Importance of Having HIPAA Policies and Procedures at Your Practice
Although HIPAA regulatory requirements are complex, one point is clear: if you are a covered entity (e.g., a healthcare provider that bills electronically), you must have HIPAA policies and procedures in place. From a large corporate hospital to a solo therapy practice, healthcare providers must have specific documentation demonstrating that they protect protected health information (“PHI”). Failure to have the proper HIPAA policies and procedures could result in penalties large enough to threaten the viability of your practice.
Our firm has decades of experience in healthcare law. We have helped numerous providers achieve greater HIPAA compliance by creating and implementing robust HIPAA policies and procedures at their respective practices. If you need any assistance or further information concerning these requirements, please do not hesitate to contact Barney Cohen at barney@conciergehealthcareattorneysllc.com.
To learn more about the importance of this subject matter, we provide information regarding the background of HIPAA, the requirements for HIPAA policies and procedures, HIPAA enforcement actions, and sample policies and procedures.
HIPAA Background
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that, among other things, protects the privacy and security of certain health information.[1] To implement that mandate, the U.S. Department of Health & Human Services (HHS) published what is commonly known as the HIPAA Privacy Rule, which established national standards for the protection of certain health information, and the HIPAA Security Rule, which established a national set of security standards for protecting certain health information that is held or transferred in electronic form (“e-PHI”).[2]
A primary goal of the Privacy Rule is to ensure that an individual’s health information is adequately protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public’s health and well-being.[3] The Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing.[4] Given that the healthcare marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that must be addressed.[5]
A primary goal of the Security Rule is to protect individual health information privacy while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care.[6] Given that the healthcare marketplace is diverse, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies appropriate for the entity’s particular size, organizational structure, and risks to consumers’ e-PHI.[7]
The HIPAA Breach Notification Rule,[8] issued in 2009 under the Health Information Technology for Economic and Clinical Health (HITECH) Act, requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information.[9] “Unsecured” is the operative word: PHI that has been rendered unusable, unreadable, or indecipherable to unauthorized persons, for example by encryption consistent with HHS guidance, is not unsecured, and its loss generally does not trigger notification provided the decryption key was not also compromised.
These rules form the foundation of HIPAA compliance. A healthcare provider that fails to comply with them faces substantial civil money penalties, and individuals who knowingly misuse PHI face criminal penalties, including imprisonment (see the section on enforcement below).
Important Definitions
Protected Health Information. Generally, the HIPAA Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).”[10] “Individually identifiable health information” is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.[11] Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).[12]
Covered Entities. HIPAA-covered entities include health plans, clearinghouses, and health care providers who submit HIPAA transactions, like claims, electronically.[13] These providers include, but are not limited to: (i) Doctors, (ii) Clinics, (iii) Psychologists, (iv) Dentists, (v) Chiropractors, (vi) Nursing homes, and (vii) Pharmacies. If you have any questions as to whether your practice constitutes a covered entity, please do not hesitate to contact our firm.
Business Associates. Most health care providers and health plans do not carry out all of their health care activities and functions by themselves.[14] Instead, they often use the services of various other persons or businesses. A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.[15] A covered entity’s workforce member is not a business associate. A covered healthcare provider, health plan, or healthcare clearinghouse can be a business associate of another covered entity. Some examples of business associates include the following:
- A third-party administrator that assists a health plan with claims processing.
- A CPA firm whose accounting services to a health care provider involve access to protected health information.
- An attorney whose legal services to a health plan involve access to protected health information.
- A consultant who performs utilization reviews for a hospital.
- A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
- An independent medical transcriptionist that provides transcription services to a physician.
- A pharmacy benefits manager that manages a health plan’s pharmacist network.[16]
Requirements for HIPAA Policies and Procedures
One of the major requirements under HIPAA is that a covered entity must develop and implement written policies and procedures consistent with the HIPAA Privacy, Security, and Breach Notification Rules.[17] Additionally, a covered entity must periodically review and update its documentation, including its policies and procedures, in response to environmental or organizational changes that affect the privacy and security of PHI.[18]
These policies and procedures are critical to have in place before any potential HIPAA issue occurs. We strongly recommend engaging our firm to help craft HIPAA policies and procedures that are modified to fit the specific needs of your practice.
