The healthcare industry often uses portable devices for the storage and transmission of protected health information. I find it concerning to hear many of the people I speak with thinking that because they use a jump drive or an external hard drive to store patient information, they are compliant. It simply isn’t true.

The HITECH Act now specifically says that information must be encrypted during transmission AND at rest. That means all of the patient information you are storing on any kind of portable device must also be encrypted. In the publication by OCR of breaches, you will find a good many of them are as the result of theft or loss of a laptop or jump drive.

In a recent conversation I had with a transcription service owner, who is a business associate and thus subject to these new laws, the response to the above information was “well, the customers don’t care so I can’t be responsible for it.” If you read the laws, you realize this is not the case and that business associates are held to the same standards as the covered entity. In addition, you are responsible for the actions of your subcontractors. Simply “telling them to use an external drive for storage” doesn’t relieve you of that responsibility.

Simply storing things on an external drive without encryption isn’t good enough. Be sure you are not caught in this situation. If you are audited, it could mean monetary penalties and fines for you.

In the first HIPAA legal case against an individual, a former UCLA Medical Center researcher was sentenced on April 27 to four months in federal prison for looking at the confidential medical records of co-workers and celebrities such as Tom Hanks, Leonardo DiCaprio and Arnold Schwarzenegger.

This is certainly evidence that the government is going to take the enforcement of HIPAA violations seriously. In addition, because the new rules related to HIPAA and the HITECH Act hold individuals responsible, the responsibility for protecting patient information becomes even more crucial.

Be sure your systems have the ability to provide audit trails, and be sure those audit trails are periodically reviewed for unauthorized access.

Training of all staff is critical here. The researcher's defense is that he did not know this was a federal offense and that no reasonable person would have understood this. Training of staff so that they fully understand the consequences of their actions is critical in being able to show that you have met your responsibilities under the law.

HIPAA requires training in privacy and security for everyone, and now you can meet that obligation here. The first HIPAA and HITECH Act training courses will start on June 14, 2010. Whether you are an independent business owner, an independent contractor, a business associate, a covered entity, or simply someone who would like a general overview of the HIPAA and HITECT Act laws, there is a course designed for you.

In addition to the courses being offered, you will also find sample policies and procedures. If you are struggling with what to do about creating the policies and procedures that that law now requires you to have, these are customizable to your business setting.

Discounts!
Registration is now open for these courses. In honor of Medical Transcriptionist Week, which is May 16-22, we will offer a 10% discount for anyone registering before May 22. After that date, the regular prices will apply.

Don't delay in being sure that you have the necessary training and documentation that you have completed this training. Sign up today for one of our courses and join us in June! Be sure to sign up by May 22 to receive your discount.

One of the biggest challenges for many of us is doing the required risk analysis that is in the HIPAA Security Rule. The industry has struggled with how to conduct this, what to cover, and how to document it. This past week the Office of Civil Rights has issues a draft guidance document about the risk analysis required by the security rule.

The document is titled "HIPAA Security Standards: Guidance on Risk Analysis" and should be reviewed if you still have not conducted your risk analysis.

The OCR is tasked with issuing annual guidance related to the security rule. Following these guidelines as they are issued will help you stay on top of what you should be doing to be compliant.

Have you conducted your risk analysis? If not, now is the time!

HIPAA compliance requirements have been greatly changed with the American Recovery and Reinvestment Act (ARRA) and its Title XIII called the HITECH (Health Information Technology for Economic and Clinical Health) Act. With the introduction of this new law, business associates are now accountable for the privacy and security requirements that previously were required only by covered entities. In addition, a business associate is now subject to civil and criminal penalties. This also includes a provision that lets patients receive financial compensation for a violation of their privacy.

This new federal law has added strength to the enforcement portion of the law. The significant changes include:

• Employees and other workforce members, including independent contractors, are now subject to civil penalties. This means that individuals are also now accountable legally.
• There is a requirement for HHS to formally investigate any complaints and to impose civil penalties for violations of the rules if the violation is due to "willful" neglect.
• The law requires that any civil monetary penalties or monetary settlements as a result of a violation of the rules be sent to the Office of Civil Rights (OCR) for enforcement of the privacy and security rules.
• Civil monetary penalties now have a tiered system ranging from $100 to $50,000 depending on the offense.
• The Secretary of HHS is required to conduct periodic audits to be sure that covered entities and business associates are compliant with the new rules.
• The State Attorneys General now have the authority to bring suit in district courts for any violation on behalf of the residents of their state.

What Steps Should a Business Associate Take to be sure you are Compliant?

The first step is being sure you are properly classified. For example, if you are an independent contractor working for a service and not directly contracting with a covered entity, that probably means you are not a business associate, but an agent or subcontractor of a business associate. It is important, however, for independent contractors to understand if your contract is directly with the covered entity, that makes you a business associate and all of the new laws do apply to you.

Some things you need to consider include:

• Assigning responsibility for compliance to one person. While you can have a team working on compliance issues, one person must be named as the compliance officer and be responsible. This does not have to be an employee and you can use a consultant if that works best for you, however, it is critical that you have this person identified.
• Encryption of all electronic files. The HITECH Act has made the use of encryption the one thing that provides a "safe harbour" for not having a breach. Data that is not encrypted is considered unsecured according to the law. While you may already be using encryption for data transfers, this law also requires that information be encrypted while "at rest." This may require that you add encryption to all electronic files that are stored anywhere on your system. If you are in medical transcription, remember that this will also include the voice files stored on any dictation system. The Secretary of HHS will review these standards annually for any changes.
• Breach notifications. While HIPAA has always required that a business associate notify their client of any breaches of  information, the law now makes you responsible for being sure the notification is done. A breach is defined as acquisition, access, use or disclosure of unsecured PHI that is not permitted under HIPAA and that compromises the privacy or security of the information. Remember that unsecured data means unencrypted. Documentation of breech notifications must be kept for six years.
• Be sure you are compliant with both the privacy and security rules. There are many points to consider in these rules. You must have written policies and procedures. You must have a written risk analysis done. You also must have a contingency plan in place for any kind of business disruption. Your systems also have to provide audit trails for who accesses protected health information.
• Realize you are responsible for the actions of your workforce. The rules require training of the workforce, which must be done and documented. If you have remote workers, this can be more of a challenge, but it is possible.
• Another significant change is that business associates are now responsible for trying to stop any violations by the covered entity (their client). This includes things even up to canceling your contract with a client who refuses to fix a violation or prefers to ignore the law. Both parties are responsible for doing this for the other, and this could very well change some of the relationships you currently have with your clients.
• Documentation. Remember, it's all about being sure you have things documented. Use the rule of thumb that says "if it's not documented, it wasn't done." It is no longer acceptable to just say you are compliant. You must have written documentation to show that you have done all of the required steps.

The changes that have come as a result of the HITECH Act certainly have a big impact on business associates. The date for compliance is past. If you haven't taken the required steps, now is the time to do it.