Skip to main content
Subscribe
  • Sign Up Free
  • Login
  • Subscribe
  • News
    • Current News
    • Providers
    • Insurance
    • Government
    • Finance
    • Technology
    • Safety & Quality
    • Digital Health
    • Transformation
    • ESG
    • People
    • Regional News
    • Digital Edition (Web Version)
    • Patients
    • Operations
    • Care Delivery
    • Payment
    • Midwest
    • Northeast
    • South
    • West
  • Blogs
    • AI
    • Deals
    • Layoff Tracker
    • HIMSS 2023
  • Opinion
    • Breaking Bias
    • Commentaries
    • Letters
    • From the Editor
  • Events & Awards
    • Awards
    • Conferences
    • Galas
    • Virtual Briefings
    • Webinars
    • Nominate/Eligibility
    • 100 Most Influential People
    • 50 Most Influential Clinical Executives
    • Best Places to Work in Healthcare
    • Excellence in Governance
    • Health Care Hall of Fame
    • Healthcare Marketing Impact Awards
    • Top 25 Emerging Leaders
    • Top Innovators
    • Diversity in Healthcare
      • - Luminaries
      • - Top 25 Diversity Leaders
      • - Leaders to Watch
    • Women in Healthcare
      • - Luminaries
      • - Top 25 Women Leaders
      • - Women to Watch
    • Digital Health Transformation Summit
    • ESG: The Implementation Imperative Summit
    • Leadership Symposium
    • Social Determinants of Health Symposium
    • Women Leaders in Healthcare Conference
    • Best Places to Work Awards Gala
    • Health Care Hall of Fame Gala
    • Top 25 Diversity Leaders Gala
    • Top 25 Women Leaders Gala
    • - Hospital of the Future
    • - Value Based Care
    • - Hospital at Home
    • - Workplace of the Future
    • - AI and Digital Health
    • - Future of Staffing
    • - Hospital of the Future (Fall)
  • Multimedia
    • Podcast - Beyond the Byline
    • Sponsored Podcast - Healthcare Insider
    • Sponsored Video Series - One on One
    • Sponsored Video Series - Checking In with Dan Peres
  • Data & Insights
    • Data & Insights Home
    • Hospital Financials
    • Staffing & Compensation
    • Quality & Safety
    • Mergers & Acquisitions
    • Data Archive
    • Resource Guide: By the Numbers
    • Surveys
    • Data Points
  • Newsletters
  • MORE+
    • Contact Us
    • Advertise
    • Media Kit
    • Jobs
    • People on the Move
    • Reprints & Licensing
MENU
Breadcrumb
  1. Home
  2. Providers
September 21, 2013 12:00 AM

HIPAA hurdles

New rules pose complex challenges for providers

Joe Carlson
  • Tweet
  • Share
  • Share
  • Email
  • More
    Reprints Print

    Safeguarding patients' personal health information has become a more complicated job—and potentially more punitive—thanks to a raft of new federal rules going into effect this week for healthcare companies and an untold number of their subcontractors.

    Healthcare providers say most of the provisions governing data privacy and security in the 563-page Omnibus HIPAA Final Rule are workable, commendable even. But a few areas will create headaches for years to come, including bigger penalties, a strong push for systemwide data encryption, and drafting contracts assigning new liabilities to hospitals' “business associates,” which now include contractors and subcontractors.

    One particularly vexing provision requires providers to honor requests from patients to withhold sensitive records from insurance companies if the bills are paid out of pocket. Experts in the industry say modern electronic health-record systems make such data-segregation all but impossible, raising the possibility of mass noncompliance among thousands of hospitals and doctors offices when the rules go live Sept. 23.

    “You may be able to stop a bill from going to a particular payer, but all the other pieces that we have put in place are so tightly wound together,” says Pamela McNutt, senior vice president and chief information officer for seven-hospital Methodist Health System, based in Dallas. “How are you going to stop an insurance company that wants to do a chart audit from seeing one visit that the patient wanted to mask?”

    HHS' Office for Civil Rights, which enforces healthcare data-privacy rules, continues to say the out-of-pocket opt-out rule will be enforced along with the rest of the new privacy and data-security regulations that were included in the HITECH provisions of the American Recovery and Reinvestment Act of 2009 and published in final regulation form last January.

    “Overall, compliance is an ongoing effort and it is something that entities should be thinking about every day,” says Susan McAndrew, deputy director for health information privacy at the Office for Civil Rights. “It needs to be on everyone's mind, and not something that they will think about once a year.”

    Secret services

    Federal health information privacy law has long given patients the right to request that information not be shared with other entities, whether they be insurers, doctors or other hospitals.

    But until Sept. 23, hospitals and doctors offices had the legal right to decline requests to shield information from insurers.

