21 January 2013

HIPAA Compliance for Portable Devices: Are You Protected?

Not only do healthcare providers need to ensure patient safety when providing health care services, but federal law requires the safety of patient health information.1 The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets forth federal protections for personal health information and gives patients an array of rights with respect to that information.2

In addition to HIPAA, the Department of Health and Human Services ("HHS") implemented the Privacy Rule, which establishes a set of national standards for the protection of certain health information.3 The Privacy Rule standards address the use and disclosure of individuals' health information, or "protected health information," by organizations subject to the Privacy Rule. The Privacy Rule also addresses standards for individuals' privacy rights to understand and control how their health information is used.

Patient health information is defined as information about a patient's medical condition or medical history that can be used to identify a patient. It can include "protected health information" as defined by HIPAA. The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral.4

"Individually identifiable health information" is information, including demographic data, that relates to the individual's past, present or future physical or mental health or condition; the provision of health care to the individual; or the past, present, or future payment for the provision of health care to the individual; and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.5 Examples of health information include a patient's name, medical information, medical record number, billing information, insurance information, email address, phone number, mailing address, birth date, texts or emails from or to patients, and texts or emails to or from providers and other professionals regarding patients.

Because many physicians, health care providers and health care professionals are using various types of technology in their day-to-day work, such as smartphones, laptops and tablets, it has become increasingly important to ensure compliance with HIPAA and the Privacy Rule. One way to do so is to draft policies and procedures for the internal handling and external sharing of patient health information. HHS has gathered suggestions and other information to help covered entities protect and secure health information.6

To maintain compliance with HIPAA and the Privacy Rule, covered entities, as defined, must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule.7 In addition, covered entities must designate a privacy official responsible for developing and implementing their privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity's privacy practices.8

Internal training must be conducted for all workforce members on the privacy policies and procedures, as necessary and appropriate for them to carry out their functions.9 Workforce members include employees, volunteers, trainees, and may also include other persons whose conduct is under the direct control of the entity (whether or not they are paid by the entity).10

The failure to follow the requirements set forth in HIPAA and the Privacy Rule can result in severe consequences. For example, on January 2, 2013, HHS fined the Hospice of North Idaho $50,000 for violations of HIPAA.11 The main basis for the violation was the loss of an unencrypted laptop containing personal health information. The laptop in question contained protected data for 441 patients. HHS found that the provider also failed to perform a risk analysis and lacked mobile device security policies and procedures.

Over the last three years, over 500 breaches of the Privacy Rule and HIPAA involving more than 500 patients each have been reported to HHS, along with 57,000 breaches involving fewer than 500 patients.12 Health care providers of all sizes need to be prepared. Covered entities that fail to comply voluntarily with the standards may be subject to civil money penalties, as well as criminal prosecution.

Penalties may vary depending on factors such as the date of the violation,13 whether the covered entity knew or should have known of the failure to comply, or whether the covered entity's failure to comply was due to willful neglect. Penalties may not exceed a calendar year cap for multiple violations of the same requirement.

  • For violations prior to 2/18/09: Up to $100 per violation, not to exceed $25,000 in a calendar year.
  • For violations after 2/18/09: $100 to $50,000 or more per violation, not to exceed $1,500,000 in a calendar year.

Note, however, that a penalty will not be imposed for violations in certain circumstances, such as:

  • Failure to comply was not due to willful neglect, and was corrected during a 30-day period after the entity knew or should have known the failure to comply had occurred (unless the period is extended at the discretion of OCR); or
  • The Department of Justice imposed a criminal penalty for the failure to comply (see below).

A penalty may be reduced if there is a finding that the failure to comply was due to reasonable cause, and the penalty would be excessive given the nature and extent of the noncompliance. A covered entity found in violation will be given an opportunity to provide written evidence of those circumstances that would reduce or bar a penalty. This evidence must be submitted within 30 days of receipt of the notice.

In addition, a covered entity notified of a violation has the right to request an administrative hearing to appeal the proposed penalty. In an age of technology and portable devices, if workforce members of a healthcare provider, physician or healthcare professional subject to HIPAA and the Privacy Rule use smartphones, laptops and tablets, not only do procedures and policies need to be drafted, but training and security must be ensured and documented to avoid potentially severe penalties. If you have questions about whether your HIPAA and Privacy Policies are compliant or whether your security measures adequately protect your facility from liability and/or civil penalty, please contact an attorney in our Healthcare Practice Group at WWR-HealthCare@weltman.com.


1 The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191.
2 Standards for Privacy of Individually Identifiable Health Information ("Privacy Rule").
3 45 C.F.R. Part 160 and Part 164, Subparts A and E.
4 45 C.F.R. § 160.103.
5 45 C.F.R. § 160.103.
6 45 C.F.R. §§ 160.102, 160.103; see Social Security Act § 1172(a)(3), 42 U.S.C. § 1320d-1(a)(3). The transaction standards are established by the HIPAA Transactions Rule at 45 C.F.R. Part 162.
7 45 C.F.R. § 164.530(i).
8 45 C.F.R. § 164.530(a).
9 45 C.F.R. § 164.530(b).
10 45 C.F.R. § 160.103.
11 http://www.hhs.gov/news/press/2013pres/01/20130102a.html
12 December 2012 U.S. Healthcare Data Breach Trends report.
13 http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html