HIPAA and HITECH
By Carol Wells, MBA
President Clinton signed the Health Insurance Portability and Accountability Act (HIPAA) into law in 1996. Its initial purpose was to provide a smooth transition from one health insurer to another when a worker changed jobs. In addition, HIPAA established rules to ensure that Protected Health Information (PHI) remained secure and put penalties in place for invading the privacy of patients.
Prior to the law being enacted, there was no uniform nationwide method for transferring PHI. HIPAA strengthened the mandates regarding privacy of health information: it identified what information must be kept private, how it must be kept private, and who may have access to it.
All health organizations are responsible for training their employees on the policies and procedures for protecting patient data. Protected health data is any information that identifies an individual patient and was created or used while that patient received health care services. This includes the name, address, phone number, Social Security number, health insurance policy information, medical record number, and dates of treatment and physician visits.
Subtitle II is called “Administrative Simplification” and has five components: 1) a privacy rule, 2) a security rule, 3) electronic data interchange standards, 4) code sets and transactions, and 5) identifiers.
The three parts of Subtitle II that are of special interest to executives and administrators are:
1) The Electronic Data Interchange rule establishes standardized health information terminology and electronic code sets. This rule defines which classification systems and codes organizations use in their record systems. At present the U.S. is using the ICD-9 code set. ICD is an acronym for the International Classification of Disease. These codes are coordinated among healthcare providers, the CMS, and insurers to describe what services were rendered and what is being billed for. The codes are also maintained collaboratively worldwide, and while the U.S. is still using ICD-9, ICD-10 has been in use since the mid-1990s in most other countries. When all health professionals use the same terminology and coding, confusion is prevented when data is reported.
2) The security rule requires all health care organizations to develop internal policies and procedures that protect the confidentiality of all patient records. These policies must address access, auditing, authentication, and transmission security. In other words, health information must be protected by security measures against reasonably anticipated threats or hazards.
3) The privacy rule is a set of standards that protects private medical information by requiring authorization to access a patient’s medical information. While the patient has the right to decide who can access their information and for what purpose, in a hospital or medical center environment many workers may need access to that person’s medical information. Usually the EHR system will only allow certain individuals and departments to access information on a need-to-know basis.
HITECH
The Health Information Technology for Economic and Clinical Health Act, or HITECH, was passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA). ARRA furthered the incentives to adopt health information technology and was designed to stimulate and encourage the use of EHR among healthcare providers. Incentives were offered as grants so that providers, especially smaller physician groups, could afford to purchase and begin to use electronic health records. HITECH was also meant to encourage the development of IT systems in larger health care organizations.
Since the emphasis is on meaningful use, that is, measuring how well treatment modalities worked under certain conditions, integration with the CMS and development of a national database would give physicians a way to research and review treatment options for disease, with an emphasis on cost effectiveness.
As an example, the Veterans Health Administration (VHA) has had a fully integrated HIT system since President Clinton overhauled the VHA during his tenure. Not only has it saved millions of dollars, it has provided superior care for veterans who use the VHA system, which includes hospitals and medical centers, nursing homes, home care, telehealth, and outpatient medical offices nationwide. Any veteran can walk into any VHA-run facility or medical office and their electronic record is available. Research done by the military regarding head injuries, orthopedic injuries, and trauma has found its way into civilian medicine.
Like HIPAA, HITECH provided direction about how electronic health information is used, who has access to it, and how privacy standards are maintained. HIPAA provided some enforcement of privacy rules, and HITECH strengthens that enforcement. The plan inherent within ARRA is to increase the use of EHR, and HITECH strengthens the rules and protections for that use put in place by HIPAA. It also increases liability for non-compliance for providers and organizations that do not adopt the use of IT and EHR. The DHHS designed these rules in stages.
Organizations or physician groups that did not comply could be subjected to penalties. HITECH also provides funding for a national EHR system, state collaboration, and effectiveness research, as well as HIT training and education for health care professionals. Because of the anticipated rise in the risk of data compromise, HITECH further prepares for potential breaches of confidentiality: it imposes criminal liability on persons who access private patient data without authorization, and on organizations that in one way or another fail to protect patient confidentiality.
In order to comply with HITECH, organizations must review in-house security policies and procedures for access to private health information, develop additional safeguards to keep information secure, develop risk management assessment procedures, and develop interdisciplinary breach notification procedures for occasions when individuals violate, or cause a violation of, confidentiality.
A data breach affecting 500 or more persons must be reported to the Department of Health and Human Services (DHHS). In addition, HITECH establishes new limits and opt-out provisions (at the patient’s discretion) governing the use and disclosure of Protected Health Information (PHI) for marketing and fundraising communications, prohibits the sale of PHI, and restricts the use and disclosure of PHI to the minimum necessary.
It also expands individuals’ rights to access their PHI, to receive information regarding any disclosure of their PHI, and to place restrictions on disclosure of their PHI. This in turn increases the potential civil and criminal liability for non-compliance and provides for greater enforcement against health plans. This enforcement includes rules under the Genetic Information Nondiscrimination Act, guidance on how to handle breach investigations, higher penalties, a reasonable-cause standard, and tiers for violations.
Penalties for HIPAA violations by individuals can start at $50,000.00 and a sentence of 1 year in jail; if the breach was committed under false pretenses, the fines can be up to $100,000.00 and up to 5 years in jail. If the information was stolen with the intention of selling it, or for personal gain or malicious harm, the penalties can be up to $500,000.00 in fines and up to 10 years in jail.
What does this legislation mean for healthcare?
Since the requirement to have IT systems in place and to use electronic health information nationwide is so new, many in the legal field foresee problems in litigation because there is no case law that is directly applicable. Most states have already addressed the “breach” issue and have some legal remedies on the books, but each state is different. Additionally, the definition of a breach of patient confidentiality varies from state to state. Some states do not regard names and addresses as private information.
Differing views on what a breach is and what constitutes a breach of information have caused much confusion. Since this is jurisdictional, one resolution may be to merge the types of information that are deemed private, such as a combination of the name, Social Security number, driver’s license number, personal financial data, and insurance policy data. Additionally, there is no nationwide time limit for reporting violations involving private information; each state has its own time limit, and currently reporting is left to the individual organizations.
The Obama Administration has proposed a national law in order to unify and equalize the legal remedy for breach of information and non-compliance. In its final rule for the HITECH, which is built into the American Recovery and Reinvestment Act, the DHHS views a breach as to “require harm before notifying individuals of a data breach.” While the DHHS has put a “harm” requirement on reporting, there is no overall definition of what “harm” is.
While these violations mostly concern health organizations, they also fall under risk management procedures, which makes them a corporate law issue as well. Health-related corporations own health organizations (hospitals, medical centers, medical center complexes) in other states, or are national health organizations (HMOs, home care organizations, medical chains) with offices located in other states.
This brings up another dimension of confidentiality: transmission of information over the corporate network and by email. One failsafe would be to put “smart” detection into the email system that screens outgoing messages for Protected Health Information and then encrypts any email that contains it. Archival systems on servers should have safeguards in place that comply with the security rule.
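One way to implement the email screening step described above, as an added example that is not from the article: a Python gateway check that looks for the identifier types the article lists as PHI (Social Security number, phone number, medical record number, insurance policy number, dates of service), requires encryption when any recipient is outside the organization, and redacts the findings before they reach the audit log. The MRN, policy-number and date-of-service formats, the organization domain and the sample message are constructed assumptions, not a real organization’s scheme.

```python
import re

# Detectors for the identifier types the article lists as PHI. The MRN,
# policy-number and date-of-service formats are constructed for this example;
# a real deployment would use the organization's own numbering schemes.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "policy": re.compile(r"\b(?:policy|member)\s*(?:id|no\.?|#)[:\s]*[A-Z0-9]{6,14}\b",
                         re.IGNORECASE),
    "date_of_service": re.compile(r"\b(?:DOS|date of service)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b",
                                  re.IGNORECASE),
}

def find_phi(text):
    """Map each detector that fires to its matches, so the decision is explainable."""
    return {name: pat.findall(text) for name, pat in PHI_PATTERNS.items() if pat.search(text)}

def redact(text):
    """Mask every detected identifier; the audit log must not become a second copy of the PHI."""
    for name, pat in PHI_PATTERNS.items():
        text = pat.sub(f"[{name.upper()}]", text)
    return text

def gate_outbound_email(sender, recipients, body, org_domain="example-health.org"):
    """Decide how the mail gateway handles one outbound message.

    Returns (action, finding_types, redacted_preview). PHI addressed to anyone
    outside the organization must be encrypted before it leaves; PHI sent to
    internal addresses is allowed but still recorded for auditing.
    """
    findings = find_phi(body)
    leaves_org = any(not r.lower().endswith("@" + org_domain) for r in recipients)
    if not findings:
        action = "send"
    elif leaves_org:
        action = "encrypt"
    else:
        action = "send_and_audit"
    return action, sorted(findings), redact(body)

# Constructed sample message; every identifier in it is fictitious.
SAMPLE_BODY = ("Please forward the imaging results for the patient, MRN: 00482913, "
               "Policy No. BC7781290X, DOS 03/14/2012. Callback (555) 010-2233.")

if __name__ == "__main__":
    print(gate_outbound_email("rn@example-health.org", ["billing@outside-payer.com"], SAMPLE_BODY))
```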
Threats to data safety can be both external and internal. Examples of internal threats are unauthorized access to health records and loss of data; external threats may come from vendors, other contracted organizations, and employees using organizational email for personal use. Both kinds of threat can be handled by a combination of physical security, encryption, and backup systems to prevent data loss.
Internal data protection can be accomplished through management of data access, and external security can be accomplished through firewall protection and a reduction in the amount of information transmitted electronically outside the organization. Some other ways to prevent breach of data are internal policies that protect information on paperwork, such as keeping fax machines out of open access areas, having a lock box for items headed to the shredder, shredding internal documents as soon as possible, making sure no paperwork remains open on employee desks, etc.
Data breaches have been in the news quite a bit. All of us have heard of laptops being stolen with patient data on the hard drive, and it happens often. The following are examples of these cases and how they were resolved:
1. In 2009, BCBS of Tennessee paid $18.5 million for a security breach in which 57 hard drives containing the unencrypted health information of over 1 million subscribers were stolen.
2. In 2010, Cignet Health Care denied 41 individuals the right to access their private health data; Cignet then refused to cooperate with an investigation by the Office for Civil Rights (OCR). The OCR imposed a fine of $4.3 million against Cignet.
3. The OCR imposed a penalty on Alaska’s Medicaid program when a USB drive containing unencrypted information about members was stolen from an employee’s vehicle. The incident was self-reported in accordance with HIPAA rules. In the investigation, the OCR found that the DHHS had not performed a complete risk analysis or put risk management procedures in place, had not completed employee security training, had not put controls for devices and other media in place, and had done nothing about encryption for those devices and media. As a result, they were fined $1.7 million and had to agree to a 3-year corrective action plan.
As you can see, violations can be extremely costly for an organization. With risk management built into its procedures, an organization can control breaches of confidentiality far more easily.
About the Author
Carol Wells worked as a nurse for 25 years in diverse clinical areas, as well as in different types of health care organizations. In 1996, she graduated with a BS in Health Care Management. She went on to obtain her MBA in 2001 and continued with her education to achieve 2 additional MBA specialties including Healthcare Management in 2005.