On May 21, 2013, the U.S. Department of Health and Human Services (“HHS”) released details regarding a $400,000 settlement with Idaho State University (“ISU”) for alleged violations of the HIPAA Security Rule. The settlement involves the breach of unsecured electronic protected health information (“ePHI”).

ISU notified HHS in 2011 that the ePHI of approximately 17,500 patients was accessible because a server firewall was disabled at one of its medical clinics. The HHS Office for Civil Rights (“OCR”) determined that, for a period of approximately five years, ISU: (1) did not conduct a risk analysis of its ePHI as part of its security management process, (2) did not implement security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level, and (3) did not implement procedures to regularly audit records of information system activity to determine if any ePHI was used or disclosed in an inappropriate manner.

This settlement is one of many over the past few years. The OCR has dramatically stepped up its enforcement efforts and penalties for HIPAA violations. The settlement amounts have ranged from a few thousand dollars to more than a million dollars. The allegations have included various violations of HIPAA and the violators have ranged from a small physician practice to large health care systems and health plans. The variety in enforcement actions leaves covered entities and business associates with a great deal of uncertainty about potential risk.

With OCR’s heightened enforcement of HIPAA, now is a perfect time for covered entities and business associates to review their HIPAA compliance efforts and take proactive steps to achieve compliance with the new HIPAA requirements, which go into effect September 23, 2013. To prepare for the new HIPAA requirements, we recommend taking the following steps to better position yourselves to demonstrate compliance:

  • Update your Notice of Privacy Practices and your HIPAA policies and procedures impacted by the new HIPAA requirements.
  • Update your business associate agreement forms to comply with the new HIPAA requirements and confirm you have business associate agreements in place with all business associates (e.g., IT vendors, coding consultants, billing companies, attorneys, auditors).
  • If you are a business associate, make sure that you have subcontractor business associate agreements in place with the necessary subcontractors and that you understand your newly imposed liability for compliance with HIPAA.
  • Ensure you have all required HIPAA privacy and security policies in place and that these policies are effective and enforced.
  • Perform a risk assessment of your organization's information security and set up reasonable safeguards as necessary.
  • Provide periodic training to personnel on your updated HIPAA policies and procedures.
  • Perform ongoing monitoring of compliance with HIPAA privacy and security policies and take corrective actions if you detect non-compliance or ineffective processes.
  • When the organization’s HIPAA policies and procedures are violated or a data breach occurs, take appropriate and prompt corrective actions, and document the actions taken.