HME/DMEPOS Suppliers and the Importance of HIPAA Compliance

A number of breaches in the health care industry is rising at an alarming rate. According to OCR, there were more than 200 health care breaches in 2015, affecting 500 individuals. Theft, hacking, and unauthorized access/disclosure represent three top categories of all breaches, together making up for 86% of all health care breaches.

In order to avoid such unpleasantries, medical care providers are encouraged to adopt the best practices, including continuous monitoring and compliance with HIPAA Privacy Rule and Security Rule. The overall purpose of HIPAA Act is to provide patients with better access to health insurance, minor the risk of fraud and abuse, as well as to lower the overall cost of health care in the USA.

Most commonly, HME/DMEPOS equipment is a covered entity that must comply with HIPAA and it is of utmost importance for a supplier to familiarize with the rules and take the necessary steps toward compliance. The following article outlines the basic definition of HIPAA, the description of entities that are required to become HIPAA compliant, detailed steps on how to become HIPAA compliant, as well as what patients can expect from their HIPAA compliant HME/DMEPOS provider.

The Definition of HIPAA

The Health Information Profitability and Accountability Act of 1996 (HIPAA) represents a federal law which prevents a health care provider from releasing individually identifiable PHI (protected health information) without the consent of an individual. The purpose of HIPAA is to protect the confidentiality, integrity and the availability of electronic protected health information (EPHI) when stored, maintained or transmitted.

There are two types of entities affected by the HIPAA compliance:

• Covered entities that include health care providers, insurers or clearinghouses;
• Business associates, who are responsible for receiving, transmitting, maintaining or creating protected health care information on behalf of a covered entity.

The information enclosed within the PHI includes individual’s:

• past, present or future physician/mental health/condition;
• past, present or future payment for the provision of health care;
• health care provision;
• name, address, date of birth and social security number, or any other information that can be used in order to identify the individual.

Exceptions set by HIPAA Act

However, if it happens that this prohibition stands in a way of gaining access to quality health care, then a health care provider is allowed to disclose the patient’s information. This commonly occurs when a health care provider consults with other health care providers regarding the patient’s health care, or completely transfers the patient to another health care provider.

Cases in which a HME/DMEPOS provider is allowed to disclose personal health care information are:

1. To the patient him/herself;
2. In order to carry out treatment, payment or health care operations;
3. When it comes to de-identification of the data;
4. For greater public good.

In particular situations, a HME/DMEPOS supplier is obliged to disclose information to:

1. The patient who is the subject of the records;
2. The US Department of Health and Human Services (HSS) when investigating compliance with the regulations;
3. Federal Drug Administration (FDA) and can be disclosed to law enforcement officials, the medical examiners or coroners upon patient’s passing.

The HME/DMEPOS provider is not required to inform a patient of the disclosure. Still, the record of the disclosures has to be kept so that it is available to patient upon written request for six years.

Who should be in compliance?

Deciding whether a certain medical company should be a business associate or not is challenging due to a number of factors that have to be taken into consideration. Nevertheless, there are specific situations in which medical device companies fall under the category of a business associate and situations when they do not.

Firstly, if a medical company has signed a contract with a covered entity and its medical devices generate protected health information and transmit electronic protected health information directly to the provider, then a company is obliged to be a HIPAA compliant. Secondly, a medical device company is considered a business associate when it shares protected health information with another covered entity. The reason behind this is a situation in which a medical company might require a patient information, their history and condition, in order to conduct an analysis on the usefulness of a particular medical device for the patient in question.

On the other hand, there are instances in which a certain company is not considered to be a business associate, nor is it required to be HIPAA compliant. For example, if a device company sells and maintains medical devices, the compliance is not compulsory, since medical devices do not create, maintain, transmit or receive electronic protected health information on behalf of any covered entity. Additionally, there is no receipt of patient information from a covered entity by the device prior to sale. Finally, cases in which medical devices are primarily used by general public, the HIPAA compliance is not required.

