CPAs working in many capacities are affected by changes in federal law that expand the requirements for maintaining patient health care data security:
- When providing consulting services to health care entities, CPAs may receive protected patient information.
- Patient data may come into possession of CPAs providing litigation support—including in divorce cases and claims by or against health care providers.
- CPAs testing internal controls as part of audit procedures may receive patient health care data.
The recent revisions to a federal law best known for its patient privacy and data security rules have important implications that CPAs will need to consider carefully in the context of the services they provide. Violators of these new regulations may be subject to civil and criminal penalties, so developing an understanding of the new rules is a must.
The Health Insurance Portability and Accountability Act (HIPAA), P.L. 104-191, is a far-reaching piece of legislation that originated in 1996, when it was known as the Kennedy-Kassebaum Act, named after the two U.S. senators who sponsored it. HIPAA contained important sections on fraud and abuse enforcement, income taxation (including expansion of the repatriation tax), and, notably, health insurance and limitations on preexisting condition exclusions and other antidiscrimination rules. Thus, it is integral to an understanding of the context of the Patient Protection and Affordable Care Act (PPACA), P.L. 111-148, as well.
As part of a comprehensive overhaul of electronic data storage and transmission requirements, 2009’s Health Information Technology for Economic and Clinical Health (HITECH) Act (passed as part of the American Recovery and Reinvestment Act of 2009, P.L. 111-5) significantly expanded the reach of HIPAA’s privacy rules beyond “covered entities,” which are defined as health plans, health care clearinghouses, and health care providers that electronically transmit health information. Regulations under the HITECH Act’s revisions to HIPAA were published as part of the HIPAA Omnibus Final Rule in January 2013 and went into effect in September 2013.
The notable changes wrought by the HITECH Act include expansion of the patient protection provisions, and more importantly for CPAs, the expansion of the requirements for maintaining patient health care data security beyond health care providers and to their “business associates.” Understanding HIPAA is thus more important than ever for CPAs with clients in the health care industry, or with clients who deal with health care industry clients.
HIPAA coined a number of defined terms that CPAs need to be familiar with to implement appropriate practices in their firms.
Protected health information
Protected health information (PHI) is individually identifiable health information that is held or transmitted by a covered entity. Individually identifiable health information is defined as information, including demographic data, that identifies the individual (or that could reasonably be used to identify the individual), relating to at least one of the following:
- The individual’s past, present, or future physical or mental health or condition;
- The provision of health care to the individual; or
- The past, present, or future payment for the provision of health care to the individual.
PHI includes individually identifiable health information transmitted by electronic media, maintained in any medium described in the definition of electronic media, or transmitted or maintained in any other form or medium. Merely knowing of the provision of health care to an individual through an engagement is considered PHI, and, for purposes of HIPAA, conversations about a patient constitute transmission of PHI. Dentists, physical therapists, home health aides, and many social workers are covered by HIPAA, in addition to physicians, hospitals, nursing facilities, imaging centers, and all forms of health care providers.
The definition of PHI is quite expansive and could include a patient’s name, names of relatives, address, names of employers, email address, fax number, telephone number, birthdate, fingerprints or voiceprints, photographic images/X-rays, Social Security number, internet address, vehicle/device serial number, medical record number, health plan number, account number, and certificate/license number.
The security rule is arguably the most important HIPAA provision. Under the security rule, electronic information must be protected during electronic exchange, technically protected against unauthorized access, and physically protected against unauthorized access. The regulations contain five general requirements for conforming to the security rule, including (1) administrative safeguards; (2) physical safeguards; (3) technical safeguards; (4) organizational policies and procedures and documentation requirements; and (5) risk analysis and risk management.
The key thing for a CPA to recognize is that once he or she has HIPAA-covered electronic PHI, he or she is required to comply with the security rule. “Electronic exchange” includes email, for example, and HIPAA requires that the sender’s email be secure and that the sender confirm that the recipient’s email is secure. Generally, any PHI transmitted must be encrypted in accordance with HIPAA’s specific encryption requirements, including authentication of the PHI recipient’s identity.
The security rule requires not only a plan for securing PHI but also regular security evaluations and training of employees and consultants who will have access to PHI. Technically, the security rule does not apply to PHI on paper, unless it was previously in electronic format. As a practical matter, because the privacy rule applies to both electronic and paper PHI, CPAs will find it necessary to physically secure paper documents to prevent unauthorized disclosure of PHI.
Knowing when a CPA becomes a business associate of a covered entity (or a covered entity’s existing business associates) is critical to understanding HIPAA responsibilities. HIPAA defines a business associate as an individual who, on behalf of a covered entity, creates, receives, maintains, or transmits PHI. Thus, CPAs can come into contact with PHI in the conduct of an audit through testing of internal controls, while consulting on a health care provider’s revenue cycle activities, or even in providing bookkeeping and accounting services. Something as simple as a client’s patient refunds account in the general ledger can constitute PHI and create security obligations.
