A common question regarding HIPAA is whether a covered entity can be fined for violations of the HIPAA rules even if there is no breach of Protected Health Information. Worryingly, the answer is yes. So a clear understanding of the HIPAA rules is necessary to protect your company.
While HIPAA (the Health Insurance Privacy and Accountability Act) has many rules, when people speak of the “HIPAA Rules” they are usually referring to three primary sets of regulations. These “rules” lay out how covered entities are to handle PHI (Protected Health Information). The three main HIPAA Rules are:
The Privacy Rule
The Privacy Rule applies to PHI in any form, including oral, written, and electronic. Under the Privacy Rule, covered entities are responsible for making certain their employees (and business associates) use and/or disclose PHI only for authorized purposes. This means employers must keep their workforce trained to recognize what data is considered PHI and how to handle it appropriately.
Under this rule, covered entities are also responsible for making certain that only as much PHI as is necessary for a given purpose is disclosed. That is, the rule means it is not appropriate to just share entire medical records; only the portion of a record that is necessary for a given task is appropriate to share.
Other areas covered by the Privacy Rule include requirements for Business Associate Agreements (BAAs) with covered entities’ customers, vendors, and partners; standards for de-identification of Protected Health Information (that is, what kinds of information need to be removed from PHI in order to make it appropriate to share); specifications of patients’ rights to their own PHI; and requirements for covered entities to designate a privacy officer, publish their privacy practices, and more.
The Security Rule
Unlike the Privacy Rule, the Security Rule applies only to electronic PHI. It delineates requirements for administrative, physical, and technical safeguards of electronic PHI and requires publication of documentation that describes the policies and procedures covered entities employ regarding those safeguards.
The Security Rule also specifies how long a covered entity must retain documentation of their Security Rule compliance.
The Breach Notification Rule
The Breach Notification Rule defines a reportable HIPAA breach, states what covered entities must do in case of such a breach, who they must notify, and how soon they must notify them.
This rule also states under what circumstances unauthorized access to encrypted PHI may not be considered a reportable breach.
Ready to Learn More about HIPAA Compliance?
If you’d like to learn more about HIPAA compliance, Aperio IT will be holding a free Lunch and Learn Event on Wednesday, June 8. Brian Olsen, HIPAA Security Advisor, will be joining us to help answer your concerns about HIPAA regulations. You can find out details and register here to attend.
SOX Compliance in Recent News
Although the Sarbanes-Oxley Act has been around since 2002, compliance remains a challenge. In a recent example, a Forbes article from this month explores reasons for Plantronics’ under-performance in the stock market and brings up concerns that Plantronics may be facing a Sarbanes-Oxley violation. The article mentions that the senior vice president of sales at Plantronics, “…was instructing employees who worked under him to delete e-mails that were clearly relevant and responsive to pending discovery having to do with the distributors that are at issue in this case.”
In our last several posts we’ve focused on HIPAA compliance. But of course HIPAA is only one of several areas companies need to keep in mind when it comes to compliance issues. Here’s a quick refresher on the Sarbanes-Oxley Act.
Intent of the Sarbanes-Oxley Act
The intent of the Sarbanes-Oxley Act (also known as Sarbox or SOX) was to protect investors by improving the reliability and accuracy of corporate disclosures. It was enacted in 2002, and while it applies primarily to public companies, the act also contains provisions for private companies. Those provisions have to do with the willful destruction of evidence to impede a Federal investigation.
A major feature of the SOX Act is that it is designed to specify financial reporting responsibilities. This means that it should no longer be possible for CEOs and CFOs to claim that ignorance of financial issues means that they should not be held accountable for the accuracy of financial statements.
As a result of the SOX Act, leaders of an organization are held legally responsible for SOX compliance, facing possible monetary fines and imprisonment (up to twenty years) for failure to comply. Thus, even if a company’s IT department prepares SOX audit statements, those statements will need to be certified by the CEO.
What are some of the ways SOX Compliance has affected companies since SOX was enacted?
What are the main IT concerns regarding SOX Compliance?
Most aspects of IT are affected by SOX compliance. SOX regulations mean that audit trails must be retained and auditable for five years. Any IT operation that involves financial data or activity may be affected. All forms of communication regarding finance and accounting must be tracked and archived in case of compliance audits.
