Reading Between the Lines of HIPAA Compliance
It's no surprise that the rules and regulations governing how we do business are complex and, at times, difficult to read. The same is true for the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164 (even the title is a mouthful!) – or, as you may know them, the HIPAA Rules.
Indeed, understanding what your billing company's required versus recommended compliance practices are for the HIPAA Rules can be confusing. There is, in fact, a simple reason for this. The HIPAA Rules were not created for, nor are they geared toward, billing company compliance, except for stating that the HIPAA Rules govern conduct by covered entities. Covered entities under the HIPAA Rules are health plans, healthcare clearinghouses, and healthcare providers that conduct certain financial and administrative transactions electronically.
So where do billing companies come in? Billing companies are a special case. They fall squarely in the middle of many covered entity relationships, so much so that the federal government has carved out a classification under the HIPAA Rules which most – if not all – billing companies qualify for: business associate.
Under the HIPAA Rules, a business associate is a "person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information." [1] (Protected health information [PHI] is any patient information that is individually identifiable to that patient – for example, name, social security number, picture, driver's license identification, or any combination of information that may be individually identifiable, such as date of birth, gender, and diagnoses.)
In order to understand the business associate's role in protecting patient information and complying with the HIPAA Rules, you must read between the lines – parsing out covered entity requirements that impact business associates and uncovering areas of potential exposure. This article, then, will help you do just that. We will review the requirements that impact covered entities and billing companies. Finally, I will summarize these requirements along with best practices for implementing them (if you read only one section of this article, be sure to read the final section on best practices).
1. Business Associate Agreements
Covered entities are required to enter into contracts with their business associates. The purpose of these contracts, as intended under the HIPAA Rules, is to lay out what the permissible uses and disclosures of PHI are for the business associate – thereby creating standards for the business associate. According to the HIPAA Rules, business associate agreements must:
- Establish the permitted and required uses and disclosures of PHI by the business associate;
- Provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law;
- Require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI;
- Require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured PHI;
- Require the business associate to disclose PHI as specified in its contract to satisfy a covered entity's obligation with respect to individuals' requests for copies of their PHI, as well as make available PHI for amendments (and incorporate any amendments, if required) and accountings;
- To the extent the business associate is to carry out a covered entity's obligation under the Privacy Rule, require the business associate to comply with the requirements applicable to the obligation;
- Require the business associate to make available to the Department of Health and Human Services (HHS) its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity's compliance with the HIPAA Privacy Rule;
- At termination of the contract, if feasible, require the business associate to return or destroy all PHI received from, or created or received by the business associate on behalf of, the covered entity;
- Require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to PHI agree to the same restrictions and conditions that apply to the business associate with respect to such information; and
- Authorize termination of the contract by the covered entity if the business associate violates a material term of the contract. Contracts between business associates and business associates that are subcontractors are subject to these same requirements.
While the HIPAA Rules do not place requirements on the business associate through statute for internal compliance, the required contractual terms between the covered entity and the business associate do create an obligation for preventive HIPAA compliance by the business associate. Specifically, the contract creates a duty to "implement appropriate safeguards to prevent unauthorized use or disclosure," "report," and/or "disclose" upon certain happenings. Additionally, these contracts mean the business associate must adhere to the minimum necessary standard – requiring the business associate to request and utilize only the minimum amount of PHI necessary in the course of its operations.
Other ambiguities arise from these agreements. Most business associate agreements, and certainly the standard form on the Office for Civil Rights website, [3] do not offer further guidance on what "appropriate safeguards" are required or recommended for business associates. Reference is made to required compliance under the Security Rule, which would indicate written policies and procedures are, in fact, required for business associates, creating a contradiction to prior statements in the HIPAA Rules that applicability is to covered entities only. The way around the contradiction from the government's perspective (and for any would-be attorneys reading this) is the assertion that the obligation created on the business associate is by contract, not by law.
