AMARILLO, TX – In addition to a general compliance program that deals with preventing, detecting, and remediating fraud and abuse, durable medical equipment (“DME”) suppliers also need a privacy compliance program to ensure compliance with federal and state privacy laws. DME suppliers operating internationally will need to comply with ever-increasing international privacy laws as well.
Whether a durable medical equipment supplier is a covered entity, has business associates, or is a business associate, there are lessons to learn from the Office for Civil Rights’ (OCR) settlement agreements.
In particular, the OCR outlines what it considers to be best practices for HIPAA privacy compliance programs in its corrective action plans (“CAPs”). Although this article will focus on the OCR’s best practices for HIPAA compliance, DME suppliers should also review applicable state privacy laws when developing and maintaining a privacy compliance program.
On May 16, 2023, the OCR announced a $350,000 settlement with a business associate (the “BA”) over a breach affecting over 200,000 individuals. According to the Resolution Agreement, on May 4, 2018, the BA discovered that a server containing protected health information (“PHI”) had been unsecured and accessible on the internet since January 1, 2018. The breach affected the PHI of 230,572 individuals spanning two covered entities. The OCR’s investigation found:
- The PHI of 230,572 individuals had been disclosed by being accessible on the internet.
- The BA failed to enter into a business associate agreement with a subcontractor.
- The BA’s assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI (“ePHI”) held by it as a business associate was not sufficiently accurate or thorough.
Under HIPAA regulations, “unsecured” PHI means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons. In these types of cases, the PHI is unsecured because it could have been accessed and read by an unauthorized user. While actual access is not required for an incident to be a breach under HIPAA, in this case the OCR found evidence that at least one unauthorized individual viewed the PHI during the time the server was potentially accessible to the public.
In addition to the monetary settlement, the BA agreed to enter into and comply with a Corrective Action Plan (“CAP”) for two years; the CAP will end in 2025. From the CAP, we can see what OCR considered to be best practices in a privacy program. While this CAP was focused on the business associate, the key elements are applicable to both covered entities and business associates.
Conduct a Risk Analysis
The CAP requires that the BA conduct an accurate and thorough analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, programs and applications controlled, administered, owned, or shared by the entity or its affiliates that contain, store, transmit or receive ePHI. Note that the OCR expects the analysis to cover the entire organization and not just subparts. The process needs to include a complete inventory of all electronic equipment and data systems, on-site or off-site, and applications that contain or store ePHI. For electronic equipment, an entity should consider mobile devices and workforce-owned devices that have access to ePHI, in addition to company-owned or issued equipment.
The Risk Analysis needs to document the security measures the entity implemented or is implementing to sufficiently reduce the identified risks and vulnerabilities to a reasonable level. It may also be useful to document that security measures employed are consistent with commonly accepted security standards as evidence that the security measures employed were reasonable. The Risk Analysis must be conducted annually and updated as new risks are identified. It is important to update or supplement a Risk Analysis when, for example, a DME supplier implements new technology, equipment, or applications.
Develop and Implement a Risk Management Plan
The CAP requires that the BA develop an enterprise-wide risk management plan to address and mitigate any security risks identified in the Risk Analysis. The OCR expects the risk management plan to cover an entire organization’s operations. The risk management plan needs to include a process and timeline for implementation, evaluation, and revision of the entity’s remediation activities. In our experience, the risk management plan should also identify the people responsible for implementing the remedial actions. Also, periodic reporting on progress of the risk management plan to the DME supplier’s top-level leadership, compliance committee, or governing board can help drive plans to completion and show the DME supplier’s commitment to privacy compliance.
Written Policies and Procedures
The CAP requires that the BA develop and maintain written policies and procedures to comply with HIPAA. The HIPAA regulations include many privacy and security provisions that need to be translated into policies and procedures specific to the DME supplier’s structure and operations. The OCR expects an entity’s privacy and security policies to be revised as needed to address changes in the law or operations. In our experience, privacy policies and procedures also need to take into account the requirements of applicable state law. Some states, for example, may require additional reporting to the state’s attorney general of privacy breaches.
The OCR also expects that the policies and procedures are distributed at least annually to all workforce members who have access to PHI. Many DME suppliers post their policies and procedures on internal websites or systems accessible by workforce members. It’s a good idea to routinely publicize the existence of the policies and procedures so workforce members know where to look when they have policy questions. DME suppliers should also consider routinely highlighting key policies and procedures responsive to the risks of the DME supplier.
Because the OCR found that the BA failed to enter into a business associate agreement with a subcontractor, OCR specified that the BA needs to have policies and procedures addressing business associate agreements. This is a good reminder for DME suppliers to verify that they have business associate agreements with their business associates when they are the covered entity in the relationship, and to have business associate agreements with subcontractors when they are acting as a business associate. Enforcement of the requirement to have business associate agreements is often seen as “low-hanging fruit” as the entity either has or lacks the required agreements. A DME supplier should consider maintaining a contracting process that includes:
- An evaluation of whether a business associate agreement is needed for each business relationship;
- An internal process to ensure the business associate agreement, when needed, is signed at the same time as the underlying agreement; and
- An internal mechanism to track the identity of all business associates and whether a signed business associate agreement is on file.
Workforce Training
Lastly, the CAP requires that the BA conduct HIPAA privacy and security training for all workforce members who have access to PHI. Keep in mind that “workforce” includes more than just employees. HIPAA defines “workforce” broadly to mean employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate. A best practice is to include training on compliance with the entity’s specific privacy and security policies and procedures, in addition to more general HIPAA concepts and rules.
OCR also has best practices for the schedule of when training should occur:
- Training of new workforce members should occur within 30 days of their beginning service.
- Re-training of existing workforce members should occur annually.
- Entities should require workforce members to attend training and certify, in electronic or written form, that they received the training, and record the date of the training. Entities need to retain training materials to be able to show that training occurred and the content of the training.
The above outlines some key best practices gleaned from a recent CAP document. A DME supplier’s actual privacy compliance program should have other elements described in its policies and procedures. A well-developed privacy compliance program should prevent, detect, and correct privacy and security issues, with tactics tailored to the particular risks of the DME supplier.
Phuong D. Nguyen, JD, CHC is a senior attorney in the Health Care Group at Brown & Fortunato, PC, a law firm with a national health care practice based in Texas. He represents pharmacies, hospitals, physician groups, DME companies, manufacturers, and other health care providers throughout the United States. Mr. Nguyen can be reached at (806) 345-6307.
Jeffrey S. Baird, Esq., is chairman of the Health Care Group at Brown & Fortunato, PC, a law firm with a national health care practice based in Texas. He represents pharmacies, infusion companies, HME companies, manufacturers and other health care providers throughout the United States. Mr. Baird is Board Certified in Health Law by the Texas Board of Legal Specialization and can be reached at (806) 345-6320.