What kinds of information does IT need to store with regard to SOX compliance, and how?
Generally speaking, IT needs to store all emails, spreadsheets, and documents used to arrive at final financial conclusions. For a more complete breakdown, see our post “What Does Your IT Team Need to Know about SOX Compliance.”
Not sure if you should be concerned about HIPAA regulations? It’s time to start thinking about it if you haven’t already: on March 21, 2016, the Department of Health and Human Services, Office for Civil Rights (OCR) launched Phase 2 of its HIPAA Audit Program. This phase of the audit program, “…will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.”
How does this affect your business? Well, if you’re a covered entity or a covered entity’s business associate you could, of course, be selected for auditing. But even if you don’t draw the short straw when it comes to being audited, you can still face liability costs if you’re found to be out of compliance. According to an April Bloomberg BNA article, New York-Presbyterian Hospital reached a $2.2 million settlement with the OCR after the agency alleged that the facility had violated HIPAA when it allowed filming of patients without those patients’ consent.
While hospitals are a fairly obvious example of covered entities, you should be aware that hospice care providers, palliative care providers, and respite care providers are also considered covered entities under HIPAA. This means that if one of your company’s clients provides any of these kinds of care, you may be considered a business associate under HIPAA.
Generally speaking, a business associate is any individual or organization that creates, receives, transmits, stores, or otherwise maintains Protected Health Information (PHI) on behalf of a covered entity for a function regulated under HIPAA. Further, the obligation to comply with HIPAA applies to business associates even if they have no formal agreement with the covered entity stating that they are considered business associates.
If you’d like to learn more about how HIPAA compliance affects your business, Aperio will be holding a Lunch & Learn Event on Wednesday, June 8. Brian Olsen, HIPAA Security Advisor, will be joining us to help answer your concerns about HIPAA regulations. Please contact us to register if you’d like to attend.
REGISTER HERE: http://events.r20.constantcontact.com/register/event?oeidk=a07ecnjnfc31de5b02d&llr=hxcf8qcab
Aperio IT, along with Lenovo and HIPAA Plus, will be hosting a free Lunch and Learn event that will start at 11:30 AM and go until 1:30 PM on June 8th. We will go over some new HIPAA laws that went into effect and then hold a Q & A session to answer any HIPAA-related questions you may have.
The HIPAA Audit Program
On March 21, 2016, the Department of Health and Human Services, Office for Civil Rights (OCR) launched Phase 2 of its HIPAA Audit Program. This phase of the audit program, “…will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.”
According to the OCR, the number of audits done in this phase will be relatively small. This smaller number of audits reflects the OCR’s primary goal of better understanding the compliance efforts of covered entities and their business associates. The audit results will hopefully provide information to help them to determine what support is necessary for successful compliance.
This could be good news for companies that experience an audit; while the OCR maintains the option to initiate a compliance review in the case of egregious compliance issues, it will probably not be focusing primarily on enforcement actions.
HIPAA’s Privacy Requirements vs. the Spread of Social Media
How to maintain patients’ privacy in the face of widespread social media use is an ongoing challenge. With privacy rules that were originally written in 2000, then updated only once in 2009, it’s no wonder that HIPAA is lagging behind the rapid pace of technological change.
Although current regulations don’t completely cover the changing technological landscape, there are some common sense steps businesses can take to protect themselves. A good practice is to carefully remove all identifiers from PHI if it must be shared without the patient’s prior consent.
But be warned: modern search engines mean that surprisingly small amounts of information can unexpectedly be enough to identify patients. This means even a seemingly vague post on a site like Facebook could contain enough information to identify a patient, leading to liability concerns for the poster and their employer. Examples in the past few years include a Rhode Island physician who lost her privileges to work in the Emergency Room and faced a monetary fine for posting information online about a trauma patient. According to a Boston Globe article, “… [the] posting did not include the patient’s name, but… enough that others in the community could identify the patient.”
Your company will need to have clear, well-planned policies regarding social media use and will need to be certain that all employees have been made aware of these policies.
Please register for our event here (you may bring 2 guests): http://events.constantcontact.com/register/event?llr=hxcf8qcab&oeidk=a07ecnjnfc31de5b02d