There are ways for billing companies to address the items in these contracts. You can modify which appropriate safeguards your company agrees to adhere to by listing in your business associate agreements what your company already has in place and agrees to do to safeguard PHI. Accepting default language, which means you will adhere to all general requirements of the HIPAA Rules, will most likely obligate you to conform to standards of operation you may not have in place and may be completely unaware of. In this case, you will be held responsible should PHI be disclosed in a manner that is not authorized by your business associate contract. And, while the HIPAA Rules may not explicitly govern business associates and dictate compliance requirements, they do state that a "business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of PHI that are not authorized by its contract or required by law [including compliance with the HIPAA Security Rule, discussed below]." [4]
You should view your business associate agreement as an opportunity, not an obligation. The HIPAA Rules authorize parties to utilize their business associate agreements as risk-defining or risk-shifting legal documents. This means each of the parties is authorized by contract to explicitly state what they agree to be responsible for, and what they agree not to take responsibility for – financial or otherwise. Don't miss out on this opportunity to protect your company. Utilize your business associate agreement as a tool for protection, define what risks you agree to take on and what protections you agree to have in place, and require the covered entity to take responsibility for any liability outside of your agreed upon realm. Keep in mind that I give this same advice to my covered entity clients – so, when both parties are aware of this opportunity, mutual language that outlines each party's responsibility must be accepted. This risk shifting is typically accomplished through an indemnification provision, which is a recommended provision defining who is responsible for what risks, and is not necessarily a standard provision in a business associate agreement.
2. Internal Risk Assessment
As you have seen, the HIPAA Rules were not created to dictate the terms of a billing company's obligations; however, whether by contract or implicitly by statute, requirements exist in the HIPAA Rules that pertain to your operations. Similarly, while not explicitly stated, careful analysis reveals that business associates are required to conform with the HIPAA Security Rule, a recent addition to the HIPAA Rules requiring certain safeguards for electronic PHI. Compliance with the HIPAA Security Rule requires you to complete two items, the second of which we will discuss in this section. First, you must have a written policy addressing the administrative, technical, and physical safeguards for keeping PHI safe (discussed next), and second, you must conduct a regular risk assessment of internal compliance and areas of potential exposure. We will discuss risk assessment first because without an initial risk assessment, you cannot start the policy.
Risk assessment does not have to be a complex or overwhelming process, depending on the scale of your company and the support it has during the process. Risk assessment standards have also been promulgated by the federal government. For help, you can use the Security Risk Assessment Tool that the Office of the National Coordinator for Health Information Technology, in collaboration with the HHS Office for Civil Rights and the HHS Office of the General Counsel, has made available online.
Through risk assessment (which we will address in more detail in a future article), you will identify the areas of your billing company that require greater protection, including creation of policy. For example, let's say you have employees working from home. You can determine from your risk assessment that you are not tracking what hardware is being used, or you do not have secure access to your system, or you do not have a policy for the employees who work from home dictating their responsibility to properly protect patient information. In this example, you and your company may have some exposure. As stated above, exposure under HIPAA may be significant – potentially leading to substantial fines, an investigation by the Office for Civil Rights, for which you will have to retain competent healthcare counsel, and even criminal exposure.
3. Recommended Internal Policies
If you adopt compliance without a written policy, have you adopted compliance? If you ask the Office for Civil Rights, they will likely say "no." Still, knowing which written policies to adopt is a fluid question, as your operations may be in flux or expanding at any given time.
View your written policies as a constitution for operating your business, not as a necessary evil that you file away in a cabinet, only to bring out again during an audit. Your written policies are required to be in the hands of your company's security officer, who should use the policies for training and tracking purposes as they relate to your day-to-day operations. If you have purchased policies you do not regularly use and do not necessarily understand, the policies may not be the right fit for your organization. Make sure you adopt policies that you understand (i.e., are written in plain English) and can use.
4. Recommended Best Practices
The following is a summary of the requirements discussed above, followed by a best practice for implementing that item.
Requirement: Have agreements in place between your company and covered entities governing the treatment of PHI.
Best practice: Take advantage of the opportunity to protect your company and shift your risk in your business associate agreements.
Requirement: Assess the risk of unauthorized disclosures of PHI by your company.
Best practice: Regularly (approximately every year) perform a risk assessment with the help of your healthcare attorney.
Requirement: Have written policies applicable to your company.
Best practice: Use the information you gain from your risk assessment to address your areas of potential exposure with written policies so that you can prove attempted, if not actual, compliance.
In general, it is also a good practice to accept that you cannot control every area of potential exposure in your company. Also accept that the best you can do for your own best practices is continue to educate yourself and your staff, and protect yourself and your company through regular education and preventive compliance activity. Conducting regular risk assessments and adopting written policies are a great start.
It can be tempting to shy away from the complexity of the HIPAA Rules. But in doing so, you are putting yourself at risk for potential exposure. And although compliance with HIPAA Rules requires reading between the lines, you can follow the steps above to help you become – and remain – compliant.