By Matt Fisher, Esq
Twitter: @matt_r_fisher
A recent article on Forbes by Dan Munro asked the question whether anyone is really HIPAA compliant in healthcare. As recognized in the article, answering this question is not a simple and direct matter. From one perspective, many entities are compliant with HIPAA requirements, others are clearly not compliant, and then some organizations may not even need to comply. Getting a clearer answer to this question will be necessary sooner rather than later though.
As has been well documented, the Office for Civil Rights at the Department of Health and Human Services has been issuing fines against organizations breaching their HIPAA requirements. The fines have been levied in a variety of circumstances and are often being used to provide lessons to healthcare entities. For example, one entity was fined for not implementing a breach notification policy, many for not encrypting mobile devices and others for not performing a risk analysis.
Another element impacting the ability to be HIPAA compliant is the expanding universe of where protected health information can be found. The growth of mobile applications and portable devices has exponentially increased the number of places where protected health information is both developed and stored. The numerous number of locations places compliance obligations not a similar variety of organizations from health care providers to app developers to data storage companies and others. A major issue is that not everyone is aware of what it takes to comply with HIPAA or claim to be certified when no such certification exists from the government.
However, instead of focusing on whether it is possible to be HIPAA compliant, it may be more appropriate to ask what does it mean to be HIPAA compliant. Determining what it means to be HIPAA compliant requires , in particular the Privacy Rule, the Security Rule and the Breach Notification Rule. These rules provide a framework to guide covered entities, business associates and others who may be swept under the ambit of HIPAA in establishing policies and procedures.
The Privacy Rule is designed to set standards for the protection of protected health information. Privacy is determined by controlling the use and disclosure of protected health information. Under the Privacy Rule, protected health information can only be used with an authorization in certain circumstances, after the individual received the opportunity to object and then without any need for authorization or objection in certain clearly defined instances. The Privacy Rule also affords individuals with certain qualified rights to access, amend or receiving accountings related to the use of their protected health information. As initially stated, the basic purpose is to protect the integrity of the data and limit how the information may be used.
From the compliance perspective, the Privacy Rule sets forth clear policies that must be put into place. When preparing policies, it is actually reasonable to take the language right from the regulations, to an extent. In somewhat of a rarity in the healthcare regulatory context, the Privacy Rule is relatively clear cut.
The second aspect of HIPAA compliance is satisfying the requirements of the Security Rule. Much like the Privacy Rule, the Security Rule is intended to protect the safety of protected health information. The Security Rule includes administrative, physical and technical safeguards. As such, while it primarily covers electronic information, there are aspects impacting physical information as well. Digging deeper into the Security Rule, its requirements are broken into two categories: required elements and addressable elements. As a result, it may not be necessary to implement a policy or procedure for every single element of the Security Rule.
From the compliance perspective, the Security Rule is meant to flexible and scalable. A large hospital system will need much different security policies and procedures than a physician’s offices with four providers. However, an essential first step is to perform a risk analysis. A risk analysis will reveal an entity’s vulnerabilities when it comes to the confidentiality, integrity and availability of protected health information. Once a risk analysis is performed, an entity can then take the results to formulate which policies and procedures it needs. Additionally, for those elements that are addressable, the risk analysis can help supply the support necessary to decide whether or not to implement that policy.
The third and last major component necessary under HIPAA now is to implement a breach notification policy. A breach notification policy is necessary to ensure a proper response when the privacy or security of protected health information is not maintained. Having a policy in place will help mitigate adverse effects and aid an entity in organizing a quick and appropriate response. In the event of a breach, a policy will guide the response, including determining who must be notified. Awareness of notification obligations may also aid in creating more safeguards.
Going back to my initial question, what does it mean to be HIPAA compliant, it means understanding what HIPAA requires and then conscientiously implementing those requirements. Every organization is human, and while the government may not admit the following statement, and as such cannot be fully compliant all of the time. The factors that will influence the outcome are what the entity has done to help reduce risks ahead of time and how it responds. With the prevalence of electronic information and the value placed upon medical records by hackers and others, in reality it is only a matter of time before every healthcare organization experiences a breach of some sort. But, if an entity has implemented a robust HIPAA compliance policy by reading and understanding the Privacy Rule, Security Rule and Breach Notification Rule, then it will be better able to re-secure information and reduce potential penalties from the government.
About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Matt advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute. This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.