    Now, healthcare providers must honor requests not to send records to insurance companies, but only in cases where the patient makes arrangements to pay for the service out of pocket. (Hospitals and doctors can still decline requests to withhold information from other entities, such as specialty doctors, regardless of how they're paid for.)

    The out-of-pocket provision for insurers is intended to give self-pay patients some ability to control whether insurers can learn about—and send bills in the mail regarding—sensitive healthcare services such as reproductive and mental health services, substance-abuse treatment or genetic disorder screenings.

    The out-of-pocket rule for insurers remains problematic because healthcare providers say no commercial EHR system is yet on the market that can segregate the data the way that federal law requires. While the new provision isn't expected to be used to an extensive degree, penalties for violations can add up quickly.

    “I haven't talked to anyone who has a system that can check a box to do this,” says Jim Sheldon-Dean, a longtime compliance expert and founder and director of Lewis Creek Systems, a data-security consultancy based in Charlotte, Vt.

    Systems are still being developed to allow clinicians to designate a record as “secret from insurer,” and then have that status communicated downstream to other providers, particularly pharmacies, which risk communicating with an insurer about drugs related to a service that the patient had otherwise paid for himself and declared off-limits.

    But since no system is on the commercial market that can do that today, federal officials used the preamble to the final rule to suggest hospitals and doctors could forgo electronic systems and write prescriptions on paper. According to the rule, the self-pay patient, not the hospital or doctor, is responsible for notifying downstream entities such as pharmacies and specialist doctors of privacy restrictions.

    “We are constantly providing guidance,” the OCR's McAndrew says. “This is a topic that we provided a lot of guidance on as part of the preamble and will continue to provide guidance as things come up.”

    Mahmood Sher-jan, vice president of product management with data-breach consulting firm ID Experts in Portland, Ore., says he's heard clients say the rule could force them to stop providing services to these self-pay opt-out patients, rather than risk breaching their security.

    “They are to the point that they were going to refuse to provide (out-of-pocket) services to a patient because that puts them in a bind,” Sher-Jan says. “This is an ongoing concern, and I don't think it has been addressed.”

    Understanding that section of the law has been one of the more stressful aspects of implementing the rule, but by no means the only challenge or lingering concern.

    Another concern is the question of whether all computers—including desktop units—should have their data encrypted as a safeguard against security threats and potential government sanctions.

    Encryption is not required, but compliance lawyers call it a “magic bullet” that can prevent data breaches. That's because if stolen data is encrypted consistent with guidelines certified by the National Institute of Standards and Technology, a breach is not considered to have taken place. In other words, the provider does not have to report a breach to patients or the government if the data is encrypted in ways that thieves should not be able to read it.

    However, encryption can be costly, slow down network speeds, and make sensitive computers accessible to only one employee. While the majority of providers are already requiring it on laptops, experts say recent incidents involving stolen desktop units or even central computer servers have put the issue under a spotlight.

    Meanwhile, lawyers and consultants have been busy addressing other issues in the law, particularly the updating of thousands of contracts with “business associates”—an expanded definition of which now imposes new data-security responsibilities and liabilities on virtually any entity that comes into contact with patients' protected health information, including subcontractors that do business with hospitals' partners.

    That would include hospital contractors' cloud-computing providers, who might not even be aware yet that they are now liable under the expanded rules in the Health Insurance Portability and Accountability Act.

    All told, the Office for Civil Rights estimated that U.S. healthcare providers and their contractors will spend about 620,000 hours preparing organizations for the new rule, and 32 million more hours complying with its various provisions each year, much of it on contracting.

    Enforcement leeway

    The rule also includes stepped-up penalties.

    When a breach of patient data is found and reported, healthcare providers and legal business associates can be exposed to up to $1.5 million for violations of a single HIPAA provision. It's the first time business associates have been exposed to direct liabilities, but HHS officials were careful to note in the preamble that breaches by outside entities do not create liabilities for hospitals “because such third parties are not its agents.”

    Despite the regular drumbeat of news regarding data breaches, relatively few providers are ever punished financially, and that's not expected to change. That's because the OCR will continue providing leniency when hospitals, doctors, insurers and other “covered entities” under the law can demonstrate they had working compliance programs to prevent, detect and investigate breaches of patient data.

    “Despite fully compliant policies and procedures, events do happen. And I think in most of those cases, if they have properly addressed the particular cause of that event, there would be no need for additional corrective action or any kind of a fine,” McAndrew says.

    The key is to prepare well in advance of a breach. Healthcare providers have to be able to show that they have analyzed their systems for privacy and security gaps, and that they have policies to address them. If encryption is not used, the provider has to show other means to the same end, such as limiting what data is being stored on computers vulnerable to a breach.

    Providers also have to demonstrate that employees actually knew about the policies through training programs, and that procedures were followed after the breach, starting with a thorough investigation of the incident.

