Jeb Molony

The HIPAA Omnibus Rules go into effect September 23, 2013 and will bring a sweeping change to the health care industry. These rules have been described by the head of the Office of Civil Rights as "the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented." (AMA The HIPAA Omnibus Final Rule Summary). The majority of the changes deal with the protection of electronic protected health information (e-PHI) and the need for a medical practice to safeguard against and report breaches of such data. The key to determining whether data may be classified as PHI is to ask whether a third party who comes into possession of the data could learn about a specific person's health information.

Credit card processing is one of the major forms of payment received by medical practices, and is continuing to grow as the economy becomes more and more paperless. Most people do not consider the information that is transmitted when a credit card is processed nor the potential consequences of a breach. The most basic elements that transmit are who is processing the card (the name of the doctor), the name of the credit card holder (the patient) and the time and date (a means to pinpoint the doctor's visit). A third party who comes into possession of the credit card data could learn information of a specific patient thus knowing the type of doctor and time of visit. For HIPAA purposes this makes credit card data ePHI.

Medical practices must familiarize themselves with their credit card processing companies terms and service in order to determine whether a certain processor is taking precautions within the spirit of HIPAA. With the new Omnibus Rules the two most important events take place before a breach and after a breach. Before a breach a medical practice should review its Business Associate Agreements (BAA) with all of its vendors who have access to any PHI, these should be revised and reconsidered. After a breach the auditing and reporting process becomes tedious if the right systems were not in place prior to the breach. Post breach audits will require review and proof of what occurred during the alleged breach which means data and audit trails. Every medical practice should review the policies of their credit card processor to look for the support or in some cases indemnification for approved expenses during an audit.

The new HIPAA rules make electronic data even more important to safeguard and monitor than ever before. In addition to the new rules is the new economy where virtual wallets and faster payment means new access points for data breach. Medical practices have a lot to consider from a workflow and protection standpoint after the new rules go into effect. However, with a little planning and the proper information a medical practice may be able to prevent and protect itself from many of the issues surrounding e-PHI and credit card processing.