The Health Insurance Portability and Accounting Act of 1996 ("HIPAA") is an exceptionally important healthcare law that Direct Care providers need to be aware of. In this article, we’ll walk you through the nuts and bolts of the law, how to be compliant with HIPAA, how to evaluate tech companies to partner with, and why Direct Primary Care providers should be particularly vigilant about its enforcement.
HIPAA, as a federal law, was designed to “allow portability of protected health information for billing purposes, so that we could engage in proper billing around the country,” explains one legal expert. “Plans and providers couldn't deal with fifty states having fifty different laws protecting privacy applicable to healthcare billing that just would not be workable.” In connection with enabling billing data portability, HIPAA also created certain privacy protocols and procedures that all “covered entities” (and now “business associates”) must follow.
The Privacy Rule
The Privacy Rule, as its name suggests, requires that covered entities (generally: plans and healthcare providers) with electronic personalized health information keep that health information private. Since a Direct Primary Care practice is a covered entity, it has the same duty that all medical practices have--to maintain the privacy of their patient health information. Because Direct Primary Care practices are typically even more connected with patients, engaged in more frequent communication (electronic or otherwise), these practices must pay close attention to HIPAA.
“I think everyone acknowledges that, whether it's a photocopier that's not only copying, but storing data images, or an EMR, or some other device, literally all medical practices have electronic personalized health data. And once you have that electronic data, the Privacy Rule protects everything--including paper files.” One legal expert says they have seen some physicians get confused, thinking that it doesn’t matter how they organize their files in their office or whether they talk about patient information within earshot of someone else. “But that’s not accurate,” he says. “Once there is electronic protected health information, then there's an obligation to maintain as private everything--file boxes, verbal communications, and data too.”
So is it enough to try to maintain privacy? No, you need an internal privacy plan that is documented.
The Security Rule
HIPAA requires that all covered entities engage in commercially reasonable efforts to consider various options, document that assessment in an internal memo or report called a “risk assessment,” and then implement a protocol or a program of protecting patient privacy for the practice. HIPAA's Security Rule is intended to be flexible; what is commercially reasonable for a small practice can vary from large medical providers. The Security Rule compliance requirements of a large major hospital will be different than the security protocol requirements of a solo physician practice.
There’s no single hard and fast security compliance process or approach other than the requirement to reasonably consider different options and then implement a reasonable approach. One legal expert explains: “Whether you're a large hospital chain or a small medical practice, you need to document your Security Rule compliance in what's called a risk assessment memo.”
The risk assessment memo lays out a number of scenarios and the protective actions the provider takes for its patients’ security. These may include, but are not limited to, how the provider protects their mobile devices, what authentication measures they use, what kind of encryption their e-mails have, how they will protect portable storage devices (offsite, under lock and key, etc.), who has access to files, and how and where they store patient files. The risk assessment serves as evidence of a covered entity’s consideration of different privacy protection measures while also documenting implemented solutions.
The Accounting Rule
Under the Accounting Rule, adopted as part of HITECH (a federal component of HIPAA), a patient who pays cash for certain medical services may request to have their data related to those private fee services segregated from plan-reimbursed data and not provided to plans. This rule reflects the original goal of HIPAA--increasing the portability of “plan” billing information. “When plans are handling billing, they need necessary patient data. However, when a patient is paying cash for certain services, HIPAA (as amended by HITECH) allows patients paying privately for services to segregate the health data from those services, because there's no reason for the plans to receive that information if it has no connection to plan reimbursement.”
The rule makes most sense in context. For example, if a psychiatric patient has a condition that they would like to pay their provider in cash for, that patient may be sensitive to the inclusion of that data in their general health care records shared with health plans, especially if their employer is reimbursing their health care.
Typically, for DPC practices that engage in primary care, the way the cash or the private fee is allocated doesn't generate a huge amount of patient interest in privacy. Of course, there are always going to be patients that are very interested in privacy, and they might ask for their data to be segregated. A DPC practice's EMR/EHR platforms and internal medical files should be able to accommodate that request.
“DPC practices need to be mindful that their patients do have the right to request a segregation of their data,” one legal expert explains. “Providers need to ensure that their health care data platforms or systems have the ability to segregate that data, so it’s essential for them to ask their EMR or their EHR whether they can comply with the accounting rule when their patients pay cash or privately for certain amenities.”
How to Become HIPAA Compliant
There are several ways to become HIPAA compliant. Going it alone is a bad idea, says Chas Ballew, an attorney who co-founded the healthcare developer startup Aptible. Hiring an expert like a consultant or attorney saves providers a massive headache and, in most cases, minimizes the likelihood of fines. Alternatively, Ballew suggests using service providers or business associates to provide services to the provider, like handling personal health information (PHI) on their behalf.
