The Office for Civil Rights’ Phase 2 HIPAA audits have finally arrived, and organizations need to be prepared. Unlike the first round of HIPAA audits, which focused only on covered entities, OCR has outlined that the Phase 2 audits will evaluate the compliance of both covered entities and their business associates with the requirements of the Privacy, Security, and Breach Notification Rules.
However, many entities that handle PHI do not know whether they may be subject to an audit, because some areas of HIPAA are widely misunderstood. The first of these ‘gray areas’ demonstrates this.
Understanding what makes a Business Associate
Although HIPAA is well known to the majority of entities operating in the healthcare industry, the HIPAA rules apply to many organizations outside of the sector. Because of this, many companies wrongly assume that HIPAA compliance does not apply to them.
A Business Associate (BA) is defined by HIPAA as an organization or individual that handles PHI while working in association with, or providing services to, a covered entity. Generally, any organization or individual that creates, receives, maintains or transmits PHI in the course of performing services on behalf of the covered entity qualifies as a BA.
All covered entities should have a Business Associate Agreement (BAA) in place with each of their BAs, and if a BA uses subcontractors to provide services to a covered entity, a BAA should be executed with them too. Ultimately, the covered entity remains responsible for safeguarding its patients’ information: even if a BA commits a data breach or fails a HIPAA audit, the covered entity shares in the responsibility.
Because the business associates of covered entities may also be subject to audits, some organizations that do handle PHI are reluctant to sign a BAA. They may invoke the HIPAA conduit exception to avoid signing, which makes the whole chain noncompliant.
An entity that simply transports or transmits PHI, but does not have regular access to it, may claim the “conduit exception”. This rule would apply to the United States Postal Service, internet service providers (ISPs) and couriers, for example.
It is very important to understand that the conduit exception applies to very few organizations, and it does not apply to any organization that creates, receives, maintains or transmits PHI on behalf of a covered entity. If a company that performs any of these services won’t sign a BAA, you shouldn’t risk using its services.
What qualifies as PHI?
Protected health information (PHI) is any information about health status, provision of healthcare, or payment for healthcare that is created or collected by a covered entity or business associate, and can be linked to a specific individual.
Under HIPAA, health information is linked to an individual through 18 identifiers, including the following:
- Geographic information;
- Dates (e.g. birth date, admission date, discharge date, date of death);
- Telephone numbers;
- Fax numbers;
- E-mail addresses;
- Social Security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- IP address numbers;
- Biometric identifiers (e.g. finger and voice prints);
- Full-face photographic images and any comparable images; and
- Other unique identifying numbers, characteristics, or codes.
Health information that has certain identifiers removed in accordance with Section 164.514(a) of the HIPAA Privacy Rule is no longer considered to be protected health information. This process is known as de-identification, and once the identifiers are removed an entity may disclose the health information. However, de-identification poses significant risk: it can be very difficult to remove every trace of personally identifiable information from records, and any residue can become the basis for re-identifying an individual. If in doubt, organizations should appoint a qualified expert to make a formal determination on the data.
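As an added illustration of why stripping the structured identifier fields is not enough (this is example code, not code from the original article), the following Python snippet drops direct identifier fields and then scans the remaining free text for several of the identifier categories listed above. The record, field names and patterns are constructed for the example and are not exhaustive.

```python
import re

# Regular expressions for identifier categories taken from the page's list.
# Constructed for illustration; real de-identification needs broader patterns.
PATTERNS = {
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "telephone_or_fax": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Structured fields that carry direct identifiers and are dropped outright
# (hypothetical field names for this example).
DIRECT_FIELDS = {"mrn", "ssn", "email", "phone", "account_no",
                 "license_plate", "device_serial", "ip"}


def deidentify(record):
    """Drop direct-identifier fields, then scan the remaining string values
    for residual identifiers. Returns (cleaned_record, findings) where each
    finding is (field, identifier_kind, matched_text)."""
    cleaned = {k: v for k, v in record.items() if k not in DIRECT_FIELDS}
    findings = []
    for field, value in cleaned.items():
        if isinstance(value, str):
            for kind, rx in PATTERNS.items():
                findings.extend((field, kind, m) for m in rx.findall(value))
    return cleaned, findings


def redact(record):
    """Replace every residual identifier found by deidentify() with a tag,
    so the record can be re-checked until no findings remain."""
    cleaned, findings = deidentify(record)
    for field, kind, text in findings:
        cleaned[field] = cleaned[field].replace(text, f"[{kind.upper()}]")
    return cleaned


# Constructed sample record: structured identifiers plus a free-text note
# that still leaks a phone number, a date and an IP address.
SAMPLE = {
    "mrn": "MRN-00112233",
    "ssn": "123-45-6789",
    "diagnosis": "Type 2 diabetes",
    "note": "Pt called from 555-867-5309 on 03/14/2016; glucometer synced from 10.0.0.7",
}

if __name__ == "__main__":
    cleaned, findings = deidentify(SAMPLE)
    print("residual identifiers after dropping structured fields:", findings)
    print("after redaction:", redact(SAMPLE))
    print("clean now?", not deidentify(redact(SAMPLE))[1])
```

Dropping `mrn` and `ssn` leaves three identifiers hiding in the clinical note, which is exactly the residue the text warns about; a formal expert determination would also have to consider identifiers these simple patterns miss.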
Don’t overlook addressable standards
Ignoring ‘addressable’ standards within the HIPAA safeguards puts organizations at risk of noncompliance.
The three sets of safeguards that define security standards to help ensure the confidentiality of patient information and prevent a breach of PHI are the physical, administrative, and technical safeguards.
The Technical Safeguards are broken down into 5 standards that focus on the technology that protects and controls access to PHI. Under these 5 standards, there are 9 key areas that organizations need to address:
- Access Control – Unique User Identification (required): Assign a unique name and/or number for identifying and tracking user identity
- Access Control – Emergency Access Procedure (required): Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency
- Access Control – Automatic Logoff (addressable): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity
- Access Control – Encryption and Decryption (addressable): Implement a mechanism to encrypt and decrypt ePHI
- Audit Controls (required): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI
- Integrity – Mechanism to Authenticate ePHI (addressable): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner
- Authentication (required): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed
- Transmission Security – Integrity Controls (addressable): Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of
- Transmission Security – Encryption (addressable): Implement a mechanism to encrypt ePHI whenever deemed appropriate
By ignoring standards classified as addressable, covered entities and business associates increase the risk of fines for noncompliance and leave themselves more vulnerable to breaches. Fines are very likely to be handed to organizations that experience a data breach as a result of not using encryption, even if a risk assessment is in place. This is expected to be one of the key areas OCR focuses on when conducting Phase 2 HIPAA audits.
Noncompliance carries huge penalties
Understanding the different penalties for noncompliance is crucial. Since the inception of the Privacy Rule in April 2003, OCR has received over 125,445 HIPAA complaints.
Failure to comply with HIPAA can result in both civil and criminal penalties. Civil penalties are enforced by OCR, are monetary and range from $100 to $1.5 million, while criminal penalties, enforced by the U.S. Department of Justice, can result in imprisonment for 10 years or more.
It should be noted that different states have different laws, and fines and prison terms may vary depending on the criminal charges an individual faces.
In addition to the civil and criminal penalties, experiencing a breach or being found to be noncompliant can be incredibly damaging for the reputation of an organization and any individual involved. It is therefore crucial that covered entities and their business associates do all they can to familiarise themselves with some of the lesser known situations where HIPAA applies.