The dark side of HIPAA compliance: 3 things health-care providers should know in 2016
HIPAA has been a thorn in the side of the health-care industry since its inception some 20 years ago. Unfortunately, compliance for dental practices is easier said than done.
The civil and criminal penalties associated with non-compliance apply to all HIPAA-covered entities, so regardless of size, stature, or intent, the onus is on health-care providers to ensure their patients’ protected health information (PHI) remains protected.
With the Office for Civil Rights’ (OCR) Phase 2 HIPAA audits now underway, there is no better time for those operating in the dental industry to ensure their own HIPAA policies are well polished, regardless of whether they have been selected for an audit or not.
Unfortunately, HIPAA compliance is easier said than done; even those with a relatively good understanding of HIPAA’s Privacy, Security, and Breach Notification Rules may still be caught off guard by any one of HIPAA’s gray areas.
Shining light on some of HIPAA’s gray areas
While by no means an exhaustive list of HIPAA’s rules, the three areas outlined below should serve as a stark reminder that when it comes to HIPAA compliance, not everything is black and white.
1. HIPAA does not stop at the practice walls
HIPAA rules apply to any entity that directly handles health information; specifically, health-care providers, clearinghouses, and health plans.
However, while every precaution can be taken to ensure HIPAA compliance is followed within the practice walls, those who enlist the help of third-party “business associates” (administrators, attorneys, data transmission and storage companies, etc.) to perform certain functions or activities must ensure that they, too, comply with HIPAA’s rules.
The HIPAA Privacy Rule allows covered entities to disclose PHI to third parties (business associates), providing satisfactory assurances are obtained by the covered entity that the business associate will:
● Use the information only for the purposes for which it was engaged by the covered entity
● Safeguard the information from misuse
● Help the covered entity comply with some of the covered entity’s duties under the Privacy Rule
These assurances should exist in writing in the form of a Business Associate Agreement (BAA). Without having a BAA in place with all business associates, entities leave themselves much more vulnerable to data breaches. In other words, a security chain is only as strong as its weakest link.
Certain companies may try to get out of signing a BAA by claiming the “conduit exception.” The conduit exception came into force in 2013 and applies only to entities that transport or transmit PHI but do not have regular access to it. Examples of such entities include the United States Postal Service, internet service providers, and couriers.
The conduit exception applies to very few organizations; however, some entities have been known to claim it as a way of bypassing a BAA. If a company claims the conduit exception, it does not necessarily mean it is HIPAA compliant. If a company won’t sign a BAA, do not disclose PHI to it; it’s as simple as that.
2. Addressable safeguards are not optional
Covered entities must comply with every HIPAA Security Rule standard, as outlined on the US Health and Human Services (HHS) website. These standards are categorized as either “required” or “addressable.” The required standards must be implemented. But if you’re thinking the addressable standards are optional, you’d be wrong.
In its summary of the HIPAA Security Rule, HHS states:
The "addressable" designation does not mean that an implementation specification is optional. However, it permits covered entities to determine whether the addressable implementation specification is reasonable and appropriate for that covered entity. If it is not, the Security Rule allows the covered entity to adopt an alternative measure that achieves the purpose of the standard, if the alternative measure is reasonable and appropriate.1
By ignoring the standards classified as addressable, covered entities and business associates run the risk of fines for noncompliance and leave themselves more vulnerable to data breaches.
3. Risks and repercussions are real
The health-care industry is under constant threat from data thieves. A recent study by Ponemon Institute concluded that health data breaches are increasing in cost, becoming more frequent, and continue to put patient data at risk: almost 90% of the health-care organizations surveyed had a data breach in the past two years, resulting in an estimated annual cost of $6.2 billion.2
But what does this mean for individual practices, in terms of the repercussions they might face in the event of a data breach? Failing to comply with HIPAA can result in both civil and criminal penalties, which are enforced by the OCR and the US Department of Justice, respectively. Civil penalties are monetary and vary from $100 to $1.5 million, while criminal penalties, at their most severe, can result in up to 10 years in jail.3
The laws also differ significantly from state to state: California has the most stringent patient privacy laws in the country, and was also the first state to enact a security breach notification law. Currently, Alabama, New Mexico and South Dakota have no laws related to security breach notification at all. In addition, some states allow individuals to sue for privacy violations, while others do not.
HIPAA is no walk in the park—that much is obvious. But ignorance of the law is not an excuse for noncompliance. For those with any doubts about HIPAA compliance, now is the time to get educated.
Gene Fry is the compliance officer and vice president of technology at Scrypt. He joined Scrypt in October 2001 and has 25 years of IT experience, working in industries such as health care and for companies based in the U.S. and Latin America. He is a Certified HIPAA Professional (CHP) through the Management and Strategy Institute. In addition, he is certified in HIPAA Privacy and Security by the American Health Information Management Association, holds the Certified Electronic Health Record Specialist (CEHRS) credential through the National Health Career Association, and holds a Gramm-Leach-Bliley Act (GLBA) certification from BridgeFront and J.J Kellers. For more information, visit scrypt.com/.
1. Summary of the HIPAA Security Rule. US Department of Health and Human Services website. http://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/. Accessed June 3, 2016.
2. Criminals Target Healthcare Data. Study independently conducted by Ponemon Institute LLC. https://www2.idexpertscorp.com/sixth-annual-ponemon-benchmark-study-on-privacy-security-of-healthcare-data-incidents. Published May 2016. Accessed June 3, 2016.
3. HIPAA Violations and Enforcement. American Medical Association website. http://www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page. Accessed June 3, 2016.