With all the talk about HIPAA over the past decade, most people in the U.S. now expect their confidential health care information and records (collectively “PHI”) to be just that…confidential. We expect our providers to assure its privacy and security. But this is not always the case. Read about this incident.

In September 2008, Parkview Hospital in Ohio took custody of approximately 5,000 to 8,000 patient records pertaining to a retiring physician’s medical practice. Parkview was considering purchasing some of the physician’s practice and was assisting the retiring physician to transition her patients to new providers. By taking custody of the PHI, Parkview assumed the responsibility for the private and secure management of the retiring physician’s PHI. However, on June 4, 2009, despite having custody of the records and with knowledge that the retiring physician was not at home at the time of the incident, Parkview employees left 71 cardboard boxes of medical records on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue. This action exposed the PHI to unauthorized access and constituted a HIPAA breach.¹

The retiring physician reported the breach to the Department of Health and Human Services (HHS), resulting in an investigation by its Office of Civil Rights (OCR). Parkview cooperated with the OCR investigation. The outcome was an $800,000 civil money sanction and a corrective action plan requiring the revision of Parkview’s policies and procedures, staff training and regular reports to OCR on compliance with the corrective action plan. The extended regulatory oversight and related costs for auditors can be a greater sanction and intrusion into daily operations than any sanction check that has to be written.

HIPAA and HITECH mandate that healthcare providers and managing healthcare entities are responsible for the privacy and security of PHI from the time it is created until the time it is securely destroyed. This includes implementing and monitoring PHI policies and procedures as well as training and monitoring staff compliance with them. Failure to do so can subject healthcare providers or entities to sanctions and regulatory oversight through corrective action plans. HIPAA regulations have been in effect since 2003. HITECH regulations, enacted in 2009, have heightened sanctions for failing to protect PHI, including added sanctions up to $1.5M per year for willful neglect levied against covered entities that can demonstrate no reasonable efforts towards HIPAA/HITECH compliance.

It’s hard to believe that breaches such as the above incident are still taking place. But the OCR confirms that it is quite busy with similar investigations. It is starting up its random audit program again in October 2014 to get the message across that HIPAA/HITECH compliance is mandatory. The message from HHS is that sanctions will increase when non-compliance is identified such as in the case cited above and those noted on its Wall of Shame at www.hhs.gov.

¹See $800,000. HIPAA Fine- Blatant Violations Continue to Occur, www.Medlaw.com, posted June 25, 2014

In this era of HIPAA enforcement, it is important to understand the fundamental role of the privacy regulations. Privacy outlines the big picture for compliance. Failing to understand and implement privacy's administrative, technical and physcial safeguards can be a costly miscalculation.

Privacy regulations have been in effect since 2003 and are updated regularly on the Department of Health and Human Services’ (HHS) website.

These regulations list compliance requirements for protected health information (PHI) in all formats (oral, paper or electronic). Security regulations are a subset of privacy limited to PHI in electronic format (ePHI). Privacy encompasses the big picture for compliant access, use, and disclosure of all PHI, including ePHI. Investing the staff, resources and time necessary to meaningfully implement privacy regulations is the entrée to compliance and a prudent business decision.

Prior to 2009, regulated organizations were primarily self-monitoring. The lack of outside accountability precipitated the major investment of staff and resources allocated for HIPAA compliance being directed towards building and supporting electronic health records systems. Fewer resources were dedicated to the less concrete, yet more comprehensive, role of privacy. Responsibility for patients’ and clients’ rights; uses and disclosures of PHI; role-based access issues; business associates; and other privacy issues were disbursed over many departments. This resulted in insufficient compliance, lax oversight and a high occurrence of violations.

HITECH’s enactment in 2009 refocused HIPAA enforcement on the privacy regulations.

HITECH mandates the implementation of complaint and breach report procedures, requires accountability for management of PHI, establishes higher sanctions for violations including a new category for willful neglect, and initiated a random audit program for an expanded list of regulated organizations by HHS’ Office of Civil Rights (OCR).

More federal and state regulatory agencies, including FTC and states’ attorney generals, now coordinate with HHS’ enforcement actions. Their websites regularly post results of enforcement actions as notice and guidance for regulated organizations. Most violations settle with corrective action plans (CAPs); some include fines tipping millions of dollars.

Many CAPs require hiring auditors to monitor and report to HHS on CAP compliance, particularly revising policies and procedures and workforce training programs (basic privacy administrative safeguards) over a period of years. As the following three cases from HHS’ website confirm, HHS is serious about privacy compliance.

Continue reading "HIPAA Privacy and Security, Perfect Together"

Managing risk to confidential patient health information (PHI) is not only a critical component of healthcare today; it is also a mandate of the HIPAA Omnibus Rule (HIPAA).

