Watch out for state-law violations.
Maybe you know that your general surgery practice is on the ropes for compliance with the Health Insurance Portability and Accountability Act (HIPAA), or maybe you think you have it all figured out.
Either way, you might have a thing or two to learn, so we’ve gathered comments from experts’ public postings to identify the major HIPAA compliance trends for 2015.
1. Expect Tougher OCR Audits
One of the biggest HIPAA compliance trends in the year ahead will be the stepped-up audit program of the HHS Office for Civil Rights (OCR).
“The attention and enforcement actions from OCR are likely to be on an order that U.S. providers and other covered entities [CEs] simply haven’t seen before, and it’s going to take many by surprise,” cautioned Mark Fulford in a blog posting for LBMC Security & Risk Services. “We expect OCR to exercise new levels of scrutiny and enforcement in order to identify healthcare organizations’ particular risks,” Fulford said.
Also, use of the OCR online complaint system will continue to increase this year, and OCR received a $2-million budget increase for fiscal year 2015, noted attorney Elizabeth Litten in an assessment posted by the law firm Fox Rothschild LLP. Together, these will mean more OCR compliance investigations, audits, and enforcement actions.
2. Watch for Lawsuits Based on State Law Claims
Although HIPAA provides no private right of action, plaintiffs have not shied away from bringing lawsuits in state courts after breaches, and several of them have won.
Last year, individual plaintiffs prevailed in several cases, obtaining settlements and jury verdicts for alleged HIPAA violations, pointed out attorney Linn Foster Freedman in a recent analysis for the law firm Nixon Peabody LLP. Because HIPAA itself cannot be sued under directly, these cases were “presumably based on state law claims.”
3. Protect Against Cybercriminals
“We anticipate that [2015] will be another year of damaging and costly cyber-attacks,” Fulford warned earlier this year.
In fact: At least two major healthcare data breaches have already occurred this year: a cyberattack on Anthem, affecting records of up to 80 million current and former members of Anthem and its affiliated Blue Cross and Blue Shield plans, and a breach at Premera Blue Cross affecting 11 million customers. The exposed data may have included names, birth dates, Social Security numbers, addresses, phone numbers, employment information, and medical claims data, including clinical information.
Result: HIPAA enforcement will likely focus increasingly on employee training, review of systems security, and independent third-party review to verify that you are as protected from cyber threats as you can be. You and your business associates (BAs) must prepare for these risks in order to mitigate or avoid them, Fulford stressed.
Pitfall: Remember, “with more data storage on ‘cloud’ based servers, healthcare data makes for an attractive target for cybercriminals,” cautioned attorneys Bruce Platt and Robert Slavkin in a recent blog posting for the law firm Akerman LLP.
4. Beef Up Your BAAs
With so many CEs getting into hot water lately because of their BAs’ mistakes, BA Agreements (BAAs) will likely become more sophisticated, detailed, and frequently negotiated, Litten predicted.
For example: CEs may require their BAs to implement very specific security controls, perhaps tailored to particular circumstances, or to comply with a specific state law’s privacy and security requirements, Litten posited. BAAs may also limit the creation or use of de-identified data, or require the BA to purchase cybersecurity insurance.
“In short, the BAA will increasingly be seen as the net (holes, tangles, snags and all) through which the underlying business deal must flow,” Litten noted.
5. Comply with the TCPA
Another privacy and security concern for the healthcare industry is compliance with a different federal law: the Telephone Consumer Protection Act (TCPA).
Because providers increasingly use technology such as text messages to patients’ mobile phones for appointment reminders, they need to be mindful of TCPA compliance, Freedman said.
Tip: Be sure to comply with the TCPA if you use the telephone, including text messaging, to contact patients about their care. For instance, “TCPA requires that the express written consent of the patient must be obtained prior to texting a patient,” Freedman instructed. “If you plan to text patients at all, take the time now to update your patient intake form to include ‘express written consent’ to text the patient on their cellphone.”