HIPAA Regulatory Alert: Are you ready for the new breach notification rule?
How to get in check now
Now that the U.S. Department of Health and Human Services (HHS) has released an interim final rule implementing the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, risk managers and compliance officers have been huddling with their teams (including their attorneys) to determine exactly how it will impact them and what steps they must take to be in compliance. While the new regulation took effect Sept. 23, 2009, HHS said it would not impose sanctions for failure to provide notifications for breaches discovered before Feb. 22, 2010.
However, warns Gordon J. Apple, a health IT lawyer in St. Paul, MN, that does not really mean you have until February to become fully compliant. "If you read the rule carefully, you will see that you are still expected to become compliant now," he says. "You can say, 'It's OK. I will not be sanctioned by CMS [the Centers for Medicare & Medicaid Services] until next year,' but do you really want to be in that position?"
Let's say, Apple suggests, that in June 2010 you decide you want to file a notice of breach. "CMS will ask you when you put your policies and procedures into place," he asserts. "If I were CMS, I'd 'whack' you harder than an organization that has made a good faith effort to become compliant as of the effective date."
What does compliance entail?
In brief, the breach notification rule requires covered entities subject to HIPAA to notify individuals promptly if their unsecured electronic health information has been breached. Prompt notification also must be made to the secretary of HHS and the media when a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals must be reported to HHS annually.
Further examination shows that notification will be required within 60 days of the date on which "the breach is known to the covered entity, or by exercising reasonable diligence would have been known to the covered entity."
"This goes to the point of having a security administration process," explains Harry B. Rhodes, MBA, RHIA, CHPS, CPHIMS, FAHIMA, director of practice leadership at the American Health Information Management Association (AHIMA). "The expectation is that you will have it in place, you will have done a risk assessment in the organization, have a policies and procedure process for monitoring, and audit control access to your system."
Up to now, he notes, the press often has been the vehicle for "breach notification." "The way the press often finds out is from the patient, who sees something suspicious in their claims or EOB [Explanation of Benefits], or they start noticing strange activity in their credit reports," says Rhodes. "You still need processes in place for when consumers bring an issue, a way of acting on and mitigating the breach, but the expectation is that you be the one that identifies the breach."
What are the methods by which the affected individual(s) must be notified? "A letter in the mail should be your initial response," says Rhodes. "If you're unable to reach them through the mail, you can go to a 'substitute' phone and/or e-mail."
If 10 or more individuals are affected, he continues, the expectation is you will have a notice posted on your web site for 90 days at minimum with a toll-free number. "If you feel it's appropriate, you can also go to the media. If over 500 patients are involved, the expectation is that you will go to the media," says Rhodes.
The information should appear in "prominent" media, Rhodes adds. "It should cover the counties or towns involved; it should ensure it reaches the population that includes your patients," he explains. "If you are on the edge of a state line, the expectation is you will also post it in public media to reach other states."
In order to respond properly to such situations, "You have to have your damage control group all set for how you explain this information, and you have to be able to efficiently handle that notification aspect," says Kendall Walsh, one of the principals of the new compliance & critical communications business unit at Direct Group, a Pennington, NJ-based direct marketing services provider. "That includes both legal and logistical strategies. So, for example, if you have to get 40,000 letters out, you should be prepared to do that."
Rhodes adds that "You must be confident when you send out a notification that a breach really has occurred; you do not want to worry the public unnecessarily and desensitize them against possible future breaches. They need to trust you."
The authors of the rule clearly anticipated such possibilities. "You are required to engage in a risk assessment to see if the breach poses significant risk of harm to the individual, and it has to be documented," notes Apple.
Finally, warns Rhodes, you do not want to send out multiple notices. "You want to send out as few as possible; so during the 60-day investigation, if you find other breaches, you will want to send out additional notifications, but if you have a good process in place, that should keep this to a minimum."
