HIPAA Law and HITECH/Omnibus Conformance – Small Medical Practice

August 14th, 2017

As the owner of a small to medium-sized medical business (a 1-19 physician practice, say, with 5-50 employees) you have many concerns: how to hire and retain competent staff, how to deal with your vendors such as office payroll, billing and collection services, and, above all, how to serve your patients’ needs in the most economical and expeditious way, for example by speeding up scheduling, quickly accessing medical records and coordinating treatment with other doctors. Time spent managing your information and communications infrastructure for HIPAA or HITECH compliance may not seem to be the most critical aspect of your work.


However, the use of ICT – information and communications technologies –  in the healthcare industry has become increasingly pervasive and has special relevance for every medical practitioner, given the provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which adds more substance to the original Health Insurance Portability and Accountability Act (HIPAA)  privacy and security rules.  HITECH also incentivizes medical practitioners to step up their use of electronic health records (EHR) to “exchange electronic health information with, and integrate such information from, other sources.”

In addition to promoting the secure use of health information technology, HITECH extended the reach of HIPAA to also include the “business associates” of “covered entities” (such as your practice) within the regulations, and tightened the conditions for reporting security breaches to government agencies and affected individuals.  In 2013, HIPAA/HITECH was updated by the Omnibus Rule to require, among other things, that business associates are also mandated to report security breaches and be directly liable for any non-compliance with the regulations. (Prior to this, they were only liable to their clients.)

Given all these changes, the last thing you probably want is an investigation by the Department of Health and Human Services (HHS) into a breach of (electronic) Protected Health Information (ePHI) by you or one of your vendors, probing your compliance with the HIPAA/HITECH provisions. More than twenty years after HIPAA was enacted, and well over a decade since its Privacy and Security Rules took effect, ignorance of the law on health information security and privacy is no longer accepted as an excuse. Failing to know and apply the rules can be treated as “willful neglect”, the highest penalty tier, and with that come stiff penalties when problems arise.

To get a feel for the scope of HIPAA/HITECH, consider the following picture which shows the sorts of interactions with external entities and the types of information flow typical for a small to medium-sized medical practice.  While not showing all types of information exchanges that occur, and omitting for simplicity other entities with which interactions are possible, even a cursory look at this figure shows the many instances where ePHI is stored and transmitted.


Consider, for example, the use of a web-based portal to make patient-doctor/office staff communications time- and cost-efficient as well as productive. Or take the ability to retrieve, distribute and store medical records with other supporting partners such as test labs, imaging centers, other physicians and pharmacists. Even a simple medical bill may have ePHI, which is subject to protection under HIPAA.

The rise of wireless technology adds another level of security concern to what is already a complex area. Medical devices might use in-house WiFi to transmit a patient’s health data, while laptops and other mobile devices might make use of the same wireless network to connect to internal and external servers. HIPAA/HITECH does not mandate specific encryption technologies, but here again the devices must be chosen so as to support current wireless encryption (WPA2-Enterprise, with per-user 802.1X credentials rather than a single shared pre-shared key that every departing employee takes with them); otherwise an attacker within radio range can eavesdrop on or join the network. Authentication and access controls are equally important.

Increasingly, the ubiquitous mobile phone is used to access patient medical records, or to run medical apps as a matter of convenience. Apart from theft or loss, even the availability of the cell phone camera can be a serious source of ePHI breach if photography is not monitored and images are not properly secured. Even seemingly simple actions like texting an appointment reminder to a patient or answering a patient’s questions via email might open a practice to the potential for a HIPAA/HITECH violation if care is not taken to ensure appropriate security of the device, the mobile platform, the app and the communications channel. The availability of a variety of medical apps that allow patients to monitor aspects of their health also leads to an uncharted area. Might a practice be indirectly liable for a loss of medical data from a patient’s medical app on their own device, if that data was shared with the doctor?

Thus, each interface and interaction has the potential for a HIPAA/HITECH protected information breach. All these aspects remind us of the need for clear policies about the use of technology and their HIPAA/HITECH ramifications. These policies cannot just be in a book somewhere, but must be a part of every employee’s work habits. Also, given the chain of liability that is now in place owing to the Omnibus Rule, a medical practice can be audited after a breach for non-compliance by one of its vendors.

So what then is a small health care practice to do under these circumstances?

We offer a high level view of the choices available for your IT infrastructure, before recommending a path through this thicket of regulations and technology choices.

Types of IT solutions

There are three options for the basic IT infrastructure of a small medical practice. (Large organizations also have these options; however, they also have the resources to run their own IT operations and can command the services of outside vendors/partners to try out different solutions or create bespoke ones.)

  • A bundled architecture, where a healthcare-specific software bundle is purchased and installed in each desktop/laptop. This is analogous to buying licenses for office productivity software such as Microsoft’s Office 2013 and earlier releases.
  • A thin client architecture where the software on the desktop/laptop (client) is basically the web browser, having only the ability to read/write/update data stored and maintained on on-premises or off-premises server(s) under the control of the organization.
  • A cloud-based architecture, which maintains a thin client behavior on the client side while changing the server-side solution: instead of dedicated servers maintained by the organization, this solution offers a utility-like model where the software, data storage, and computing resources are maintained by a third party.  This is often referred to as a “Software as a Service” (SaaS) model.

Each of these options involves balancing their security ramifications, especially in the ePHI protection context, against other factors such as cost, efficiency and convenience of operations.

The bundled software solution requires you and your staff to understand how to use the proprietary software. This may or may not be a major issue, but it does tie you to a particular vendor, as the learning curve to switch to another software product may be steep. Also, when the software needs to be upgraded, technical support may be required and the activities at each workstation disrupted. Most desktops/laptops contain other software, for example web browsers and email programs. These are often the direct conduits for cyber-security attacks, such as malware installations arising from unsafe browsing or opening unknown email attachments. Such malware can spread within the system and siphon off ePHI. Unless your staff can be kept constantly alert to security threats, and the security components of their workstations such as antivirus and malware filters regularly updated, this type of solution remains fraught with opportunities for breach.

Moreover, unless the USB ports of your workstations are disabled (some use glue!) and the laptops locked down, there is little one can do to prevent data theft by a determined rogue insider. Most ePHI breaches to date have not been sophisticated hacks but losses through negligence: an employee’s laptop left in, and stolen from, a car, for instance. The walking-laptop or portable-storage theft/loss breach problem can be mitigated by ensuring full disk, volume or virtual disk encryption, and by verifying that it is actually switched on for every device rather than assuming it is. An IT security professional can guide you on the differences and the circumstances where each is appropriate.
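One practical follow-up to the encryption point above is a check that every data-bearing mount on a Linux laptop actually sits on an encrypted (dm-crypt/LUKS) layer. The following is an added example written for this post, not code from the original article or from any vendor it mentions. It parses the JSON that `lsblk -J -o NAME,TYPE,MOUNTPOINT` produces and reports mounts whose device chain contains no `crypt` layer. The sample `lsblk` output embedded below is constructed for illustration; the list of boot mounts to ignore is an assumption you should adjust to your own disk layout.

```python
import json
import sys

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` output (assumption):
# / and /home live on LVM inside a LUKS container, /boot and the EFI partition
# are plain, and a USB stick is mounted unencrypted at /mnt/usb.
SAMPLE_LSBLK = """
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "mountpoint": "/boot"},
    {"name": "nvme0n1p3", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
        {"name": "vg-home", "type": "lvm", "mountpoint": "/home"}
      ]}
    ]}
  ]},
  {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "mountpoint": "/mnt/usb"}
  ]}
]}
"""

# Mounts that normally cannot be encrypted with dm-crypt (assumption; adjust).
BOOT_MOUNTS = ("/boot", "/boot/efi")


def _walk(dev, under_crypt, out):
    """Depth-first walk of the lsblk tree, remembering whether any ancestor
    (or the node itself) is a dm-crypt device."""
    encrypted = under_crypt or dev.get("type") == "crypt"
    # Newer util-linux emits a "mountpoints" list, older versions "mountpoint".
    mps = dev.get("mountpoints") or [dev.get("mountpoint")]
    for mp in mps:
        if mp:
            out.append((mp, dev["name"], encrypted))
    for child in dev.get("children", []):
        _walk(child, encrypted, out)


def mount_encryption(lsblk_json):
    """Return [(mountpoint, device, is_encrypted), ...] for every mount."""
    out = []
    for dev in json.loads(lsblk_json)["blockdevices"]:
        _walk(dev, False, out)
    return out


def unencrypted_mounts(lsblk_json, ignore=BOOT_MOUNTS):
    """Mountpoints with no crypt layer beneath them, minus expected plain ones."""
    return sorted(mp for mp, _, enc in mount_encryption(lsblk_json)
                  if not enc and mp not in ignore)


if __name__ == "__main__":
    # Pipe real output in (`lsblk -J -o NAME,TYPE,MOUNTPOINT | python3 fde_check.py`),
    # otherwise fall back to the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LSBLK
    for mp, dev, enc in mount_encryption(data):
        print(f"{mp:12s} {dev:12s} {'encrypted' if enc else 'PLAIN'}")
    bad = unencrypted_mounts(data)
    print("unencrypted data mounts:", bad or "none")
    sys.exit(1 if bad else 0)
```

The check only proves that a dm-crypt layer is present; it says nothing about passphrase strength or whether the key is protected by a TPM. On Windows and macOS the equivalent one-liners are `manage-bde -status` and `fdesetup status`, and a removable drive such as the `/mnt/usb` entry above is exactly the kind of device that walks out of the office unencrypted.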

The thin client approach has the benefit of removing disruptions from software updates. Updating happens on the server side and is typically transparent to the user, unless there are major changes to a familiar user interface. Careful password management, client-side certificates and similar techniques can prevent rogue devices from connecting to the server. Thin clients are considerably cheaper than desktops/laptops, and the savings can go towards hiring qualified IT staff to run the server(s) and to harden them and the gateways to external entities. If using a thin client model, office productivity software cannot be maintained on the client and needs to move to cloud-based services like Google Apps, Office 365, etc. Happily, from a security viewpoint, many thin clients ship without external storage ports, or allow them to be disabled centrally, making siphoning off data more arduous.

And, as always, HIPAA/HITECH requires that records be kept: the Security Rule calls for a data backup plan and a disaster recovery plan as part of contingency planning, compliance documentation must be retained for six years, and state law typically sets longer retention periods for the medical records themselves. All of this leads to finding a secure and reliable backup and storage solution, including disaster recovery. Storage services like Dropbox or Box that offer a business associate agreement can be used for these purposes, but only after that agreement has been signed and the service configured as the agreement requires.

The cloud-based (SaaS) solution may have advantages for organizations of all sizes.   Software-as-a-service solutions are particularly good because

  1. Price: the price point can be very attractive,
  2. Less work: your staff do not have to setup or maintain the software or hardware,  and
  3. Less risk: many of the HIPAA/HITECH burdens (e.g. regular updates, media disposal, encryption standards, etc.) are moved from your organization to the software provider, although your practice remains responsible for choosing that provider carefully and for its own access controls, policies and workforce training.

SaaS solutions often use a public cloud infrastructure and enable a pay-for-what-you-use model which is easy to swallow compared to the capital and operational costs of maintaining an in-house IT solution with a private server farm. Cloud solution providers use various techniques to ensure that their computing infrastructure securely partitions different customers’ data. A cloud solution can readily meet the HIPAA/HITECH challenges of storage with disaster recovery. There is no official HHS certification for HIPAA/HITECH compliance as yet, but independent auditors have attested that the most popular cloud providers satisfy the regulations. Note however, as HHS points out, that a cloud provider, even if retained by another vendor you have contracted for IT services, remains your “business associate” and must be covered by a business associate agreement (BAA). Most major cloud providers have hardened their platforms to accommodate running HIPAA/HITECH-conformant applications, and offer BAAs, but it would be well to check that such agreements are actually in place, even if your IT needs are outsourced.

What then must a small practice do for HIPAA and HITECH law compliance?

We have written extensively in previous posts about the HIPAA/HITECH landscape and its ramifications for medical practitioners. One previous post, with advice for the small provider market on getting HIPAA compliant, is particularly relevant and is worth reading in full. We reiterate its key messages here because they reinforce the point made in the previous sections of this post: understanding the nuances of HIPAA/HITECH, combined with the complexity of technology choices, requires expert advice. That is best achieved by establishing a dedicated role in your company and taking steps that go beyond the duties normally associated with a medical practice:

  1. Compliance officer: Identify a security and compliance role within the organization, so that the associated person can be the go-to person on explaining, implementing and policing the different aspects of HIPAA/HITECH compliance;
  2. Risk analysis: Analyze all aspects of your current and planned IT infrastructure to identify points where PHI is at risk if there is a security breach;
  3. Documentation: Improve your processes based on such assessments and take steps to mitigate weaknesses. Have the compliance officer document all the measures taken to comply with the regulations, so that the record is readily available in case of an HHS audit; in particular, document your rationale for the various technology choices;
  4. Outsource Risk and Work: Outsource business functions that are accomplished via IT to vendors who have demonstrated their understanding of the security and privacy requirements of HIPAA/HITECH and with whom you should have business associate agreements;
  5. Repeat: Continuously monitor your operations for adherence to your defined policies, and remember that maintaining security and privacy is an ongoing process, not a one-time hire-and-forget activity.

Companies such as LuxSci provide secure SaaS web hosting, email and other services for just such situations.