Conduro Ventures
Healthcare Information Security Consultants


Troublesome Areas of HIPAA Your Organization Needs to Know About

The Office for Civil Rights’ Phase 2 HIPAA audits are now underway, and though organizations have had a longer time than expected to prepare, they may come unstuck when it comes to some of the more complex areas of HIPAA compliance.

Know who qualifies as a Business Associate

By HIPAA definitions, a Business Associate (BA) is an organization or individual that works in association with, or provides services to, a covered entity and handles PHI in doing so.

This means that any organization or individual that creates, receives, maintains or transmits PHI in the course of performing services on behalf of a covered entity qualifies as a BA – this may include any of the following:

  • Medical billing companies
  • Health information exchanges and e-prescribing gateways
  • Medical transcription companies
  • Law firms
  • Consulting firms
  • Software vendors and consultants
  • Answering services
  • Document storage or disposal companies
  • Patient safety or accreditation organizations
  • Data conversion, de-identification and data analysis service providers
  • Accounting firms
  • Auditors
  • Researchers (if performing HIPAA functions for a covered entity)

Because HIPAA is so heavily associated with being a problem exclusively for the healthcare industry, many companies wrongly assume that HIPAA compliance does not apply to them. If Business Associates (and their subcontractors) do not have a Business Associate Agreement (BAA) in place with covered entities, they are putting everyone in the chain at risk of noncompliance.

Understand the HIPAA Conduit Exception Rule

Because of the huge fines associated with noncompliance, some organizations that handle PHI will attempt to avoid signing a BAA, and cite the HIPAA conduit exception rule as the reason for doing so.

However, the conduit exception rule applies only to entities such as the United States Postal Service, some internet service providers (ISPs) and couriers: although these entities may come into contact with PHI, they do not have routine access to it and no disclosure to them is intended.

Any organization that manages PHI, whether it is creating, receiving, maintaining or transmitting the data on behalf of a covered entity, is a Business Associate and must therefore sign a BAA. Without it, if something does go wrong and the company who is performing any of these services experiences a breach, the buck stops with the covered entity, as it is their responsibility to ensure these contracts are in place.

Ignoring addressable standards increases the risk of noncompliance

There are a number of standards that are classified as ‘addressable’ standards within the HIPAA safeguards. While the wording within the rules may suggest certain standards are not a necessity, by ignoring standards classified as addressable, covered entities and business associates increase the risk of fines for noncompliance and leave themselves more vulnerable to breaches.

Within the Technical Safeguards, a number of standards are listed as addressable, including those around encryption during the transmission of PHI. Organizations that do not encrypt PHI in transit are very likely to be fined should they experience a data breach, even if a risk assessment is in place. These areas of the Technical Safeguards are expected to be one of the key areas OCR focuses on when conducting the phase 2 HIPAA audits, due to the high levels of noncompliance detected during the phase 1 audits.

When does PHI stop being PHI?

Under HIPAA, health information is treated as Protected Health Information (PHI) when it contains any of the following 18 identifiers:

  1. Names;
  2. Geographic information;
  3. Dates (e.g. birth date, admission date, discharge date, date of death);
  4. Telephone numbers;
  5. Fax numbers;
  6. E-mail addresses;
  7. Social Security numbers;
  8. Medical record numbers;
  9. Health plan beneficiary numbers;
  10. Account numbers;
  11. Certificate/license numbers;
  12. Vehicle identifiers and serial numbers, including license plate numbers;
  13. Device identifiers and serial numbers;
  14. URLs;
  15. IP address numbers;
  16. Biometric identifiers (e.g. finger and voice prints);
  17. Full-face photographic images and any comparable images; and
  18. Other unique identifying numbers, characteristics, or codes.

It is possible to remove information that makes an individual personally identifiable, at which point an entity is able to disclose health information. These identifiers need to be removed in accordance with Section 164.514(a) of the HIPAA Privacy Rule for the information to no longer be treated as PHI. It can be very difficult to remove all traces of this information, and if in doubt, organizations should consult a qualified de-identification specialist to assist.
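The following is an added illustration, not code from the original article or from Conduro Ventures, of why "removing all traces" is harder than dropping the obvious columns: after the structured name and MRN fields are stripped, several of the 18 Safe Harbor identifiers listed above can survive inside free-text notes. The record, the field names and the regular expressions are assumptions constructed for this example, and a real de-identification review would cover all 18 categories, not the handful of patterns shown here.

```python
import re

# Patterns for a subset of the 18 Safe Harbor identifier categories that
# commonly hide in free text. These regexes are illustrative assumptions.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{5,}\b", re.IGNORECASE),
}

# Structured columns that map directly to Safe Harbor identifiers (assumed schema).
DIRECT_IDENTIFIER_FIELDS = {"name", "mrn", "ssn", "email", "phone", "address", "dob"}


def strip_direct_fields(record):
    """Naive de-identification: drop only the obviously identifying columns."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_FIELDS}


def find_residual_identifiers(record):
    """Scan every remaining string value for identifier patterns.

    Returns a sorted list of (field, category, matched_text) tuples; an empty
    list means none of the checked patterns were found.
    """
    hits = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for category, pattern in IDENTIFIER_PATTERNS.items():
            for match in pattern.finditer(value):
                hits.append((field, category, match.group(0)))
    return sorted(hits)


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "00123456",
    "diagnosis": "Type 2 diabetes",
    "notes": ("Pt discharged 03/14/2016. Follow-up call to 555-867-5309; "
              "portal account jane.example@example.com, MRN# 00123456."),
}

if __name__ == "__main__":
    for hit in find_residual_identifiers(strip_direct_fields(SAMPLE_RECORD)):
        print("residual identifier:", hit)
```

Running it shows that the stripped record still carries a date, a phone number, an e-mail address and the medical record number inside the notes field, so it is not de-identified.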

Know what the consequences of noncompliance are

HIPAA can feel like a bit of a minefield to navigate, but it is crucial that everyone in your organization is aware of HIPAA, and what happens should someone fail to comply.

Depending on the type and severity of a violation, penalties can be both civil and criminal. Civil penalties are monetary and range from $100 to $1.5 million, while criminal penalties can result in imprisonment for 10 years or more. Added to this, there are data breach laws that vary by state, and fines and prison terms vary accordingly. HIPAA violations are also incredibly damaging to the reputations of the organizations or individuals involved.

Understanding some of the less talked about areas of HIPAA may prevent an organization from experiencing a breach or being found to be noncompliant. Only time will tell how many will fail the phase 2 audits due to overlooking the ‘fine print’.

By Gene Fry

Originally Published May 16, 2016
The Compliance & Ethics Blog