The definition of business associate also applies to a business associate’s subcontractors. Thus, if a CPA uses independent contractors that have access to PHI, the CPA must obtain a business associate agreement (BAA) from that subcontractor. Similarly, if a CPA firm becomes a business associate of a health care provider’s existing business associate, it will need to have a BAA.
Obligations of a business associate
HIPAA’s security rule is at the heart of protecting PHI from unauthorized use and disclosure. Business associates must limit the uses and disclosures of PHI to what is permitted under the privacy rule, subject to what is allowed under the BAA. This includes compliance with the minimum necessary standards, providing breach notification to the covered entity, and providing an accounting of any disclosures.
Business associate agreement
CPAs who provide services to covered entities or other users of PHI are likely to encounter a need to sign a BAA; in fact, covered entities that share PHI with CPAs (including patient payment and demographic data) are required to obtain a BAA. Although the U.S. Department of Health and Human Services has a sample BAA on its website, in practice, BAAs vary considerably and can impose legal and indemnity obligations on a CPA that are beyond the minimum requirements. Further, such obligations can implicate the coverage provisions of a CPA’s professional liability insurance and other forms of liability insurance coverage. Thus, a CPA should never sign a BAA before thoroughly reviewing and understanding its terms. CPAs may wish to seek legal advice and consider having their own standard BAA prepared if their client base warrants it.
The minimum necessary rule provides that when protected health information is used or disclosed, only the information that is needed for the immediate use or disclosure should be made available by the covered entity. Of all the terms defined in the statute, “minimum necessary” is among the most important, because anyone needs a reason to have PHI as a condition precedent to receiving it. As suggested by the definition, it is incumbent upon the covered entity (client) not to provide a CPA with PHI unless necessary, but many unnecessary disclosures occur.
One colleague observed that HIPAA PHI is toxic, in the same manner as hazardous waste subject to the Environmental Protection Act: If you have it, you are responsible for it. Thus, a CPA should consider adding a provision to the engagement letter specifically dealing with the improper provision of PHI by a client and the related costs of securing or destroying the PHI.
Civil penalties for HIPAA violations
The statute provides four categories, or tiers, of violations that reflect increasing levels of culpability. The corresponding tiers of penalties significantly increase the minimum amount for each violation, and the maximum annual penalty is $1.5 million for all violations of an identical provision.
The tiers of violations are (1) the offender did not know it violated the provision; (2) the violation was due to reasonable cause and not willful neglect; (3) the violation was due to willful neglect but was corrected; and (4) the violation was due to willful neglect and was not corrected.
Criminal penalties for HIPAA violations
Individuals who knowingly violate the HIPAA rules also may be subject to criminal penalties. Penalties range from a fine of not more than $50,000 and/or imprisonment for not more than one year. Moreover, if the offense is committed under false pretenses, the individual can be fined up to $100,000 and/or imprisoned for up to five years. More severe penalties apply if the offense is committed with the intent to sell, transfer, or use the health information for commercial advantage, personal gain, or malicious harm. In those circumstances, monetary penalties may be as high as $250,000, with possible imprisonment for up to 10 years.
HIPAA in practice
Today’s accounting profession is as specialized as the physicians who provide patient care. PHI abounds in accounting practice, and CPAs can encounter it in many types of engagements and with clients where it may be unexpected.
PHI in auditing
Audits of the revenue cycle of a covered entity are more than likely to require access to PHI since testing compliance with billing health insurers and payers requires evaluating the services provided, the underlying diagnosis, primary and secondary insurance coverage, and a host of other data that fall squarely within the definition of PHI.
PHI in accounting and taxation
As suggested above, even the provision of routine tax and accounting services to a health care client can result in the receipt of PHI. The most common occurrence would be in a QuickBooks or other general ledger containing a patient refund account, because the definition of PHI includes merely knowing the name of a patient who received treatment from a health care provider. This simple fact creates an unexpected complexity for many small firms that otherwise receive no PHI.
PHI in consulting
CPAs provide a variety of services to health care provider entities. Many firms specialize in this area and provide revenue cycle evaluation, accounts receivable management, office work flow consulting, valuation and mergers-and-acquisitions consulting, personnel and compensation evaluation, and even billing services. These types of engagements often warrant the receipt of PHI, but the CPA should carefully consider how he or she might avoid receiving PHI.
