It Pays to Be HIPAA Compliant! (Part 1)


Technology is rapidly changing, and as healthcare providers and vendors to the medical profession, we must all recognize our roles in the safekeeping of our patients' health information in a world of ever-increasing threats to the security of that data. Business Associates such as billing and collection companies, application developers and data analytics companies must be compliant with the HIPAA HITECH regulations. We must ensure the security and privacy of protected health information (PHI) and fully comply with the HIPAA HITECH requirements.

If you handle PHI, you are a business associate and must comply with all of the HIPAA HITECH requirements, including critical items such as performing periodic risk assessments, documenting and implementing security and privacy policies and procedures, conducting HIPAA awareness training, and regularly testing disaster recovery and business continuity plans. But you may ask: "Should I worry if I'm not compliant? Could my business operations be disrupted by a data breach? Am I prepared if my customers and partners require me to be HIPAA compliant?" The answer to each of these should be an unqualified yes.

The risks are real, and they need to be managed. Here are just a few:

  • There have been years of underinvestment in technology (especially security) in both the healthcare and medical billing/collections industries
  • Healthcare records contain large amounts of personal information
  • Mass digitization of patient data has greatly increased attack opportunities
  • The value to thieves of a healthcare data record is 50 times that of a credit card record
  • Mobile devices have become the primary computing vehicle, increasing the potential for loss and theft

A KPMG study reported that 81% of healthcare organizations have been hit with a breach in the last two years. Some speculate that the number could be even higher, given that some data breaches remain undetected or go unreported. Furthermore, over 50% of respondents believe healthcare-related organizations will remain the industry most at risk in 2017. What do you think is the largest privacy and security threat in your organization?

Most business associates have similar gaps. Do any of these describe your organization?

  • Incomplete or out-of-date risk assessment; 
  • Missing security and privacy policies and procedures;
  • Limited or no HIPAA awareness training; 
  • Untested disaster recovery plans;
  • Ad hoc data breach incident response; 
  • Limited or no encryption of PHI; and 
  • Unmonitored access controls.

Being HIPAA HITECH compliant can pay dividends to your organization. It can help you generate more revenue and open up new business opportunities. If you haven't already noticed, more and more business partners are asking, "Are you HIPAA compliant?" Many will not work with you if you can't answer that simple question affirmatively. Being HIPAA compliant can also be a business development differentiator; reduce the impact of a costly lawsuit over PHI mishandling or access; prevent reputational damage and consumer mistrust; and minimize potential fines from breaches and audits.

While not easy by any standard, becoming secure and compliant doesn't have to be overwhelming or cost-prohibitive. This investment will pay for itself many times over. Part 2 of this blog will show you what you need to do. So get ahead of the curve. Bottom line: it pays to be HIPAA compliant!

Learn more:

When Can You Accurately Say You Are HIPAA Compliant?

Compliance Today – Gun Control Debate Prompts HIPAA Change

» Changes to HIPAA went into effect February 5, 2016.
» Covered entities will now be permitted to report “mental health prohibitors” to the NICS.
» This reporting was previously barred by HIPAA without a patient’s authorization.
» The determinations to prompt disqualification on mental health grounds are made almost exclusively by organizations not bound by HIPAA.
» It is anticipated these changes to HIPAA will have very little impact on covered entities.


Adam Bullian (abullian@qipsolutions.com) is Director of Privacy Compliance and Operations with QIP Solutions in Washington DC.

Click Here to Download Compliance Today – Gun Control Debate Prompts HIPAA Change Article


HIPAA Violations Cases (Cignet Health)


Cignet Health pays a $4.3 million penalty for failing to provide medical records.

Before the case of New York-Presbyterian Hospital and Columbia University, Cignet Health held the dubious distinction of most heavily penalized medical organization for a HIPAA violation. And looking into the case of Cignet Health, which was ultimately fined $4.3 million in 2011, it is pretty easy to see why.

