Healthcare Business Management Association - HBMA

HIPAA Omnibus Challenges for Third Party Billers


Prepare for Increased Tracing of PHI Disclosures

An article by Ron Sterling taken from the September/October issue of HBMA Billing

The HIPAA Omnibus Rules, released in January 2013, dramatically change the HIPAA Security and Privacy challenges for your third party billing organization, in ways that affect how you serve your clients and redefine what constitutes quality service.

Under the original HIPAA Privacy and Security Rules, third party billing organizations had to sign a Business Associate Agreement (BAA) that recognized the applicability of the HIPAA rules to the handling of Protected Health Information (PHI), but did little to penalize a business associate who violated HIPAA Privacy or Security. The biggest exposure was that the practice or healthcare organization could fire the BA. The HITECH rules extend penalties to BAs for violation of HIPAA Privacy and Security, and the Omnibus Rules extend penalties to the BA subcontractors who are handling PHI to perform their work. Of course, the BA can still be fired.
A more serious operational challenge is that the third party biller BA has to support and manage the updated HIPAA Omnibus Rules on impermissible uses and disclosure of PHI and on breaches of PHI.

Under the "old" HIPAA/HITECH breach rules, a breach required a significant risk of financial, reputational, or other harm to the patient whose PHI was compromised. Under the "new" HIPAA Omnibus Rules, a breach is based on a much lower standard of PHI disclosure or use. Under this standard, an impermissible disclosure or use is a breach unless there is a low probability that the PHI has been compromised.

Under the old rules, the determination of harm was based on good faith analysis, but you were not required to document decisions or incidents that were not breaches.
Under HIPAA Omnibus, you should either assume that the event is a breach or analyze and document your review of the impermissible disclosure or use of PHI. The evaluation is based on four factors:

  • PHI nature and extent – You evaluate the sensitivity of the impermissible disclosure as well as the ability to identify the patient or even the possibility of access. For example, a list of dated, de-identified claims disclosed with a separate list of patient appointments for the day of the claims would present a higher probability of impermissible disclosure or use. Similarly, PHI scanned images may include patient identifiers and present a higher probability of disclosure.
  • Unauthorized person received or used PHI – You must evaluate the recipient of the impermissible disclosure or use to determine the extent of the problem. For example, impermissible disclosure to a covered entity that complies with HIPAA Security and Privacy may present a lower probability than mailing a patient claim to the wrong patient.
  • Actual acquisition or viewing of PHI – In evaluating the problem, you can determine if there was an opportunity to access the PHI. For example, a file of information that requires a special reading program presents a lower probability than a patient record in a PDF file. Similarly, if a device was lost, but upon recovery you can determine that the device was not accessed, you have a low probability of disclosure or use.
  • Mitigation factors – In the final step of your evaluation, you determine whether there were mitigating circumstances that lead you to a good faith and reasonable conclusion that the information was not disclosed. For example, a thumb drive containing PHI on a patient that is lost in your office but recovered in a non-public area may present a mitigating factor.

The evaluation of these four factors has to be documented along with your good faith and reasonable conclusion. If you determine that the probability of compromised PHI is low, you do not have a problem. Otherwise, you have a breach and have to respond according to the breach notification requirements.

The analysis and logging of impermissible disclosures and uses will provide a window into the effectiveness of your third party billing company's policies and procedures. Clients may reasonably request the right to review the log of impermissible disclosures and uses in order to judge how well your procedures, policies, and operations protect their PHI. An extended list of problems, or an analysis of impermissible disclosure and use that the client considers aggressive, could trigger a reconsideration of your services regardless of whether you maintain a clean AR. Likewise, an extended list of breach near misses may lower the client's confidence in the long-term viability of your organization if the client begins to question whether their PHI is being adequately protected.

At the end of the day, you have to avoid the occurrence of impermissible disclosures and/or uses by improving supervision, procedures, policies, and training. Handling impermissible disclosures and uses seriously may help you avoid recurrences of the same problems and convey to clients that you are diligently working to protect their PHI.

  • Examine the events that led to the impermissible disclosure or use in light of your HIPAA Privacy and Security policies and procedures. The event should trigger an analysis of the relevant policies and procedures as well as of the supervision and training of employees.
  • Analyze your impermissible disclosures (across all clients) to determine if there are patterns that may reveal a more serious problem or failure. For example, just because you have not graduated to a breach for a number of impermissible disclosures and uses does not mean that you do not have a weakness. Indeed, continuing PHI disclosure and use problems could be an indication of a potential problem and higher risk profile than your breach log shows.
  • Review HIPAA Security and Privacy issues with your clients as well as the efforts that you are engaged in to track emergent problems and protect their PHI. These issues could be reviewed on a quarterly basis and may present another service opportunity for working with clients who will be struggling with the same HIPAA Security and Privacy issues.
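The two operational pieces above (documenting the four-factor review of each impermissible disclosure, and analyzing the log across all clients for patterns that never rose to a breach) can be kept in a simple incident log. The script below is an added illustration, not code from the article, HBMA, or Sterling Solutions. The record layout, the field names, the 90-day window and the threshold of three events are all assumptions, and the sample log entries are constructed. The code does not decide whether an event is a breach; the reviewer does. It only enforces the Omnibus presumption the article describes: an event is treated as a breach unless a complete, documented four-factor review records a low-probability conclusion.

```python
from dataclasses import dataclass, field
from collections import Counter
from datetime import date, timedelta

LOW, HIGH, UNASSESSED = "low", "high", ""
# The four factors of the Omnibus risk assessment, as named in the article.
FACTORS = ("nature_and_extent", "unauthorized_recipient", "actually_acquired", "mitigation")


@dataclass
class Disclosure:
    """One logged impermissible disclosure or use of PHI (hypothetical record layout)."""
    incident_id: str
    client: str
    occurred: date
    root_cause: str
    # Reviewer's finding per factor: LOW or HIGH; absent or blank means not yet assessed.
    findings: dict = field(default_factory=dict)
    rationale: str = ""                               # the documented good-faith reasoning
    reviewer_concludes_low_probability: bool = False  # the reviewer's recorded conclusion


def assess(d: Disclosure) -> dict:
    """Apply the presumption of breach: the event is a breach unless a complete,
    documented four-factor review supports a low-probability conclusion."""
    missing = [f for f in FACTORS if d.findings.get(f, UNASSESSED) not in (LOW, HIGH)]
    if missing or not d.rationale.strip():
        what = ", ".join(missing) if missing else "rationale"
        return {"incident_id": d.incident_id, "breach": True,
                "reason": "assessment incomplete; treated as breach (missing: %s)" % what}
    if d.reviewer_concludes_low_probability:
        return {"incident_id": d.incident_id, "breach": False,
                "reason": "documented low probability of compromise"}
    return {"incident_id": d.incident_id, "breach": True,
            "reason": "documented review did not support a low probability"}


def recurring_causes(log, window_days=90, threshold=3, today=None) -> dict:
    """Count impermissible disclosures by root cause across ALL clients in the window.
    A cause reaching the threshold is flagged even when none of its events was a breach,
    which is the 'near miss' pattern the article warns about."""
    today = today or date.today()
    cutoff = today - timedelta(days=window_days)
    recent = [d for d in log if d.occurred >= cutoff]
    flagged = {}
    for cause, n in Counter(d.root_cause for d in recent).items():
        if n >= threshold:
            events = [d for d in recent if d.root_cause == cause]
            flagged[cause] = {
                "count": n,
                "clients": sorted({d.client for d in events}),
                "breaches": sum(assess(d)["breach"] for d in events),
            }
    return flagged


def _all(value):
    """Helper for the constructed sample: every factor recorded with the same finding."""
    return {f: value for f in FACTORS}


# Constructed sample log; client names, dates and causes are invented for illustration.
SAMPLE_LOG = [
    Disclosure("D-001", "Clinic A", date(2013, 8, 2), "misdirected patient statement",
               _all(LOW), "Statement returned unopened by recipient; no PHI viewed.", True),
    Disclosure("D-002", "Clinic B", date(2013, 8, 20), "misdirected patient statement",
               _all(LOW), "Recipient is a covered entity that confirmed destruction.", True),
    Disclosure("D-003", "Clinic A", date(2013, 9, 5), "misdirected patient statement",
               _all(LOW), "Wrong suite in same building; envelope recovered sealed.", True),
    Disclosure("D-004", "Clinic C", date(2013, 9, 10), "lost thumb drive",
               {"nature_and_extent": HIGH}, "", False),   # review not finished
    Disclosure("D-005", "Clinic B", date(2013, 4, 1), "misdirected patient statement",
               _all(LOW), "Older event, outside the 90-day review window.", True),
]
REVIEW_DATE = date(2013, 9, 30)  # fixed 'today' so the report is reproducible

if __name__ == "__main__":
    for d in SAMPLE_LOG:
        r = assess(d)
        print(r["incident_id"], "BREACH" if r["breach"] else "not a breach", "-", r["reason"])
    for cause, info in recurring_causes(SAMPLE_LOG, today=REVIEW_DATE).items():
        print("pattern:", cause, info)
```

In the sample run, the three misdirected statements are each documented as low probability and are not breaches, yet the cross-client count flags "misdirected patient statement" as a recurring cause, which is exactly the weakness the breach log alone would hide. The unfinished review of the lost thumb drive defaults to a breach until the remaining factors and rationale are recorded.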

The updated breach rules in the HIPAA Omnibus Rules lower the barriers for a breach and increase the work that you and your clients need to do to track impermissible uses and disclosures of PHI. The analysis of impermissible disclosures and use can help you identify weaknesses and strengthen your privacy and security strategies. Alternatively, a history of impermissible uses and disclosures may unfavorably reflect on your services and risk your client relationships even if you have avoided an actual breach.

Recognizing these challenges and improving management of your compliance efforts may avoid disclosure and use problems as well as help your clients cope with a more demanding HIPAA Security and Privacy standard.

Ron Sterling (800-967-3028) publishes the popular EHR Blog and authored the HIMSS Book of the Year Award-winning Keys to EMR/EHR Success. He is an independent EHR consultant. © Sterling Solutions, 2013.
