Merit Career Development Blog | Entries from April 2014

Risk Analysis: Prepare Now or Pay Later

Managing risk to confidential patient health information (PHI) is not only a critical component of healthcare today; it is also a mandate of the HIPAA Omnibus Rule (HIPAA).

HIPAA mandates that organizations conduct a regular risk analysis to identify and mitigate risks to patient records and the PHI they manage in their electronic health records systems (EHRs). Failure to secure PHI and mitigate the threats and vulnerabilities identified in a risk analysis can result in investigations by the Department of Health and Human Services (HHS) and other federal and state regulatory agencies. These agencies have authority to impose millions of dollars in penalties and fines as well as extended regulatory oversight, and can do so simultaneously for the same offense.

The Situation

According to the HIPAA Omnibus Rule[1], failing to protect patient records and prevent disclosure of PHI can damage patients’ financial status, job prospects, and reputation, far exceeding the impact of their medical conditions.

The HIPAA Omnibus Rule requires Covered Entities and Business Associates to conduct regular risk analyses[2] to identify and address threats and vulnerabilities to the confidentiality, integrity and availability of patient records and the PHI they manage and maintain in electronic health information systems.

Millions of dollars in penalties and fines as well as extended regulatory oversight can result from these failures, levied after investigations by the Department of Health and Human Services (HHS) and other federal and state regulatory agencies.

Nearly 30 million patient records have been reported to HHS as compromised in breaches since 2009, according to surveys conducted by healthcare IT security consultants as recently as February 2014[3]. The report states that “(i)n 2013 alone, 199 incidents of breaches of PHI were reported to HHS impacting over 7 million patient records, a 138% increase over 2012.” These statistics do not include breaches that have not been reported to HHS.

Furthermore, HIPAA requires notification of HHS and the patients whose PHI has been breached. Such notification can negatively impact patients’ confidence in as well as the reputation of the service provider. The flip side is that patients build trust in and strengthen their loyalty for their healthcare providers when their PHI is securely managed. A reputation for private and secure management of health information can also serve as a marketing tool for the provider.

In the early roll-out of HIPAA, HHS’ history of lax oversight and few consequences for non-compliance resulted in minimal implementation of the privacy and security standards. Covered Entities lacked comprehensive compliance planning: responsibility for workforce training and accountability programs was scattered across multiple departments, and organizations took the position that electronic health records systems (EHRs) successfully producing electronic records and bills was sufficient to demonstrate HIPAA and HITECH compliance.

Meanwhile, reports of patient complaints and breaches poured into HHS by the millions. Eighty-three per cent of all large HIPAA privacy and security breaches are the result of theft, according to surveys from HHS sources reported by Healthcare IT News. More specifically, the surveys report that approximately 22% of breaches since 2009 were due to unauthorized access to PHI, 35% were attributed to theft or loss of unencrypted devices containing PHI, and 6% were due to hacking[1].

The results of HITECH’s pilot audit program demonstrated that covered entities lacked understanding of the actual privacy and security standards as well as grounding in the specific implementation requirements the standards impose on internal systems, operations and resources necessary to meet HIPAA compliance requirements.

The HIPAA Omnibus Rule amendments confirm that anything short of a comprehensive, documented and implemented risk management process will not meet HIPAA compliance requirements today. The Rule also requires that the risk management program incorporate the results of a comprehensive complaint and breach investigation procedure focused on identifying and addressing workforce errors and patient complaints within the organization. Finally, the HIPAA Omnibus Rule extends these compliance requirements to Business Associates performing services or functions for or on behalf of covered entities.

The Solution

Risk management begins with an organization-wide risk analysis, i.e. an accurate and thorough assessment and mapping of the actual use and disclosure procedures in place for PHI in all formats throughout the whole organization. This includes satellite and multi-state offices, subsidiaries, patient portals, remote access to its PHI/ePHI, and PHI/ePHI disclosed to its Business Associates.

A key component of the assessment involves identifying and planning for mitigation of reasonably anticipated human, natural and environmental threats and vulnerabilities to the organization’s internal and external processes and systems. To be most effective, a risk analysis should be conducted regularly and at key intervals when changes, upgrades and/or mergers take place. The findings from the risk analysis should be incorporated into a documented, comprehensive and regularly updated risk management strategy for the organization. This documentation is what the OCR (the HHS Office for Civil Rights) will likely request during investigations or audits to evaluate the organization’s compliance efforts.