Required Versus Addressable Policies
Covered entities are required to comply with every standard in the HIPAA Privacy, Security, and Breach Notification Rules. Within the Security Rule, however, the implementation specifications that accompany each standard are categorized as either “required” or “addressable.”[19] If an implementation specification is described as “required,” the specification must be implemented.[20] The “addressable” designation does not mean an implementation specification is optional. Rather, it permits a covered entity to determine whether the addressable implementation specification is reasonable and appropriate for that covered entity. If it is not, the Security Rule allows the covered entity to adopt an alternative measure that achieves the purpose of the standard if the alternative measure is reasonable and appropriate.[21]
The “addressable implementation specifications” concept was developed to provide covered entities additional flexibility concerning compliance with the security standards.[22] The covered entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework. A covered entity’s choice must also be documented in writing.[23]
For example, “Encryption and decryption” is an addressable implementation specification of the Security Rule’s Access Control standard: each covered entity must determine whether encrypting its e-PHI is reasonable and appropriate for its environment.[24] That decision will depend on, among other factors, the entity’s risk analysis, its risk mitigation strategy, the security measures already in place, and the cost of implementation. Note that this decision also interacts with the Breach Notification Rule, which applies only to unsecured PHI: the theft of an unencrypted backup tape, as in one of the settlements described below, is a reportable breach, whereas the theft of properly encrypted media whose key was not compromised generally is not.
Consulting with legal professionals, such as Concierge Healthcare Attorneys LLC, can help determine which policies and procedures are reasonable and appropriate for your practice.
HIPAA Policies and Procedures
The list of required and addressable policies and procedures under the HIPAA Privacy, Security, and Breach Notification Rules is lengthy. Below is a list of some of the policies and procedures your practice needs[25]. Each indented item is an addressable implementation specification of the standard above it, so if you decide not to implement one as written, document why and what alternative measure you adopted instead:
Administrative Safeguards
- Risk Analysis and Management
- Limiting Uses and Disclosures to the Minimum Necessary
- Disclosures and Requests for Disclosures
- Privacy Practices Notice and Other Individual Rights
- Business Associates
- Workforce Security
  - Authorization and supervision
  - Workforce clearance procedure
  - Termination procedures
- Information Access Management
  - Access authorization
  - Access establishment and modification
- Security Awareness and Training
  - Security reminders
  - Protection from malicious software
  - Log-in monitoring
  - Password management
- Contingency Plan
  - Testing and revision procedures
  - Applications and data criticality analysis
Physical Safeguards
- Facility Access Controls
  - Contingency operations
  - Facility security plan
  - Access control and validation procedures
  - Maintenance records
- Device and Media Controls
  - Accountability
  - Data backup and storage
Technical Safeguards
- Access Control
  - Automatic logoff
  - Encryption and decryption
- Integrity
  - Mechanism to authenticate electronic protected health information
- Transmission Security
  - Integrity controls
  - Encryption
Enforcement of HIPAA Law
Within the U.S. Department of Health & Human Services, the Office for Civil Rights (“OCR”) enforces the Privacy, Security, and Breach Notification Rules through complaint investigations and compliance reviews, voluntary compliance activities, resolution agreements with corrective action plans, and civil money penalties.[26]
Criminal Penalties.[27] Criminal cases are prosecuted by the U.S. Department of Justice, not OCR, and are reserved for persons who knowingly obtain or disclose individually identifiable health information in violation of HIPAA, for example to commit identity theft. The criminal penalties are tiered as follows:
- Tier 1: Knowingly obtaining or disclosing PHI in violation of HIPAA. Penalty: a fine of up to $50,000 and/or up to one year in prison.
- Tier 2: Committing the offense under false pretenses. Penalty: a fine of up to $100,000 and/or up to five years in prison.
- Tier 3: Committing the offense with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm. Penalty: a fine of up to $250,000 and/or up to 10 years in prison.
Civil Penalties.[28] Civil money penalties are imposed by OCR on covered entities and business associates, and they apply whether or not the entity intended to violate HIPAA; a breach caused by an outside attacker can still result in a penalty if the entity’s safeguards were deficient. The penalties are tiered by culpability, from violations the entity did not know about despite reasonable diligence up to willful neglect that was never corrected. The base amounts in the regulation range from $100 per violation to $1.5 million per year for identical violations (HHS adjusts these figures annually for inflation), as follows:
- Tier 1: The entity did not know of the violation and, by exercising reasonable diligence, would not have known. Penalty: minimum $100 per violation, maximum $25,000 per year.
