Health care providers, plans and clearinghouses (collectively known as “covered entities” for HIPAA purposes) have been subject to the HIPAA privacy regulations since April 2003 and to the HIPAA security regulations since 2005. The HIPAA privacy regulations govern the uses and disclosure of protected health information by a covered entity, while the HIPAA security regulations require covered entities to safeguard the confidentiality, availability and integrity of electronic protected health information.
“Protected health information” includes any information that is created or received by the covered entity and that “relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual” if the information identifies or could be used to identify an individual.
In 2010, the Health Information Technology for Clinical and Economic Health Act (the HITECH Act) extended the HIPAA privacy and security requirements to include business associates of covered entities, as well as downstream subcontractors of business associates. The regulations define a “business associate” as a person or entity that, on behalf of a covered entity, creates, receives, maintains or transmits protected health information for a function or activity regulated by HIPAA, including claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; patient safety activities; billing; benefit management; practice management; and repricing.
The term “business associate” also includes a person or entity that provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services to or for a covered entity if the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person. Business associates assist covered entities on a regular basis and, depending on the function they are performing for or on behalf of the covered entity, include, but are not limited to, accountants, lawyers, medical record copy services, document destruction and purging services, information technology vendors, business consultants and a variety of other business entities and vendors that provide services to covered entities. Covered entities are required to have written business associate agreements in place with their business associates to ensure that the business associate protects the privacy and security of the protected health information it receives from the covered entity.
In recent months, OCR announced settlements in numerous cases involving alleged breaches of the HIPAA privacy and security rules. These settlements include:
» A $25,000 settlement with a physical therapy provider for failure to reasonably safeguard protected health information, impermissibly disclosing protected health information without an authorization, and failure to implement policies and procedures to comply with HIPAA’s authorization requirements;
» A $750,000 settlement with an orthopedic clinic for releasing X-ray films and related protected health information to a business partner for transfer to electronic media without first executing a business associate agreement;
» A $1.55 million settlement with a hospital for failure to enter into a business associate agreement with a business partner and for failure to conduct an accurate and thorough security risk assessment that incorporated all of its information technology equipment, applications, and data systems using electronic protected health information;
» A $2.2 million settlement with a hospital for “egregious” disclosure of two patients’ protected health information to ABC film crews and staff without patient authorization during the filming of a documentary at the hospital;
» A $3.5 million settlement with an insurance holding company for failure to implement appropriate administrative, physical and technical safeguards to protect the privacy of its beneficiaries’ protected health information; impermissible disclosure of protected health information to a vendor without a business associate agreement; disclosure of protected health information in excess of the minimum necessary to carry out a function; failure to conduct an accurate and thorough risk analysis; and failure to implement appropriate security measures; and
» A $3.9 million settlement with a biomedical research institute for failure to adopt appropriate privacy and security safeguards with regard to electronic protected health information.
Two of the OCR investigations leading to the settlements above were initiated after OCR received a complaint from a patient. The remainder resulted from self-disclosures of breaches by the covered entities under the HITECH Act’s breach notification requirements.
OCR announced in March that it started a new phase of its audit program, under which it will review the policies and procedures adopted by covered entities and business associates. While Phase 1 of OCR’s auditing program was a pilot program limited to 115 covered entities, OCR stated in its March 21 announcement that:
Every covered entity and business associate is eligible for audit. These include covered individual and organizational providers of health services; health plans of all sizes and functions; health care clearinghouses; and a range of business associates of these entities. We expect covered entities and their business associates to provide the auditors their full cooperation and support.
While OCR stated that these audits are “primarily a compliance improvement activity,” which OCR will generally use to determine what types of technical assistance should be developed and what types of corrective action would be most helpful, OCR also stated that if an audit report indicates a serious compliance issue, a compliance review may be initiated for further investigation.
In light of OCR’s efforts, covered entities, business associates and subcontractors should review their HIPAA policies and procedures, as well as operations, to ensure that appropriate safeguards are in place. It is imperative that appropriate business associate agreements and subcontractor agreements be put in place, and that entities conduct – and update – accurate and thorough security risk assessments that incorporate all information technology equipment, applications and data systems using electronic protected health information.
» Kimberly L. Cappleman is an attorney with Phelps Dunbar LLP in Tupelo, focusing on health care law. Jeffrey S. Moore is a partner with Phelps Dunbar LLP in Tupelo, focusing on health care law.