Need a cure for ‘HIPAA Surprise’?


The HIPAA Privacy Rule included the requirement for Business Associate management … back in 2003. The HIPAA Security Rule required a Risk Analysis … starting in 2005. So why are health care providers scrambling to get a handle on their Business Associates, and why were so many unprepared when a Risk Analysis was required to earn the incentives for implementing Electronic Health Record systems?

Business Associates: a 10-Year-Old Requirement

The new HIPAA Omnibus Final Rule goes into effect in March, and Business Associates must comply by September. The next couple of months will be interesting as companies are asked to sign Business Associate Agreements (BAAs) for the first time, after providing services to health care clients for many years. I have spoken to large groups of IT providers and always hear them say they have health care clients who have never asked them to sign BA Agreements, a requirement since 2003.

Security Risk Analysis: 8 years old

In 2012 we performed the Meaningful Use Core Measure 15 Security Risk Analysis for health care providers. The information from the Office of the National Coordinator (ONC) said that the eligible practitioner should “Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1)…” That section of the Code of Federal Regulations describes the requirements of the HIPAA Security Rule, which had gone into effect in 2005 (after the interim rules were published in 2003).

The practices surprised by the EHR Incentive Program Meaningful Use requirement should have had risk analyses going back eight years. They knew what a Notice of Privacy Practices (NPP) was, and that they should be careful with patient information, but little else. They had complied with the Privacy Rule, but the Security Rule contained a lot of technical requirements and was largely ignored. The good news for these practices was that the HIPAA enforcers were strapped for resources and were not aggressive with enforcement.

When we started each Meaningful Use Risk Analysis we asked to talk with the HIPAA Security Officer and to see the most recent HIPAA risk analysis. Neither was forthcoming, so we included the compliance components in the remediation required after our risk analysis.

Enforcement: 1 year old

In 2012 the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued several large fines for incidents that resulted in breaches of confidential patient data. In several of the cases (including $1.5 million and $1.7 million penalties) the agency said the large fines were not just for the events that caused the loss of patient data, but for the ‘willful neglect’ of HIPAA. These health care organizations had not complied with the most basic requirements of policies, procedures, end-user training, and documentation showing ongoing HIPAA compliance. The breaches of patient data were considered the end result of their non-compliance.

If your Meaningful Use Security Risk Analysis did not meet the requirements of the EHR Incentive Program, and you attested anyway, you risk penalties under the federal False Claims Act. Audits are being done now and enforcement will be handled by the Medicare Office of the National Coordinator.

Compliance is Easy?

The Director of the Office for Civil Rights has said he believes that complying with HIPAA should not be a big burden for Business Associates because they have always had to comply with the requirements of their Business Associate Agreements. He is assuming that practices have been compliant since 2003, which is not our experience.

A Solution for Many Years of Neglect

We have experience both as a Covered Entity and a Business Associate.

If you are a health care organization, Semel Consulting can help you ‘jump-start’ your HIPAA compliance by providing you with a complete solution including policies, procedures, end-user training, Business Associate management, and the ongoing tasks of maintaining and documenting compliance. You assign a HIPAA Security Officer and we do the rest.

If you are a Business Associate, we can help you quickly develop a compliance program so you can keep your health care clients and increase your sales to others. We provide you with the same tools as a medical practice, plus guidance on how you can provide your services with an eye on compliance.