- Tier 2: The violation was due to reasonable cause and not to willful neglect. Penalty: minimum $1,000 per violation, maximum $100,000 per year.
- Tier 3: Willful neglect, but the violation was corrected within 30 days. Penalty: minimum $10,000 per violation, maximum $250,000 per year.
- Tier 4: Willful neglect, and the violation was not corrected. Penalty: minimum $50,000 per violation, maximum $1.5 million per year.
As of the HHS enforcement highlights cited below, OCR had settled or imposed a civil money penalty in 145 cases, for a total of $142,663,772.00.[29] Cumulatively since the compliance date, the compliance issues most often alleged in complaints are, in order of frequency:
- Impermissible uses and disclosures of PHI;
- Lack of safeguards of PHI;
- Lack of patient access to their PHI;
- Lack of administrative safeguards for e-PHI; and
- Use or disclosure of more than the minimum necessary PHI.[30]
Numerous settlements in recent years have highlighted the importance of having HIPAA-compliant policies and procedures in place. The following cases are illustrative:
- iHealth Solutions settles HIPAA investigation with OCR for $75,000 after disclosure of PHI on an unsecured server.[31]
- Summary: OCR initiated an investigation of iHealth Solutions, a business associate, after receiving a breach report stating that iHealth Solutions had experienced an unauthorized transfer of PHI, known as exfiltration, from its unsecured server. The PHI of 267 individuals included patient names, dates of birth, addresses, Social Security numbers, email addresses, diagnoses, treatment information, medical procedures, and medical histories. In addition to the impermissible disclosure of protected health information, OCR’s investigation found evidence of a potential failure by iHealth Solutions to analyze risks and vulnerabilities to electronic protected health information across the organization. As part of the settlement, iHealth Solutions agreed to develop, maintain, and revise, as necessary, its written HIPAA policies and procedures.
- $750,000 HIPAA settlement with OCR by Cancer Care Group emphasizes the importance of risk analysis and device and media control policies.[32]
- Summary: HHS received notification from Cancer Care Group (CCG) regarding a breach involving unsecured electronic protected health information (ePHI). CCG reported that a laptop bag was stolen from an employee’s car in Indianapolis, Indiana. According to the report, the laptop bag contained unencrypted computer server backup media, which included the ePHI of approximately 55,000 individuals. Had that media been encrypted, the theft would not have been a breach of unsecured PHI. The OCR investigation also revealed that CCG had failed to implement policies and procedures governing the receipt and removal of hardware and electronic media containing ePHI into and out of a facility and the movement of these items within the facility.
- Snooping on medical records by the hospital security guard leads to a $240,000 HIPAA settlement with OCR.[33]
- Summary: In May 2018, OCR initiated an investigation of Yakima Valley Memorial Hospital following the receipt of a breach notification report stating that 23 security guards working in the hospital’s emergency department used their login credentials to access patient medical records maintained in Yakima Valley Memorial Hospital’s electronic medical record system without a job-related purpose. The OCR’s investigation of the breach incident indicated potential violations of the requirement to implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other provisions of the Security Rule. As a result of the settlement agreement, Yakima Valley Memorial Hospital will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule.
- Orthopedic clinic pays $1.5 million to settle systemic non-compliance with HIPAA rules.[34]
- Summary: A journalist notified Athens Orthopedic that a database of their patient records, including the records of 208,557 patients, may have been posted online for sale. A hacker contacted Athens Orthopedic and demanded money for a complete copy of the database it stole. Athens Orthopedic subsequently determined that the hacker used a vendor’s credentials to access their electronic medical record system and exfiltrate patient health data. The hacker accessed protected health information (PHI) for over a month. OCR’s investigation discovered longstanding, systemic noncompliance with the HIPAA Privacy and Security Rules by Athens Orthopedic, including failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements with multiple business associates, and provide HIPAA Privacy Rule training to workforce members.
- Small healthcare provider agrees to settle with OCR for $25,000 after failure to implement multiple security rule requirements.[35]
- Summary: A small healthcare provider (“Metro”) filed a breach report regarding the impermissible disclosure of PHI to an unknown email account. The breach affected 1,263 patients. OCR’s investigation revealed longstanding, systemic noncompliance with the HIPAA Security Rule. Specifically, Metro had failed to conduct any risk analysis, had not implemented any HIPAA Security Rule policies and procedures, and had not provided workforce members with security awareness training.
