HIPAA: A $50,000 Question

Ask Joy: This Week – HIPAA Omnibus Rule Deadline

Do you feel it—the looming deadline of the HIPAA Omnibus Rule? September 23 is quickly approaching. This week, we’ll get you closer to compliance by addressing some distinctions in the HIPAA language, tackling risks with business associate agreements, and reviewing best practices for conducting audits of your clinical applications.

Q:  What is the difference between a “required” item and an “addressable” item in a HIPAA assessment?

A: HIPAA language labels each of its implementation specifications as either “required” or “addressable.” If a specification is “required,” it is mandatory and must be complied with. If it is “addressable,” the organization must determine whether, and how, that specification applies to it.

The concept of “addressable” implementation specifications was developed to provide covered entities some flexibility. For example, using encryption when sending electronic protected health information (ePHI) is “addressable.” If the ePHI is being sent over the internet and is not encrypted, then there is substantial risk of disclosure. So, if you can encrypt the ePHI, do it. However, if the data is merely traveling between two machines in your office, over a closed network, there is no need to encrypt it.

Keep in mind that the decision not to address a specification should not be taken lightly. “Addressable” does not mean “optional.” Ignoring HIPAA requirements, whether addressable or required, is deemed willful neglect, and ignorance does not serve as an excuse.

For each “addressable” specification, covered entities should do one of the following:

  1. Implement the addressable implementation specification
  2. Implement one or more alternative security measures to accomplish the same purpose
  3. Document in writing why the specification is unreasonable and inappropriate for your practice, making sure to include the factors you considered as well as the results of the risk assessment on which the decision was based.

Q: My EHR application is ‘cloud-based’ and all the EHR data is stored with the cloud provider. The cloud provider won’t sign a Business Associate agreement. They are a well-known company; do I have to get a signed agreement? What happens if I don’t?

A: This right here is the $50,000 question, and I mean that literally. Under the new HIPAA Omnibus Rule, business associates are now required to comply with many of the provisions of the HIPAA Privacy Rule, all of the HIPAA Security Rule, and the HIPAA Breach Notification provisions. A business associate is any person or organization that conducts business with the covered entity involving the use or disclosure of individually identifiable health information. HHS has clearly stated that business associate agreements are required, and the obligation to put them in place rests with the covered entity.

So what happens when your cloud-based EHR—or any other business associate—refuses to sign an agreement to comply with HIPAA? If you continue to do business with that company, you put your organization in the “willful neglect” category for civil penalties. For any violation that comes to light, your organization could be fined between $10,000 and $50,000. That’s some serious risk!

The management of protected health information requires constant attention. Ensuring that business associate agreements are in place is not only a compliance requirement, but also an important best practice throughout the health care industry.

Q:  How often should we review our audit logs?

A: The short answer is that user activity within clinical applications should be reviewed monthly.

For some organizations, audits are a rare task performed when staff find extra time. In some cases, organizations examine their audit logs only when there is a suspected problem. Although this is common practice, it is certainly not a best practice. Ideally, audit logs are reviewed as close to real time as possible and as soon after an event occurs as can be managed.

Understanding the challenge this presents, many organizations rely on third-party audit tools that systematically and automatically analyze data and quickly generate reports based on search criteria matching the organization’s audit strategy or defined triggers.

Certified EHRs that meet Stage 1 Meaningful Use criteria also meet the health IT audit criteria. Their audit logs may provide enough detail to determine whether a patient’s record was accessed without authorization, which should help with the auditing process.
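The column describes audit tools that analyze access logs against defined triggers and generate reports for review. The following is an added example, not code from the column or from any EHR vendor, showing what such a trigger-based review looks like in practice. The log lines, field layout (timestamp, user, role, patient ID, action), business-hours window, clinical-role exemptions, flagged patient list and volume threshold are all constructed assumptions; a real review would take these from the organization’s own audit strategy.

```python
"""Trigger-based review of a clinical application's access audit log (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp,user,role,patient_id,action
SAMPLE_LOG = """\
2013-09-03T09:12:04,jsmith,nurse,P1001,VIEW
2013-09-03T09:15:30,jsmith,nurse,P1002,VIEW
2013-09-03T22:41:11,rdoe,billing,P1003,VIEW
2013-09-03T10:02:55,mlee,physician,P1004,UPDATE
2013-09-03T10:05:01,tbrown,front_desk,P1005,VIEW
2013-09-03T10:05:20,tbrown,front_desk,P1006,VIEW
2013-09-03T10:05:41,tbrown,front_desk,P1007,VIEW
2013-09-03T10:06:02,tbrown,front_desk,P1008,VIEW
2013-09-03T10:06:30,tbrown,front_desk,P1009,VIEW
2013-09-03T10:07:00,tbrown,front_desk,P1010,VIEW
2013-09-03T11:00:00,jsmith,nurse,P2000,VIEW
"""

# Hypothetical review policy values (assumptions, not from the column)
BUSINESS_HOURS = (7, 19)                 # 07:00 to 19:00 local time
CLINICAL_ROLES = {"physician", "nurse"}  # roles expected to work outside business hours


def parse_log(text):
    """Parse comma-separated audit lines into dicts with a datetime timestamp."""
    entries = []
    for line in text.strip().splitlines():
        ts, user, role, patient, action = line.split(",")
        entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "patient": patient, "action": action})
    return entries


def find_after_hours(entries, hours=BUSINESS_HOURS, exempt_roles=CLINICAL_ROLES):
    """Trigger: non-clinical staff accessing records outside business hours."""
    start, end = hours
    return [e for e in entries
            if e["role"] not in exempt_roles and not (start <= e["ts"].hour < end)]


def find_flagged_access(entries, flagged_patients):
    """Trigger: any access to records the organization flagged for heightened review."""
    return [e for e in entries if e["patient"] in flagged_patients]


def find_high_volume(entries, max_patients=5, window=timedelta(minutes=10)):
    """Trigger: one user touching more than max_patients distinct records within window.
    Returns (user, window_start, distinct_patient_count) tuples, one per user."""
    by_user = defaultdict(list)
    for e in sorted(entries, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    findings = []
    for user, events in by_user.items():
        for i, first in enumerate(events):
            patients = {ev["patient"] for ev in events[i:]
                        if ev["ts"] - first["ts"] <= window}
            if len(patients) > max_patients:
                findings.append((user, first["ts"], len(patients)))
                break  # one finding per user is enough to queue a review
    return findings


def review_log(text, flagged_patients):
    """Run every trigger and return only the ones that produced findings."""
    entries = parse_log(text)
    report = {
        "after_hours": find_after_hours(entries),
        "flagged_patient": find_flagged_access(entries, flagged_patients),
        "high_volume": find_high_volume(entries),
    }
    return {name: hits for name, hits in report.items() if hits}


if __name__ == "__main__":
    for trigger, hits in review_log(SAMPLE_LOG, {"P2000"}).items():
        print(f"{trigger}: {len(hits)} finding(s)")
        for hit in hits:
            print("   ", hit)
```

Each trigger stays a separate function so the review queue can say which policy rule fired; the monthly review the column recommends then becomes a matter of reading the report and documenting the disposition of each finding, rather than paging through raw log lines.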

Remember, if you need extra help with HIPAA, there are professional services available through the 4Med Marketplace.

About the Author: Joy Rios has worked directly with multiple EHRs to develop training programs for both trainers and practice staff. She has successfully attested to Meaningful Use for multiple ambulatory practices in both Medicare and Medicaid. She also authored the Certified Professional Meaningful Use course for www.4Medapproved.com. Joy holds an MBA with a focus in sustainability. She is Health IT certified with a specialty in Workflow Redesign, holds HIPAA security certification, and is a great resource for information regarding government incentive programs. Ask Joy is a regular column on 4Medapproved HIT Answers.