How the HIPAA Omnibus Rule Affects Email, Web, FAX, and Skype
We have written extensively in the past about the impact of HIPAA regulations on email services, web hosting, faxing, and Skype use. The recent HIPAA changes reflected in the Omnibus rule have a significant impact on the use of these types of services. Here, we examine the new and important considerations based upon the HIPAA Omnibus Rule.
The Omnibus rule finally requires that all of your Business Associates be fully HIPAA compliant themselves and that they establish Business Associate agreements with all of their vendors/partners that are involved in PHI. This establishes a big chain of custody where everyone at every level is equally responsible.
Previously, many/most vendors would:
- Say that their services have security that allow you to meet your compliance needs
- Say that as they are not medical entities, that they do not need to be compliant themselves
- Never consider entering into HIPAA Business Associate Agreements with their own vendors … let alone choosing vendors based on HIPAA compliance needs.
- Signed Agreements: You have signed HIPAA Business Associate Agreements with all vendors who may access your PHI.
- Updated Agreements: Your vendors are themselves being HIPAA compliant, including entering into agreements with their vendors/partners. You do not want to use a vendor whose head is in the sand with “HIPAA Compliance” statements made years ago. That viewpoint places as much of a liability burden on you as it does on them.
For example, LuxSci follows HIPAA compliance procedures for PHI stored on and passing through its systems, requires that you sign Business Associate agreements with it, has signed Business Associate agreements with relevant vendors, and takes steps to lock down your account to minimize the possibility of a breach.
- Email & Web Services: Get or verify updated contracts
- FAX services: Be sure you have contracts with any services that you use that processes your FAXes for you.
- Skype: Microsoft will not sign a BAA for Skype. It seems less debatable now that this is needed … so we would recommend choosing some other more specialized vendor for video conferencing.
Strict Definition for Breach Reporting
Previously, you only had to report a breach if was determined that there is significant risk that the breach would harm the patient’s finances or reputation.
Now, with the Omnibus Rule, you have to report any breach, unless a risk analysis shows that there is a very low probability that the breached data will be improperly used.
This means that you and your vendors must tighten up your ships and be very careful about what happens!
The risk analysis works based on these criteria:
- Was the data seen/used? If the data was destroyed before being seen or used or if a lost asset was recovered and you can show that it was not accessed … then the probability is low and there is no breach. If an email was sent to the wrong person and it did not bounce … then the risk is high and there is a breach. If documents are sitting on a FAX machine where unauthorized people can and do look, then the risk is high and there is a breach.
- Who got the information? If another business associate received the data, then the risk is likely low. If you do not know who accessed it or it was someone who is not bound by law to protect it, then the risk is high.
- What kind of information? Information that could damage a person’s reputation (e.g. medical test showing embarrassing results) or financial status (e.g. credit card information) would be high risk.
- How were things fixed? If the issue was mitigated well, with proper assurances of disposal or return of data, then the risk may be low. You must consider the reliability of the recipient in this determination, or course.
- Email: Sending PHI without encryption must be assumed to be a breach in many cases. Email systems that use “opt in” for encryption are probably a bad idea now, as it is all too easy to accidentally cause reportable breaches just though inaction. LuxSci, for example, has always taken the opposite tact — all email is encrypted unless you explicitly say that encryption is not needed. This is a little more work in some cases, but very much safer in terms of HIPAA.
- Web: Having public web sites or file shares where ePHI may be posted or exposed accidentally must be avoided at all costs. Even if you are moderating and take things down very quickly, a breach must be assumed. All web design decisions must be carefully made.
- FAX: FAXes that contain PHI must be protected and you must avoid the possibility that someone unauthorized might see a FAX laying around. We would recommend ending use of FAX and switching to secure email instead.
- Skype: It is known that Microsoft logs all Skype chats … so any PHI going over Skype is probably an automatic breach. What really happens to Skype audio and video is not so clear — and since clarity must win over assumptions with the Omnibus rule … you probably should not use Skype for PHI transmissions at all.
Penalties and Enforcement
Ok, so if that was not enough, we have the double whammy for violations:
- The penalty limit has been doubled to $50,000 per violation (with a yearly cap of $1.5 million/yr in fees)
- HIPAA is now going to be enforced vigorously … companies have already been fined extensively and that is just going to continue.
- Get your head out of the sand.
- Don’t think that you are too small for HIPAA to apply or to get dinged.
- Pay for services that ensure your compliance.
- Get insurance to cover you if you are unwittingly out of compliance.
You can no longer do “business as usual” … you need to do things securely and compliantly. You will have to spend time ensuring that your organization is internally compliant and that the vendors that you use are similarly compliant. You will likely have to change the way that you do things in some areas to achieve a higher level of security and a lower level of risk.
According to the Omnibus Rule … its time to “buck up” and get compliant before September 23rd, 2013!