Cignet Health Center is a medical group practice based in Temple Hills, Maryland. Over the course of 13 months, from September 2008 to October 2009, Cignet Health failed to provide 41 patients their medical records upon request. According to the HIPAA Privacy Rule, patients are to be provided access to their medical records within 60 days of request. The guidance document Individuals' Right under HIPAA to Access their Health Information (45 CFR § 164.524) goes into detail about the rights patients have when it comes to their records:

“The Privacy Rule generally requires HIPAA covered entities (health plans and most health care providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice.”

Now, for its failure to provide its patients their medical records, Cignet Health received a $1.3 million fine. As stated earlier, the final penalty was $4.3 million. So where did the additional $3 million come from? A lack of cooperation, in this situation, proved to be worth millions.

$3 million of the $4.3 million fine was the result of Cignet Health's lack of cooperation with the Office for Civil Rights (OCR) and its investigation. Among other things, Cignet Health did not produce the medical records when the OCR requested them (even after a federal subpoena was issued) and, in general, failed to cooperate with the OCR's investigation. Covered entities are required by law to cooperate with investigations by the Department of Health and Human Services.

As a spokeswoman for the OCR said at the time, the $3 million fine was really for "willful neglect."

This penalty handed down on Cignet Health was monumental on a variety of fronts. For one, before the case of the New York-Presbyterian Hospital and Columbia University, it was the largest penalty handed down on a medical organization for a HIPAA violation. Also, the $4.3 million fine in 2011 was the first civil penalty handed down for violations under the HIPAA Privacy Rule.

This situation is a clear indication that following simple rules can save you millions. Cignet Health failed to cooperate with an investigation with which it was legally obligated to cooperate. For that, it received a hefty fine.

Here at QIP Solutions, the only advice we have in a situation like this is:

When patients request their medical files, give them their files. They are entitled to their medical records and must be provided free access to them, with copies charged only at what it costs to produce them (paper, postage and supplies). The same guidance on 45 CFR § 164.524 continues:

“Individuals have a right to access this PHI for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated (e.g., whether the covered entity, another provider, the patient, etc.).”

Also, if the government steps in to investigate an issue with your organization, cooperate. No good can ever come from not cooperating with a government-led investigation. Nobody wants to pay a stiff fine for being uncooperative.

All in all, following basic HIPAA guidelines can result in not only having happy and satisfied customers, but also in avoiding millions of dollars in fines.

The next case that we will examine is the case of Stanford Hospital and Clinics, which is yet another $4 million case.

HIPAA Violations Series (NYP/CU Breach)

HIPAA violations are detrimental to everyone involved, most notably the victims whose personal information is breached or compromised. But for the organizations that commit the breaches, a violation of HIPAA rules can be taxing not only on the company's reputation but on its pocketbook as well.

Over the years, we have seen plenty of organizations compromise the information of their customers, sometimes unknowingly and sometimes maliciously. From CVS Pharmacies to small healthcare clinics to large hospitals, there is no shortage of HIPAA violations, nor of the large settlements that sometimes follow.

Over the course of the next several weeks, we will take a look at some of the most infamous and expensive cases of HIPAA breaches by organizations across the United States. We will also examine what could have been done to prevent these violations, and how QIP Solutions can help you at any level of compliance you might be lacking in. By the end of our analysis, we hope that organizations, if they haven’t already, realize the enormity of their responsibilities when they are charged with the tasks of not only treating those in need, but protecting their valuable information.

The first case we will examine is the most expensive case on the books, that of the New York-Presbyterian Hospital and Columbia University, which dates back to 2010, although the ultimate ruling and settlement were not made until four years later.

In 2014, the New York-Presbyterian Hospital (NYP) and the Columbia University Medical Center (CU) agreed to pay almost $5 million after failing to secure the protected health information of more than 6,800 patients (roughly $7,000+ per record). To date, that is the most expensive HIPAA breach on record. NYP paid $3.3 million and Columbia University Medical Center paid $1.5 million to the Department of Health and Human Services.