HIPAA mandates that organizations conduct a regular risk analysis to identify and mitigate risks to patient records and the PHI they manage in their electronic health records systems (EHRs). Failure to secure PHI and mitigate the threats and vulnerabilities identified in a risk analysis can result in investigations by the Department of Health and Human Services (HHS) and other federal and state regulatory agencies. These agencies have authority to impose millions of dollars in penalties and fines as well as extended regulatory oversight, and can do so simultaneously for the same offense.

The Situation

According to the HIPAA Omnibus Rule (HIPAA Omnibus Rule)¹, Failing to protect patient records and prevent disclosure of PHI can damage patients’ financial status, job prospects, and reputation, far exceeding the impact of their medical conditions.

The HIPAA Omnibus Rule requires Covered Entities and Business Associates to conduct regular risk analyses² to identify and address threats and vulnerabilities to the confidentiality, integrity and availability of patient records and the PHI they manage and maintain in electronic health information systems.

Millions of dollars in penalties and fines as well as extended regulatory oversight can result from these failures, levied after investigations by the Department of Health and Human Services (HHS) and other federal and state regulatory agencies.

Nearly 30 million patient records have been reported to HHS as compromised in breaches since 2009, according to surveys conducted by healthcare IT security consultants as recently as February 2014[3]. The report states that “(i)n 2013 alone, 199 incidents of breaches of PHI were reported to HHS impacting over 7 million patient records, a 138% increase over 2012.” These statistics do not include breaches that have not been reported to HHS.

Furthermore, HIPAA requires notification of HHS and the patients whose PHI has been breached. Such notification can negatively impact patients’ confidence in as well as the reputation of the service provider. The flip side is that patients build trust in and strengthen their loyalty for their healthcare providers when their PHI is securely managed. A reputation for private and secure management of health information can also serve as a marketing tool for the provider.

In the early roll-out of HIPAA, HHS’ history of lax oversight and few consequences for non-compliance resulted in minimal implementation of the privacy and security standards. Covered Entities lacked comprehensive compliance planning, allocating responsibility over multiple departments to provide workforce training and accountability programs and taking the position that electronic health records systems (EHRs) successfully producing electronic records and bills was sufficient to demonstrate HIPAA and HITECH compliance.

Meanwhile, reports of patient complaints and breaches poured into HHS by the millions. Eighty-three per cent of all large HIPAA privacy and security breaches are the result of theft, according to surveys from HHS sources reported by Healthcare IT News. More specifically, the surveys report that approximately 22% of breaches since 2009 were due to unauthorized access to PHI, 35% were attributed to theft or loss of unencrypted devices containing PHI, and 6% were due to hacking¹.

The results of HITECH’s pilot audit program demonstrated that covered entities lacked understanding of the actual privacy and security standards as well as grounding in the specific implementation requirements the standards impose on internal systems, operations and resources necessary to meet HIPAA compliance requirements.

The HIPAA Omnibus Rule amendments confirm that anything short of a comprehensive, documented and implemented risk management process will not meet HIPAA compliance requirements today. It also requires that risk management program incorporate the results of a comprehensive complaint and breach investigation procedure focused on identifying and addressing workforce errors and patient complaints within the organization. Finally, the HIPAA Omnibus Rule extends these compliance requirements to Business Associates performing services or functions for or on behalf of covered entities.

The Solution

Risk management begins with an organization-wide risk analysis- i.e. an accurate and thorough assessment and mapping out of actual use and disclosure procedures in place for PHI in all formats throughout the whole organization. This includes satellite and multi-state offices, subsidiaries, patient portals, remote access to its PHI/ePHI, and PHI/ePHI disclosed to its Business Associates.

A key component of the assessment involves identifying and planning for mitigation of reasonably anticipated human, natural and environmental threats and vulnerabilities to the organization’s internal and external processes and systems. To be most effective, a risk analysis should be conducted regularly and at key intervals when changes, upgrades and/or mergers take place. The findings from the risk analysis should be incorporated into a document comprehensive and regularly updated risk management strategy for the organization. This documentation is what the OCR will likely request during investigations or audits to evaluate the organization’s compliance efforts.

The next round of OCR audits is scheduled to begin in October 2014. Covered Entities’ and Business Associates’ compliance with the HIPAA security standard’s risk analysis and risk management standard is in the OCR’s cross hairs. Failure to take affirmative steps towards compliance before the OCR comes a’knocking can add additional sanctions for willful neglect to corrective action plans and/or settlement agreements.

Whether the OCR is knocking on your door or not, the private and secure management of the Covered Entity’s or Business Associate’s health information is a critical aspect of quality healthcare services today. Leaders in the industry have this as a critical core value for their organizations, making compliance with the HIPAA Omnibus Rule just par for the course. The availability of secure and reliable healthcare information and data to support quality treatment and services requires the practice of good IT governance and due diligence². Continue reading "Risk Analysis: Prepare Now or Pay Later"