REMEMBER: One of the first questions a government investigator will ask after a potential HIPAA breach or violation is whether your practice has HIPAA policies and procedures in place. If your practice meets the definition of a covered entity or business associate above, it cannot comply with the law without such policies and procedures. Thus, having a robust HIPAA policies and procedures manual is one of the first and best protections against substantial HIPAA penalties.
Sample HIPAA Policies and Procedures
Our firm can help create and implement HIPAA policies and procedures tailored to your practice’s specific needs. For your review, we have attached a few sample policies and procedures concerning the following HIPAA requirements that we can help adapt to your practice:
Policy #1 – General HIPAA Compliance Policy and Procedure
Policy #2 – Mobile Device Policy and Procedure
Policy #3 – HIPAA Training Policy and Procedure
Policy #4 – Business Associate Agreement
For any legal assistance regarding HIPAA policies and procedures or any other HIPAA compliance issue, you can contact our firm today at the following:
Email: Barney@conciergehealthcareattorneysllc.com
Phone: (312) 804-1739
Don’t wait until there has been a potential HIPAA violation at your practice. As they say, an ounce of prevention is worth a pound of cure!
[1] Pub. L. 104-191.
[2] https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html.
[3] https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html.
[4] Id.
[5] https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html.
[6] https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html.
[7] Id.
[8] 45 C.F.R. §§ 164.400-414.
[9] https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html.
[10] 45 C.F.R. § 160.103.
[11] 45 C.F.R. § 160.103.
[12] https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html.
[13] https://www.cms.gov/priorities/key-initiatives/burden-reduction/administrative-simplification/hipaa/covered-entities.
[14] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html.
[15] 45 C.F.R. § 160.103.
[16] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html.
[17] 45 C.F.R. § 164.530(i); 45 C.F.R. § 164.316; 45 C.F.R. §§ 164.400-414. A covered entity must retain its written security policies and procedures, and written records of required actions, activities, or assessments, for six years from the later of the date of their creation or the date when they were last in effect.
[18] 45 C.F.R. § 164.316(b)(2)(iii).
[19] https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html.
[20] https://www.hhs.gov/hipaa/for-professionals/faq/2020/what-is-the-difference-between-addressable-and-required-implementation-specifications/index.html.
[21] 45 C.F.R. § 164.306(d).
[22] In meeting standards that contain addressable implementation specifications, a covered entity will do one of the following for each addressable specification: (a) implement the addressable implementation specification; (b) implement one or more alternative security measures to accomplish the same purpose; or (c) not implement either the addressable implementation specification or an alternative. Whichever option it chooses, the covered entity must document its decision, the rationale for it, and how the underlying standard is being met. See https://www.hhs.gov/hipaa/for-professionals/faq/2020/what-is-the-difference-between-addressable-and-required-implementation-specifications/index.html.
[23] Id.
[24] 45 C.F.R. § 164.312(a)(2)(iv).
[25] See generally 45 C.F.R. Parts 160, 162, and 164.
[26] https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html.
[27] 42 U.S.C. § 1320d-6.
[28] 45 C.F.R. § 160.404.
[29] https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html.
[30] https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html.
[31] https://www.hhs.gov/about/news/2023/06/28/hhs-office-for-civil-rights-settles-hipaa-investigation-ihealth-solutions-regarding-disclosure-protected-health-information-unsecured-server-for-75-000.html.
[32] https://www.hhs.gov/sites/default/files/cancercare-racap.pdf.
[33] https://www.hhs.gov/about/news/2023/06/15/snooping-medical-records-by-hospital-security-guards-leads-240-000-hipaa-settlement.html.
[34] https://public3.pagefreezer.com/content/HHS.gov/31-12-2020T08:51/https://www.hhs.gov/about/news/2020/09/21/orthopedic-clinic-pays-1.5-million-to-settle-systemic-noncompliance-with-hipaa-rules.html.
[35] https://public3.pagefreezer.com/content/HHS.gov/31-12-2020T08:51/https://www.hhs.gov/about/news/2020/07/23/small-health-care-provider-fails-to-implement-multiple-hipaa-security-rule-requirements.html.