
Protecting Patient Data Under HIPAA: Minor Lapses Lead to Major Litigation

If your company creates, receives, maintains, or transmits electronic medical information, there are several regulations under the Health Insurance Portability and Accountability Act (HIPAA) with which you and your company must become familiar. An outbreak of litigation has surfaced recently regarding the failure of covered entities, and of their employees, to comply with the standards required by HIPAA. Privacy issues resulting in litigation can range from seemingly minor and easily correctable security lapses, such as the failure to password protect a physician's laptop or to encrypt information stored on a Blackberry or other PDA, to more complex issues such as the failure of a third party data storage facility to fully comply with the HIPAA privacy and security requirements. Even the failure to implement minor safeguards can lead to severe civil liability and subject a covered entity to administrative penalties. On July 17, 2008, the first-ever HIPAA related monetary settlement with the federal government was reached between the Seattle, Washington covered entity Providence Health and Services and the Department of Health and Human Services. During 2005 and 2006 Providence allegedly allowed backup tapes, optical disks, and laptops containing unencrypted electronic patient health information to be removed from the Providence offices and left unattended. The tapes, disks and laptops, containing the health information of over 380,000 patients, were subsequently lost or stolen. Under the settlement agreement, Providence agreed to pay $100,000 to DHS and agreed to implement an extensive corrective action plan.

HIPAA requires covered entities, i.e. health plans, health care clearing houses, and health care providers, to take certain precautionary measures to protect the rights and privacy of patient health information. In March of 2007, the Office of Inspector General (OIG) began the first HIPAA security compliance audit. This recent trend toward greater enforcement of the HIPAA requirements makes now, more than ever, the time to update and ensure compliance with the standards established by HIPAA.

This outline has been prepared in order to inform the reader of the laws that govern electronically protected health information (ePHI), how electronically protected health information has been targeted by HIPAA audits, and possible ways a covered entity may protect itself.

RULES GOVERNING ELECTRONICALLY PROTECTED HEALTH INFORMATION

HIPAA is a set of federal laws which contains requirements intended to protect the privacy of patient medical and health information. It gives the patient certain rights with regard to his or her information. The three core categories of HIPAA safeguards, administrative, physical, and technical, each impose a number of standards for ePHI. For example, covered entities must:

  1. Implement policies and procedures to prevent, detect, contain and correct security violations;[1]
  2. Implement policies and procedures to ensure that all members of its workforce have appropriate access to ePHI, and prevent those workforce members who do not have access from obtaining access to ePHI;[2]
  3. Implement policies and procedures to limit physical access to its electronic information systems and the facilities in which they are housed;[3]
  4. Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights;[4] and
  5. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and also the movement of these items within the facility.[5]

These requirements, and others, force entities to adopt "reasonable and appropriate" standards to protect the information stored on devices and tools such as laptops, home-based personal computers, PDAs and smart phones, Wireless Access Points (WAPs), flash drives and other storage devices, and remote access devices.[6] For every "standard", the security rule gives a number of "implementation specifications." There are two types of implementation specifications: required and addressable.

Required implementation specifications must be performed by a covered entity. For example, it is required that every user of ePHI receives a unique identifier (i.e. login name).[7] Addressable implementation specifications, on the other hand, cover security procedures where the entity has discretion as to how to satisfy the standard; whether the standard is addressed at all is not optional. In other words, every addressable implementation specification must be satisfied, but the security measure used to satisfy the specification is up to the entity. HIPAA often uses this flexible method of regulation where the nature of a covered entity's business is unique to that entity and a required specification would be difficult if not impossible for the entity to implement. By allowing the entity to choose among a variety of security measures, the HIPAA regulations enable the entity to reasonably and appropriately implement the standards that will best protect patient information given how that entity handles ePHI. However, when an entity is deciding which security measures to use, it must take into account the following factors:[8]

  1. The size, complexity, and capabilities of the covered entity;
  2. The covered entity's technical infrastructure, hardware, and software security capabilities;
  3. The costs of the security measure; and
  4. The probability and criticality of potential risks to ePHI.

The "addressable" security measures that each entity implements to comply with the HIPAA standards are a major part of what the OIG scrutinizes, because these measures have the greatest chance of failing to meet the requirements of the relevant standards.

WHAT IS THE OIG SEEKING?

It is clear, based on information released by the Department of Health and Human Services, that the OIG has three primary goals for an audit. Those goals are to:

  1. Ensure the confidentiality, integrity, and availability of ePHI that the covered entity creates, receives, maintains, or transmits;
  2. Protect against reasonably anticipated threats or hazards to the security or integrity of the ePHI; and
  3. Protect against reasonably anticipated uses or disclosures of ePHI not otherwise permitted or required.

In other words, the OIG wants to see that the internal security measures are fundamentally sound, are being implemented, and are functioning well within the entity. For example, during the audit of Atlanta's Piedmont Hospital, HHS officials requested that Piedmont supply, within 10 days, a list of 42 items consisting of the policies and procedures for such internal security measures.

After the OIG auditors assess the documentation setting forth the ePHI policies and procedures, they will seek information regarding whether those policies and procedures are actually being followed by the entity. For example, after an entity delivers its policy and procedure on the encryption software used for remote access, the auditors will likely test a sample to determine whether the entity has complied with that policy.

While neither DHS nor Piedmont has officially released what information was requested during the Piedmont audit, DHS has released a sample interview and document request for HIPAA onsite investigations. DHS indicated that during an audit it would likely interview an entity's President, CEO and/or Directors, any HIPAA Compliance Officer, a human resources representative, any director of employee training, and any incident response team leader. DHS also stated that the policies and procedures that may be requested during an investigation include:

  1. Lists of authentication methods used to identify users authorized to access ePHI;
  2. List of individuals and contractors with access to ePHI, including copies of pertinent business associate agreements;
  3. Information regarding encryption and decryption of ePHI;
  4. Information regarding use of wireless networks; and
  5. Sanctions for workforce members in violation of policies and procedures governing ePHI access or use.

ENTITIES MUST HAVE A PROACTIVE VIEW

A HIPAA ePHI compliance audit can be a burdensome and time consuming event. However, an entity can help minimize this burden by maintaining and updating its policies, procedures, and internal records on a regular basis. By doing so, the entity can have all information readily available for prompt delivery to DHS and can keep its patients and the provision of services the primary focus during the event.

© 2009 Parsonage Vandenack Williams LLC

For more information, contact info@pvwlaw.com

[1] 45 CFR § 164.308(a)(1)(i).

[2] 45 CFR § 164.308(a)(3)(i).

[3] 45 CFR § 164.310(a)(1).

[4] 45 CFR § 164.306(a)(1).

[5] 45 CFR § 164.312(d)(1).

[6] 45 CFR § 164.306(b)(1).

[7] 45 CFR § 164.312(a)(2)(i).

[8] 45 CFR § 164.306(b)(2).