For example, in valuing health care provider entities, it is necessary to obtain reports from the revenue cycle system that show the units, charges, payments, and adjustments by service and by insurer, as well as an aged accounts receivable. It is not necessary, however, for any of these data to contain patient-identifying information in the ordinary course.
When no PHI is necessary in the engagement, CPAs should carefully structure their data requests and be certain that the client understands that no PHI should be provided. If the CPA needs direct access to the client’s revenue cycle system containing PHI during the engagement, a BAA will be required, but the CPA should consider whether maintaining any written or electronic patient-identifying information in workpapers is necessary or whether de-identified information would permit the CPA to accomplish the engagement goal. Leaving all physical and electronic PHI in the client’s office may result in the CPA avoiding having to implement a costly physical and electronic security plan, while still being responsible for maintaining the confidentiality of any PHI seen.
PHI in litigation support
The number of possible litigation engagements where PHI might be involved is perhaps limitless, but common examples include divorce matters and claims for damages by or against health care providers. CPA experts should realize that lawyers who specialize in marital dissolution matters or damages litigation may be completely unaware of HIPAA. Due to the broad reach of legal discovery, it may be relatively easy for legal counsel to obtain PHI, even when it is not necessary for the expert’s engagement; opposing counsel may be unaware of HIPAA as well.
HIPAA provides specific rules for court orders to obtain PHI, but many judges are unfamiliar with the rules as well. Many attorneys provide experts with a “data dump” so that the expert needs to sort through the material and determine what is relevant. CPAs attending depositions or obtaining deposition transcripts will often see PHI. Clearly, where PHI is concerned, the expert should see only those data, if any, constituting the minimum necessary for the task.
Forensic experts should be extremely cautious with any health care engagement. Searching for unreported income is more than likely to require access to significant levels of PHI, requiring a BAA and implementation of a security plan, training, and ongoing evaluation.
PHI in the CPA’s office
HIPAA imposes obligations on a CPA firm beyond those that seem readily apparent. For example, modern copiers and fax machines use computer hard drives. If a copier maintenance person has access to a hard drive that has been used to copy PHI for inclusion in workpapers, the CPA firm is likely required to obtain a BAA from the maintenance person. Of course, selling or trading in a copier with a hard drive requires removal of all PHI in accordance with HIPAA’s data security rule, which means that any PHI is unrecoverable using modern forensic data reconstruction techniques.
Another example arises when document shredding companies are hired to destroy workpapers that are outside the firm’s retention period. If these workpapers contain PHI, the CPA firm is likely required to obtain a BAA from the shredding company.
PHI outside the health care industry
It is not necessary to be servicing covered entity clients to come into contact with PHI. As the term “business associate” demonstrates, a CPA providing services to a business associate of a health care provider can easily become a business associate as well. A CPA firm might audit a company that provides medical billing services and writes refund checks to patients on behalf of its health care clients that are part of an internal controls testing program. A firm might specialize in providing consulting, accounting, and tax services to law firms and come into contact with PHI as a result of designing a document retention and retrieval system. The possible engagements are nearly endless.
Firms: Avoid liability
The modifications to HIPAA provide significant challenges and obligations for CPAs who come into contact with protected health information. Firms can protect themselves from unnecessary liability by being certain to avoid any PHI that is not the minimum necessary, or by requesting the health information be de-identified by removing identifiers, to accomplish their engagement. Engagement letter provisions should be considered that cause the client to be liable for costs and damages for unwarranted disclosure of PHI to the CPA firm.
New regulations have caused many CPA services to become subject to patient health care data security rules under the Health Insurance Portability and Accountability Act (HIPAA).
Under HIPAA, electronic information must be protected during electronic exchange, technically protected against unauthorized access, and physically protected against unauthorized access.
Where possible, CPAs should try to limit their liability by minimizing exposure to patient health care data and structuring engagement letters to make the client liable if patient health care data are unnecessarily provided to the CPA. When exposure to these data is necessary, appropriate data security controls must be implemented.
Mark O. Dietrich (email@example.com) is the owner of Mark O. Dietrich CPA PC in Framingham, Mass.
To comment on this article or to suggest an idea for another article, contact Ken Tysiac, editorial director, at firstname.lastname@example.org or 919-402-2112.
- “The Sec. 4980H Assessable Payment for Large Employers,” July 2014, page 24
- “Health Care Reform Essentials,” July 2014, page 30
- “Claiming the Small Employer Health Insurance Tax Credit,” Feb. 2014, page 48
- “Planning for ‘Play or Pay’: New Employer Health Care Rules,” June 2013, page 58
- Health Care Reform Act: Critical Tax and Insurance Implications (#745814, text; #155813, one-year online access)
For more information or to make a purchase, go to cpa2biz.com or call the Institute at 888-777-7077.