The Health Insurance Portability and Accountability Act (HIPAA) Omnibus rule went into effect in September 2013. As 2015 approaches, orthopaedic practices can expect the Office of Civil Rights (OCR) in the Department of Health and Human Services to increase its random audit program.

The 2013 rule expanded the penalties for privacy and security breaches identified during audits. One area of interest for the audit program is determining whether a medical practice has adopted policies and procedures that define a compliance program. Without these policies and procedures, no compliance program exists.

“Developing a compliance program is critically important for each orthopaedic practice. Such a program needs to include policies dealing with any technology that stores or transmits patient data, including photocopy and fax machines. Policies regarding business associates are also needed,” noted John Cherf, MD, MBA, MPH, the chair of the AAOS Practice Management Committee.

Table 1 shows the fines that can be levied per incident under the final Omnibus rule for the four main types of HIPAA violations. For example, if an audit identified a violation, even if the practice was unaware that it had violated HIPAA laws, the practice could be fined up to $50,000 per incident. Fines for reasonable cause may be assessed if the practice has taken some steps, but neglected to address any problems. For example, a practice may have conducted a gap analysis, but not corrected an identified problem. The violation is due to reasonable cause and not willful neglect.

“Willful neglect, corrected” means that the practice has clearly ignored the HIPAA law but has corrected its mistake within the given amount of time. The second type of willful neglect occurs when a practice ignores the HIPAA law and does not correct its mistake.

Fines can be assessed for multiple violations under any of these categories with a maximum fine of up to $1.5 million per violation per year.

“Lost or stolen laptops are a major cause of data breaches. Any portable device with stored data, including memory sticks, should be addressed in the practice’s policies and procedures. It does not matter if the data are encrypted. Practices need to have these policies in place,” said Dr. Cherf.

Security risk analysis
It is also important that practices document conducting an annual security risk analysis. This documentation is likely to be a focus of many audits because many practices failed this measure during the 2012 pilot random audit program, according to the OCR. A security risk analysis includes the following areas:

• data access management
• patient access to health records
• security incident procedures
• contingency planning
• audit controls
• notice of privacy practices
• movement and destruction of protected health information

Practice documentation also needs to include the name of the security or HIPAA officer. In addition, a practice’s business associates are subject to audit. Orthopaedic practices need to ask business associates for documentation of their security risk analysis.

On-site audits
OCR will conduct two types of audits. In a desk audit, the practice will be requested to submit detailed reports for review. An on-site audit is a more comprehensive review, likely focusing on data transmission security and encryption of stored data.

Staff training is another important item of interest to OCR. Practices must document staff training in HIPAA requirements and practice policies and procedures. Dr. Cherf recommends updating HIPAA-based policies and procedures every three years.

The Omnibus rule authorizes criminal penalties for HIPAA violations, including both fines and incarceration, enforced by the Department of Justice. Both the orthopaedic surgeon and the practice staff can be found culpable for a data breach under the rule. For more information on managing patient privacy under HIPAA, visit the online AAOS Practice Management Center at www.aaos.org/pracman

Howard Mevis is the director of electronic media, evaluation programs, course operations & practice management. He can be reached at mevis@aaos.org