• The Long Arm of HIPAA, Encore Presentation

  • Dear Readers,

    I have decided to give some of my earlier articles an encore performance. The articles I have chosen have created conversations and stimulated questions along with many comments.

    Today our daily news is rupturing with stories regarding new breaches, data hacking and employee threats, and I felt that this article is as relative today as it was a year ago.  Sign-up to receive JAL’s monthly newsletters by visiting our new website at www.jalconsultantsaz.com

    The Long Arm of HIPAA

    The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is broken into two sections. The first is Title I, which provides insurance coverage protection for workers and their families. It states that any employee who has existing healthcare insurance cannot be disqualified from the coverage even if the worker loses its job or decides to change their career.

    The second section is Title II, which has five parts; Standards for Electronic Transactions, Unique Identifiers Standards, Security Rule, Privacy Rule, The Prevention and Exploitation of Fraud and Enforcement Rule. In general, Title II discusses the establishment of rules and regulations in regards to health care, set of civil and criminal penalties if the regulations were disregarded by covered entities.

    Fast forward to January 26, 2013; on this date The Office of Civil Rights (OCR) adopted the HIPAA Omnibus Rule, overhauling and updating the existing volumes of the HIPAA Act and The Health Information Technology for Economic and Clinical Act (HITECH) Act.

    The new laws extensively hold second and third party businesses responsible in keeping Protected Health Information (PHI) and Electronic Protected Health Information (ePHI) confidential and private. The Long Arm of HIPAA now reaches all seventy-four (74) possible Business Associates (BA), who can be, and will be, held equally responsible for any breach containing a patient’s PHI. The expansion of this act includes the subcontractors or independent workers of the BA equally.

    Those professionals touched by The Long Arm of HIPAA, are Attorneys, Certified Public Accountants and their subcontractors. Interestingly, law firms who often are assisting covered entities to comply with HIPAA regulations, are often a BA themselves. Previously the contract, or Business Associate Agreement (BAA), between the law firm and the covered entity stated the terms and conditions for handling PHI or ePHI as was deemed by HIPAA and HITECH Acts. The Omnibus Rule has increased the liability to these professional services as with all BA’s. They are held liable for impermissible uses and disclosure, breach notifications, providing access to a copy of PHI or ePHI, accounting of disclosures and criterial elements of The Security Rule should they have access to the entity’s PHI or ePHI.

    Earlier in 2014, Iron Mountain Incorporated, (NYSE: IRM), published reports which was a six (6) month culmination of a study and review by the industry information professionals from the Law Firm Information Governance Symposium. Established in 2012, this platform for the legal industry was created out of the need for an information governance roadmap. “Most firms are in the very early stages of building their enterprises-wide governance programs,” stated Carolyn Casey, Esq., senior manager, legal vertical for Iron Mountain.

    Law Firms and other professional service industries who handle PHI or ePHI should be addressing the way they handle their access to PHI and ePHI.  Firms must comply with many of the Privacy and Security Rules, including the minimum necessary standard. Below are a few recommendations from that report:

    • Develop, implement, and document the organization’s approach to handling PHI and ePHI in accordance with the minimum necessary standard of the Privacy Rule going forward. Modify and document new intake procedures and processes. Include questions on intake forms to identify and flag HIPAA-related matter in order that appropriate security measures can be applied.
       
    • In conjunction with the implementation of, and compliance with good data asset protection policies, firm-wide training, and auditing procedures, the firm should inventory systems where PHI or ePHI is created, maintained, stored or transmitted. This can be achieved by using tools like data loss prevention software and predictive coding/classification technologies.
       
    • Identify information that contains PHI or ePHI by executing a manual keyword search and classification of unstructured content performed by attorneys, accountants and staff. Further, designate PHI and ePHI content in its profile properties form within structured environments like a document management system.

    Mark O. Dietrich CPA/ABV, co- author of The Financial Professional’s Guide to Healthcare Reform, a guest author for the September 2014 issue of AICPA Insights, writes “the Business Associate Agreement isn’t a contract for services or a typical non-disclosure agreement. It deals only with your responsibilities as a “Business Associate” under HIPAA.” He goes on further to state that “the HIPAA Privacy Rule protects all "individually identifiable health information” held or transmitted by a covered entity or its Business Associate, in any form or media, whether electronic, paper or oral. PHI goes beyond medical records. Patient names, addresses and social security numbers are also protected.” Mr. Dietrich reminds us to remember the key word, “identifiable.” If patients can’t be “identified” from the data that you “hold” or “transmit” on behalf of your covered entity, you don’t have PHI and should not be required to sign a Business Associate Agreement.”

    The Long Arm of HIPAA not only reaches across to medical related covered entities, health plan providers, health plans, health care clearing houses, it’s reaches now crosses to those non- medical professions, which has access to PHI, ePHI, whether they have entered into a Business Associates Agreement or not. These professions must review their policies, incorporate acceptable and reasonable policies and procedures in order to protect PHI and ePHI that they have access too. Or they will find themselves needing legal advice on how to mitigate violations, both monetary and criminal.  

    Judith Lindsay, CEO of JAL tackles the elements of the compliance puzzle. Successfully assisting organizations to make sense of it all, by implementing the correct policies and procedures that are reasonable and appropriate for each entity. Judith is available for training, speaking engagements and consultations. To read more about the world as it pertains to the compliance, visit JAL’s new website www.jalconsultantsaz.com or connect on Twitter @judithconsult 

    "Protecting You A Million Different Ways"

    judithconsulting@gmail.com
    @judithconsult
    www.jalconsultantsaz.com