HIPAA compliance remains a critical concern for all providers, particularly those in the Durable Medical Equipment, Prosthetics, Orthotics, and Supplies (DMEPOS) sector. I understand that as busy as we are with patient care and getting paid, the other regulations that don’t seem so “in your face” can bite you hard. I want to explore some aspects of the HIPAA requirements, common pitfalls, enforcement trends and why understanding how these regulations impact your daily operations is crucial. 

HIPAA's Privacy and Security Rules set stringent standards for protecting patients' Protected Health Information (PHI). The Privacy Rule covers PHI in every form, whether it is stored electronically, kept on paper, or communicated verbally; the Security Rule adds specific administrative, physical, and technical safeguards for electronic PHI (ePHI), aimed at its confidentiality, integrity, and availability. For P&O providers, this means implementing robust safeguards across all of those channels, not just the practice management system. 

Key requirements include: 

  • Conducting regular risk assessments 

  • Implementing physical, technical, and administrative safeguards 

  • Training staff on HIPAA compliance 

  • Developing and maintaining policies and procedures for PHI handling 

  • Establishing business associate agreements with vendors. 

In the fast-paced environment of a prosthetics and orthotics practice, HIPAA violations can occur unintentionally. For example, a prosthetist discussing a patient's amputation details in a waiting area could inadvertently violate HIPAA. Similarly, an orthotist sending an unencrypted email with a patient's measurements and medical history to a manufacturer exposes that PHI to anyone who can read the message in transit or in the recipient's mailbox. Other common mistakes include leaving patient files unsecured in public spaces or exam rooms, discussing patient information with anyone not directly involved in or consulting on the patient's care, failing to obtain proper authorization before disclosing PHI, and neglecting to update your security measures or to train staff on them. 

The Office for Civil Rights (OCR) and the Office of Inspector General (OIG) have intensified their enforcement efforts in recent years. OCR's "Right of Access" initiative, launched in 2019, has resulted in numerous settlements, emphasizing the importance of providing patients timely access to their medical records. 

In the DMEPOS sector, "Operation Brace Yourself" serves as a stark reminder of the scrutiny faced by providers. This nationwide fraud takedown in 2019 exposed a $1.2 billion scheme involving illegal kickbacks and bribes paid in exchange for medical equipment prescriptions. While primarily focused on fraud, the operation also uncovered numerous HIPAA violations, highlighting how closely billing compliance and privacy compliance are intertwined. 

Incentives for whistleblowers and the piercing of corporate veils: 

HIPAA includes provisions to protect whistleblowers who report violations in good faith. These protections extend to workforce members who disclose PHI to health oversight agencies or public health authorities, to attorneys for the purpose of determining legal options, and to accreditation organizations. Financial incentives for whistleblowers generally come through the False Claims Act (FCA), which allows individuals to file qui tam lawsuits on behalf of the government. Successful cases can result in whistleblowers receiving 15-30% of the recovered funds. For DMEPOS providers, this means an employee who reports fraudulent billing practices stands to collect a substantial reward. A HIPAA violation on its own is not a false claim, but privacy and security failures are routinely uncovered once an FCA investigation starts looking at your records. 

The DOJ reported obtaining $2.68 billion in settlements and judgments from civil cases involving fraud and false claims against the government in fiscal year 2023. Of that, $2.3 billion arose from qui tam lawsuits, highlighting the DOJ's heavy reliance on whistleblowers to identify and pursue FCA cases. The DOJ has also announced a Corporate Whistleblower Awards Pilot Program, which provides additional incentives for individuals to report wrongdoing. Because the DOJ is piercing corporate veils when it comes to fraud and emphasizing individual accountability, the incentive to become a whistleblower is heightened: an employee who knows about misconduct and stays silent now carries personal exposure, while one who reports it may be rewarded. 

If you have ever:  

  • Shared before and after photos or videos of patients without written authorization? 

  • Lost a laptop containing unencrypted patient data? 

  • Disposed of old molds or mods with patient information still attached? 

  • Shared your login or otherwise allowed unauthorized access to electronic health records? 

  • Transmitted patient data in an unsecured manner? 

You might be a breacher! 

If you said yes to any of the above, ensure that your data protection policies are up to date and that your staff is properly trained. If you experience even a potential breach, you have an obligation to investigate and determine the who, what, when, where, why and how of the incident. Under the Breach Notification Rule, an impermissible use or disclosure of PHI is presumed to be a reportable breach unless your documented risk assessment shows a low probability that the PHI was compromised. All of this must be documented. 

If a breach occurs: 

  • Conduct a thorough investigation to determine the extent of the breach 

  • Implement measures to mitigate any potential harm 

  • Notify affected individuals without unreasonable delay, and in no case later than 60 days after discovery 

  • Report breaches affecting 500 or more individuals to HHS at the same time individuals are notified, and to prominent media outlets when more than 500 residents of a state or jurisdiction are affected; smaller breaches must still be logged and reported to HHS annually 

  • Document the breach and response efforts 

Navigating HIPAA compliance in the DMEPOS sector, particularly in prosthetics and orthotics, requires a delicate balance of patient care, privacy protection, and regulatory adherence. By understanding the unique challenges faced in this field, implementing robust compliance programs, and staying informed about enforcement trends, you can ensure that you are delivering high-quality care while safeguarding patient privacy. 

Remember, HIPAA compliance is not just about avoiding penalties—it's about building trust with patients and maintaining the integrity of the healthcare system. As technology continues to advance in the field of prosthetics and orthotics, so too must our commitment to protecting patient information.
