REQUIREMENTS TO Protect ELECTRONIC HEALTH INFORMATION Under HIPAA:
Minor Lapses Lead to Major Litigation
If your practice or company creates, receives, maintains, or transmits, in electronic format, any individually identifiable information related to the health or condition of a person, or the provision or payment for health care, then you must comply with all of those provisions of the Health Insurance Portability and Accountability Act (HIPAA) specifically designed to safeguard health information that exists in electronic format (“ePHI”)
There has been an uptick in enforcement litigation regarding failure of entities to comply with HIPAA’s requirements for the protection of ePHI. For all the complexity of HIPAA, these enforcement actions often arise from easily correctable security lapses, such as the failure to password protect a physician’s laptop or encrypt information stored on a Blackberry.
Liability also often arises from failure to obtain the precise security-related contractual assurances from third parties handling ePHI, such as companies that practices hire to digitize charts.
In one recent enforcement action, Seattle’s Providence Health and Services agreed to pay $100,000 to the federal government, and implement an extensive corrective action plan, for allegedly allowing backup tapes, optical disks, and laptops containing unencrypted patient information to be removed from its offices and left unattended.
REQUIREMENTS GOVERNING ePHI
The three core requirements of HIPAA relating to ePHI security are categorized as administrative, physical, and technical safeguards. Under each of these three categories there are numerous specific requirements. Having adequate policies and procedures to implement the requirements is the appropriate way for an entity to mitigate its risk of liability. Such policies and procedures will, for example, address how physical access to ePHI will be limited to those persons who have been granted access rights, provide for tracking the removal of hardware and electronic media that contain ePHI, describe technical methods of protection from computer viruses and hacking, and require sanctions against violating employees.
The HIPAA security requirements for ePHI apply not just with regard to servers and desk top computers in the office, but also cover laptops, home-based personal computers, PDAs and smart phones, wireless access points (WAPs), flash drives and other storage and remote access devices. Indeed this is often where the greatest risk of liability arises. The failure, for example, of a medical practice to require physicians to password protect PDAs used to store or transmit ePHI is a glaring HIPAA violation, but one that still frequently occurs.
HIPAA allows a certain amount of flexibility in the details of implementation of its ePHI security requirements, in accordance with the size, complexity, and capabilities of the covered entity, its technical infrastructure, hardware and software security capabilities, the cost of security measures, and the probability and criticality of potential risks to ePHI.
WHAT THE GOVERNMENT GOES LOOKING FOR
The Office of the Inspector General of the Department of Health and Human Services (OIG), which is tasked with enforcement of the HIPAA security standards, has set forth its primary audit and enforcement goals:
- Ensure the confidentiality, integrity, and availability of ePHI that the covered entity creates, receives, maintains, or transmits;
- Protect against reasonably anticipated threats or hazards to the security or integrity of the ePHI; and
- Protect against reasonably anticipated uses or disclosures of ePHI not otherwise permitted or required.
In short, the OIG wants to see that an entity has assessed the risks to ePHI, both from external threats such as hackers and internal threats such as unauthorized users, and is using security measures adequate to mitigate the risk in light of the specific HIPAA ePHI security requirements.
Specifically, OIG has indicated that at the very least it will likely delve into the following in the event of a HIPAA security audit:
- Authentication methods used to identify users authorized to access ePHI;
- Lists of contractors with access to ePHI, including copies of pertinent business associate agreements obligating these contractors to implement ePHI security standards;
- Encryption and decryption of ePHI;
- Use of wireless networks; and
- Sanctions requirements for workforce members in violation of policies and procedures governing ePHI access or use.
With enforcement on the uptick and medical privacy a growing public concern as medical recordkeeping shifts from paper to electronic format, now is a good time to ensure that adequate HIPAA policies and procedures are in place to mitigate the growing legal risks.