With all the talk about HIPAA over the past decade, most people in the U.S. now expect their confidential health care information and records (collectively “PHI”) to be just that…confidential. We expect our providers to assure its privacy and security. But this is not always the case. Read about this incident.

In September 2008, Parkview Hospital in Ohio took custody of approximately 5,000 to 8,000 patient records pertaining to a retiring physician’s medical practice. Parkview was considering purchasing some of the physician’s practice and was assisting the retiring physician to transition her patients to new providers. By taking custody of the PHI, Parkview assumed the responsibility for the private and secure management of the retiring physician’s PHI. However, on June 4, 2009, despite having custody of the records and with knowledge that the retiring physician was not at home at the time of the incident, Parkview employees left 71 cardboard boxes of medical records on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue. This action exposed the PHI to unauthorized access and constituted a HIPAA breach.¹

The retiring physician reported the breach to the Department of Health and Human Services (HHS), resulting in an investigation by its Office of Civil Rights (OCR). Parkview cooperated with the OCR investigation. The outcome was an $800,000 civil money sanction and a corrective action plan requiring the revision of Parkview’s policies and procedures, staff training and regular reports to OCR on compliance with the corrective action plan. The extended regulatory oversight and related costs for auditors can be a greater sanction and intrusion into daily operations than any sanction check that has to be written.

HIPAA and HITECH mandate that healthcare providers and managing healthcare entities are responsible for the privacy and security of PHI from the time it is created until the time it is securely destroyed. This includes implementing and monitoring PHI policies and procedures as well as training and monitoring staff compliance with them. Failure to do so can subject healthcare providers or entities to sanctions and regulatory oversight through corrective action plans. HIPAA regulations have been in effect since 2003. HITECH regulations, enacted in 2009, have heightened sanctions for failing to protect PHI, including added sanctions up to $1.5M per year for willful neglect levied against covered entities that can demonstrate no reasonable efforts towards HIPAA/HITECH compliance.

It’s hard to believe that breaches such as the above incident are still taking place. But the OCR confirms that it is quite busy with similar investigations. It is starting up its random audit program again in October 2014 to get the message across that HIPAA/HITECH compliance is mandatory. The message from HHS is that sanctions will increase when non-compliance is identified such as in the case cited above and those noted on its Wall of Shame at www.hhs.gov.

¹See $800,000. HIPAA Fine- Blatant Violations Continue to Occur, www.Medlaw.com, posted June 25, 2014

May 2014

The Department of Health and Human Services (HHS) entered into settlements totaling $4.8 million with New York-Presbyterian Hospital (NYP) and Columbia University Medical Center (CU) for failing to implement appropriate administrative and technical safeguards to secure the ePHI of approximately 6,800 patients^[i]. This is HHS’ highest financial sanction issued to date as a part of breach settlement agreements, confirming its commitment to enforce HIPAA compliance.

Breach Report, Investigation and Findings

NYP and CU received a complaint from an individual who found confidential health information (ePHI) including status, vital signs, medications, and laboratory results of a deceased relative, a former NYP patient, on the Internet. The HIPAA regulations require such ePHI be maintained in secure systems and kept confidential. In accordance with HIPAA requirements, they submitted a joint report of the complaint to HHS dated September 27, 2010 resulting in an investigation by HHS’ Office of Civil Rights (OCR).

OCR’s investigation found that NYP and CU have a joint healthcare services arrangement wherein CU faculty members work as attending physicians at NYP. To support the services, NYP and CU operate a shared data network including firewalls administered by employees of both entities with shared links to NYP patient information systems.

OCR identified the breach to have occurred when a CU physician employed to develop applications for both entities attempted to de-activate a networked server containing NYP patient ePHI. Due to a lack of technical safeguards in place on the network, the de-activation attempt resulted in NYP ePHI becoming accessible to internet search engines.

OCR found that neither NYP nor CU could demonstrate that its servers were secure or contained software protections prior to the breach. OCR found an additional lack of administrative safeguards, specifically that neither entity had conducted a risk analysis to identify all systems with access to NYP’s ePHI or had a risk management plan in place to address potential hazards or threats to the security of its ePHI.

Finally, OCR found that NYP failed to implement its own technical safeguards including procedures for authorizing access to its databases and information access management processes. In addition to the financial sanctions, NYP and CU agreed to a corrective action plan requiring implementation of the administrative and technical safeguards and to monitor compliance with regular reports back to HHS.

Increased HHS Enforcement of HIPAA Compliance

This action gives notice to Covered Entities and Business Associates that HHS has heightened its enforcement efforts since the enactment of HITECH and the HIPAA Omnibus Rule.

It is imperative that a healthcare organization ensure that its workforce understands the privacy and security regulations, not just completes rote training programs, and recognizes the impact that non-compliance - from even one employee - can have on an organization.