To sum up the situation, almost 7,000 patient records became accessible via the internet after an employee tried to deactivate a personally owned computer server on a network that also contained the protected health information of patients at New York-Presbyterian Hospital. This led to a patient finding the information of a deceased partner who had formerly been a patient at New York-Presbyterian. Among the information that was accessible were vital records and lab results.

In this situation, there were several things that NYP/CU did wrong.

First, their servers were not secure, which is Internet safety 101. If servers aren’t protected, then any decent hacker can gain access to them, compromising all of the information on those servers. For a hospital as large as NYP/CU, there was no excuse for the servers not to be secure.

The second major mistake was that no risk analysis had been performed, meaning that there was no risk management plan in place. Risk assessments are crucial to healthcare organizations because they identify the areas of weakness. Had NYP/CU completed a risk assessment periodically, they could have discovered that their servers were not secure and taken the proper steps to remediate the issue.

Lastly, the policies in place for accessing information in their database were inadequate, and employees even failed to follow the substandard procedures that did exist. The information being accessed was sensitive, so the protocols for accessing it should have been extremely strong, and employees should have taken those procedures seriously, however inadequate they were.

All in all, NYP/CU played fast and loose with procedures and did not do everything, or even the little things, to make sure they were taking all of the proper precautions to protect the health information of their patients. NYP/CU should have implemented security measures to prevent the breach and compromise of health information for the close to 7,000 people affected. At the very least, NYP/CU needed to conduct a security risk assessment and remediate the issues it identified. This would have significantly reduced the risk to the PHI and would certainly have led to a smaller fine from OCR.

This case proved that the information of just a few thousand people is worth several million dollars.

For information on everything HIPAA Compliance, and specifically the importance of risk assessments, visit qiexpress.com. Also, feel free to contact us if you have any questions.

The next case we will examine is that of Cignet Health in Temple Hills, Maryland, and how their case was previously the most expensive before the case of NYP/CU.

HIMSS 2016


Robert Zimmerman of QIP Solutions, along with John Kornack from the University of Maryland, presented at HIMSS 2016 in Las Vegas. The presentation, given to a standing-room-only audience, was on Telemedicine in Rural Areas: Risks and Rewards. This very interactive session covered practical ideas, solutions and best practices supported by a case study and project experiences. Key discussion points included telemedicine implementation steps, communication technology limitations, security and privacy considerations, and lessons learned.

Sample Business Associate Agreement


THIS HIPAA BUSINESS ASSOCIATE AGREEMENT (the “Agreement”) is entered into effective [date] (the “Effective Date”), by and between <>, Inc. (“Business Associate”) and <> (the “Covered Entity”).

The Business Associate will perform certain functions and/or activities on behalf of Covered Entity involving the creation, receipt, maintenance, transmission and/or disclosure of protected health information. Business Associate and Covered Entity agree to the following terms and conditions set forth in this Agreement so as to satisfy certain party obligations under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, each as may be amended from time to time (“HIPAA”), and the Health Information Technology for Economic and Clinical Health Act and its implementing regulations, each as may be amended from time to time (“HITECH”), including, but not limited to, those regulatory amendments of the Department of Health and Human Services made effective March 26, 2013.

In consideration of the promises and mutual agreements contained herein, and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties hereby agree as follows:

Definitions

Catch-all definitions: The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.

Specific definitions:

(a) Business Associate. "Business Associate" shall generally have the same meaning as the term "Business Associate" at 45 CFR 160.103, and in reference to the party to this agreement, shall mean <>, Inc.

(b) Covered Entity. "Covered Entity" shall generally have the same meaning as the term "Covered Entity" at 45 CFR 160.103, and in reference to the party to this agreement, shall mean [Insert Name of Covered Entity].

(c) HIPAA Rules. "HIPAA Rules" shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.


Download Sample Business Associate Agreement (Full Version)