The process of deciding whether notification is necessary will be very complicated, predicts Apple. "It will be a lot trickier than people make it out to be," he asserts. "I already see turf claims between the lawyers and consultants as to who should be involved. Depending on the particular potential of having to notify or not, some organizations will make the decision to let the lawyer look at it first quickly and make a determination, with the aid of outside consultants or internal resources as to where this is leading, before actually going down the road of fully documenting."
It's in the "gray" areas where there will be lots of hand-wringing, Apple predicts. "And you'll see lawyers and consultants earning their wages. The client will want you to render an opinion, and the lawyer will say, 'I'm not an IT person.' They may look at it quickly, and based on the analysis of the IT person, say they can opine on it, but in other cases they may not be able to give a black-and-white answer."
So just how do you get the notification process in place? "One of the biggest challenges is re-training and education," says Rhodes. "There's lots of confusion about what you should be doing, but definitions are out there for closure, access, breach, and so on. You need to ensure that your staff understand what exactly is protected information, have a comprehensive plan to do an inventory of all information you are going to be protecting, that everyone has a clear understanding of what is being protected, and determine what the risks are."
Rhodes suggests you put together a team of stakeholders across the board: medical and administration, your health information privacy manager, IT, risk management, physical security, the admitting staff, and the nurse auditor. "This becomes your security and service compliance team, which will help you monitor activities," he says.
"We strongly recommend that you identify someone in the organization who will have the role of incident response manager," says Walsh. "If you have not identified such a person, all the groups involved will want to own the response; then you'll have a turf battle, and that's not the right time to do it. All of this is best done when it's hypothetical."
Your process also may require outside vendors to handle the logistics of the notification, Walsh adds. "It can help you get out the information promptly and accurately, and give you the paper trail that proves you were compliant," he notes.
Since not every hospital has gone to electronic health records, he continues, additional considerations enter into the picture if you do not use an electronic system. "On the paper-based side of the world, the hospital has to have very strict rules," he says. "Data retention is a big problem; people do not like to get rid of records, but backups and files are a 'hazmat' room, an accident waiting to happen."
'Get out of jail free'?
One very important part of the new rule can have a significant impact on a number of facilities: It appears that if your protected health information is encrypted, you will not be subject to penalties if a breach occurs. "It is a 'get out of jail free' card," says Walsh, "even if there is a breach or the information is rendered unusable. So, from a risk management perspective, you want to get in touch with your IT folks, explain this regulation, because they may not be aware of it, and ask them about their encryption policies."
"That's the guidance," echoes Apple. "If your encryption is robust enough, you do not have to file notification." However, he notes, while large health care organizations most likely have all such information encrypted, "Smaller folks may find themselves in a pickle." Nonetheless, he adds, it is worth investigating, as more and more computer manufacturers are actually loading encryption software into their machines.
This is another aspect of what Rhodes calls the "carrot and stick" approach the government is taking to the rule. "They point out the research [that demonstrates the true cost of breaches], and hope that is an incentive to invest [in greater protection]. We will see people going back and putting in new requirements," he predicts.
The way to move forward, he summarizes, is "to look at your entire security process, risk assessment, inventory, put together policies and procedures, and monitor your processes and incident responses." As for encryption, says Rhodes, "I personally do not know anyone who uses it much, but we will definitely see more attention being paid to it."
[For more information, contact:
Gordon J. Apple, Law Offices of Gordon J. Apple PC, 787 Osceola Avenue, Suite 400, St. Paul, MN 55105. Phone: (651) 292-1524. Fax: (651) 292-1543. E-mail: [email protected].
Harry B. Rhodes, MBA, RHIA, CHPS, CPHIMS, FAHIMA, Director Practice Leadership, American Health Information Management Association, Chicago, IL 60601-5809. Phone: (312) 233-1119. E-mail: [email protected].
Kendall Walsh, Principal, Direct Group, Compliance & Critical Communications Business Unit, 1595 Reed Road, Suite 100, Pennington, NJ 08534-5007. Phone: (856) 241-9400.]