The mandated HIPAA safeguards must be in place to identify risks and threats to ePHI and patient information systems, including insider threats from its own workforce. The safeguards must be regularly monitored through risk analysis as a part of a comprehensive risk management program.

[i] See http://www.hhs.gov/news/press/2014pres/05/20140507b.html

In this era of HIPAA enforcement, it is important to understand the fundamental role of the privacy regulations. Privacy outlines the big picture for compliance. Failing to understand and implement privacy's administrative, technical and physcial safeguards can be a costly miscalculation.

Privacy regulations have been in effect since 2003 and are updated regularly on the Department of Health and Human Services’ (HHS) website.

These regulations list compliance requirements for protected health information (PHI) in all formats (oral, paper or electronic). Security regulations are a subset of privacy limited to PHI in electronic format (ePHI). Privacy encompasses the big picture for compliant access, use, and disclosure of all PHI, including ePHI. Investing the staff, resources and time necessary to meaningfully implement privacy regulations is the entrée to compliance and a prudent business decision.

Prior to 2009, regulated organizations were primarily self-monitoring. The lack of outside accountability precipitated the major investment of staff and resources allocated for HIPAA compliance being directed towards building and supporting electronic health records systems. Fewer resources were dedicated to the less concrete, yet more comprehensive, role of privacy. Responsibility for patients’ and clients’ rights; uses and disclosures of PHI; role-based access issues; business associates; and other privacy issues were disbursed over many departments. This resulted in insufficient compliance, lax oversight and a high occurrence of violations.

HITECH’s enactment in 2009 refocused HIPAA enforcement on the privacy regulations.

HITECH mandates the implementation of complaint and breach report procedures, requires accountability for management of PHI, establishes higher sanctions for violations including a new category for willful neglect, and initiated a random audit program for an expanded list of regulated organizations by HHS’ Office of Civil Rights (OCR).

More federal and state regulatory agencies, including FTC and states’ attorney generals, now coordinate with HHS’ enforcement actions. Their websites regularly post results of enforcement actions as notice and guidance for regulated organizations. Most violations settle with corrective action plans (CAPs); some include fines tipping millions of dollars.

Many CAPs require hiring auditors to monitor and report to HHS on CAP compliance, particularly revising policies and procedures and workforce training programs (basic privacy administrative safeguards) over a period of years. As the following three cases from HHS’ website confirm, HHS is serious about privacy compliance.

Continue reading "HIPAA Privacy and Security, Perfect Together"

The HITECH law puts a cap on fines that the Department of Health and Human Services (HHS) can assess for HIPAA violations at $1.5 million per incident per year. However, other federal, state and regional regulatory agencies have authority to impose fines for violations of the HIPAA privacy and security standards, and can do so simultaneously for the same offense.

Health insurer, Triple-S Management Corporation (Triple S) of San Juan, was recently fined $6.8 million by the Puerto Rico Health Insurance Administration (PRHIA) for improperly handling protected health information (PHI) of 13,336 of its beneficiaries who were dual-eligible for Medicare and Medicaid. Accreditation requirements to sell insurance in Puerto Rico required Triple S to sign a contract agreeing to maintain compliance with HIPAA or face fines and additional sanctions for violations.

The breach resulted from a September 20, 2013 incident where Triple S mailed out pamphlets to its beneficiaries with their Medicare numbers visible from the outside. Medicare numbers are unique client identifiers deemed PHI when held by or on behalf of a HIPAA covered entity. As a result of the HIPAA violations, the PRHIA assessed a $6.8 million fine and called for Triple-S to suspend dual-eligibility enrollment, notify affected individuals of their right to end their enrollment, and implement a corrective action plan to prevent future breaches.

Cooperation is Key

In this case, the fine was assessed at $500 for each of Triple S’ 13,336 affected beneficiaries in accordance with the contract Triple S signed with PRHIA. An additional $100,000 was assessed for its failure to cooperate with PRHIA’s investigation into the incident, providing misleading information, and, in response to some requests, not supplying any information to PRHIA at all, as reported by 4Medapproved HIT Security in HIPAA Enforcement Blind Spots (March 3, 2014).

The fines levied against Triple-S put Covered Entities and Business Associates on notice about their absolute obligation of full compliance with HIPAA and implementing proper procedures for reporting and investigating breaches. This is an essential part of HIPAA compliance planning. Further, Covered Entities and Business Associates need to be aware of the concurrent authority of the Federal Trade Commission (FTC) to address HIPAA violations. The FTC can exercise regulatory oversight through corrective action plans for up to 20 years for HIPAA violations. Complying with HIPAA privacy and security standards is the right thing to do for your healthcare practice and/or business—but most important, for your patients and clients.