If the conditions for classification as a business associate have been met, then signing a business associate agreement is compulsory for the two entities. The agreement states that the two parties are obliged to protect personal health information in accordance to HIPAA compliance. The agreement outlines the manner in which the compliance will be conducted and how protected information will be secured. Additionally, HIPAA compliant company must inform of a possible breach.

How to become HIPAA compliant?

Although some consider the process of becoming HIPAA compliant time-consuming and overwhelming, it is actually not as demanding. The complexity of an organization affects and determines the complexity of the process, as well as the way the company handles a number of procedures. If an organization regularly carries out risk analysis, formally documents security policies and procedures and conducts regular workforce training, it is bound to go through the process of compliance with ease.In any case, regardless of the size and complexity of the organization, if it fulfills all the requirements and is a covered entity, going through seven key steps is mandatory:

1. Obtain and maintain senior management support
2. Develop and implement security policies
3. Conduct and maintain inventory of EPHI (Electronic Personal Health Information)
4. Be aware of political and cultural issues raised by HIPAA
5. Conduct regular and detailed risk analysis
6. Documentation
7. Prepare for ongoing compliance

HME/DMEPOS and HIPAA compliancy

According to HIPAA, HMA/DMEPOS suppliers are required to maintain the privacy of the health care information of the patient. What HME/DMEPOS providers are obliged to do is provide patients with a copy of Privacy Note which outlines the privacy practices and ways in which the information that identifies the patient is protected.

The requirements of a HIPAA compliant providers are:

1. Notify patients of their privacy rights and explain the ways in which their information can be used;
2. Adopt and implement privacy procedures for the organization;
3. Train employees to understand the privacy procedures;
4. Select an individual to be responsible for checking whether the privacy procedures are adopted and followed;
5. Secure patient’s records containing individually identifiable health information and ensure they are not readily available for those who could exploit the data.

Actions a patient can expect from a HIPAA compliant HME/DMEPOS supplier

Patients who purchase HME/DMEPOS equipment from a HIPAA compliant provider can rest assured that their health information will be used for their treatment. All the personal information regarding the patient’s health care will be used to provide them with durable medical equipment and supplies and prescription medications. The prescription provided by the physician is recorded and determines the equipment and prescription medication a patient receives.

Furthermore, the patient can expect from their HME/DMEPOS supplier to use their health information for payment. The provider is allowed to contact the patient’s insurance company and disclose their health care information. HME/DMEPOS supplier possess the patient’s health care information, diagnosis, equipment and supplies, as well as medications on the bill.

Moreover, the patient’s health care information can be used in order to conduct health care operations. HME/DMEPOS provider often evaluates the quality of care the patient receives from them, conducts cost management assessments and plans business activities according to the patient’s health information. Namely, the provider uses this information in order to continually improve the quality and effectiveness of health care services they provide.

Penalties for HME/DMEPOS supplier for HIPAA violation

In the end, it is highly essential for HME/DMEPOS providers to familiarize themselves with possible penalties if they intentionally violate the Act. According to the requirements provided by HIPAA, a HME/DMEPOS supplier is forbidden from uncovering any personal health care information of a patient except with the patient’s consent or as otherwise permitted by HIPAA. However, if it happens that a HME/DMEPOS provider violates the HIPAA compliance, they face a multitude of unfavorable consequences, alongside with negative publicity, as well as loss of business partners and customers. Depending on the type of violation, HME/DMEPOS provider might be required to pay a fine which ranges from $100 per violation up to $50,000 per violation or even more. In certain cases, a provider might even be sanctioned with a prison sentence or lose the right to participate in Medicare.

HIPAA compliance act has been introduced to the medical industry in order to improve the quality of health care and achieve optimum level of privacy when it comes to patient’s PHI. Such changes both protect personal privacy and provide valuable benefits to the society in general. Taking everything in consideration, HME/DMEPOS providers and other companies which provide medical services and are considered business associates are advised to immerse themselves in the intricate process of HIPAA compliance. Only by implementing this act can they ensure higher level of patient privacy.