Becker's ASC Review

Becker's ASC Review May/June 2013 Issue

Issue link: https://beckershealthcare.uberflip.com/i/148060


HIPAA Compliance: 5 Key Considerations for ASCs, Physician Practices and Small Providers

By Holly Carnell, JD, Associate and Meggan Bushee, JD, Associate at McGuireWoods

September 23, 2013 Compliance Deadline for New Requirements.

On January 17, 2013, the U.S. Department of Health and Human Services (HHS) released the long-awaited omnibus final rule (Final Rule) pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and the Genetic Information Nondiscrimination Act of 2008 (GINA). The Final Rule is effective as of March 26, 2013, and covered entities and business associates must comply with the applicable requirements of the Final Rule by September 23, 2013. The key compliance tasks for covered entities related to the Final Rule are as follows:

• Revise and redistribute Notices of Privacy Practices to patients.
• Revise policies and procedures and train the workforce on the new requirements.
• Update the breach definition and breach assessment tools to comport with the new "objective" breach standard (as discussed below).
• Evaluate all business associate relationships to ensure business associate agreements are in place as required under the expanded definition of Business Associate.
• Revise existing business associate agreements by September 23, 2014.

HITECH Mandated Audits Have Commenced.

The HITECH Act requires HHS to perform periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. The Office for Civil Rights (OCR) implemented a pilot program whereby KPMG LLP, a public accounting firm, developed an audit protocol and conducted 115 audits of covered entities from November 2011 through December 2012. The audit protocol is posted on the OCR website and provides a useful tool for providers to check their own compliance with the Privacy and Security Rules and Breach Notification standards.

Small Providers are Facing Large Fines.

On January 2, 2013, HHS announced it had reached an agreement with the Hospice of North Idaho (HONI) to settle potential violations of the Security Rule. HONI was investigated after it reported to HHS the theft of an unencrypted laptop computer that contained the electronic protected health information (ePHI) of 441 patients. In its press release regarding the settlement, OCR Director Leon Rodriguez emphasized that the action against HONI "sends a strong message to the healthcare industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information."

Another notable enforcement action against a small healthcare provider occurred in April 2012, against Phoenix Cardiac Surgery, P.C., a cardiology practice with just two owners. The initial claims against the practice related to postings by practice staff of clinical and surgical appointments for patients on a publicly accessible Internet-based calendar. The OCR investigation soon expanded into a full review of the entity's HIPAA compliance, which led to a determination by OCR that the practice, among other things, had failed to implement adequate policies and procedures, document employee training, appoint a security official, and conduct a security risk assessment. The practice paid $100,000 to settle the claims against it and entered into a corrective action plan (CAP).

Security Rule Compliance is the Focus of OCR Enforcement Actions.

Recent HIPAA enforcement actions publicized by OCR demonstrate a pattern of sanctioning entities that are out of compliance with the Security Rule. As of February 28, 2013, OCR had 258 open complaints and compliance reviews specifically pertaining to the Security Rule. In June 2012, following a $1.7 million settlement of Security Rule violations, OCR Director Leon Rodriguez cautioned, "Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices." Also in June 2012, following agreement by Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. to pay HHS $1.5 million to settle potential Security Rule violations, Rodriguez commented, "In an age when health information is stored and transported on portable devices such as laptops, tablets, and mobile phones, special attention must be paid to safeguarding the information held on these devices." While Security Rule compliance may not have been a focus of providers in the past, it is an area where an increased effort towards compliance may render significant benefit to covered entities and business associates.
