Issue link: https://beckershealthcare.uberflip.com/i/1120168
CIO / HEALTH IT

5 common questions about HIPAA, answered

By Andrea Park

The federal Office for Civil Rights issued a record-breaking $28 million in fines for HIPAA violations in 2018 and, judging by how many hospitals, insurance providers, government health departments, nonprofits and more are already under investigation by HHS, 2019 could be well on its way to topping that record.

Despite the prevalence of news and updates about HIPAA and its many violations, questions may still arise about the law's rules and regulations, who it concerns and how violations can be prevented, all of which is necessary knowledge for healthcare providers hoping to avoid legal trouble and hefty fines. Here are answers to five of the most common questions about HIPAA.

What is HIPAA and who must abide by it?

The Health Insurance Portability and Accountability Act was enacted in 1996 to protect individuals' private health information from fraud and theft, among several other health insurance-related policies. Examples of protected information are medical records, conversations between clinicians about an individual's treatment plan and patient billing information.

Entities required to comply with all HIPAA regulations include health insurance companies, government programs like Medicare and Medicaid, most healthcare providers, billing companies, claims processing firms and any company that stores or destroys medical records.

Parties outside the traditional realm of healthcare must comply with HIPAA, too. New software allowing healthcare organizations to transmit patient information using Amazon's voice assistant Alexa is HIPAA-compliant, as is the Uber Health medical transportation service.

What constitutes a HIPAA violation?

HIPAA requires all covered entities to establish safeguards to protect patients' medical information, procedures to limit who can view and access information, and training programs to educate employees about protecting the covered information.

Additionally, under HIPAA, patients have the right to ask for a copy of their health records, issue corrections to the records, request reports of how their records have been or will be used and shared, and permit or deny the sharing of PHI for marketing and other purposes.

Potential violations of these rules and regulations are investigated by HHS' OCR if a complaint is filed or an OCR review finds an entity is not in compliance with HIPAA. Noncompliance is determined to be a civil violation if an unintentional breach is found and the entity does not satisfactorily resolve the matter; a criminal violation, meanwhile, occurs when an entity is found to have knowingly disobeyed HIPAA.

What are the most common causes of HIPAA violations?

No matter how many electronic safeguards a covered entity enacts to comply with HIPAA, numerous violations can still occur due to human error. Citations are commonly issued when, for example, devices containing PHI are lost or stolen, patients' photos are shared on social media, unauthorized employees access records out of curiosity or medical records are mishandled.

What is the most costly HIPAA violation in history?

The largest individual HIPAA settlement was reached in October 2018, when the OCR fined health insurer Anthem $16 million. The violation came about, according to OCR Director Roger Severino, because "Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people's private information."

Between December 2014 and January 2015, cyberattackers breached Anthem's system to steal names, Social Security numbers, medical identification numbers, addresses, dates of birth, email addresses and employment information of almost 79 million individuals, in what OCR has called "the largest health data breach in U.S. history."

How could HIPAA change in 2019?

In December 2018, the OCR issued a request for input from stakeholders about ways to modify HIPAA to promote value-based healthcare. At the time, the office expressed its desire to update the law to better allow information sharing that will improve care coordination, especially in the case of patients with substance abuse and mental health issues, and to improve patients' ability to access their own PHI.

The public comment period ended on Feb. 11, just days after the American Medical Association issued a letter imploring the OCR not to make any concrete rule changes that could potentially endanger patients' privacy.

Though the OCR has not yet offered any further information about potential HIPAA updates related to this request for input, on April 26, HHS announced its decision to implement a tiered system of annual fine caps determined by level of culpability, based on a reinterpretation of the existing Health Information Technology for Economic and Clinical Health (HITECH) Act that amended HIPAA in 2009.

Inova ends genetic tests following FDA warning

By Andrea Park

Falls Church, Va.-based Inova Health System announced that it will cease using its five proprietary MediMap genetic tests after the FDA issued a warning about their unauthorized usage, according to the Washington Business Journal.

The nonprofit health organization's MediMap tests were used by physicians in the Inova Genomics Laboratory to predict drug dosage, side effects and efficacy for patients.

On April 4, the FDA issued a letter to Inova warning that claims on the lab's website were in violation of the Federal Food, Drug, and Cosmetic Act. Though Inova claimed the MediMap tests could predict patient responses to drugs, the FDA noted that it had not approved the tests' safety and accuracy.