A New Age of HIPAA Enforcement – What it Means for EMS
by Ryan Stark-Page, Wolfberg & Wirth, LLC
(Originally featured in the Zoll Data Blog on March 23, 2017; shared to benefit our clients and readers.)
In 2016, the Heath Insurance Portability and Accountability Act (HIPAA) police levied far more penalties than ever before, and government enforcers are on a record pace in 2017. The focus has shifted from education to prosecution, and small healthcare providers are no longer immune from big penalties. What does all this mean for EMS? And how can you make sure your agency isn’t penalized?
Update Policies and Risk Analysis
First, EMS providers can no longer pay lip service to HIPAA compliance. Failure to do basic things – such as update your Notice of Privacy Practices or have a business associate agreement in place – could get you more than a slap on the wrist. Providers need comprehensive HIPAA policies that have been updated to account for the big HIPAA changes in 2013.
Second, both covered entities and business associates need to step up their game when it comes to security. Most of the agencies penalized last year had one thing in common – they didn’t have an updated risk analysis. A risk analysis is an “accurate and thorough assessment of the potential risks and vulnerabilities [to health information].” We recommend taking four steps in your risk analysis:
- Identify sources of protected health information (PHI) at your agency. Inventory everywhere that your PHI lives.
- Determine risks to your PHI, considering everything from internal threats (e.g., snooping) to external threats (e.g., hacking or acts of god).
- Analyze the likelihood and impact of risks. This is called “gauging” your risks so that you know what to tackle first.
- Implement appropriate measures to address the risks you have identified.
Documentation of your most recent risk analysis is one of the first things the government will ask for in an investigation. Now is the time to do one!
Make a Plan for Your PHI
Another lesson agencies should heed is to have a plan to combat new risks, such as ransomware and other cyberattacks. According to Reuters, medical information is worth at least 10 times more than a credit card number on the black market. If you’re not encrypting and backing up your data appropriately, you’re setting yourself up for a potentially devastating breach.
One thing the government made clear in 2017 is that agencies that report breaches of PHI to the federal government, as all covered entities and business associates are required by law to do, will almost certainly be investigated. An Office of Civil Rights (OCR) investigation can include anything reviewing policies to a full scale government on-site audit.
Finally, EMS agencies need to address ways their staff members are putting PHI at risk every day. For example, at many organizations:
- Super users are abusing privileges. Just because someone has access to a record doesn’t mean they have a right to see it. There’s a difference between quality assurance/quality improvement (QA/QI) and snooping under HIPAA.
- PHI is being captured on personal devices. Providers sometimes snap photos to show the ER doc mechanism of injury. But what happens to that image? You need to have a policy.
- PHI is improperly being shared with the media or law enforcement. HIPAA does not permit disclosures to the media without patient authorization. And, there are limited circumstances under which providers can share PHI with law enforcement.
About the Author
Ryan Stark is an associate attorney with Page, Wolfberg & Wirth, LLC. He has been with the firm since 2007 and concentrates his legal practice in HIPAA, labor, Medicare reimbursement, contracting and related areas of the law that affect the emergency medical services industry. For more information on HIPAA compliance, visit www.pwwemslaw.com or www.pwwmedia.com.