Imagine discovering that an employee's laptop containing thousands of patient records with protected health information (PHI) has been stolen. Add to it that the laptop was neither password protected nor encrypted. Now you are faced with reporting the breach to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which, among other things, will post your organization's name on its public website. You will also have to notify every affected patient of the breach of their PHI, and explain the incident to the media.
For many organizations the above scenario has become a reality. Under the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, covered entities (CEs), such as hospitals, are required to report PHI breaches to the HHS OCR.1,2 As of January 12, 2011, more than 200 covered entities had each reported a breach compromising the PHI of 500 or more individuals.3 A recent study estimated that data breaches of patient information cost hospitals nearly $6 billion each year.4 The same study found that protecting patient data is not a priority among hospitals and that the majority of healthcare organizations experience data breaches because of inadequate preparation and staffing.5
Think about how this costly mistake will also damage your organization's image and reputation, and ask yourself: (1) Are we prepared to bear the cost of a PHI breach, both in dollars and in loss of reputation; and (2) if we want to avoid these problems, have we allotted enough resources to ensure that PHI is properly guarded and secured?
The enactment of the HITECH Act strengthens and expands the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Enforcement Rules. Essentially, HIPAA protects patients' health information and establishes a number of administrative, physical and technical safeguards that CEs must follow to ensure the confidentiality, integrity and availability of PHI.6 Under the HITECH Act, CEs face additional requirements, such as disclosing PHI breaches to patients and HHS, extending the HIPAA Privacy and Security Rules to business associates, prohibiting the sale of PHI, and expanding individuals' rights to access their own information while restricting certain disclosures of PHI to health plans, all to protect an individual's health information.7 HHS also has the authority to conduct formal investigations and to impose increased penalties on CEs that fail to comply with the new rules.8,9 According to HHS officials, the OCR plans to issue new rules implementing the HITECH provisions in 2011.10 Hospitals should therefore stay tuned, as more stringent rules concerning PHI are anticipated in the near future.
The Challenging Role of the Privacy Officer
In order to avoid the negative press and financial loss associated with PHI breaches, hospitals need to designate a HIPAA Privacy Officer (PO) to oversee the organization's privacy compliance. The PO can be a high-profile position that plays a critical role in maintaining and overseeing the integrity, security, and confidentiality of PHI. Since the HITECH Act creates serious consequences for hospitals when a privacy violation or security breach occurs, it is essential that hospitals have a PO who can serve as the first line of defense. Hospitals should take time to re-examine the position in relation to the needs of the organization and consider the best approach to addressing their HIPAA privacy needs.
In most hospitals, the HIPAA PO and the Security Officer are two separate roles; the former is concerned more with program compliance and the latter with information technology operations. In many cases hospitals have treated the PO function as a part-time responsibility. Other hospitals roll the PO function under the Compliance Officer. These arrangements do not always solve the problem. The PO function as a part-time activity is not very realistic, and Compliance Officers already have a full plate of duties and responsibilities that may not leave them room to take on the added burden of the PO function. The end result is that the PO function is often relegated to a secondary duty without adequate attention.
The reality of the matter is that the PO is expected to be the focal point for all privacy compliance-related activities, and the responsibilities are significant and challenging. They include, but are not limited to, the following:
- Implementing privacy policies and procedures.
- Coordinating the development of privacy risk assessment policies and procedures.
- Developing privacy and confidentiality consent, authorization forms, and information notices.
- Developing, conducting, and ensuring delivery of privacy training and orientation to all members of the workforce who handle PHI.
- Providing ongoing auditing and monitoring of the privacy program.
- Conducting ongoing privacy compliance monitoring.
- Ongoing compliance monitoring of all business associate agreements.
- Performing initial and periodic information privacy risk assessments.
- Reporting periodically to the Board, CEO and others on the status of the privacy program.
- Providing strategic guidance to corporate officers regarding information resources and technology.
- Providing leadership in the planning, design and evaluation of privacy and security related projects.
- Developing appropriate sanctions for failure to comply with the privacy policies and procedures.
- Mitigating the effects of improper use or disclosure of PHI of the workforce or business partners.
- Establishing an internal privacy audit program.
- Periodically revising the privacy program in light of changes in law, regulation, or policy.
- Coordinating with the Compliance Officer the documenting and reporting of privacy violations.
- Serving as an information privacy consultant for all departments and appropriate entities.
- Developing a system that tracks which qualified individuals are authorized to review or receive PHI.
- Promoting privacy awareness within the organization and related entities.
- Acting as a liaison to the HIPAA Security Officer.
- Working with those involved in any release of PHI to ensure compliance with policies.
- Maintaining current knowledge of applicable PHI federal and state laws and accreditation standards.
- Cooperating with the OCR and other legal entities in any compliance reviews or investigations.
- Submitting periodic reports regarding the status of privacy compliance.
- Revising the privacy program to comply with changes in laws, regulations, and accreditation requirements.
It is difficult to imagine how anyone could carry out all of these duties on a full-time basis, let alone a part-time one.