The benefits are obvious. Instead of manually writing down patient health information, keeping it in a filing cabinet, and buying locks for storage and badges for the physical environment, a provider can seek out third-party software to handle security for them. “If they sign a business associate agreement (“BAA”), they can use that service and their third party access controls. Providers can use their security and keep PHI out of their own physical office, which makes it much easier for providers to prove that you don't really have a whole lot of information for anybody to be worried about,” explains Ballew.
On a smaller scale, being HIPAA compliant requires that practices give notice of privacy practices to their patients. Obviously, the provider needs to make sure that the notice of privacy practices includes everything mandated by the Privacy Rule. “You've got to make sure that you and your entire office only use personalized health information (“PHI”) for permissible purposes,” says Ballew. These permissible purposes include treatments, operations, and payments.
Unfortunately, Ballew explains, there's no super simple formula like "Do these three things and you're HIPAA compliant." To his mind, the best way to become HIPAA compliant is to partner with somebody “who's done it before and understands all the moving parts. Partnering with a compliance expert and then also partnering with software companies and other technology companies can shoulder some of the burden.”
How to Evaluate Tech Companies
If you’re a provider that is going to partner with a technology company, then Ballew recommends making them sign a BAA to ensure that they can handle patient and protected health information. “The BAA imposes contractual liability between the covered entity and the provider, or the covered entity and their business associate,” explains Ballew. “It checks a bunch of the regulatory boxes.” A BAA is the bare minimum that a provider needs to be compliant. The BAA itself serves as evidence that a party has satisfactory assurances that the business associate is meeting their obligations under HIPAA. Providers are not required to audit a business associate themselves and they are allowed, as far as the government is concerned, to trust that BAA and are not obligated to look further than that.
For Ballew, though, a BAA isn’t enough of an evaluation of a tech company’s worth. It’s also important to ask a tech company who else they do business with. “You want to see if they've been evaluated by all of the larger entities,” Ballew says. Have they passed a security assessment? Or have they gone through security reviews with larger customers?
“You'd like to see some sort of reassurance of that, because as a provider, you're not really equipped to evaluate their security practices. You're good at practicing medicine,” Ballew says. After all, providers seek vendors to free up their time so they can focus on what they do best.
To get more information, a provider can ask for a risk assessment, though this may require the provider to sign a nondisclosure agreement. Similarly, they can ask for a copy of a security assessment. “You can ask for a copy of their security plan or their security policies and procedures,” Ballew suggests. “That's how you would evaluate them from a compliance perspective.” Ballew also recommends requesting and reviewing customer reviews to see if other DPC providers have been satisfied with their services.
One legal expert has observed that some companies receive PHI but are unaware that, under the HIPAA Final Rule (also called the “Omnibus Rule”), business associates now are essentially like a “covered entity”--they must comply with the Privacy Rule and the Security Rule like a covered entity and are subject to regulatory action if they breach their obligations. One legal expert notes: “Companies that receive PHI but refuse to sign a BAA or acknowledge their HIPAA obligations are raising a red flag--be very careful and think about steering clear of companies that are not serious about accepting their PHI obligations.”
Graham Melcher, Chief Security Officer at Hint Health, talks about the level of commitment required to maintain HIPAA compliance like this: "For a technology partner, being HIPAA compliant requires a significant investment in time and resources, and becoming HIPAA compliant can be a difficult and expensive transition. That's why we invested in our HIPAA compliance very early on. It's more than just encrypting your database, it's a culture and mindset around the security and privacy of PHI that reaches across an organization."
Why is HIPAA Compliance Challenging for DPC Practitioners?
By its nature, Direct Primary Care eliminates obstacles between the patient and the provider, and as a result, providers are much more likely to engage in electronic communication like text messages and e-mail. “They're much more likely to implement electronic scheduling, and they're much more likely to be communicating electronically after hours, which sometimes can involve mobile devices, like iPads,” explains one legal expert. Direct private practices need to really carefully examine HIPAA requirements, because they--more than a standard practice or a plan-reimbursed practice--are going to be engaging in electronic communication.
If you need further motivation, consider that HIPAA compliance is in the interests of national security. “If you believe in a strong security apparatus for the United States, then you should believe in HIPAA. Why is that? Our enemies are hacking and penetrating our data systems, in part to defraud our country by false or fraudulent Medicare billing.”
While Direct Primary Care providers may want to be free of regulations, one legal expert sees HIPAA as one that should be followed. In fact, he doesn’t want people to think of it as overreaching federal interference. “Think of it as our country coming together to better protect data and our national interests. I think if we could shift the paradigm or reframe HIPAA compliance from an unreasonable intervention into a, ‘Hey, this is good for all of us. This is protecting our country,’ then I think that we could achieve a higher degree of compliance.”
In summary, to comply with HIPAA regulations, Direct Primary Care Providers should:
Give notice of privacy practices to patients.
Produce a risk assessment memo detailing the various security measures considered and enacted.
Consider using a third party service to handle securing personal health information on their behalf.
Be thoughtful when selecting tech companies to partner with, ask for a copy of the company's risk assessment, and have all partners sign a BAA.