(E-Book Download) HIPAA Compliance in the Sleep Center
How should you handle HIPAA compliance in the sleep center?
This article was originally published in the Summer 2006 edition of A2Zzz Magazine. To view the original article, sign up to download our free e-book bundle. We also published a similar article that pointed out how to manage infection control issues within the pediatric sleep center.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has impacted how sleep centers provide services to patients. HIPAA has also changed how sleep centers do business. While the HIPAA privacy rules have been in effect for years, expanded HIPAA security regulations become effective annually. Sleep centers should continue to monitor and maintain their compliance with the HIPAA privacy and security regulations in order to safeguard patient information and reduce liability exposure.
This column provides an overview of the HIPAA regulations and focuses on the key issues sleep centers should consider regarding compliance and business associate agreements.
HIPAA Privacy and Security Regulations
HIPAA creates national standards to protect individuals’ protected health information (PHI) and gives patients increased access to their medical records. Sleep centers should also check state regulations, because many states have confidentiality and medical records regulations that are similar to the HIPAA regulations, and in some states these rules are more encompassing.
The HIPAA regulations set forth mandatory standards for electronic transactions and code sets, security, and privacy. The HIPAA privacy rule requires mandatory compliance by a “covered entity” which is a health care provider, health plan, or health care clearinghouse that transmits health information in electronic form. The Centers for Medicare & Medicaid Services (CMS) has adopted these standards. HIPAA impacts how sleep centers use and disclose patient information to third parties. The HIPAA security regulations address the use and disclosure of electronic protected health information via the Internet.
If your sleep center is treating Medicare patients and transmitting PHI electronically via the Internet, make sure your center has implemented the following policies and procedures:
- Patients who receive treatment from the sleep center must give specific written authorization before PHI is used or disclosed for any purpose other than treatment, payment or health care operations.
- Patients must receive written notice of the sleep center’s privacy practices and patient privacy rights, and the sleep center should obtain each patient’s written acknowledgment of his or her receipt of the privacy notice.
- Patients have greater access to their medical records and can request changes to correct any errors. Patients can also request an accounting of the use and disclosure of their health information by sleep centers.
Sleep centers are also required to enter into written agreements with their business associates. A business associate agreement must contain specific provisions as required by the HIPAA privacy and security regulations. The HIPAA regulations impose stiff criminal and civil penalties for non-compliance.
For civil violations of the HIPAA standards, the Office for Civil Rights, a division of the Department of Health and Human Services which administers and enforces the HIPAA regulations, may impose monetary penalties up to $100 per violation to a $25,000 cap per year for multiple violations of the same provision. A $25,000 fine can be applied for each violation of each provision of the law. Criminal penalties can include a $50,000 or higher fine, imprisonment for up to one year, or both.
Criminal penalties for an offense committed under false pretenses may result in a fine of up to $100,000, imprisonment for up to 5 years, or both. Penalties for an offense committed with the intent to sell, transfer, or use for commercial advantage, personal gain or malicious harm may be a fine of up to $250,000, imprisonment for up to 10 years, or both.
Business Associate Agreements
HIPAA requires sleep centers to have written business associate agreements with vendors, outside entities, and individuals who provide services to the sleep center and have access to the center’s PHI. Sleep centers should make sure that their business associate agreements specifically provide that these business associates do not release any PHI to a third party without authorization, as this is a violation of the HIPAA privacy and security regulations.
The threshold question that sleep centers should ask is: What is the center’s exposure in relation to the actions or omissions of the center’s business associate? The sleep center’s exposure has been difficult to assess due to the lack of regulatory guidelines and clarification. However, last year the Department of Health and Human Services published proposed regulations to complete the HIPAA enforcement rules.
These regulations address a covered entity’s liability (the sleep center’s liability) in relation to the actions or inactions of its business associate. The proposed rule indicates that shared liability between a sleep center and its business associate is unlikely if the sleep center followed all of the requirements of the HIPAA regulations, which include executed agreements with business associates to safeguard PHI, and the sleep center has performed due diligence to oversee and ensure that such protections are carried out.
If your sleep center has signed business associate agreements with technology vendors, consultants, accountants, lawyers, or any other entity or individual who needs to have access to your patients’ PHI in order to provide your sleep center with the services required, your center should revisit these agreements in light of the newly implemented HIPAA security regulations. If your center’s business associate agreement involves access to or transmission of electronic PHI, the agreement should include how a risk assessment will be conducted by the business associate to identify system vulnerabilities.
The business associate should also have its own security policies and procedures.
When reviewing your sleep center’s business associate agreements, you should avoid the following pitfalls:
- Limitation of Liability. Business associate agreements are often attached as addendums to underlying agreements that might predate the HIPAA regulations. Make sure that your business associate does not limit their liability under the terms of the main contract or any subsequent addendums. Your sleep center should specifically look at the terms that relate to limitation of liability, insurance, and indemnification.
- Monitoring the Activities of Business Associates. It is imperative that sleep centers take steps to monitor and oversee all services being provided by their business associates. Include provisions in your business associate agreements which give your lab the right to request and receive information and documents from your business associates that will enable the sleep center to monitor HIPAA compliance.
- Evidence of Safeguards. Your center’s business associate agreements should contain terms to ensure that your associates agree not to use or disclose your patients’ PHI or electronic PHI in any way other than is permitted by the agreement or as required by law. Make sure that the agreement requires your business associate to provide your sleep center with evidence of safeguards and written notice if any of these safeguards are breached or discontinued.
In order to avoid potential liability and resulting civil and criminal monetary penalties, make sure that your sleep center continues to allocate the appropriate resources to monitor and maintain compliance with the HIPAA privacy and security regulations. Your center should continually provide education and training for all of its employees and independent contractors.
The sleep center’s privacy officer should periodically conduct an assessment of the technical, security, and privacy measures in place and identify all authorized users of PHI and electronic PHI to determine the appropriateness of each authorized user’s access to PHI. Make sure that the center’s compliance with its policies and procedures, notice of privacy practices, and business associate agreements is monitored and reviewed on an ongoing basis.
HIPAA compliance remains a hot issue in sleep technology. To better inform yourself on the topic, download our e-book below.
About Kevin Asp, CRT, RPSGT
By implementing his best practices for inbound marketing in a medical practice, he turned the once stagnant online presence of Alaska Sleep Clinic into "The Most Trafficked Sleep Center Website in the World" in just 18 months’ time. He is the President and CEO of inboundMed and enjoys helping sleep centers across the globe grow their business through his unique vision and over 27 years of experience in sleep medicine.