At the risk of killing (or at least maiming) the “Breach Parade” metaphor we have used in this blog series by over-stretching it, I wanted to write about two tools being used by the federal Office of Civil Rights (“OCR”) and individual State Attorneys General (“SAGs”) to deter and catch HIPAA privacy and security breaches that remind me of the red light cameras designed to deter and catch traffic violations.
If a Covered Entity (“CE”) or Business Associate (“BA”) has already experienced a breach of Protected Health Information (“PHI”), it has probably already taken (or has been required by regulators to take) steps to prevent future breaches. However, all CEs and BAs should be aware of the tools available to the federal and state governments to check HIPAA compliance, investigate potential breaches, and bring enforcement actions for a variety of HIPAA violations, including, but not limited to, PHI breaches.
Linda Sanches, OCR Senior Advisor and the lead on HIPAA Compliance Audits, recently presented on the progress of an OCR tool, the 2012 HIPAA Privacy and Security Audit Program (the “Audit Program”) being conducted for OCR by KPMG, Inc. One stated objective of the Audit Program is to “[e]ncourage renewed attention to compliance activities.” The Audit Program is being conducted utilizing Generally Accepted Government Auditing Standards (aka “Yellow Book Standards”).
While OCR states that the Audit Program is not meant to be “punitive,” it also notes that the Audit Program currently being conducted will “feed into decisions” related to future audits. OCR lists “Non-Compliance Risks” as including loss of contracts, criminal and civil investigation, federal penalties and state fines, public harm and reputational risk, legal costs, and costs of notification.
In particular, three of the tips to avoid the consequences of joining the marchers in the Breach Parade that were listed on the last slide of Ms. Sanches’ presentation, struck me as particularly noteworthy for their obviousness and simplicity:
- Determine your various lines of business that are affected by HIPAA.
- Map/Flow PHI movement within your organization, as well as flows to/from third parties.
- Find all of your PHI.
Yes, if you are a CE or BA and don’t know where your PHI resides or travels, you may have already joined the Breach Parade without even realizing it.
As another enforcement tool, OCR has published guidance for SAGs looking to investigate HIPAA violations and drum up revenue for the states and individuals affected by the violations. CEs and BAs can view this guidance and see how states can investigate and prosecute potential HIPAA violations, as well as how OCR and SAGs can estimate the daunting potential penalties that may be imposed:
SAG Penalty Estimate
Amount of penalty = [number of violations] X [up to $100] per violation; and
A SAG may obtain damages as high as $100 per violation and up to $25,000 for violations of the same requirement in a calendar year.
OCR Penalty Estimate
OCR may collect civil money penalties of up to $50,000 per violation, depending on the level of culpability; and
The calendar year OCR maximum is $1.5 million, for a single CE, for violation of identical provisions.
One example of HIPAA violations, which did not involve a PHI security breach, worthy of SAG prosecution involves a pharmacy’s disclosure of the PHI of 1,500 customers to a business associate, which the pharmacy paid to make a treatment communication on its behalf. The pharmacy did not limit the PHI it disclosed to the minimum necessary, and did not include the required information about this practice in its notice of privacy practices that the pharmacy distributed to all 1,500 customers.
The unfortunate pharmacy in this example is described as having otherwise compliant HIPAA policies and procedures, but is subject to a state penalty of $50,000 and an OCR penalty of up to $3 million.
The astronomical penalties that are potentially assessable by OCR and SAGs for HIPAA violations should act as a red light or at least a bright amber light of caution to those who may already be approaching or on the road to HIPAA violations. All CEs and BAs should heed the OCR warnings and guidelines before they become new unwilling marchers in the Breach Parade.