CPA Firms: Are you providing accounting services to health care providers?
The American Recovery and Reinvestment Act of 2009 (Public Law 111-5) (ARRA) which became law on February 17, 2009, includes provisions relating to Health Information Technology. Title XIII of ARRA, the Health Information Technology for Economic and Clinical Health Act (HITECH Act), made significant changes to the privacy and security rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), extending their reach and imposing breach notification requirements on HIPAA-covered entities and their business associates, which can include certain CPA firms. Business associates will become fully and directly subject to the HIPAA Privacy and Security Regulations as of February 17, 2010.
The HITECH Act also increased enforcement of, and penalties for, violations of the privacy and security of protected health information (PHI). While the Department of Health and Human Services (HHS) regulations implementing the new law became effective September 23, 2009, HHS will not impose sanctions for failure to provide notice with respect to breaches discovered before February 22, 2010.
Under established HIPAA rules, a CPA firm whose accounting services to a health care provider involve access to protected health information is considered a business associate and is thus subject to these new breach notification requirements. These services may include:
- Mergers, acquisitions and sales of medical practices
- Valuation of medical practices
- Structuring and negotiating associate agreements
- Medical practice management
- Preparation of audited financial statements
- Claims processing or administration
- Data analysis, processing or administration
- Utilization review and quality assurance
- Medical billing
- Review and analysis of fees
It is thus important for CPAs who satisfy the definition of “business associate” to review their relationships, policies and procedures to ensure that they are in compliance with these new privacy and security requirements. They should also ensure that their business associate agreements are updated.
Privacy and Security Rule Obligations
The HITECH Act requires business associates to use or disclose PHI only as permitted by their business associate agreements with covered entities, the provisions of which are dictated by HIPAA’s Privacy Rule. There are no significant new obligations under the Privacy Rule; however, the risks of non-compliance have substantially increased.
The HITECH Act also requires business associates to comply with HIPAA Security Rule’s administrative, technical, and physical safeguard requirements and to implement security policies and procedures in the same manner as a covered entity. (Previously, a business associate had limited obligations under the Security Rule, which were to implement safeguards that reasonably and appropriately protected the confidentiality, integrity, and availability of electronic protected health information). For many, this change will have the biggest impact. A business associate will also need to implement written policies and procedures that address each Security Rule standard, implement a security awareness and training program for workforce members, designate a security official, and conduct an accurate and thorough security risk analysis along with a security management process.
Breach Notification Requirements
The HITECH Act’s security breach notification provisions now require that covered entities notify individuals if their health information has been breached. In determining whether or not notice is required, two questions are important: (1) did the event qualify as a defined “breach”, and (2) was the information protected by encryption or an equivalent technology. Even if the access or release of information constituted a breach, individuals are not required to be notified if the information was protected by the use of a technology or methodology specified in guidance from the Secretary of HHS (see Guidance on Securing PHI below).
If a breach is deemed to have occurred at or by a business associate, the business associate must notify the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach. To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach, as well as any information required to be provided by the covered entity in its notification to affected individuals.
It is critical for business associates to implement a program to identify these breaches, investigate them promptly, and report them to the covered entities they serve within the agreed time frame. These new requirements apply to breaches involving both electronic and paper records.
Guidance on Securing PHI (such that new requirements do not apply)
Because notification is required for all breaches involving unsecured PHI, covered entities and their business associates can relieve themselves of reporting requirements by ensuring that their PHI is unusable, unreadable, or indecipherable to unauthorized individuals. HHS outlines two methods for properly securing PHI, encryption and destruction:
Encryption: Electronic PHI has been encrypted by the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key, and the confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt; a key kept on the same laptop, in the same backup set, or sent in the same e-mail as the data does not satisfy this condition. The following encryption processes have been identified and tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard:
- Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices
- Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated.
Destruction: The media on which the PHI is stored or recorded has been destroyed in one of the following ways:
- Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of data destruction.
- Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization such that the PHI cannot be retrieved.
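As an added illustration, not part of this article or of the HHS guidance it summarizes, the following Go program shows what the encryption condition above looks like in practice: a record is encrypted with AES-256-GCM (an authenticated mode in the NIST-approved family, from Go's standard library), and only the key, which is meant to live apart from the data, can turn it back into readable PHI. The sample record, the record identifier, and the function names are constructed for the example; where a firm actually keeps the key (a key store, HSM, or key management service on a separate device) is an assumption the deployment must satisfy, and the program does not decide that for you.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// samplePHI is a constructed record for illustration only, not real data.
const samplePHI = "MRN 000123; Doe, Jane; DOB 1970-01-01; CPT 99213; billed $145.00"

// GenerateKey returns a fresh 256-bit AES key from the OS CSPRNG. This key is
// the "confidential key" of the HHS guidance: it must be stored apart from the
// encrypted records (key store, HSM, KMS on another device), never next to them.
func GenerateKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM. The record identifier (assumed
// naming, e.g. a file or database key) is bound in as associated data so a
// ciphertext cannot be silently swapped onto another record.
// Output layout: 12-byte random nonce || ciphertext || 16-byte GCM tag.
func Seal(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends to its first argument, so the nonce is prefixed.
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open reverses Seal and fails closed: a wrong key, a wrong recordID, a
// truncated record or any modified byte yields an error, never garbled PHI.
func Open(key []byte, recordID string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], []byte(recordID))
}

func main() {
	key, err := GenerateKey()
	if err != nil {
		panic(err)
	}
	sealed, err := Seal(key, "rec-000123", []byte(samplePHI))
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed record: %d bytes, stored with the data\n", len(sealed))

	// With the key (held elsewhere) the record is readable again.
	pt, err := Open(key, "rec-000123", sealed)
	fmt.Printf("with key:     err=%v, plaintext=%q\n", err, pt)

	// Without it (a different key), or with a tampered byte, it is unreadable.
	other, _ := GenerateKey()
	_, err = Open(other, "rec-000123", sealed)
	fmt.Printf("wrong key:    err=%v\n", err)
	sealed[len(sealed)-1] ^= 1
	_, err = Open(key, "rec-000123", sealed)
	fmt.Printf("tampered:     err=%v\n", err)
}
```

The practical point for a firm is the separation, not the algorithm: the sealed record can sit on a shared drive, in a backup, or on a lost laptop and stays unreadable, but only as long as the key was never on the same media. A password-protected archive whose password travels in the same e-mail, or a key file saved in the same folder as the data, gives none of this protection and would not relieve the firm of notification.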
What Should CPA Firms Be Doing Now?
CPA firms that believe they are covered by these new rules should review their business associate agreements. They might want to modify their business relationships and the nature of the services they provide to health care entities so as to eliminate the firm’s access to PHI, and possibly eliminate the need for a business associate agreement. If a business relationship can be rearranged so that access to PHI is eliminated, or at least minimized, the risk of experiencing a reportable breach or other violation is also reduced, if not entirely eliminated.
CPA firms should improve their security and use encryption wherever possible. The new breach notification rules apply only to information that is unsecured. Accordingly, firms can reduce, if not eliminate, the likelihood that they will be involved in a reportable breach by encrypting all PHI to the extent possible. Encryption relieves the firm of notification only when it meets the HHS guidance above and the key itself has not been compromised, so how keys are stored and handled matters as much as the algorithm chosen.
CPA firms should ensure that all employees have appropriate training about the firm’s policies and procedures for ensuring the privacy and security of all PHI.
CPA firms should also develop an incident response plan. All firms should have a written incident response plan so that they will be prepared to take prompt action in the event of a breach. The plan should address both the requirements of the HITECH Act, including the deadline for notifying the covered entity, and the terms that have been agreed to with covered entities in their business associate agreements.
Enforcement and Nature of Penalties
The HITECH Act strengthens enforcement of the HIPAA rules in several ways. It establishes categories of violations that reflect increasing levels of culpability, requires that a penalty determination be based on the nature and extent of the violation and the nature and extent of the harm resulting from it, and establishes tiers of increasing penalty amounts that set the range of the Secretary’s authority to impose civil monetary penalties. The penalties range from $100 to $50,000 per violation depending upon the violation category, subject to a $1,500,000 cap for multiple violations of an identical requirement or prohibition in a calendar year. More importantly, business associates that violate the HIPAA Security Rule or the terms of their business associate agreements are now subject to the same civil and criminal penalties as covered entities. HHS issued an interim final rule (45 CFR Part 160) amending HIPAA’s enforcement regulations on October 30, 2009; the rule became effective November 30, 2009.
HHS issued interim final rules (45 CFR Parts 160 and 164) on HIPAA’s new security breach notification requirements on August 24, 2009, and they became effective September 23, 2009. HHS acknowledges that it will take considerable effort for covered entities and their business associates to comply with the new requirements; to allow organizations time to do so, HHS will not impose sanctions for failure to provide notice with respect to breaches discovered before February 22, 2010, as outlined in paragraph K, Effective/Compliance Date (pgs. 42756 - 42757) of the interim final rules.
Definitions – A glossary of terms used in this article.
Incident Response Plan – This Incident Response Plan template can be used to help you design, develop, or adapt your own plan and better prepare you for handling a breach of personal information within your organization.
An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule – A Special Publication from NIST which discusses security considerations and resources that may provide value when implementing the requirements of the HIPAA Security Rule.
Breach Notification Rule – Guidance on breach notification from the Department of Health & Human Services.
DISCLAIMER: This document has not been approved, disapproved, or otherwise acted upon by any senior technical committees of, and does not represent an official position of the American Institute of Certified Public Accountants. It is distributed with the understanding that the contributing authors and editors, and the publisher, are not rendering legal, accounting, or other professional services in this document. If legal advice or other expert assistance is required, the services of a competent professional should be sought.