As technology becomes more integrated with patient medical records, healthcare providers face increasing risks in storing, handling, and transmitting electronic protected health information (ePHI) via email, smartphone, text, and cloud technology. To mitigate liability associated with noncompliance with HIPAA and the HITECH Act, providers should take five steps to assess these risks.
Conduct a risk assessment to determine vulnerabilities. Auditors for the Office of Civil Rights (OCR), along with the Federal Trade Commission and state attorneys general, are increasingly auditing healthcare organizations and are responding to reported potential and actual security breaches involving personal health information. By conducting a thorough risk assessment, both internally and externally, to identify areas where the security of patient information might be at risk—and by taking the appropriate steps to enhance security—a provider can mitigate the legal, economic, and reputational liability associated with an adverse audit. Such an assessment should be performed in accordance with recommendations from the National Institute of Standards and Technology. Initial steps should include ascertaining whether formal or informal policies exist to assess risks and vulnerabilities; evaluating IT activities (e.g., audit logs, access reports, and security incident tracking); and assessing whether all electronic media that hold, store, or transmit ePHI are encrypted.
Identify the ePHI within the organization. This step involves compiling a list of all devices that house, store, or transmit ePHI and then determining whether the ePHI is transmitted internally or to business associates and their subcontractors. Develop action plans around the external sources of ePHI (e.g., vendors, consultants, and IT suppliers). Providers should list external entities that are sources of ePHI and contact them. This is a good time to review and update business associate agreements and perform due diligence related to contractors’ risk assessments and compliance with HIPAA and the HITECH Act. It is important to consider not only the direct business associate, but also the associate’s subcontractors (e.g., IT vendors, cloud servers, and contracted personnel) that handle ePHI.
Review the “Security Rule” to determine whether the implementation specifications for protecting ePHI are “addressable” or “required.” The OCR’s HIPAA Privacy and Security Audit Program, per the HITECH mandate, analyzes the processes, controls, and policies of selected covered entities. “Required” actions for protecting ePHI are mandatory, while “addressable” items carry a caveat: if an organization elects not to implement a particular performance criterion, a greater penalty is assessed in the event of a breach. If a breach occurs and the entity has treated an “addressable” action as “required,” the penalties assessed will be less severe.
Make sure the required business associate agreements are comprehensive and address liability in the event of noncompliance or a breach. In essence, hospitals and health systems should receive adequate assurance from their business associates that an adequate risk assessment has been performed, that ePHI standards have been met, and that, in the event of a breach, liability can be comparatively assessed. In some instances, indemnification may be appropriate.
Rachel V. Rose, JD, is principal, Rachel V. Rose—Attorney at Law, PLLC, Houston, and a member of HFMA’s Texas Gulf Coast Chapter (firstname.lastname@example.org).
Publication Date: Tuesday, January 01, 2013