Marti Arvin (firstname.lastname@example.org) is an Executive Advisor at CynergisTek Inc., which is headquartered in Austin, TX.
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule has been enforceable for more than 18 years, the HIPAA Security Rule has been enforceable for more than 15 years, and the Breach Notification Rule was finalized more than eight years ago. Even after all this time, there are still common issues that occur in physician practices. Some issues apply generally to implementation of the rules, while other issues are specific to an individual rule.
General areas of concern under the rules
There are three sets of obligations under the rules that are often of concern: policies and procedures, training, and business associate relationships.
Policies and procedures
When looking at the HIPAA regulations, there is an expectation that covered entities will have policies and procedures addressing all the requirements of the rules applicable to the way in which the covered entity uses and discloses protected health information (PHI). However, many covered entities do not have policies and procedures that address all the provisions of one or more of the rules. Physician practice compliance professionals should review their policies and procedures against all the provisions of the Privacy, Security, and Breach Notification rules to ensure every regulatory criterion applicable to them is covered.
Even when policies do exist, they might not be sufficient. This can be the result of using templated policies and procedures that were drafted by someone else (e.g., a professional association, a consultant, or a law firm). Templated policies and procedures tend to take a one-size-fits-all approach, which means it is not customized to a particular type of healthcare entity. There is nothing wrong with using such templates as long as the organization customizes and changes the policies and procedures to its actual operational practices. This means making sure there are no places where it says, “insert practice name here” in the final approved policies. This also means reviewing the policy and procedure template carefully to make sure all appropriate changes are made.
Once the policies and procedures are customized to the organization, consideration should be given to having a review by the organization’s attorney to ensure that changes to the template do not create potential noncompliance. Changing one or two words could change the whole meaning of the policy. Consideration should also be given to the readability of the policy and procedure. Always keep the end user in mind. If an organization has policies and procedures that meet the legal requirements of the regulations, but the average workforce member can’t understand them, it will be difficult for employees to follow the policy. It can be a delicate balance between meeting the organization’s legal and compliance obligations and having policies and procedures that are useful to the workforce.
One more shortcoming is the failure to routinely review policies and procedures. The routine review helps the organization ensure the policies are current for any changes to laws or regulations. It is also a good check to ensure that the policies and procedures are aligned with the organization’s actual practices. Organizations may change practices over time for a variety of reasons. The change might be based on changes in technology, improvements around efficiency, mergers and acquisitions, or new personnel. A practice that is inconsistent with the organization’s policies and procedures does not necessarily mean the organization is doing something illegal or noncompliant. But these types of inconsistencies may need to be explained during regulatory inquiry. Such inconsistencies may also create an environment where staff feel it is ok to not follow a policy because they see it being routinely done. Policies and procedures should be reviewed on a routine basis (i.e., at least once every three years and when there is a new law passed or a change to an existing law).
One specific policy that is routinely problematic is a policy on sanctions for noncompliance. Outlining the organization’s approach to sanctions is required by the rules. Several of the Office for Civil Rights (OCR) enforcement actions have identified the lack of such a policy. They have also identified failures to follow the policy when one does exist. A sanction policy should be drafted so that any applicable sanction can be applied in a consistent manner regardless of the offender. This may be a challenge in a physician’s practice. Often the ultimate deciding body is one or more members of physician leadership. While there may be no reluctance to have a strong sanction policy for staff, physician leaders may be less willing to apply the same policy to a physician colleague for a similar act of noncompliance. A sanction policy should be drafted to account for a method to apply a consistent comparable sanction to both staff and physicians for similar offenses.
Training the workforce
Training on the rules is an area where a number of organizations have had issues when the OCR pursues investigations or compliance inquiries. A common finding is that the organization did not do training at all or has not done any for a number of years. The Privacy Rule mandates training on the policies and procedures of the organization for both new and existing employees. The Security Rule focuses more on security awareness, which is not explicitly formal training but can be. Making sure there is training for all employees is important. In physician practices, it can be difficult to ensure the physicians complete the required training. If the training is mandatory, there should be sanctions for anyone who fails to complete the training.
Neither the Privacy nor the Security rule mandates the nature of the training, but often it is done in the form of new employee orientation and ongoing annual training. While this may meet the regulatory obligations of the rule, it should not be the only goal of training. The primary goal of training should be to help ensure the workforce understands what they need to do to help the organization maintain compliance. Effective training is more commonly done by the dissemination of shorter, smaller bits of information dispersed at frequent intervals. This allows the individual to more readily digest and retain the information. This may be done via email, an employee newsletter, or some other means.
