Although the Health Insurance Portability and Accountability Act (HIPAA) of 1996 was passed more than 15 years ago, it remains a source of confusion and challenges for healthcare providers, especially smaller practices like many hearing healthcare offices.
Since its original passage, HIPAA has been significantly modified and adapted by new legislation, including the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, which widened HIPAA's privacy and security protections in anticipation of a massive increase in electronic healthcare transactions, and the Affordable Care Act of 2010, which aimed to reduce the administrative burden of HIPAA through new and revised requirements.
For providers, it's crucial to develop an understanding of whether and how the legislation's stipulations apply.
“By protecting your patients' privacy, you are also protecting yourself, your employees, and your practice,” said Mehrnaz Karimi, AuD, an audiologist with Kaiser Permanente in Orange County, CA.
HIPAA applies to healthcare providers who engage in any of the particular transactions spelled out in the regulations, making them a “covered entity,” said Amy Hasselkus, a member of the American Speech-Language-Hearing Association (ASHA) and a speech-language pathologist with experience working on HIPAA-related issues. For hearing healthcare professionals, that means billing insurance electronically.
“If you take only private-pay patients, for example, or if you do paper billing, you may not be a covered entity under HIPAA,” Ms. Hasselkus said.
Some hearing healthcare practices may still fit into that box, but always check with the U.S. Department of Health & Human Services (HHS) Office for Civil Rights, which is charged with enforcing HIPAA, to be sure.
NO NEED TO REINVENT WHEEL
In terms of what exactly HIPAA requires, a complete answer to that question could fill an entire health policy graduate course. The legislation has two sections—one on portability of insurance and one on administrative simplification. It's that second section that contains HIPAA's Privacy Rule.
In brief, the Privacy Rule mandates that healthcare providers and other covered entities must safeguard information that reasonably could allow someone to identify an individual receiving care. That kind of information is known as protected health information (PHI).
Protected health information includes a patient's name, address, phone number, e-mail address, and Social Security number; birthday and other important dates, such as admission date, discharge date, and date of death; health insurance plan information; photos; and any and all information about health status, treatments, prognosis, and payment.
“Imaging and test results are PHI,” Dr. Karimi said. “For the audiologist, for example, audiograms and audiology reports are PHI.”
Protected health information remains protected health information no matter how it's disseminated: in writing, electronically, or orally.
“Never talk about a patient's PHI unless it is for purposes allowed by law and required by your job,” Dr. Karimi said. “When you do need to discuss a PHI, close your door or lower your voice when talking on the phone.”
Accounting firms, lawyers, and other such professionals aren't covered entities under HIPAA. But when outside services are used to audit practices, for example, and, as part of those reviews, have access to protected health information, the services must sign a business associate contract that provides assurances that they, too, will appropriately safeguard patients' private information (see FastLinks).
This provision doesn't apply to communication between healthcare providers for the purposes of treatment, so if a provider is sending an audiogram to a hospital audiology department or an otolaryngology office, a business associate contract is not needed.
HIPAA requires that covered entities give their patients a notice of privacy practices (NPP) that addresses privacy rights and how patients' protected health information may be used or disclosed.
The wheel doesn't have to be reinvented for these forms; many healthcare providers have already developed forms and notices that can be modified and adapted to suit other providers' specific needs.
GAUGING AND RESPONDING TO RISK
Every healthcare practice that's a covered entity under HIPAA needs a privacy and security officer who is responsible for reviewing the regulations (see FastLinks).
“If you're a sole practitioner or the only professional, that's you,” Ms. Hasselkus said.
A risk assessment and gap analysis of the office must be conducted, with a review of all systems—including medical records; desktops, laptops, and tablets; smartphones; and any other place healthcare information is stored and accessed—to assess how well they measure up to HIPAA's privacy requirements and consider the potential for a security breach.
A compliance plan is necessary to address whatever gaps are found.
“If the government audits you, that's what they're going to want to see,” Ms. Hasselkus said. “If you decide not to address a specific risk, you have to have justification for why you didn't do anything.”
Regular privacy training also has to be provided for staff members. For providers planning their own practice's training, there are materials available online from the HHS Office for Civil Rights, and ASHA offers a guide to HIPAA compliance (see FastLinks).
If combing through the online materials to plan staff training seems too daunting, looking to a professional is another option.
“It sounds expensive, but you may want to hire a consultant to make sure that your staff gets appropriate training and that your privacy measures are sufficient,” Ms. Hasselkus said.
A word of warning: HHS does not endorse any specific trainers, companies, training materials, or software as HIPAA compliant. The Office for Civil Rights has received reports that some consultants and education providers are falsely claiming this label.
THE CASE FOR ENCRYPTION
One question that comes up is whether special computer software is necessary, and the response has changed over time. A few years ago, smaller practices may not have needed such technology. As long as reasonable measures were taken to make sure e-mail and electronic records didn't go astray, such as the addition of a “this communication is only intended for use by the named recipient” tag to the bottom of each message, that may have been good enough.
But more recently, experts have begun to suggest that it's really advisable to use some form of encryption software to protect e-mail and other electronic transactions. (Besides encryption software, there are additional ways to safeguard protected health information. See Table.)
HITECH's modifications to HIPAA require that all covered entities notify patients—and sometimes even the media—if there is any type of breach of unsecured protected health information, such as a hacker attack. But if you have encryption or disruption technologies, such a notification is not required, even if there is a security breach.
“Encryption is worth every dollar you invest,” said Roxanne Shaw, a compliance officer with Kaiser Permanente. “And the cost is far less than the possible penalties for noncompliance.”
On Jan. 2, the Department of Health & Human Services announced its first settlement of a HIPAA breach involving fewer than 500 patients. An Idaho hospice, which regularly uses laptop computers in its fieldwork with patients, had a laptop stolen in June 2010. The laptop was unencrypted, and an HHS investigation revealed that the hospice had not done a risk analysis or put policies and procedures in place to safeguard protected health information on mobile devices.
The hospice agreed to pay HHS $50,000. It probably would have cost them less than $1,000 to install the necessary encryption software and conduct a basic risk analysis to protect their patients' privacy and satisfy the HIPAA requirements.
“Even small audiology practices can afford to put in place basic compliance measures,” Dr. Karimi said. “The consequences of not doing so can be severe: fines and penalties, losing your job, jeopardizing your license to practice in your profession, and even possible jail time.”
That last concern is not just theoretical: A medical school researcher in California was sentenced to prison for accessing and reading the private health information of colleagues and high-profile patients, and the decision was upheld by an appeals court in 2012.
“The cost of noncompliance with HIPAA is enormous,” Ms. Shaw said. “Every time I see a case of a HIPAA violation that's gone all the way to the penalty phase, it's clear that if the organization had just addressed the issue to begin with, their exposure would have been substantially less.”
- Read a sample business associate contract: http://1.usa.gov/BizAssoc.
- Review the HIPAA Privacy Rule: http://1.usa.gov/HIPAA-PR.
- Access materials from the HHS Office for Civil Rights: http://1.usa.gov/HHS-OCR.
- Get answers from ASHA on health information privacy: http://bit.ly/ASHA-FAQ.
- Learn how to secure information on mobile devices: http://bit.ly/Mobile-Privacy.