    “Don't have a policy-signing party right before OCR comes in, because they'll figure it out,” says Angela Rose, director of health information management practice excellence at the American Health Information Management Association. “Then you'll be audited based on what policy was in effect two weeks ago, not what you just signed.”

    Follow Joe Carlson on Twitter: @MHJCarlson

    Letter
    to the
    Editor

    Send us a letter

    Have an opinion about this story? Click here to submit a Letter to the Editor, and we may publish it in print.

    Recommended for You
    Patrick Blair InnovAge
    PACE could expand amid possible nursing home closures: InnovAge CEO
    Rob Allen Intermountain 23
    Intermountain's Graphite Health may be AI 'grounding point,' CEO says
    Most Popular
    1
    CMS tries luring providers to revamped Medicare ACOs
    2
    Oregon joins other states in setting ratios for nurse staffing
    3
    Blue Shield CA taps Amazon, Mark Cuban, CVS for new PBM model
    4
    A health innovation hub grows in Lake Nona Medical City
    5
    Hospital-at-home providers push for Medicaid coverage
    Sponsored Content
    Modern Healthcare A.M. Newsletter: Sign up to receive a comprehensive weekday morning newsletter designed for busy healthcare executives who need the latest and most important healthcare news and analysis.
    Get Newsletters

    Sign up for enewsletters and alerts to receive breaking news and in-depth coverage of healthcare events and trends, as they happen, right to your inbox.

    Subscribe Today
    MH Magazine Cover

    MH magazine offers content that sheds light on healthcare leaders’ complex choices and touch points—from strategy, governance, leadership development and finance to operations, clinical care, and marketing.

    Subscribe
    Connect with Us
    • LinkedIn
    • Twitter
    • Facebook
    • RSS

    Our Mission

    Modern Healthcare empowers industry leaders to succeed by providing unbiased reporting of the news, insights, analysis and data.

    Contact Us

    (877) 812-1581

    Email us

     

    Resources
    • Contact Us
    • Help Center
    • Advertise with Us
    • Ad Choices
    • Sitemap
    Editorial Dept
    • Submission Guidelines
    • Code of Ethics
    • Awards
    • About Us
    Legal
    • Terms and Conditions
    • Privacy Policy
    • Privacy Request
    Modern Healthcare
    Copyright © 1996-2023. Crain Communications, Inc. All Rights Reserved.
    • News
      • Current News
      • Providers
      • Insurance
      • Government
      • Finance
      • Technology
      • Safety & Quality
      • Digital Health
      • Transformation
        • Patients
        • Operations
        • Care Delivery
        • Payment
      • ESG
      • People
      • Regional News
        • Midwest
        • Northeast
        • South
        • West
      • Digital Edition (Web Version)
    • Blogs
      • AI
      • Deals
      • Layoff Tracker
      • HIMSS 2023
    • Opinion
      • Breaking Bias
      • Commentaries
      • Letters
      • From the Editor
    • Events & Awards
      • Awards
        • Nominate/Eligibility
        • 100 Most Influential People
        • 50 Most Influential Clinical Executives
        • Best Places to Work in Healthcare
        • Excellence in Governance
        • Health Care Hall of Fame
        • Healthcare Marketing Impact Awards
        • Top 25 Emerging Leaders
        • Top Innovators
        • Diversity in Healthcare
          • - Luminaries
          • - Top 25 Diversity Leaders
          • - Leaders to Watch
        • Women in Healthcare
          • - Luminaries
          • - Top 25 Women Leaders
          • - Women to Watch
      • Conferences
        • Digital Health Transformation Summit
        • ESG: The Implementation Imperative Summit
        • Leadership Symposium
        • Social Determinants of Health Symposium
        • Women Leaders in Healthcare Conference
      • Galas
        • Best Places to Work Awards Gala
        • Health Care Hall of Fame Gala
        • Top 25 Diversity Leaders Gala
        • Top 25 Women Leaders Gala
      • Virtual Briefings
        • - Hospital of the Future
        • - Value Based Care
        • - Hospital at Home
        • - Workplace of the Future
        • - AI and Digital Health
        • - Future of Staffing
        • - Hospital of the Future (Fall)
      • Webinars
    • Multimedia
      • Podcast - Beyond the Byline
      • Sponsored Podcast - Healthcare Insider
      • Sponsored Video Series - One on One
      • Sponsored Video Series - Checking In with Dan Peres
    • Data & Insights
      • Data & Insights Home
      • Hospital Financials
      • Staffing & Compensation
      • Quality & Safety
      • Mergers & Acquisitions
      • Data Archive
      • Resource Guide: By the Numbers
      • Surveys
      • Data Points
    • Newsletters
    • MORE+
      • Contact Us
      • Advertise
      • Media Kit
      • Jobs
      • People on the Move
      • Reprints & Licensing