the random audits kick in, regulations and enforcement will be harder for healthcare providers to ignore, as digital privacy and associated safe practices rise to their proper place alongside other healthcare safety practices.

Reprint HLR0913-7



Scott Mace is the former senior technology editor for HealthLeaders Media. He is now the senior editor, custom content at H3.Group.
