Business Associate Agreements: Don't Set it and Forget it!

There is more to HIPAA compliance than privacy and security safeguards. An oft-overlooked requirement is the Business Associate Agreement (BAA), and even when covered entities do have a BAA in place with a vendor, follow-up is inconsistent: the agreement is not reliably reviewed, and updated if necessary, when the underlying contract is renewed.

According to a HIPAA News report posted June 1, 2018 regarding multiple breaches at Dignity Health, one incident involved a vendor with an outdated BAA. Per the author, "The contractor in question had been used for ten years and a valid business associate agreement had been in place earlier; however, that document was no longer valid and data continued to be shared with the contractor due to a clerical mistake." Clerical errors happen; the problem is that policies and procedures to catch them are often not in place. BAA audits are a good item for compliance professionals to consider when formulating annual work plans, and the Dignity case is a good, public example of the "why".

Complying with HIPAA alone won't cut it - Covered entities need to keep up with changes in state laws

For healthcare organizations operating in multiple states, the complexity of complying with privacy and security rules goes beyond understanding HIPAA. Add Colorado to the list of states with new laws that set special requirements for reporting breaches to the attorney general and that define personal information to include biometric data. While HIPAA allows up to 60 days to notify an individual of a breach, and also up to 60 days to report breaches affecting more than 500 individuals to the Office for Civil Rights (OCR), the new Colorado law requires notice to the individual within 30 days. Colorado is the latest state to join the club of states with reporting rules more stringent than HIPAA's; Alabama, for example, recently enacted a 45-day time frame.

According to Cofense, 91% of cyber attacks begin with a phishing email

Domain-based Message Authentication, Reporting and Conformance (DMARC) is a standard healthcare organizations can implement to reduce their susceptibility to cyber attacks by closing off the spoofing of their own domain. Spoofing occurs when an attacker impersonates the legitimate domain by making an email appear to come from within the organization. Despite phishing training, staff may still be fooled by emails that look like they come from a legitimate domain. DMARC can be set up in its most permissive mode to only monitor email traffic and send reports, or in its most aggressive mode to instruct receiving mail servers to block messages that fail authentication checks.
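The following added example (not code from the original post or from any vendor named in it) shows what those two DMARC modes mean in practice: it parses a domain's DMARC TXT record, audits it for the weak settings a compliance reviewer would look for, and applies the policy to a message's SPF and DKIM results the way a receiving mail server would. The domains, records and messages are constructed for illustration, and the organizational-domain rule is simplified to the last two labels (real receivers use the Public Suffix List).

```python
"""Parse, audit and apply DMARC policy records.

Constructed example for illustration only: example.org, the records and the
authentication results below are made up, not taken from a real deployment.
"""
from dataclasses import dataclass


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into tag/value pairs; {} if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain (last two labels); assumption for this demo."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ("s") = exact match, relaxed ("r") = same org domain."""
    if mode.lower() == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResult:
    """Authentication outcome a receiver has for one message (constructed input)."""
    from_domain: str   # domain in the visible From: header
    spf_result: str    # "pass", "fail", "none", ...
    spf_domain: str    # domain SPF was checked against (envelope sender)
    dkim_result: str   # "pass", "fail", "none", ...
    dkim_domain: str   # d= domain of the DKIM signature, if any


def dmarc_verdict(record: dict, r: AuthResult) -> tuple:
    """Return (dmarc_result, receiver_action) for a message under this record."""
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, record.get("aspf", "r"))
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, record.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    policy = record.get("p", "none").lower()
    # The sp tag overrides p for mail claiming to come from a subdomain.
    if r.from_domain.lower() != org_domain(r.from_domain) and "sp" in record:
        policy = record["sp"].lower()
    if policy == "reject":
        return ("fail", "reject")
    if policy == "quarantine":
        return ("fail", "quarantine")
    return ("fail", "deliver (monitor only)")


def audit_record(record: dict) -> list:
    """Flag settings that leave a domain spoofable or leave its owner blind."""
    if not record:
        return ["no valid DMARC record: receivers apply no policy at all"]
    findings = []
    if record.get("p", "none").lower() == "none":
        findings.append("p=none: monitoring only, unauthenticated mail is still delivered")
    if "rua" not in record:
        findings.append("no rua tag: no aggregate reports, so no visibility into spoofing attempts")
    try:
        pct = int(record.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    return findings


if __name__ == "__main__":
    # Constructed records: one in monitor mode, one enforcing reject.
    monitor = parse_dmarc("v=DMARC1; p=none")
    enforce = parse_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@example.org; pct=100")
    # Constructed message that fails both SPF alignment and DKIM (a spoof of example.org).
    spoof = AuthResult("example.org", "pass", "attacker.example", "none", "")
    for name, rec in (("monitor", monitor), ("enforce", enforce)):
        print(name, audit_record(rec), dmarc_verdict(rec, spoof))
```

The verdict function mirrors the receiver's side of the protocol: a message passes DMARC if either SPF or DKIM passes with an aligned domain, and only a failing message is subject to the p (or sp) policy. The audit function is the part a compliance reviewer would run against the organization's own published record.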

Per HIPAA News (2018, May 26) "For the study, Valimail reviewed the domains of 928 healthcare companies around the globe with annual revenues over $300 million, including hospitals, medical equipment suppliers, pharmacies, physicians and health practitioners. Just 121 of those firms (13%) have adopted DMARC to secure their domains and stop email spoofing."

HIPAA Covered Entities Should Start Saving for a Rainy Day (aka Big Breach)

A provision of the HITECH Act of 2009 that has yet to be implemented is the establishment of a mechanism for the victims of a HIPAA-related breach to share in any settlement or monetary penalties assessed. The Office for Civil Rights (OCR) plans to issue a notice of proposed rulemaking in November 2018 in an effort to satisfy this HITECH requirement. In the meantime, HIPAA covered entities may want to revisit their internal efforts to comply with the Privacy and Security Rules to mitigate future risk, and consider planning for a reserve commensurate with the potential exposure if a major breach were to occur.

The HIPAA Privacy Rule 15th Anniversary - Blast from the Past & Hybrid Entities

In April 2003, sports drama ‘42’ was a hit at the box office, hip hop hit ‘In da Club’ by 50 Cent topped the Billboard charts, and the Human Genome Project was completed with 99% of the human genome sequenced to an accuracy of 99.99%. The date also marked the end of years of preparation for healthcare providers and most payers to comply with the HIPAA Privacy Rule.

Fifteenth anniversaries are traditionally symbolized with roses, rubies, or crystal. Throughout the month of April, VantagePoint is highlighting the 15th anniversary of the compliance date for the HIPAA Privacy Rule with special informational posts regarding HIPAA compliance and some of the lesser known (or understood) provisions.

One provision that causes confusion is how HIPAA applies to entities that have both healthcare and non-healthcare components. A common example is a college or university that offers on-site health services for students. The Family Educational Rights and Privacy Act of 1974 (FERPA) applies to the health records maintained on students at the campus health clinics of postsecondary schools. Entities subject to FERPA classify records as either education or treatment records, both of which are excluded from coverage under the HIPAA Privacy Rule (with some exceptions) even if the school is a HIPAA covered entity. A school becomes a hybrid entity, subject to HIPAA, by segregating its healthcare-related activities into a separate component of operations.

April 2018 Marks 15 Years of Compliance with the HIPAA Privacy Rule

April 2018 marks the 15th anniversary of the requirement for most HIPAA covered entities to comply with the Privacy Rule.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the HHS Secretary to establish and publicize standards for the electronic exchange, privacy, and security of health information. April 14, 2003 marked the official compliance date for the HIPAA Privacy Rule. By that date, all HIPAA covered entities (except small health plans) were required to implement standards to protect and guard against the misuse of individually identifiable health information.

Fifteenth anniversaries are traditionally symbolized with roses, rubies, or crystal. Throughout the month of April, VantagePoint is highlighting the 15th anniversary of the compliance date for the HIPAA Privacy Rule with special informational posts regarding HIPAA compliance and some of the lesser known (or understood) provisions.

An example of a lesser known provision is the temporary waiver of certain HIPAA Privacy Rule requirements during a declared disaster event. In 2017, the HHS Secretary issued three separate temporary waivers of select HIPAA Privacy Rule requirements in the areas impacted by hurricanes Harvey, Irma, and Maria. During a national or public health emergency, the HHS Secretary may waive certain provisions of the Privacy Rule under the Project Bioshield Act of 2004, as well as section 1135(b)(7) of the Social Security Act. The waivers apply to hospitals that have implemented a disaster protocol and expire 72 hours after the protocol is implemented. Provisions commonly waived in these situations include the patient's right to request privacy restrictions or confidential communications, distribution of the Notice of Privacy Practices, and the opt-out from the facility directory. During a disaster, hospitals need to divert resources to the response and away from administrative concerns, so these waivers are a big relief operationally.

HIPAA Privacy implications in the wake of Facebook/Cambridge Analytica?

Much has already been said about the controversy surrounding Facebook and Cambridge Analytica and their use of customers' data. In all the mayhem and confusion surrounding this massive privacy debacle, is there a lesson to be learned for the healthcare industry?

According to HHS, "the HIPAA Privacy Rule gives individuals a fundamental new right to be informed of the privacy practices of their health plans and of most of their health care providers, as well as to be informed of their privacy rights with respect to their personal health information" (45 CFR 164.520). The Privacy Rule also maintains:

Each covered entity, with certain exceptions, must provide a notice of its privacy practices. The Privacy Rule requires that the notice contain certain elements. The notice must describe the ways in which the covered entity may use and disclose protected health information...state the covered entity’s duties to protect privacy, provide a notice of privacy practices, and abide by the terms of the current notice...describe individuals’ rights, including the right to complain to HHS and to the covered entity if they believe their privacy rights have been violated...include a point of contact for further information and for making complaints to the covered entity. Covered entities must act in accordance with their notices. The Rule also contains specific distribution requirements for direct treatment providers, all other health care providers, and health plans.

Luckily, HHS provides a model Notice that covered entities can use to fulfill these requirements. However, simply having the Notice is not enough, and neither is having a patient sign an acknowledgment that she has received your Notice of Privacy Practices. Each patient must be provided with a copy.

The words of the late Steve Jobs are both timely and relevant to any privacy discussion:

Privacy means people know what they’re signing up for. In plain English, and repeatedly. That’s what it means. I’m an optimist. I believe people are smart. And some people want to share more data than other people do. Ask them. Ask them every time. Make them tell you to stop asking them if they’re tired of you asking them. Let them know precisely what you’re going to do with their data.

So often in the healthcare world, compliance regulations are seen as a barrier to quality care. But ultimately, isn't healthcare about protecting the patient? Don't let your patients' right to privacy be a barrier to providing them with the care that they deserve - and that includes notifying them about their rights!