The next round of OCR audits is scheduled to begin in October 2014. Covered Entities’ and Business Associates’ compliance with the HIPAA security standard’s risk analysis and risk management standard is in the OCR’s cross hairs. Failure to take affirmative steps towards compliance before the OCR comes a’knocking can add additional sanctions for willful neglect to corrective action plans and/or settlement agreements.

Whether the OCR is knocking on your door or not, the private and secure management of the Covered Entity’s or Business Associate’s health information is a critical aspect of quality healthcare services today. Leaders in the industry hold this as a core value for their organizations, making compliance with the HIPAA Omnibus Rule just par for the course. The availability of secure and reliable healthcare information and data to support quality treatment and services requires the practice of good IT governance and due diligence[2].

Merit's May 2014 Book Giveaway

At Merit, we read a lot, from current thought leaders to the latest research on critical management skills and adult learning theory. The concepts in these books inform our professional education programs. This month we will give away another of our favorites.

In the international bestseller, Thinking, Fast and Slow, Daniel Kahneman, the renowned psychologist and winner of the Nobel Prize in Economics, takes us on a groundbreaking tour of the mind and explains the two systems that drive the way we think. System 1 is fast, intuitive, and emotional; System 2 is slower, more deliberative, and more logical. The impact of overconfidence on corporate strategies, the difficulties of predicting what will make us happy in the future, the profound effect of cognitive biases on everything from playing the stock market to planning our next vacation: each of these can be understood only by knowing how the two systems shape our judgments and decisions. Engaging the reader in a lively conversation about how we think, Kahneman reveals where we can and cannot trust our intuitions and how we can tap into the benefits of slow thinking. He offers practical and enlightening insights into how choices are made in both our business and our personal lives, and how we can use different techniques to guard against the mental glitches that often get us into trouble. (Amazon.com)

The deadline for entries is May 15, 2014.

$6.8 Million Dollar Fine Levied for HIPAA Violation

The HITECH law puts a cap on fines that the Department of Health and Human Services (HHS) can assess for HIPAA violations at $1.5 million per incident per year. However, other federal, state and regional regulatory agencies have authority to impose fines for violations of the HIPAA privacy and security standards, and can do so simultaneously for the same offense.

Health insurer Triple-S Management Corporation (Triple-S) of San Juan was recently fined $6.8 million by the Puerto Rico Health Insurance Administration (PRHIA) for improperly handling protected health information (PHI) of 13,336 of its beneficiaries who were dual-eligible for Medicare and Medicaid. Accreditation requirements to sell insurance in Puerto Rico required Triple-S to sign a contract agreeing to maintain compliance with HIPAA or face fines and additional sanctions for violations.

The breach resulted from a September 20, 2013 incident where Triple S mailed out pamphlets to its beneficiaries with their Medicare numbers visible from the outside. Medicare numbers are unique client identifiers deemed PHI when held by or on behalf of a HIPAA covered entity. As a result of the HIPAA violations, the PRHIA assessed a $6.8 million fine and called for Triple-S to suspend dual-eligibility enrollment, notify affected individuals of their right to end their enrollment, and implement a corrective action plan to prevent future breaches.

Cooperation is Key

In this case, the fine was assessed at $500 for each of Triple-S’ 13,336 affected beneficiaries in accordance with the contract Triple-S signed with PRHIA. An additional $100,000 was assessed for its failure to cooperate with PRHIA’s investigation into the incident: providing misleading information and, in response to some requests, not supplying any information to PRHIA at all, as reported by 4Medapproved HIT Security in HIPAA Enforcement Blind Spots (March 3, 2014).

The fines levied against Triple-S put Covered Entities and Business Associates on notice about their absolute obligation of full compliance with HIPAA and implementing proper procedures for reporting and investigating breaches. This is an essential part of HIPAA compliance planning. Further, Covered Entities and Business Associates need to be aware of the concurrent authority of the Federal Trade Commission (FTC) to address HIPAA violations. The FTC can exercise regulatory oversight through corrective action plans for up to 20 years for HIPAA violations. Complying with HIPAA privacy and security standards is the right thing to do for your healthcare practice and/or business—but most important, for your patients and clients.