Regardless of the training method used, the organization should have some way of evaluating the effectiveness of the training. This might be done by tracking the number of compliance concerns or questions raised before and after the training, which can help demonstrate that individuals can identify a particular compliance concern if the reports increase after the education. Even an increase in questions regarding the topic of training can demonstrate the audience retain the material enough to know to ask the question. Organizations may also do a pre- and post-training test. This can inform the organization of the change in the individual’s level of knowledge. To test whether employees are retaining the material over time, the organization may consider an employee survey once some time has passed after the training is completed. Another method is to pose a compliance question via email or through a newsletter, ask employees to respond with their answers, and then put the names of everyone who responded correctly in a drawing for some small prize.
Just like with policies and procedures, adopting a templated training platform created by a vendor, law firm, or another party can have issues. There is no reason to reinvent the wheel, so using material created by someone else as a starting point can save time. However, the practice needs to ensure that appropriate changes are made to customize the training to the organization. Compliance professionals are notoriously generous. If a compliance officer asks a colleague for a copy of their training material, it is likely to be shared. Just be careful that the material is rebranded for the organization, an appropriate assessment is performed, and changes made to reflect the organization’s policies and procedures, and any necessary changes reflect differing legal requirements that may be needed to comply with state or other federal laws applicable to the organization. Also, don’t assume the material is correct.
Business associate issues
Addressing the HIPAA compliance obligations around business associates is a struggle for most covered entities. For physician practices, it may be more of a struggle because they may not have the same resources and bargaining power as larger entities. It can also sometimes be difficult to tease out whether a particular vendor is a business associate. If the compliance professional is not involved in the process of reviewing potential vendor relationships, agreements can be signed without anyone realizing the need for a business associate agreement (BAA). Confusion also remains on whether a BAA is needed when the agreement is between two covered entities. A covered entity can be the business associate of another covered entity, so the fact that both parties are covered entities does not mean the relationship is not a business associate relationship.
In the Phase 2 audit protocol used by the OCR, it became clear there was an expectation that organizations have a method for clearly identifying their business associates. Several of the resolution agreements signed with OCR have identified the lack of a business associate agreement as one of the violations.
The Privacy and Security rules also have specific criteria that must be included in a valid BAA. If the language is not there, it could constitute a violation of one or both rules. Because there is a standard under each rule for the requirements of the BAA language, failure to have the necessary language could constitute a violation of both rules, which means civil monetary penalties could be imposed for each rule violation. Physician practices, particularly smaller practices, may not have the needed expertise to review language to ensure all the necessary components are present. Simply relying on the BAA provided by a vendor might not be sufficient.
Another violation identified in OCR resolution agreements is the lack of an updated BAA to reflect the provisions of the Health Information Technology for Economic and Clinical Health Act. Changes to the law made it necessary to update most organizations’ BAAs. It was necessary for covered entities to review BAAs that existed at the time and make the appropriate changes. If the entity has limited resources and lacks a structured process for identifying business associates, this was made more difficult, and thus BAAs might exist that do not reflect the necessary changes.
Implementing a process by which all the appropriate parties know what constitutes a business associate relationship and ensuring that the required language is part of the agreement with the vendor is critical. This is also necessary to monitor the ongoing relationship and engage in appropriate due diligence of the vendor. The lack of due diligence when engaging a vendor could result in an OCR investigation and potential fines if there is a data compromise on the part of the vendor.
Business associate due diligence
The failure to conduct sufficient due diligence is not unique to physician practices. However, physician practices, particularly smaller practices, may not have adequate resources to conduct the needed due diligence when engaging the vendor and are even less likely to have the resources to conduct ongoing due diligence. The assessment necessary at the initiation of a business associate relationship can vary depending on the services the business associate will be providing and the volume of PHI the vendor will be accessing, maintaining, transmitting, or receiving on behalf of the practice. Vendors who will handle larger volumes of PHI should get more scrutiny than those who might only occasionally touch PHI.
The practice should not only be asking what the vendor has in place regarding appropriate controls to protect its PHI, but also conducting some verification of key aspects. For example, if the vendor will be hosting the practice’s electronic health record, the practice may want to confirm the vendor has done routine risk assessments. Ideally, the vendor will be able to demonstrate not only that the routine risk assessments have been performed, but also that there has been some form of recent independent third-party assessment to validate what the vendor has done internally. Another component of the due diligence it so to ensure any significant risk identified by the vendor’s risk assessment has been appropriately mitigated.
Both of the steps require some level of expertise in information security practices that may not be present in a physician’s practice. This could be a function that the physician practice wants to outsource. If the practice does not know how to assess a risk the vendor has identified and evaluate whether the mitigation approach seems appropriate, due diligence will not exist.