Few physicians today realize the new liability they face after September 23, 2013, the date when the US Department of Health and Human Services (HHS) released the new Omnibus rule to expand the existing HIPAA regulations. HIPAA (Health Insurance Portability and Accountability Act) was enacted by the US Congress and signed by President Clinton in 1996 to help establish the national standards for handling electronic health care transactions for physicians, employers, and health insurance plans.
The rapidly expanding adoption of mobile and web-based technologies in the healthcare industry brought new challenges to the original set of HIPAA rules that no longer account for the range of privacy breaches possible today.
In this article I will give an overview of the regulatory updates, discuss specific HIPAA-related risks medical physicians face today, offer means to mitigate these risks, and introduce digital technology opportunities for medical practices.
Regulatory Updates
The Omnibus rules introduced strict new guidelines on how to handle patient health information (PHI) and what to do if/when a breach occurs. HHS introduced a steep increase in penalties for non-compliant individual providers or large health organizations. An individual provider can now be fined up to $1.5M per year for non-compliance.
Before the Omnibus rules, providers were required to report a breach only if it involved “significant risk of harm”; today HHS regards any unauthorized disclosure of PHI as a reportable breach. The new rules require providers to notify all patients involved in a HIPAA breach within 60 days of the breach and, most importantly, if 500 or more patients were affected, local media must also be notified within 60 days.
In case of a breach, asking several targeted questions will help determine the severity of the situation. For example, did the breach include:
a) a list of patients?
b) identifiable data such as Social Security Numbers?
c) any financial information?
d) any intimate medical records such as photos?
A study performed by Kaufman, Rossin & Co. for HHS identified important facts highlighting the severity of breaches occurring today. For example, from 2010 to 2011 the total number of patients affected by breaches doubled to 16.2M. Most of these were due to theft (53%), followed by unauthorized access (20%), and loss (14%).
The alarming fact is that even with these new stringent rules in place, over 95% of physicians are not compliant (Dermatology Times, June 2013, Vol 34, No. 6). A recent significant change is that HHS is now paying much closer attention to individual providers as opposed to large healthcare organizations, as was the case before the Omnibus rules were introduced.
To help better describe the range of enforcement cases pursued by HHS, I will briefly discuss a few examples:
Adult & Pediatric Dermatology (APDerm), a Massachusetts-based provider, agreed in December 2013 to settle with HHS a potential violation of the HIPAA Privacy, Security and Breach Notification Rules by paying a fine of $150,000. The provider was also required to implement corrective measures to satisfy HIPAA compliance.
Another example of a provider violation is Massachusetts Eye and Ear Infirmary (MEEI), which was fined $1.5M by HHS in September 2012 to settle potential violations resulting from the theft of an unencrypted personal laptop containing the electronic health information of MEEI patients and research. The stolen laptop also included patient prescriptions and clinical information.
In July 2013 WellPoint was fined $1.7M by HHS for leaving information accessible over the Internet, for not adequately implementing policies and procedures for authorizing access to the on-line application database, and for not having technical safeguards to verify the person seeking access to electronic protected health information – a risk that most medical physicians face today. As a result, WellPoint was found to have disclosed the PHI of over 600,000 patients by allowing access to the database to unauthorized individuals.
HIPAA Risks for Medical Physicians
I will next discuss specific examples of patient engagement methods used today that expose medical physicians to risk. We are all familiar with the standard “Contact Us” forms that most medical practice websites use today (Figure 1). Most websites are not encrypted, and PHI is being collected using non-secure methods when a patient contacts the office. Such PHI includes easily identifiable facts about the person, such as their name, contact information, desired procedure, and private comments. Furthermore, vendors managing the websites of medical physicians have unrestricted access to the PHI of hundreds or even thousands of patients without a strict HIPAA compliance process in place; this constitutes a HIPAA breach.
A solution is to amend your websites and stop collecting PHI using the standardized forms. Vendors building websites are generally not qualified to create and implement multiple security measures required in addition to encrypting the website.
In addition, the use of smart phones is now a universally accepted method of communication for follow-up patients. Physicians often provide their personal phone numbers to patients who text or email post-procedure follow-up information containing PHI, including photos. Phones can be lost or stolen, potentially giving access to patients’ PHI. Multiple such cases already exist, as illustrated by the article published on June 30, 2013 in the Lincoln Journal Star describing the loss by an individual provider of a thumb drive containing thousands of patient medical records. As a result, the provider had to send individual letters to all patients involved in the breach as well as report the incident to the Federal Government.
Popular personal email providers (e.g., Gmail, AOL, Yahoo) are also at risk given the high number of accounts being hacked. For example, in December 2012 a British Columbia physician’s email was hacked and patient healthcare information was compromised, resulting in a breach.
Remember: it takes one violation to face a potential HHS fine, a lawsuit from your patients, as well as a damaged reputation.
Means to Mitigate Risk
There are several measures medical physicians should implement immediately to minimize their risk of being fined. To comply, your practice should observe the following:
- Make sure to establish policies and procedures on how to handle situations when PHI is lost, stolen, or improperly disclosed. Your staff needs to be trained on these policies and procedures.
- PHI needs to be encrypted.
- Patients have the right to instruct their physician not to share with insurance companies information about a treatment for which the patient paid out of pocket. Your practice's Electronic Health Record needs to support flagging such information.
- Patients have the right to obtain an electronic copy of their record within 30 days from requesting it. Your practice needs to be able to provide such a copy electronically.
- Never text PHI to your staff.
- Never take photos of your patient on your smart phone.
- Never allow your child to use a phone that contains PHI.
- Report a lost or stolen device that contains PHI.
Digital Technology Opportunities for Medical Practices
With the advent of new technologies, medical practices can benefit from a number of enhancements to their workflow in addition to having HIPAA-compliant means to engage patients online. Remedly (www.Remedly.com) is a leading HIPAA-compliant practice optimization software for medical clinics.
Remedly provides, in one cloud-based integrated solution, all the tools needed to operate a successful medical practice. Running within any browser, Remedly empowers medical practices to (a) increase their revenue, (b) decrease loss to follow-up, and (c) increase patient satisfaction. Used by leading plastic and cosmetic surgeons throughout the US, Remedly is rapidly transforming the medical industry by helping address the need for HIPAA compliance as well as making medical practices more efficient.