Is it just me, or are you also having a difficult time believing 2013 is half over? As summer gets started and the days of oppressive heat approach, I thought we might discuss that timeless favorite HIPAA. Before you read further, grab yourself a tall glass of ice-cold lemonade. You will need something to keep you company as we cruise through this exciting topic.
A Brief History
I know some of you are students of history, but for the rest of us let’s recount the birth and evolution of HIPAA in a paragraph (or two or three). Officially referred to as the Health Insurance Portability and Accountability Act of 1996 (yes, soon to be 20 years old!), the act was shortened to one of the most despised acronyms in all of medicine. A sizeable component of the act deals with what the title suggests—protecting health insurance coverage for folks who change jobs. The other piece of the legislation concerns protecting the privacy and security of “individually identifiable health information” during electronic health care transactions. I find it a little more palatable to think about HIPAA from the perspective of two important components—the Privacy Rule and the Security Rule.
The Privacy Rule has been in play for ten years (2003) and defines how a “covered entity” (like your medical practice) should use and disclose what is known as Protected Health Information (PHI). We could devote an entire post to the description of PHI, but broadly speaking the patient-related contents of both your EHR and your billing system fall into this large bucket. At a high level, the HIPAA Privacy Rule tells us we can disclose PHI to a third party without the patient’s expressed consent if the disclosure facilitates treatment, payment, or healthcare operations (TPO). One of the fundamental components of the Privacy Rule is that we make every effort to disclose the minimum amount of information necessary for the receiving party to accomplish what they need to accomplish.
The Privacy Rule’s cousin, the Security Rule, is the actual topic of discussion today and has been in play since 2006. In play, by the way, means that all healthcare providers have been expected to be in compliance with the Privacy Rule since 2003 and with the Security Rule since 2006, so I am sure most of this is simply review for you! The Security Rule is laser-focused on Electronic PHI, so I am sure it comes as no surprise that the topic has made its way into our blog. Compliance with the Security Rule requires attention to three broad safeguard categories: administrative, physical, and technical. One component of compliance with the technical safeguard is the requirement to conduct a security risk analysis.
A Core Objective
While you are refilling your lemonade, let me remind you I am certainly not a healthcare attorney and everything expressed above should be taken with a grain of salt. In fact, other than wearing our practice’s privacy officer hat for several years and knowing my way around Wikipedia, I by no means am a HIPAA guru. The reason I bring the subject up today is because the first and second stages of Meaningful Use include a core objective that is an affirmation the provider is in fact compliant with the security risk analysis component referenced above. This objective has created a bit of confusion among providers, many of whom have assumed simply using a Certified EHR is enough to meet this objective.
One of my colleagues within Fresenius recently shared a couple of links related to this topic which I think you will find useful. The first is one I would encourage each of you to read. With the alluring title Top 10 Myths of Security Risk Analysis, this very quick read dispels many of the rumors swirling around this objective. For those of you interested in a deeper dive, take a look at the Guide to Privacy and Security of Health Information. Of course, you might need an entire pitcher of lemonade for this one.
Although HIPAA remains a reviled acronym among healthcare providers, protecting the security and privacy of our patients’ health information is one of our most important responsibilities. At first blush a formal security risk analysis appears daunting, but there are a number of references on the Office of Civil Rights website that provide guidance. Whether attesting for Meaningful Use or simply fulfilling your obligations regarding HIPAA, your patients deserve the attention.