Law360, New York (August 19, 2014, 11:37 AM ET) --
It’s been over a year and a half since the Health Insurance Portability and Accountability Act omnibus rule revisions have been put into place, and the regulators have refrained from issuing any new rules, guidance or interpretations. While the sand is no longer shifting underneath industry’s feet, it is becoming increasingly clear that HIPAA covered entities — as well as health information technology companies that act as their business associates — can no longer assume that lax or incomplete implementation of HIPAA privacy and security policies will go unnoticed.
HIPAA enforcement actions have doubled over the past year, and the price tag associated with federal enforcement actions has tripled. In July 2014, the U.S. Department of Health and Human Services' Office of Civil Rights issued its annual report to Congress on breaches of unsecured protected health information for 2011 and 2012. The report shows a continued trend of large numbers of reported breaches, both large and small, and describes in detail the monetary settlements reached with covered entities to date for HIPAA violations. In addition, the report discusses OCR’s implementation of the pilot phase of its audit protocol, in which it audited 115 covered entities. OCR’s year-over-year enforcement statistics show that the number of enforcement actions jumped from 9,408 in 2012 to 14,300 in 2013.
No Turning Back
Recent enforcement actions have highlighted the fact that OCR takes a particularly dim view of entities that recognize security vulnerabilities but fail to implement corrective measures. For example, in April 2014, OCR announced a $1.72 million settlement with Concentra Health Services Inc. related to a breach involving an unencrypted laptop stolen from one of its facilities. OCR pointed out in its press release that “Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktops, medical equipment, tablets and other devices containing electronic protected health information was a critical risk. While steps were taken to begin encryption, Concentra’s efforts were incomplete and inconsistent over time, leaving patient PHI vulnerable throughout the organization.” These pointed remarks serve to highlight OCR’s “no excuses” approach to enforcement — in other words, the fact that Concentra had self-identified risk areas and then failed to implement corrective action caused particular consternation.
Recent settlement agreements associated with record-setting multimillion dollar fines — $4.8 million, representing the large HIPAA settlement to date — imposed by OCR in May 2014 against New York- Presbyterian Hospital and Columbia University also highlight the importance of creating a plan with a timeline to correct identified security vulnerabilities. As part of the settlement, the hospital and university agreed to undertake a risk analysis, develop a risk management plan, revise policies and procedures, train staff and provide progress reports to OCR, with the completion of each element subject to a defined project timeline.
While all federal HIPAA enforcement actions to date have been imposed on covered entities, health IT companies should not assume they are immune from scrutiny. The largest data breaches reported in 2011 and 2012 were traced back to business associates. In addition, OCR announced in March 2014 that 25 percent of the total number of audits conducted in Phase 2 of its audit program will be of business associates — and 70 percent of the business associates audited will be Health IT companies.
Be Prepared: A Good Offense is Your Best Defense
What should Health IT companies do to prepare for and hopefully avoid these audit activities?
- Review your policies and procedures. Are your policies up-to-date and inclusive of omnibus rule requirements and, more importantly, are you actually implementing the procedures required by your policies?
- Have you implemented omnibus rule-compliant business associate agreements? The final compliance date for implementation of revised business associate agreements in connection with evergreen or long-term contracts is Sept. 22, 2014. Given the fact that OCR gave covered entities and business associates more than a year and a half to come into compliance with this requirement, it is anticipated that regulators will not be lenient with companies that have failed to comply with this requirement.
- Have you conducted a risk assessment and when was it last updated? Does it incorporate any new technologies or service offerings you have started to provide to covered entities or other business associates? While not required by law, have you considered having an outside IT security auditing firm take a fresh look and your operations and conduct an independent risk assessment? Have you already implemented a corrective action plan based on weaknesses identified through the risk assessment process? Given the multimillion dollar settlements listed above, creating a corrective action plan project timeline — and actually implementing that plan— could not be more important.
Health IT companies are enjoying a lull in HIPAA regulatory activity. This gives you an opportunity to pause, take stock of your current state of HIPAA compliance and begin in earnest to act upon the risk assessments you have conducted by correcting security vulnerabilities you have already identified.
It is clear that OCR is enforcing — and will continue to enforce — its regulations aggressively, and it is obvious that OCR has little patience with entities that have failed to implement and maintain safeguards that are required by their policies or the law, or were identified in conjunction with their own risk assessments.
The bottom line: Health IT companies should execute on their HIPAA compliance plans with a sense of urgency.