The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) as amended by the HIPAA Omnibus Rule in 2013 define the regulations for the private and secure management of health information. Covered entities and business associates that neglect adhering to these regulations can face rigid sanctions from a multitude of agencies, including the U.S. Department of Health and Human Services (HHS), its Office for Civil Rights (OCR), the Federal Trade Commission and state Attorneys General.

Each regulatory agency can impose fines against covered entities and business associates that fail to document, investigate and remedy HIPAA and HITECH violations. Without the proper compliance planning, covered entities and business associates can be slammed with heavy financial penalties and regulatory oversight, as happened to Cignet Health of Prince George's County in Maryland.

Learning from the Past

According to Healthcare ITNews, Cignet denied 41 patients access to their medical between September 2008 and October 2009, a right guaranteed by the HIPAA Privacy Rule. Cignet further failed to cooperate with OCR's investigation of the patients' complaints and with HHS' subpoena for the records, which was enforced by the District Court.

The court levied a $1.3 million fine against Cignet for failing to grant access to the patients' records, and an additional $3 million for willful neglect of the HIPAA Privacy regulations.

The time for proper HIPAA and HITECH compliance planning is now.

Training Modules Available

"HIPAA and HITECH, Pathway to Compliance" is a four-part do-it-yourself instructional series that guides its users in drafting a HIPAA/HITECH Compliance Plan. Each part provides regulatory information and resources necessary to build a customized plan. Documentation developed in this series can be used when faced with OCR investigations and/or audits to demonstrate compliance efforts.

In this series, Patricia Wynne, Esq., CIPP, a seasoned HIPAA/HITECH subject matter expert familiar with the day-to-day challenges of compliance, presents guidelines for drafting a Compliance Plan that are easy to understand and practical to implement - not bogged in technical jargon. Each course is one hour in length and includes case studies and questions to enhance learning, as well as resources that can be downloaded and used in the compliance planning process. Now is the time to build your HIPAA/HITECH Compliance Plan with the professional insight of Merit Career Development.

HIPAA and HITECH, Pathway to Compliance on Udemy
Click here to access Part 1: Policies & Procedures
Click here to access Part 2: Complaints & Breaches
Click here to access Part 3: Assessments & Risk Analysis
Click here to access Part 4: Workforce Training

HIPAA and HITECH, Pathway to Compliance on Arbington
Click here to access Part 1: Policies & Procedures
Click here to access Part 2: Complaints & Breaches
Click here to access Part 3: Assessments & Risk Analysis
Click here to access Part 4: Workforce Training

With all the talk about HIPAA over the past decade, most people in the U.S. now expect their confidential health care information and records (collectively “PHI”) to be just that…confidential. We expect our providers to assure its privacy and security. But this is not always the case. Read about this incident.

In September 2008, Parkview Hospital in Ohio took custody of approximately 5,000 to 8,000 patient records pertaining to a retiring physician’s medical practice. Parkview was considering purchasing some of the physician’s practice and was assisting the retiring physician to transition her patients to new providers. By taking custody of the PHI, Parkview assumed the responsibility for the private and secure management of the retiring physician’s PHI. However, on June 4, 2009, despite having custody of the records and with knowledge that the retiring physician was not at home at the time of the incident, Parkview employees left 71 cardboard boxes of medical records on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue. This action exposed the PHI to unauthorized access and constituted a HIPAA breach.¹

The retiring physician reported the breach to the Department of Health and Human Services (HHS), resulting in an investigation by its Office of Civil Rights (OCR). Parkview cooperated with the OCR investigation. The outcome was an $800,000 civil money sanction and a corrective action plan requiring the revision of Parkview’s policies and procedures, staff training and regular reports to OCR on compliance with the corrective action plan. The extended regulatory oversight and related costs for auditors can be a greater sanction and intrusion into daily operations than any sanction check that has to be written.

HIPAA and HITECH mandate that healthcare providers and managing healthcare entities are responsible for the privacy and security of PHI from the time it is created until the time it is securely destroyed. This includes implementing and monitoring PHI policies and procedures as well as training and monitoring staff compliance with them. Failure to do so can subject healthcare providers or entities to sanctions and regulatory oversight through corrective action plans. HIPAA regulations have been in effect since 2003. HITECH regulations, enacted in 2009, have heightened sanctions for failing to protect PHI, including added sanctions up to $1.5M per year for willful neglect levied against covered entities that can demonstrate no reasonable efforts towards HIPAA/HITECH compliance.

It’s hard to believe that breaches such as the above incident are still taking place. But the OCR confirms that it is quite busy with similar investigations. It is starting up its random audit program again in October 2014 to get the message across that HIPAA/HITECH compliance is mandatory. The message from HHS is that sanctions will increase when non-compliance is identified such as in the case cited above and those noted on its Wall of Shame at www.hhs.gov.

¹See $800,000. HIPAA Fine- Blatant Violations Continue to Occur, www.Medlaw.com, posted June 25, 2014

May 2014

The Department of Health and Human Services (HHS) entered into settlements totaling $4.8 million with New York-Presbyterian Hospital (NYP) and Columbia University Medical Center (CU) for failing to implement appropriate administrative and technical safeguards to secure the ePHI of approximately 6,800 patients^[i]. This is HHS’ highest financial sanction issued to date as a part of breach settlement agreements, confirming its commitment to enforce HIPAA compliance.

Breach Report, Investigation and Findings

NYP and CU received a complaint from an individual who found confidential health information (ePHI) including status, vital signs, medications, and laboratory results of a deceased relative, a former NYP patient, on the Internet. The HIPAA regulations require such ePHI be maintained in secure systems and kept confidential. In accordance with HIPAA requirements, they submitted a joint report of the complaint to HHS dated September 27, 2010 resulting in an investigation by HHS’ Office of Civil Rights (OCR).

OCR’s investigation found that NYP and CU have a joint healthcare services arrangement wherein CU faculty members work as attending physicians at NYP. To support the services, NYP and CU operate a shared data network including firewalls administered by employees of both entities with shared links to NYP patient information systems.

OCR identified the breach to have occurred when a CU physician employed to develop applications for both entities attempted to de-activate a networked server containing NYP patient ePHI. Due to a lack of technical safeguards in place on the network, the de-activation attempt resulted in NYP ePHI becoming accessible to internet search engines.

OCR found that neither NYP nor CU could demonstrate that its servers were secure or contained software protections prior to the breach. OCR found an additional lack of administrative safeguards, specifically that neither entity had conducted a risk analysis to identify all systems with access to NYP’s ePHI or had a risk management plan in place to address potential hazards or threats to the security of its ePHI.

Finally, OCR found that NYP failed to implement its own technical safeguards including procedures for authorizing access to its databases and information access management processes. In addition to the financial sanctions, NYP and CU agreed to a corrective action plan requiring implementation of the administrative and technical safeguards and to monitor compliance with regular reports back to HHS.

Increased HHS Enforcement of HIPAA Compliance

This action gives notice to Covered Entities and Business Associates that HHS has heightened its enforcement efforts since the enactment of HITECH and the HIPAA Omnibus Rule.

It is imperative that a healthcare organization ensure that its workforce understands the privacy and security regulations, not just completes rote training programs, and recognizes the impact that non-compliance - from even one employee - can have on an organization.

The mandated HIPAA safeguards must be in place to identify risks and threats to ePHI and patient information systems, including insider threats from its own workforce. The safeguards must be regularly monitored through risk analysis as a part of a comprehensive risk management program.

[i] See http://www.hhs.gov/news/press/2014pres/05/20140507b.html