4 The Impact of HIPAA and HITECH Regulations on the Couple and Family Therapist

Lorna Hecker, Courtney L. Miner, and Megan J. Murphy
At a Midwestern mental health clinic, an employee received an e-mail that informed her that her mailbox was flooded, and that her e-mail service would be suspended unless she clicked on the link provided within the e-mail so that they could provide her with more storage space. When the employee clicked on the link, she unknowingly unlocked Cryptolocker malware, which encrypted all of the data housed on the clinic server, including case notes, but also client social security numbers, birthdates, credit card information, and health insurance information. The clinic had no way to decrypt the data, nor did it have backup files. The clinic was contacted by an anonymous source who offered to decrypt the data for $1000. Because the clinic had no way to get access to the information it needed to run its business, it had no option but to pay the ransom. Further, the clinic lacked basic audit controls such as audit logs, access reports, and data usage reports, so it was unable to ascertain if this information was breached or used by the criminals who extorted the clinic.

In Chapter 3, the ethical mandate that client information is kept confidential was introduced; this dictate is also typically codified into state law. However, as more therapists rely on electronic health records (EHRs) and other forms of digital data, electronic storage and transmission of confidential client information brings a changing paradigm of maintaining client confidences, as this scenario illustrates. The clinic in our example potentially exposed its clients to identity theft, as well as medical identity theft. Identity theft includes criminals using social security numbers and/or bank or credit card numbers for economic gain (U.S. Department of Justice, 2015).
Additionally, loss of the health insurance information makes individuals vulnerable to medical identity theft. Medical identity theft occurs when health insurance information is used criminally to procure medical or mental health services or to obtain government benefits. There are several dangers that can occur as a result of medical identity theft: treatment records may now contain the health information of someone other than the client, including a false diagnosis or different medications; clients may receive bills for someone else’s treatment; or insurance benefits may be exhausted (Synovate, 2007). In addition to identity theft and medical identity theft, there are other concerns when the privacy of client treatment information is lost. An organization or practice may suffer loss of clients, loss of customers (those who pay for therapy services), loss of future clients, and loss of staff. The Ponemon Institute (2014) notes that the cost of a data breach is around $200 per individual record. Although there is no legal cause of action written into Health Insurance Portability and Accountability Act (HIPAA) regulations, state attorneys general may sue, and other sources of legal woes include state consumer protection laws, as well as torts for breach of privacy. Case law is still in its infancy with regard to HIPAA regulations; more clarity on legal consequences will come in the coming decade. However, some lawsuits have prevailed in using HIPAA regulations as the appropriate standard of care in the handling of client data. For example, in North Carolina, psychiatric and other records were improperly accessed and released in regard to a custody case; a lawsuit was filed in which HIPAA was successfully used as establishing the standard of care (Acosta v. Byrum, 2006). Likewise, in Byrne v. Avery Center for Obstetrics and Gynecology (2014), a successful argument was made before the Connecticut Supreme Court stipulating that HIPAA could be used in establishing the standard of care in a breach of contract suit. In this case, the medical center was cited for improper disclosure of records because the center had not followed HIPAA regulations.

Of equal importance for couple and family therapists (CFTs) is that breaches can damage the therapeutic relationship. One survey study cited that 21% of patients said they withhold their or their family’s prescription information, mental illness, or substance abuse history from a health care provider due to privacy concerns (Loria, 2015). If clients do not trust their therapist to maintain the privacy and security of their therapy information, therapy suffers and both clients and CFTs lose. When the federal government encouraged the adoption of electronic health records, it recognized that people would be uneasy about the privacy of their private, protected information being placed online. HIPAA was enacted to help ensure this privacy and maintain client trust in health care providers. In this chapter, we introduce the federal regulations of HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH Act), highlighting how these regulations affect the practice of CFTs. HIPAA compliance is an ethical issue, a risk management issue, a legal dictate, and a progressing standard of care. Becoming educated on HIPAA and HITECH regulations is mandatory to ethical CFT practice (Health Insurance Portability and Accountability Act, 1996; Health Information Technology for Economic and Clinical Health Act, 2009).
Enactment of HIPAA and HITECH Regulations

In response to the changing landscape, which includes storage, use, and transmission of electronic health information, HIPAA was enacted in 1996 with two purposes: the first was to make health information portable so that individuals can maintain health insurance between jobs, and the second was to ensure that health care plans and providers are held accountable with regard to keeping health information private. U.S. Health and Human Services (HHS) established the regulations, which are administered by the Office of Civil Rights (OCR). HIPAA provided federal privacy protections for physical and mental health information, which it termed protected health information (PHI). PHI is any health information used to identify a client that relates to physical or mental health, relating to a past, present, or future condition, for both living and deceased individuals (HIPAA, 45 C.F.R. §160.103). HIPAA regulations protect PHI that is written, oral, or electronic (transmitted or maintained) through privacy and security regulations. HIPAA privacy regulations relate to all forms of PHI, but specifically focus on written and oral PHI. The security regulations focus on protection of electronic PHI (ePHI). In 2009 the HITECH Act was passed, which increased patient rights over their PHI, increased restrictions over disclosure of PHI, increased fines and penalties for HIPAA violations, and brought funding for compliance audits.

How Do Therapists Know If They Need To Be HIPAA Compliant?

If a therapist furnishes, bills, or receives payment for health care in the normal course of business, and any transactions are sent in electronic form, the practice is considered a covered entity (CE). Likewise, if an entity or organization creates, receives, maintains, or transmits PHI on behalf of a CE, that entity is considered a business associate (BA) of the CE.
Both CEs and BAs are required to comply with HIPAA regulations. CEs include a health care provider (including therapists), a health plan, or a health care clearinghouse, which transmits PHI in electronic form. For therapists, HIPAA is typically triggered when they bill insurance electronically. BAs are entities that create, receive, maintain, or transmit PHI on behalf of a CE. Common BAs for therapists include billing services, claims processors, attorneys, accountants, outside consultants (e.g., supervisors), or accreditation bodies. CEs must obtain satisfactory assurances that their BAs are abiding by HIPAA regulations, which is done by using a BA agreement (BAA) or another type of written contract. BAs who use subcontractors are responsible for obtaining satisfactory assurances from their subcontractors. Technically, a therapist who does not bill third-party payers but instead takes private-pay clients only is likely not a CE. However, HIPAA is quickly becoming a standard of care for how health care providers treat PHI (Hecker & Edwards, 2014); therapists will want to understand the regulations and protect their clients’ PHI accordingly. Upon a breach of client PHI, it would be difficult to justify why a therapist did not follow HIPAA guidelines for protecting client information. Additionally, state regulations are beginning to evolve to include HIPAA requirements.

Privacy Regulations

Therapists who are CEs must abide by both HIPAA privacy and security regulations; one requirement of the privacy regulations is that each CE must designate a privacy official (BAs are not required to do this) who oversees administration of and compliance with the privacy rules. Because a full analysis of the privacy regulations is well beyond the scope of this chapter, we cover a few of the regulations that are most salient to CFTs. For more information, see Hecker (2016).
Next we discuss the uses and disclosures of PHI, the HIPAA definition of psychotherapy notes, the interplay between state and federal regulations and ethical codes, the Notice of Privacy Practices (NPP), authorizations for release of PHI, the minimum necessary standard, and the accounting of disclosures requirement.

Use and Disclosure of PHI

The privacy rule (Health and Human Services, n.d.b) regulates both use and disclosure of PHI. Use includes the sharing, application, utilization, examination, or analysis of PHI within a CE or BA. Disclosure refers to the release, transfer, provision of, access to, or divulging of PHI in any other manner to any outside entity. With the exception of psychotherapy notes, most treatment information may be shared for purposes of treatment, payment, or health care operations (TPO). Treatment includes consultation between providers. Payment refers to payment or reimbursement (e.g., claim submission, authorizations, payment postings), and health care operations include quality assessment, competency assessment, performance evaluations, credentialing audits, and so on. State law may be more restrictive about sharing PHI. Because a therapist can share for purposes of TPO, a release of information from the client is not needed when discussing payment information with an insurance company. However, remember that if state law is stricter, it will preempt this release of information. Though many states do make exceptions so that release of PHI can occur for TPO, state statutes must be consulted.

Psychotherapy Notes

In some ways, HIPAA brings additional federal protection to our clients’ sensitive treatment data. Psychotherapy notes are given a higher level of privacy protection under HIPAA than most other types of PHI. HIPAA also buttresses the federal protection of client privilege established in Jaffee v. Redmond (1996) (see Chapter 3).
However, HIPAA regulations only protect what they define as psychotherapy notes, which are limited in scope. Psychotherapy notes are defined as notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record (HIPAA, 45 C.F.R. §164.501). They are to be kept separate from the medical (i.e., case) record, and cannot be used to substantiate billing. Psychotherapy notes specifically:

• Include the practitioner’s impression of the patient,
• Include details of the psychotherapy session inappropriate for the medical record,
• Are solely for the use of the practitioner, for example, for planning future sessions,
• Are kept separate to limit access (including in electronic records) to qualify as psychotherapy notes, and
• Are only accessed by the therapist and possibly a supervisor.

If psychotherapy notes are released at the client’s written request, they lose their heightened protection once they are released (and, for example, are kept by another treating entity). Testing also does not qualify for heightened protection. If a therapist is part of an integrated health care network and psychotherapy notes are routinely shared with others, they also lose heightened protection. Thus, psychotherapy notes must be maintained and used only by the originator of the notes (i.e., the therapist), with few exceptions. Psychotherapy notes do not need to be shared with clients upon their request, unless state law dictates the disclosure. HIPAA does not require a therapist to keep psychotherapy notes (state law may differ).
General Treatment Information

Although psychotherapy notes are given special protection under HIPAA, most people are surprised at what treatment information is not considered psychotherapy notes, and thus is not afforded special protection under HIPAA. This includes:

• Summary information, such as the current state of the patient,
• Summary of the theme of the psychotherapy session,
• Medications prescribed and side effects,
• Any other information necessary for treatment or payment,
• Treatment plan, symptoms, and progress,
• Diagnoses and prognosis,
• Counseling session start and stop times,
• The modalities and frequencies of treatment furnished,
• Results of clinical tests, and
• Any other information necessary for treatment or payment.

Although this seems like bad news, it generally does not have as much impact for therapists, as most states have stricter laws regarding mental health information than HIPAA does. When state laws are stricter, that is, when state laws give clients more rights or privacy protections, state laws are to be followed (with some regulated exceptions). There are some exceptions when psychotherapy notes may be disclosed without an authorization. They are:

• For one’s own training or supervision,
• For defense in legal proceedings brought by the client or client’s representative,
• For HHS to investigate or determine the CE’s compliance with the regulations,
• To avert a serious and imminent threat to public health or safety (e.g., reporting abuse),
• To a health oversight agency for lawful oversight of the originator of the psychotherapy notes, and
• For the lawful activities of a coroner or medical examiner or as required by law.

If psychotherapy notes are kept in a second location, they are not considered psychotherapy notes and are not afforded a higher level of protection.
Clients may not have access to their own psychotherapy notes under HIPAA; if state law allows client access, state law preempts HIPAA.

The Interface of HIPAA, State Law, and Ethical Codes

As noted previously, psychotherapy notes are narrowly defined under HIPAA, although psychotherapy notes are afforded an increased level of confidentiality. However, state mental health laws typically are stricter than HIPAA and often protect much more information than what the government defines under the “psychotherapy notes” provision. Under HIPAA, information not considered psychotherapy notes could be freely shared for purposes of TPO; this is a significant amount of treatment information! Fortunately, state laws are typically more “stringent” with regard to protection of therapy information. A state law is considered more stringent if it either provides more privacy protections for a patient or gives a patient more access to their own PHI. For example, although HIPAA gives a CFT permission to disclose much psychotherapy information without an authorization, if state law does not, state law preempts HIPAA because of its increased protection. Be aware, however, that some state laws do give therapists the right to release information for TPO. To further add confusion, CFTs may rely on their ethical codes for more stringent rules with regard to confidentiality, but mental health ethical codes often are written such that client confidences should be maintained except where mandated or permitted by law. A good rule to follow is “When in doubt, don’t give information out.” This is where a CFT may want to consult an attorney to clarify both client confidentiality and privilege rights and limitations. Additionally, with regard to case records, some states include mental health records under medical records statutes, whereas others have separate record requirements.
Last, CFTs should be aware of other regulations that may affect or interact with confidentiality requirements. These include the Federal Confidentiality of Alcohol and Drug Abuse Patient Records regulations (HIPAA, 42 C.F.R. Part II), the Family Education Rights and Privacy Act (FERPA), the Gramm-Leach-Bliley Act (which regulates personal financial information), Sarbanes-Oxley (financial reporting), and/or the payment card industry data security standard (credit card security). Medicaid or Medicare rules may also apply. States may also have specific laws with regard to this type of private information.

Notice of Privacy Practices

The NPP is probably the most familiar aspect of HIPAA, because everyone gets a copy of it when they initially visit their physician. The NPP educates clients as to their privacy rights, as well as potential uses and disclosures of their PHI. Many therapists fail to integrate stricter state law into their NPP; therapists should educate clients in their NPP when state law guarantees them more rights. There is nothing in the regulations that precludes this inclusion. Model NPPs are available at the HHS website (www.hhs.gov). Therapists should stay abreast of any changes to NPP requirements; HHS offers both privacy and security listservs so that CEs can keep up with regulation changes. NPPs must be prominently posted on an organization’s website, as well as in the office(s). CEs are required to give clients an NPP and attempt to obtain their signature acknowledging receipt of the notice. If a client refuses to sign, a therapist may not withhold services as a result of their refusal.

Authorizations

Psychotherapy notes always require client authorization. There are specific elements set forth by the regulations for authorizations.
Authorizations must include (1) a specific description of the health information to be disclosed; (2) the name of the person or organization authorized to release the information; (3) the name of the person authorized to receive the information; (4) a description of each purpose of the requested disclosure, and an expiration date or event; (5) the signature of the patient or legal representative; (6) a statement that the patient has a right to revoke the authorization, in writing; (7) a statement that the patient’s treatment or payment cannot be conditioned on their permission to release private information; (8) a statement of the potential for redisclosure of the information by the recipient; and (9) the form must be written in plain language. State laws may require additional elements to authorizations, which may also be termed in state statutes a “release of information.” A professional’s code of ethics may also have additional requirements. HIPAA does not prevent a CFT from establishing a stricter policy on disclosures than is otherwise allowed under the regulations.

Minimum Necessary Information

Disclosures that are not for TPO typically require authorization, with some exceptions (e.g., abuse or duty to warn/protect). When sharing information with another CE or BA, the information shared is to be the minimum necessary to accomplish the intended purpose of the disclosure. PHI is not to be shared unless it is necessary to satisfy a particular purpose or carry out a function. For example, office staff should only have access to enough PHI to perform their duties. The minimum necessary standard does not apply when information is shared for treatment purposes.

Accounting of Disclosures

Clients have the right to ask for an accounting of disclosures (AoD). An AoD is a record of unauthorized disclosures of their PHI covering the 6 years prior to the date of the request.
Types of unauthorized disclosures that should go into the AoD include disclosures for: (1) public health purposes, such as immunizations and infectious or communicable disease reporting; (2) vital statistics such as birth or death statistics or teen suicides; (3) poison control; (4) domestic violence, elder abuse, child abuse, or abuse of mentally ill or dependent adults; (5) health oversight activities (e.g., Medicare and Medicaid audits, inspections, oversight reviews); (6) judicial or administrative proceedings (court orders, subpoenas, law enforcement purposes, reporting of gunshot wounds); (7) coroners or medical examiners; (8) cadaveric organ, eye, or tissue donation; (9) some Medicare information; (10) human subject research not subject to previous authorizations, or where a waiver of authorization has been obtained through the institutional review board (IRB); (11) research regarding decedents; (12) disclosures to the U.S. Food and Drug Administration for purposes related to the quality, safety, or effectiveness of a Food and Drug Administration–regulated product or activity, to enable product recalls, repairs, or replacements, or to report adverse events; (13) worker’s compensation; (14) registries such as cancer, trauma, or immunization registries; (15) a serious threat to health or safety; (16) advisory boards; (17) state crime laboratories; (18) misdirected faxes or e-mails; (19) release of information based on an invalid authorization; and (20) any other disclosures required or permitted by law. Disclosures of PHI that are excluded from the AoD include those:

• For TPO purposes,
• Made to the individual or their personal representative,
• Made for directory purposes,
• Made to persons involved in the individual’s care,
• For national security or intelligence purposes,
• Made to correctional institutions or law enforcement officials, or
• Made before the date of compliance with the privacy standards (Dougherty, 2001).
Clients may request AoDs only on information for the past 6 years. Software vendors can typically help set up a way for CFTs to compile an AoD. A client may have one disclosure free of charge within a 1-year period.

Security Regulations

HIPAA was in part enacted to protect the privacy and security of PHI (HHS, n.d.b, n.d.c). Security of ePHI has become a concern of epic proportions in the health care industry. In the largest breach of PHI (at the time of this publication), the database of Anthem Blue Cross Blue Shield generated a loss of 8.8 to 18.8 million records (Pepitone, 2015a). Premera Blue Cross Blue Shield lost data of up to 11 million customers (Pepitone, 2015b). Although mental health data were likely breached in these incidents, mental health agencies and practices have also been targeted directly. Comprehensive Psychological Services in South Carolina had the PHI of 3,500 patients breached when an unencrypted laptop was stolen, containing both psychological records and custody evaluations (Dissent, 2013). PHI of 500 patients was breached from Arizona Counseling and Treatment Services when an employee had an unencrypted laptop stolen from their home (Davis, 2013). Client concern about the privacy of their treatment data is well founded; CFTs must educate themselves and be good stewards of data management. HIPAA security regulations cover ePHI, with three types of safeguards for ePHI: administrative, physical, and technical. Therapists should be aware that there are 54 safeguards and implementation specifications. Some safeguards are “required” and some are considered “addressable.” Required safeguards are just that—you must implement the safeguard as directed. Addressable means that the therapist may take into consideration their practice or organization’s size, capabilities, and the costs of the security measures.
A therapist in private practice, for example, would not be required to provide the same security measures as larger companies with more resources (if the measure is cost prohibitive). As with the privacy regulations, the security regulations require that each CE (as well as each BA) must designate a security official. This can be the same person as the privacy official, but need not be.

Administrative Safeguards

Administrative safeguards include administrative actions, policies, and procedures that a CE puts in place to safeguard ePHI. One administrative safeguard standard is the security management process, with implementation specifications including completing a risk analysis (required), risk management strategies (required), and information system activity review (required), which includes audit logs, access reports, and security incident tracking reports, among others. A sanction policy (required) is needed for workforce members who violate the regulations. “Workforce” includes “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity” (HIPAA, 45 C.F.R. §160.103). Workforce security (required) must be addressed, which includes three addressable specifications: authorization and/or supervision (e.g., determining when a particular user or system has the right to carry out an activity), workforce clearance procedure (e.g., determining access to ePHI by person or role), and termination procedures (e.g., when access ends because of a workforce member quitting or being terminated). An individual or entity must be assigned as the security official (required) who oversees implementation of the security regulations. The standard “information access management” has three implementation specifications.
The first is access authorization (addressable), whereby a CE or BA defines who has the right to carry out a certain activity involving ePHI, such as reading the electronic health records of a client. The second is access establishment and modification (addressable), which consists of policies and procedures that “establish, document, review and modify a user’s right to access a workstation, program, or process” (HHS, 2007, p. 13). Third, in the unlikely event an organization is housing a health care clearinghouse (which processes health care claims), the clearinghouse functions must be separated from the rest of the organization (required).

Security awareness training is an administrative safeguard with four addressable specifications. First, the workforce must receive security reminders, that is, reminders of the various security safeguards within the organization’s policies and procedures. These may take the form of printed or electronic materials, discussions at staff meetings, and bulletin board postings. Retraining should occur whenever environmental or operational changes affect the security of ePHI. For example, retraining should occur if any of the following changes occur:

• There is new or upgraded software or hardware,
• There is new security technology,
• There are changes to the security rule (HHS, n.d.c),
• There are new or updated policies and procedures, or
• There are environmental or operational changes that affect the security of ePHI.

Second, measures to protect the entity from malicious software need to be taken. Third, login monitoring must occur, which signals the user when login attempts are inappropriate and blocks access after a designated number of access attempts. Last, training must include password management. Password management training includes creating strong passwords, safeguarding passwords, the importance of not sharing passwords, and so on.
Another administrative safeguard that is required is that the CE/BA must implement policies and procedures to address any security incidents (i.e., HIPAA violations or incidents that lead to, or could have led to, a breach of PHI). The Contingency Plan standard includes plans for data backup (required), disaster recovery (required), emergency mode operations (required), and testing and revision procedures (addressable). In our case scenario, had the agency properly backed up client data as required, it would not have been forced to pay “ransom” for retrieval of its data. Emergency plans need to be in place for instances such as power outages, natural or man-made disasters, or computer system failures. Last, the standard regarding business associate agreements or other written contracts has one required implementation specification. “Written contracts or another arrangement” must be made between a CE and a BA. CEs are responsible for doing due diligence on their BAs to assure that the BA is also complying with HIPAA. A BA contract outlines requirements for the BA to protect PHI and be compliant with the security regulations.

Physical Safeguards

Every CE must put physical safeguards in place to protect ePHI from unauthorized intrusion, as well as from natural, human, and environmental hazards. Natural threats include floods, earthquakes, tornadoes, landslides, fires, and so on. Human threats include network and computer-based attacks, hacking, malicious software, and unauthorized access to ePHI (intentional or unintentional). They may also include advertent or inadvertent unauthorized data entry. Environmental threats include issues such as power failures, liquid leakage, pollution, floods, and chemical damage (HHS, n.d.c). Physical safeguards include: contingency operations (addressable), a facility security plan (addressable), access control and validation procedures (addressable), and maintenance records (addressable).
Generally these safeguards refer to the physical facilities of an organization, including physical access to the building and operations, and keep ePHI safe from physical hazards and intrusions. Physical safeguards also require policies and procedures for protecting workstations (e.g., the computer and surrounding area), and policies around workstation security; both are required standards. Last, device and media controls are also considered physical safeguards. These safeguards include disposal of ePHI (required), media reuse (required), accountability (addressable), and data backup and storage (addressable). All physical safeguards are meant to counteract threats or potential threats to ePHI.

Technical Safeguards

Technical safeguards are policies and procedures put into place to control access to ePHI. The first standard is access control, with specifications that CEs and BAs have the following: unique user identification (required), emergency access procedure (required), automatic logoff (addressable), and encryption and decryption (addressable). All of these procedures confirm that the person or entity trying to access the ePHI is indeed authorized to access that data. Audit controls are a required standard, meaning that hardware, software, and procedural mechanisms must be in place to record and examine activity in the information systems that contain or use ePHI. Note that if the Midwestern clinic in the initial case scenario had had audit controls in place, it could have examined whether or not data had been accessed or altered, which would have given an indication of the level of breach that occurred. The Integrity Standard directs that there be mechanisms to authenticate ePHI (addressable), ensuring both the accuracy of the data and protecting it from improper alteration or destruction.
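As an added example (not from the chapter or its authors), the following Python sketch shows how three of the safeguards discussed above fit together in one small system: unique user identification, login monitoring that blocks access after a designated number of failed attempts, and audit controls whose records can be reviewed into an access report, the report the clinic in the opening scenario could not produce. The lockout threshold and window, user names, and client record ids are constructed for the demonstration and are not values taken from the regulations.

```python
"""Added example, not from the chapter: a minimal audit log with login
monitoring. Illustrates unique user identification, lockout after a set
number of failed logins, and audit controls reviewed into an access report.
Threshold, window, user names and record ids are constructed values."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                   # assumed policy: failed logins before blocking
LOCKOUT_WINDOW = timedelta(minutes=15)  # assumed policy: failure window and lockout length


@dataclass
class AuditEvent:
    ts: datetime
    user: str         # unique user identification: one account per person, never shared
    action: str       # LOGIN_OK, LOGIN_FAIL, LOGIN_BLOCKED, LOCKOUT, READ, WRITE, DENIED
    record: str = ""  # client record id for READ/WRITE/DENIED; empty for login events


class AuditLog:
    """Append-only activity record: the mechanism that lets an entity examine
    its information system activity (the audit-controls standard)."""

    def __init__(self):
        self.events = []                    # AuditEvent objects, never edited in place
        self._failures = defaultdict(list)  # user -> timestamps of recent failed logins
        self._locked_until = {}             # user -> datetime when the lockout expires

    def _record(self, ts, user, action, record=""):
        self.events.append(AuditEvent(ts, user, action, record))

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        return until is not None and now < until

    def login(self, user, password_ok, now):
        """Login monitoring: log every attempt, block after LOCKOUT_THRESHOLD
        failures inside LOCKOUT_WINDOW, and keep blocking even if the next
        attempt carries the right password (a guessed password must not end
        the lockout early)."""
        if self.is_locked(user, now):
            self._record(now, user, "LOGIN_BLOCKED")
            return False
        if password_ok:
            self._failures[user].clear()
            self._record(now, user, "LOGIN_OK")
            return True
        recent = [t for t in self._failures[user] if now - t <= LOCKOUT_WINDOW]
        recent.append(now)
        self._failures[user] = recent
        self._record(now, user, "LOGIN_FAIL")
        if len(recent) >= LOCKOUT_THRESHOLD:
            self._locked_until[user] = now + LOCKOUT_WINDOW
            self._record(now, user, "LOCKOUT")
        return False

    def access(self, user, record, action, now):
        """Record every READ or WRITE of a client record; a locked-out account
        gets a DENIED entry instead, so the attempt itself stays visible."""
        if self.is_locked(user, now):
            self._record(now, user, "DENIED", record)
            return False
        self._record(now, user, action, record)
        return True

    def access_report(self, start, end):
        """Information system activity review: which records each user read or
        wrote inside a time window. This is the question the clinic in the
        opening scenario could not answer after the ransomware incident."""
        touched = defaultdict(set)
        for e in self.events:
            if start <= e.ts <= end and e.action in ("READ", "WRITE"):
                touched[e.user].add(e.record)
        return {user: sorted(recs) for user, recs in touched.items()}


def demo():
    """Constructed scenario: one legitimate user, and one account that receives
    five wrong passwords in a row. Returns plain values for checking."""
    log = AuditLog()
    t0 = datetime(2024, 1, 15, 9, 0)
    log.login("alice", True, t0)
    log.access("alice", "client-1001", "READ", t0 + timedelta(minutes=1))
    for i in range(5):                                            # 09:05 to 09:09, all fail
        log.login("bob", False, t0 + timedelta(minutes=5 + i))
    blocked = log.login("bob", True, t0 + timedelta(minutes=10))  # locked until 09:24
    denied = log.access("bob", "client-1002", "READ", t0 + timedelta(minutes=11))
    later = log.login("bob", True, t0 + timedelta(minutes=30))    # lockout has expired
    log.access("bob", "client-1002", "WRITE", t0 + timedelta(minutes=31))
    return {
        "bob_blocked_during_lockout": blocked,
        "bob_denied_record_access": denied,
        "bob_ok_after_lockout": later,
        "lockouts": sum(1 for e in log.events if e.action == "LOCKOUT"),
        "report": log.access_report(t0, t0 + timedelta(hours=1)),
    }
```

In a real deployment the log would be written to storage the workforce cannot edit, since a log that an intruder can alter answers nothing.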
Person or entity authentication is a required standard: procedures must be in place to verify that a person or entity seeking access to ePHI is who it claims to be, for example with a password or PIN, a physical token such as a smart card, or a biometric. Transmission security is a required standard under which a CE or BA must address integrity controls (addressable) and encryption (addressable) for ePHI transmitted over an electronic communications network. Integrity controls ensure that ePHI in transit cannot be modified without detection. Although encryption is an addressable implementation specification, addressable does not mean optional: the CE/BA must implement it if reasonable and appropriate, or document why it is not and what equivalent alternative measure is in place. It is also important to note that encryption greatly reduces the chance of a reportable breach. When a device such as a desktop, laptop, or USB flash drive is encrypted in a manner consistent with HHS guidance and is then lost or stolen, the PHI on it is not "unsecured" PHI and the loss falls under the safe harbor exemption: you are not required to notify HHS or the client. The safe harbor is only as good as the key management behind it; if the decryption key or passphrase was stored with the device, or was itself compromised, the exemption does not apply. The loss should still be documented as a security incident.

Policies and Procedures and Documentation

Policies and procedures implementing the security standards are required and are accompanied by a documentation requirement with three implementation specifications, all of them required. First, time limit: documentation must be retained for 6 years from the date of its creation or the date when it was last in effect, whichever is later. Second, availability: the documentation must be made available to the workforce members responsible for implementing it. Third, updates: documentation must be reviewed periodically and updated as needed in response to environmental or operational changes affecting the security of ePHI, including changes in the regulations.

Security Risk Assessment

A security risk assessment (SRA) is at the nexus of HIPAA compliance. An SRA is the process whereby a CE/BA evaluates the security measures currently in place to protect PHI/ePHI.
This is an intensive process: the CE/BA must identify threats and vulnerabilities, rate the likelihood and impact of each to rank risks from high to low, and then remediate in priority order. The SRA allows CEs/BAs to develop strategies to prevent, correct, and contain security risks. HHS does not expect perfection; it understands that some incidents are unavoidable. It does expect an entity to show a risk management process that reduces risks and vulnerabilities to a "reasonable and appropriate" level given the organization's size, complexity, capabilities, technical infrastructure, and the costs of security measures.

Breach of PHI

A breach is an impermissible acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the PHI. There are numerous consequences when PHI is breached; first and foremost is the damage that may be done to the therapeutic relationship when personal information is lost or stolen. There are also consequences set by OCR in the form of fines and penalties. Additionally, for breaches affecting 500 or more individuals, the organization's name and the type of breach are published on the HHS website, often termed the "wall of shame." Breaches affecting fewer than 500 individuals are logged and reported to HHS within 60 days after the end of the calendar year in which the breach was discovered. For breaches affecting 500 or more individuals, HHS must be notified without unreasonable delay and no later than 60 days after discovery, at the same time the affected individuals are notified; when more than 500 residents of a state or jurisdiction are affected, prominent media outlets serving that area must also be notified. If current contact information is lacking for 10 or more affected individuals, substitute notice is required, typically a conspicuous posting on the organization's website home page for 90 days or notice in major print or broadcast media. Hacking accounts for the largest number of breached records (Redspin, 2015), while the most common type of breach is theft of unencrypted computing devices such as laptops, tablets, and smart phones, or of storage media such as flash drives and CDs (Ponemon Institute, 2014).
Consider the following examples of loss of ePHI, starting with stolen laptops:

Aspire Indiana, a nonprofit community mental health center based in Noblesville, notified more than 45,000 employees and clients after several laptops were stolen from its administrative offices (Dissent, 2015).

Cancer Care Group, P.C., had a laptop bag stolen that contained an unencrypted laptop and unencrypted backup media holding identity and health information on about 55,000 patients. HHS required a $750,000 payment and a corrective action plan (HHS, 2013b).

An employee of the Alaska Department of Health and Social Services (DHSS) had a USB drive that may have contained PHI stolen from the employee's vehicle. When OCR investigated, it found that DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed encryption as required by the Security Rule. The settlement was $1,700,000 (HHS, n.d.a).

Any device with electronic memory can be a source of breach. For example, both copiers and fax machines have digital memory onto which PHI is written with each use. Consider the following breach:

Affinity Health Plan, Inc., returned multiple photocopiers to a leasing agent without erasing the data on the copier hard drives, exposing records of up to 344,579 individuals. It paid $1,215,780 (HHS, 2013a).

Malware and software flaws can also be the source of a breach of PHI. For example:

Anchorage Community Mental Health Services suffered a breach affecting 2,743 individuals due to malware; the organization had failed to identify basic risks, had not applied available patches to its information technology resources, and was running outdated, unsupported software. It paid $150,000 (HHS, 2014).
Froedtert Hospital in Milwaukee alerted patients that up to 43,000 patient files may have been accessed by unauthorized people after an employee's computer was infected with a virus (WISN.com Staff, 2013).

Lack of risk analysis, risk remediation, investigation of a breach, and follow-up has led to OCR penalties for some CEs/BAs. For example:

St. Elizabeth's Medical Center (SEMC) was investigated after a workforce member complained that staff were using an Internet-based document sharing application to store documents containing ePHI. SEMC did not report this incident as a breach or take action to address it. Approximately 2 years later, SEMC notified OCR of unsecured PHI on a workforce member's personal laptop and USB drive containing data on 595 individuals. The settlement with OCR was $218,400; OCR cited disclosure of the PHI of at least 1,093 individuals, insufficient security measures for the transmission and storage of ePHI, and failure to identify and respond to the incident, mitigate its harmful effects, and document the incident and its outcome in a timely manner (HHS, 2015).

At Columbia St. Mary's Ozaukee Hospital in Mequon, Wisconsin, a janitor sold patient records to gang members. The janitor used a master key to access boxes of sensitive information that were awaiting shredding (Superadmin, 2011).

Fines and Penalties

Civil penalties under HIPAA range from $100 to $50,000 per violation, depending on the level of culpability, with an annual maximum of $1.5 million for all violations of an identical provision. Criminal penalties, prosecuted by the Department of Justice rather than OCR, can include imprisonment for knowing, malicious, or profit-motivated violations. For example:

In 2003, Dr. Huping Zhou, a researcher in Los Angeles, received notice that he was being dismissed from the UCLA School of Medicine. On the same day he accessed and read his immediate supervisor's medical records, as well as those of celebrities UCLA had treated, among them Drew Barrymore, Arnold Schwarzenegger, Tom Hanks, and Leonardo DiCaprio, accessing records 323 times with no legitimate reason.
He was sentenced to 4 months in prison and fined $2,000 (Dimick, 2010).

HIPAA provides no private right of action, so individuals cannot sue under it, but states' attorneys general can bring civil actions. CFTs may also be subject to state breach statutes, accrediting body sanctions, and state consumer protection laws. Additionally, some states have specific laws requiring notification of the loss of social security numbers and other types of private information. Case law on security and privacy issues is just beginning to develop, and lawsuits for breach of privacy are beginning to occur.

Breach Notification

The HITECH Act compels CEs to notify a client when a breach of unsecured PHI has occurred (Breach Notification for Unsecured Protected Health Information, 2009). Additionally, BAs must notify the CE of a breach. Both notifications must be made without unreasonable delay and no later than 60 days after discovery of the incident. An impermissible use or disclosure is presumed to be a breach unless a risk assessment shows a low probability that the PHI has been compromised; that assessment must consider the nature and extent of the PHI involved, the unauthorized person who used it or to whom it was disclosed, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. If the assessment supports a low probability of compromise, notification of clients and HHS is not required, but the assessment itself should be documented. Some incidents fall outside the definition of breach altogether. The first is the unintentional acquisition, access, or use of PHI by a workforce member acting in good faith and within the scope of his or her authority, provided the PHI is not further used or disclosed. Incidental disclosures that are a by-product of a permissible or required disclosure, such as calling a client's name in the waiting room, are likewise not breaches. The second is an inadvertent disclosure by a person authorized to access PHI to another person authorized to access it within the same CE/BA, such as an internal e-mail sent to the wrong colleague and not further disclosed. The third occurs when PHI is impermissibly disclosed to someone outside the organization, but the CE/BA has a good faith belief that the recipient would not reasonably have been able to retain the information.
For example, if assessment results are handed to the wrong client but the error is discovered immediately and the document retrieved, it is not considered a breach.

Summary

This chapter is only a summary of HIPAA requirements, giving an overview of the more salient compliance issues a CFT needs to know to satisfy the regulations. There are numerous aspects to HIPAA regulations, with the privacy and security regulations of most concern to CFTs. The privacy regulations deal with uses and disclosures of PHI, the minimum necessary standard, the notice of privacy practices, and psychotherapy notes, among other matters. The security regulations cover administrative, physical, and technical safeguards, as well as documentation and organizational requirements. CEs are required to comply with both the privacy and security regulations; BAs must comply with the security regulations and with the privacy requirements set out in their business associate agreements. Each CE must designate a privacy official, and every CE and BA must designate a security official; the two roles may be filled by the same person, but this is not required. For CFTs, numerous requirements converge on the privacy of PHI, so they must be cognizant of state statutes, other federal laws, and their codes of ethics as these bear on the confidentiality of client PHI. Most breaches of PHI must be reported to HHS; larger breaches are publicized through the news media and the HHS website. Hacking is responsible for the largest number of breached records, while lost or stolen portable devices such as laptops and USB flash drives account for the most common type of breach. HITECH clarified the fines and penalties for noncompliance with the regulations and increased clients' privacy rights. The breach notification rules set out what must occur when client PHI is breached (i.e., impermissibly used or disclosed).
Fines and penalties can result from noncompliance; penalties can include jail time when there is malicious intent (such as a violation for financial gain). Although implementing HIPAA can seem daunting, it is an extension of client confidentiality, helping CFTs to protect clients' right to privacy while also maintaining the electronic security of that information.

References

Acosta v. Byrum, 180 N.C. App. 562, 638 S.E.2d 246 (N.C. Ct. App. 2006).

Breach Notification for Unsecured Protected Health Information, 45 C.F.R. § 164 & § 161 (2009). Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/administrative/Breach%20Notification%20Rule/index.html

Byrne v. Avery Center for Obstetrics and Gynecology, No. 18904, 2014 WL 5507439 (Conn. Nov. 11, 2014).

Davis, H. (2013, April 16). Laptop with patient info stolen from employee's home. Yuma Sun. Retrieved from http://www.yumasun.com/laptop-withpatients-info-stolen-from-home/article_71ff7535-ff5d-5aa3-afa4-8a2e70f89a2c.html

Dimick, C. (2010). Californian sentenced to prison for HIPAA violation. Journal of the American Health Information Management Association. Retrieved from http://journal.ahima.org/2010/04/29/californian-sentenced-to-prisonfor-hipaa-violation/

Dissent. (2013, December 17). Psychological assessments provider notifies patients after laptop with PHI stolen in office burglary. Retrieved from http://www.phiprivacy.net/psychological-assessments-provider-notifies-patients-afterlaptop-with-phi-stolen-in-office-burglary/

Dissent. (2015, February 9). Aspire Indiana notifies over 45,000 employees and clients after burglars nab office laptops. Retrieved from http://www.databreaches.net/aspire-indiana-notifies-over-45000-employees-andclients-after-burglars-nab-office-laptops/

Dougherty, M. (2001). Accounting and tracking disclosures of protected health information. Journal of AHIMA, 72(10), 72E–H.

Health and Human Services. (n.d.a). Alaska DHSS settles HIPAA security case for $1,700,000. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/alaska-agreement.html

Health and Human Services. (n.d.b). The privacy rule. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/

Health and Human Services. (n.d.c). The security rule. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/

Health and Human Services. (2007). Security standards: Administrative safeguards. HIPAA Security Series, 2 (paper 2), 1–29.

Health and Human Services. (2013a). HHS settles with health plan in photocopier case. Retrieved from https://wayback.archive-it.org/3926/20150618191048/http://www.hhs.gov/news/press/2013pres/08/20130814a.html