Meeting the April 20 compliance deadline for the new security rule for the Health Insurance Portability and Accountability Act of 1996 (HIPAA) hasn’t been as challenging for healthcare providers as complying with earlier HIPAA mandates.
“Our state agencies are in good shape concerning the security rule,” said Teresa Karnes, special projects coordinator for the Mississippi Department of Information Technology Services (ITS). “It wasn’t as grueling a process as meeting the privacy rule and coding pieces of HIPAA. The changes were more contained within the organizations, which made it easier.”
The privacy rule under HIPAA, which became effective April 14, 2003, applies to all PHI (protected health information) for patients. The rule restricts the availability of information to a need-to-know basis and minimizes the inadvertent release of information. By contrast, the security rule applies to records that contain EPHI (electronic protected health information), and is aimed at protecting the integrity of the electronic record.
“Within the last two years, the most difficult and time-consuming aspects of complying with the security rule have related to HIPAA’s requirement of a disaster recovery plan and a contingency plan,” said Stephen Kennedy, security officer for the state Division of Medicaid. “Even though a lot of agencies already had those types of documents, many of them took a second look at the plans, and spent a good bit of time updating them.”
The security rule primarily concerns physical and technical safeguards to protect the privacy and security of EPHI, whereas the privacy rule was more focused on the permitted and prohibited uses and disclosures of PHI and on the rights of individual patients with respect to their PHI. For that reason, healthcare providers have generally not been requesting legal assistance for compliance with the security rule, said Jackson attorney Cheryn N. Baker, an expert on HIPAA compliance issues with Wise Carter Child & Caraway, P.A.
“They are incorrectly perceiving this as an IT issue rather than a legal issue, and the compliance is mostly being handled by the entities’ IT persons,” she said. “However, we are helping clients with amending their contracts with their business associates to comply with the security rule requirements, such as requiring the business associates to report security breaches (called ‘security incidents’) to the covered entities.”
A recent survey reported that, as of mid-February, only 18% of providers were compliant with the security rule and three-fourths of the noncompliant respondents said they still planned to meet the deadline but had not finished preparing, said Baker.
“Even though the security rule deals with technical requirements, providers still need to make sure they are complying with all of the administrative requirements of the rule, which includes updating their current HIPAA policies and procedures to ensure the confidentiality, accuracy and availability of EPHI, and to make sure they protect against reasonably anticipated threats to EPHI,” she said.
A risk analysis should have been conducted by now, which will require more than just the input of the IT department, said Baker.
“It should include management, counsel and compliance representatives, as well,” she said. “This risk analysis will assess what the provider’s risks and vulnerabilities are with respect to their ability to protect the EPHI. Once this is completed the provider must determine what security measures it will take to reduce risks and vulnerabilities to a level that is reasonable and appropriate for that particular provider, based on the provider’s size, amount of EPHI, costs of compliance and risks to the EPHI.
“Not only do providers need to update their policies and procedures, they need to make sure that their employees are actually complying with the policies on a day-to-day basis. Providers must also have policies in place to sanction those employees who are not complying with the policies and procedures, and these sanctions must be used, not just be on paper. For these reasons, it is a good idea to have legal counsel involved in making sure the policies and procedures are compliant with the rule and to involve counsel whenever there is a workforce security rule violation.”
Costs of noncompliance are significant, including civil penalties of $100 per violation and criminal penalties ranging from $50,000 to $250,000, and one to 10 years in prison.
“There has been at least one criminal case so far with respect to the privacy rule, under which an employee of a provider was convicted of a privacy rule violation and sentenced to prison time,” said Baker. “So future criminal penalties are definitely possible with respect to the privacy rule.”
Contact MBJ contributing writer Lynne W. Jeter at firstname.lastname@example.org.