Few physicians realise the new liability they now face since 23 September 2013, the date when the US Department of Health and Human Services (HHS) released the new omnibus rule to expand the existing Health Insurance Portability and Accountability Act (HIPAA) regulations. HIPAA was enacted by the US Congress and signed by President Clinton in 1996 to help establish the national standards for handling electronic healthcare transactions for physicians, employers, and health insurance plans.
The rapidly expanding adoption of mobile and web-based technologies in the healthcare industry brought new challenges to the original set of HIPAA rules that no longer account for the range of privacy breaches possible today.
In this article I will give an overview of the regulatory updates, discuss specific HIPAA-related risks that aesthetic physicians face today, offer means to mitigate these risks, and introduce digital technology opportunities for aesthetic practices.
The omnibus rule introduced strict new guidelines on how to handle patient health information (PHI) and what to do if, or when, a breach occurs. HHS introduced a steep increase in penalties for non-compliant individual providers or large health organisations. An individual provider can now be fined up to $1.5 million per year for non-compliance.
Before the omnibus rule, providers were required to report a breach only if it involved ‘significant risk of harm’. Today, HHS regards any unauthorised disclosure of PHI as a reportable breach. The new rule requires providers to notify all patients involved in a HIPAA breach within 60 days of the breach and, most importantly, if 500 or more patients were affected, local media must also be notified within 60 days.
In case of a breach, asking a number of targeted questions will help determine the severity of the situation. For example, did the breach include:
- A list of patients?
- Identifiable data such as Social Security Numbers?
- Any financial information?
- Any intimate medical records such as photos?
A study performed for HHS by the accounting and consulting firm Kaufman, Rossin & Co.[1] identified important facts and highlighted the severity of breaches that have recently occurred. For example, from 2010 to 2011, the total number of patients affected by breaches doubled to 16.2 million. Most of these were owing to theft (53%), followed by unauthorised access (20%), and loss (14%).
The alarming fact is that even with these new stringent rules in place, over 95% of physicians are not compliant[2]. HHS is now paying much closer attention to individual providers as opposed to large healthcare organisations, as was the case before the omnibus rule was introduced.
To help better describe the range of enforcement cases pursued by HHS, I will briefly discuss a few examples.
Adult & Pediatric Dermatology (APDerm), a Massachusetts-based provider, agreed in December 2013 to settle with HHS over potential violations of the HIPAA privacy, security and breach notification rules by paying a fine of $150,000. The provider was also required to implement corrective measures to achieve HIPAA compliance.
Another example of a provider violation is Massachusetts Eye and Ear Infirmary (MEEI), which was fined in September 2012 by HHS for $1.5 million to settle potential violations resulting from the theft of an unencrypted personal laptop containing the electronic health information of MEEI patients and research. The stolen laptop also included patient prescriptions and clinical information.
In July 2013, WellPoint was fined $1.7 million by HHS for leaving information accessible over the Internet and for not adequately implementing policies and procedures for authorising access to its online application database, nor any technical safeguards to verify the identity of a person seeking access to electronic protected health information, a risk that most aesthetic physicians face today. As a result, WellPoint was found to have disclosed the PHI of over 600,000 patients by allowing unauthorised individuals access to the database.
HIPAA risks for aesthetic physicians
I will next discuss specific examples of patient engagement methods used today that expose aesthetic physicians to risk. We are all familiar with the standard ‘Contact us’ forms that most aesthetic practice websites use today (Figure 1). Most of these websites are not served over an encrypted connection, so PHI is collected using non-secure methods whenever a patient contacts the office. Such PHI includes easily identifiable facts about the person, such as their name, contact information, desired procedure, and private comments. Furthermore, the vendors managing the websites of aesthetic physicians have unrestricted access to the PHI of hundreds or even thousands of patients without a strict HIPAA compliance process in place. This constitutes a HIPAA breach.
A solution is to amend your website and stop collecting PHI through these standardised forms. Vendors building websites are generally not qualified to create and implement the multiple security measures required beyond encrypting the website itself.
In addition, the use of smart phones is now a universally accepted method of communication for following up with patients. Physicians often provide their personal phone numbers to patients, who then text or email post-procedure follow-up information containing PHI, including photos. Phones can be lost or stolen, potentially giving access to patients’ PHI. Multiple such cases already exist, as illustrated by an article published on 30 June 2013 in the Lincoln Journal Star[3], describing the loss by an individual provider of a thumb drive containing thousands of patient medical records. As a result, the provider had to send individual letters to all patients involved in the breach, as well as report the incident to the Federal Government.
Popular personal email providers (e.g. Gmail, AOL, Yahoo) are also at risk, given the high number of accounts being hacked. For example, in December 2012 a British Columbia physician’s email account was hacked and patient healthcare information was compromised, resulting in a breach.
Remember, it only takes one violation to have a potential HHS fine and a lawsuit from your patients, as well as a damaged reputation.
Means to mitigate risk
There are a number of measures aesthetic physicians should implement immediately to minimise their risk of being fined. To comply, your practice needs to:
- Establish policies and procedures on how to handle situations when PHI is lost, stolen, or improperly disclosed. Your staff needs to be trained on these policies and procedures
- Ensure PHI is encrypted
- Patients have the right to instruct their physician not to share information with insurance companies about a treatment for which the patient paid out of pocket. Your electronic health record needs to support flagging such information
- Patients have the right to obtain an electronic copy of their record within 30 days of requesting it. Your practice needs to be able to provide such a copy electronically
- Never text PHI to your staff
- Never take photos of your patient on your smart phone
- Never allow your child to use a phone that contains PHI
- Report a lost or stolen device that contains PHI.
Digital technology opportunities for aesthetic practices
With the advent of new technologies, aesthetic practices can benefit from a number of enhancements to their workflow in addition to having HIPAA-compliant means to engage patients online. AestheticLink™ (www.AestheticLink.com) is the leading HIPAA-compliant patient relationship management software provider for aesthetic physicians, with patented technology developed in Silicon Valley, California.
AestheticLink provides a secure bridge between patients and their physicians. Running within any browser and also offered as an iPhone app, AestheticLink empowers aesthetic practices to increase their revenue, decrease loss to follow-up, and increase patient satisfaction. Used by leading plastic and cosmetic surgeons throughout the US, AestheticLink is rapidly transforming the aesthetic industry by helping address the HIPAA compliancy need as well as making aesthetic practices more efficient.