Outsourcing Privacy Officer Functions
In meeting the challenges of an effective privacy program, there are a number of approaches that can be considered. For example, hospitals that do not have the internal resources necessary to ensure the integrity, security, and confidentiality of PHI should consider outsourced assistance. This approach was recognized by the DHHS OIG at a roundtable jointly sponsored with the Health Care Compliance Association. The OIG's Compliance Program Guidance further recognizes that, "[f]or those companies that have limited resources, the compliance function could be outsourced to an expert in compliance." The same principle applies to the PO function.11 Needless to say, one advantage of outsourcing the PO function is economic. A firm providing PO services can amortize the effort of keeping current with ever-changing laws, regulations, and accreditation requirements across a number of clients, whereas this would be a significant burden for a hospital to carry individually. There is also a great advantage in having established experts available rather than trying to develop them internally.
Moving forward, hospitals may wish to consider the following questions when determining which functions of the PO could be outsourced.
- How complex is the organization with respect to privacy and security systems?
- Is the PO position currently vacant, either because of temporary leave (e.g., maternity or extended medical leave) or turnover in the position?
- Has the organization experienced difficulties in recruiting a qualified person?
- Is the hospital equipped to handle a breach of PHI or other unexpected incidents involving PHI?
- How much time does the PO dedicate to regulatory research in order to stay well informed of current and changing rules?
- Does the hospital system have a need for a Corporate PO as well as a PO at the facility level?
- What are the PO’s responsibilities? Does the PO wear “multiple hats” within the organization?
- Do the Compliance Officer's responsibilities overlap with PO functions?
Answering these questions can help your organization decide how much of its HIPAA privacy function can be outsourced. For example, if the PO wears multiple hats and divides his or her time, consider outsourcing certain privacy functions, such as the development of policies and procedures and training. On the other hand, at any time when the PO position is vacant, an organization should strongly consider outsourcing until a permanent replacement is found. Outsourcing is not an all-or-nothing choice; experienced consulting firms can provide a range of support services to supplement the current work of an organization's PO. Consider these options for outsourced assistance.
- Option 1: Advisory Services. Contract with an expert for a one-time engagement to handle certain duties related to HIPAA compliance, such as developing and updating HIPAA privacy policies and procedures (e.g., controls on computers and laptops, access to electronic PHI, and proper disposal of PHI) or developing annual or refresher training modules.
- Option 2: Remote Supplementary Interim PO Services. Outsource a portion of the responsibilities of the PO on an ongoing basis to an experienced consulting firm.
- Option 3: Engage an On-site Interim/Designated PO. In the absence of a permanent PO, the hospital should consider hiring an interim PO while it looks to fill the position. The interim PO can maintain the HIPAA privacy activities as well as provide a fresh perspective on the current activities within the hospital.
Take Home Message
Outsourcing can be structured in various ways to meet the specific needs of the organization. A consulting firm can handle the daily duties of the PO, including carrying out investigations of alleged privacy violations; handling privacy-related concerns and issues reported through the hotline; providing regulatory analysis of new and updated laws and rules; providing advisory and best-practices support; and supporting the current duties of the PO without necessarily being at the hospital. A Designated or Interim PO can work either on-site or off-site. Further, the role can be a full-time or part-time position, or can simply be available "on call" to support the remaining compliance staff when needed. A final factor to consider is the relationship with the Compliance Officer and the strength of the current compliance program.
The authors have been involved in providing various levels of privacy services. In some cases it is merely a matter of developing the infrastructure for the program, including privacy-related policies and procedures, risk assessment protocols, and the confidentiality consent, authorization forms, and information notices. In many cases this extends to developing the necessary educational programs and briefing senior management and the Board on what an effective program requires. Some smaller hospitals prefer simply to outsource all of the duties and responsibilities of the PO function.
1 A covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits any health information in electronic form. Additional information concerning covered entities is available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html.
2 American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5, 123 Stat. 226.
3 “Breaches Affecting 500 or More Individuals.” Department of Health and Human Services Office for Civil Rights. 2011. Accessed 12 Jan. 2011. <http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html>.
4 “Benchmark Study on Patient Privacy and Data Security.” Ponemon Institute. Nov. 2010.
6 45 CFR Part 164.
7 American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5, 123 Stat. 226.
8 45 CFR Part 160.
9 American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5, 123 Stat. 226.
10 “HITECH, HIPAA Rules to Launch Simultaneously in 2011.” Health Leaders Media. 2011. Accessed 12 Jan. 2011. <http://www.healthleadersmedia.com/content/TEC-260186/HITECH-HIPAA-Rules-to-Launch-Simultaneously-in-2011>.
11 “Building a Partnership for Effective Compliance: A Report on the HCCA-OIG Physician’s Roundtable.” HCCA Conference, Philadelphia, PA. 24 Jul. 2000. Accessed 14 Jan. 2011. <http://oig.hhs.gov/fraud/docs/complianceguidance/roundtable0700.pdf>.