What is PHI and is Your Business Responsible for its Security?
If your organization works with Protected Health Information (PHI), it doesn’t matter what industry you’re in. Businesses and entities like grocery chains, pharmacies, life insurance, and city governments are being fined for HIPAA violations alongside traditional healthcare “covered entities” – health systems, renal dialysis clinics, physician practices, and health plans. Learn what PHI is and which entities must comply with privacy and security requirements.
Who’s Being Fined for Health Data Breaches?
Recently, New Jersey regulators fined a supermarket cooperative $235,000 as a settlement for violations of HIPAA (the Health Insurance Portability and Accountability Act, enacted in 1996) as well as state consumer fraud charges, in a case involving improper disposal of electronic devices used to collect customers’ signatures and pharmacy information.
Entities that you might not think of as required to comply are actually using, storing, and transferring PHI. These could include retail stores that provide pharmacy or other healthcare-related services, telemedicine platforms connected to health systems, mental health apps, app-based drivers that provide medical transportation, city governments, and others.
The key questions to ask include:
- Is your organization a Covered Entity or a Business Associate?
- Is the data you work with considered PHI?
- Which healthcare compliance requirements should you meet?
- And, if your organization is not required to protect PHI, what other privacy and security compliance rules might apply to you?
Is Your Organization a Covered Entity or Business Associate?
HIPAA only applies to covered entities and their business associates, as well as hybrid entities.
A covered entity is a person or organization that provides treatment, or handles payment or operations, in the healthcare sector. That includes healthcare providers, health plans, and healthcare clearinghouses. Providers typically include hospitals, doctors, clinics, dentists, psychologists, pharmacies, nursing homes, dialysis clinics, and others.
Business associates are individuals and businesses that act as subcontractors and vendors, have access to PHI, and use or disclose it to perform services for a covered entity.
The U.S. Department of Health and Human Services (HHS.gov) gives the following examples of business associates:
- A third-party administrator that assists a health plan with claims processing.
- A CPA firm whose accounting services to a health care provider involve access to protected health information.
- An attorney whose legal services to a health plan involve access to protected health information.
- A consultant that performs utilization reviews for a hospital.
- A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
- An independent medical transcriptionist that provides transcription services to a physician.
- A pharmacy benefits manager that manages a health plan’s pharmacist network.
A hybrid entity is a single covered entity that conducts business activities with both covered and non-covered functions, meaning only some components of the organization are healthcare-related and handle PHI.
HHS provides a handy tool to help you decide if you are a covered entity.
What is Protected Health Information?
Protected health information (PHI) includes any information within the medical record, or a designated record set, that can be used to identify an individual and is created, accessed, or disclosed as part of providing healthcare services, e.g., diagnosis or treatment.
The simplest litmus test is to determine whether your organization stores, records, or transmits any of the 18 identifiers of personally identifiable health data on behalf of any covered entity.
In 2005, the HIPAA Security Rule outlined how to deal with electronically stored PHI (ePHI), laying out three categories of security safeguards – administrative, physical, and technical. Both PHI and ePHI are subject to the same protections under the HIPAA Privacy Rule, while the HIPAA Security Rule and the HITECH Act (the Health Information Technology for Economic and Clinical Health Act, which amended HIPAA in 2009) relate mostly to ePHI.
Which Healthcare Compliance Requirements Apply to Your Organization?
There are more regulatory requirements than HIPAA. In addition to HIPAA, there are other federal laws and regulations with which organizations working in and around healthcare data may need to comply, including, but not limited to:
- Federal Food, Drug, and Cosmetic Act (FD&C Act)
- Federal Trade Commission Act (FTC Act)
- FTC’s Health Breach Notification Rule
And, if your product includes a mobile health app, any or all of these regulations could apply. The FTC has a simple questionnaire to help you decide. The states where your organization conducts business may have their own laws to protect health information because HIPAA sets a baseline from which states can create stronger laws.
Is Your Business Compliant with HIPAA?
Once you’ve determined that you handle PHI and are regulated under HIPAA, one of its requirements – a security risk assessment (SRA) – is a good place to start.
You can use a tool designed for providers that’s available on HealthcareIT.gov or you can work with a cybersecurity advisory firm, like CyLumena. We provide customized solutions and a personalized approach to guide you through the assessment process, offering specific recommendations to mitigate risk and meet compliance requirements.
As an example of the kinds of measures needed to avoid penalties like those faced by Wakefern and ShopRite supermarkets, here are some of the measures required going forward as part of their settlement, aimed at creating and maintaining a more comprehensive and compliant security program:
- Appoint a chief privacy officer
- Execute business associate agreements
- Designate a HIPAA privacy officer and HIPAA security officer where needed
- Provide online training for those officers on HIPAA security and privacy rules
Is Your Business Responsible for PHI and HIPAA Compliance?
Our security and compliance experts can determine which federal, state, or industry regulations you must comply with regarding data privacy and security.
And, because of our deep experience in highly regulated industries, we can devise a compliance and security roadmap that ensures adherence, as well as maturity and resilience that makes your organization stronger and more competitive.