We have seen numerous indications over the last several months that the Department of Health and Human Services’ Office of Civil Rights, the agency responsible for enforcing HIPAA regulations, plans to take an increasingly aggressive approach to enforcement.
Throughout 2014, fines and penalties levied for HIPAA violations have been increasing in a clear attempt to draw attention to the serious implications of non-compliance and the magnitude of consequences a covered entity or business associate may face as the result of a breach. HSS official, Jerome Meites, told the American Bar Association last June not to expect a relaxing of the intense enforcement by OCR any time soon because “they think they can affect the industry with high-impact cases.”
OCR has reported that the compliance issues investigated most are:
- Impermissible uses and disclosures of protected health information;
- Lack of safeguards of protected health information and ePHI;
- Lack of patient access to their protected health information; and
- Uses or disclosures of more than the minimum necessary protected health information.
With OCR focused on these issues and a new round of HIPAA Audits anticipated for early next year, we strongly advise clients, and any covered entity or business associate subject to HIPAA regulation to be aware of necessary steps to avoid compliance gaps that may trigger an investigation or lead to a breach.
Impermissible Uses and Disclosure of ePHI
Speaking to the ABA, Mr. Meites went on to declare that “portable media is the bane of existence for covered entities…It causes an enormous number of the complaints that OCR deals with.”
We have seen several cases where the loss of a laptop or misuse of an external hard drive can lead to a costly or even crippling fine. Organizations must know where their data is being stored and how it is being accessed. Strong encryption; a must for all mobile media should also be strongly considered across all systems and, for any data is left unencrypted, the organization must clearly justify and document the risk analysis. Working with clients, we find that many struggle to identify where PHI and ePHI are stored and exactly who has access. This is not only a high risk of data breach but it is also a hot button for investigators that can result in stiff penalties.
One unencrypted laptop or mobile device left unguarded, lost or stolen can be like leaving a stack of patient files lying on the table in the hospital cafeteria. It is more likely akin to leaving the whole file cabinet or virtually all the data managed within your organization exposed in a public place. With the convenience of mobile and remote access comes greater risk and, if your organization is not careful, greater liability.
Lack of Safeguards to Manage ePHI
Again, speaking to members of the ABA and reported by Law360, Mr. Meites noted that:
Failure to perform a comprehensive risk analysis, as required under HIPAA, has factored into most of the cases involving monetary settlements. “You really have to think carefully about what a risk analysis involves, and it can’t just be the obvious,” Mr. Meites said. “Everywhere in your system where [patient information] is used, you have to think about how to protect it.”
To perform a thorough risk assessment, we have to help clients drill down into their systems and processes to answer these difficult, but critical questions. Not fully understanding your organization’s risk can actually multiply the risks unnecessarily. As Mr. Meites stated, a risk assessment must go beyond the obvious. This is often a challenging task but neglecting to do can frustrate officials and lead to heavier penalties as well.
Lack of Patient Access to their ePHI
Subsequent to HIPAA, the Affordable Care Act mandates that patients have access to their own health data. Until now, the government has largely overlooked enforcement on this issue but that has begun to change.
Former White House CTO Aneesh Chopra recently spoke at VentureBeat’s HealthBeat Conference and reported that “HHS is issuing fines of $20,000 a day on average if they don’t give patients their data.”
This new focus of HHS/OCR may present technical and procedural challenges for many healthcare providers and facilities. But it seems clear that the grace period is over and compliance with this provision of the ACA is to be enforced.
Unnecessary Uses and Disclosures of PHI
OCR also reported the disclosure of “more than the minimum necessary protected health information” as a top trigger for corrective action. An example of this that many organizations could fall into is found in the inappropriate, often inadvertent, sale or sharing of PHI in marketing.
Attorney Brad Rostolsky explained to HealthcareInfoSecurity.com that:
“When it comes to marketing, if a party out there is being paid by a covered entity or is paying a covered entity, if the covered entity is involved in sending various communications out to patients marketing the product made by the initial company, there are various ways for some of that to be OK, but it becomes more challenging as the business relationships become more complex,” he said.
Rostolsky calls these marketing arrangements, with loose parameters around the use of PHI, the “low hanging fruit” for enforcement targeting certain Business Associates arrangements. As with any BA agreement, healthcare providers cannot enter into such third party arrangements assuming that the vendor will understand or respect HIPAA regulated information that they may have access to. It is the responsibility of the covered entity to ensure that the appropriate lines are clearly drawn.
I often say that “compliance is more than a checklist.” The steps required to reach and maintain compliance vary by organization and change as each organization grows and changes. HIPAA allows for a degree of ambiguity to allow organizations to reach compliance by the path that makes the most sense for their situation. But, if I were pressed to give a list of priority compliance steps to take in this current compliance enforcement climate, I would encourage covered entities and business associates to begin by focusing on these four most common areas. Not only do these areas encompass a great deal of the risk your organization may be facing but they are also where your organization may receive the most scrutiny from officials in 2015.
It is important to note that HIPAA is a law. There are legal considerations and implications that only an attorney can address for you, especially if your organization finds itself the target of an investigation. However, there are technical aspects which should be addressed, making every effort to avoid becoming part of an investigation. If your organization cannot readily identify where your PHI and ePHI may be stored and all points of access, or if you have not had a recent risk assessment as required by HIPAA, please contact us to get your organization on the road to compliance.