The HIPAA security rule requires covered entities, including health care providers and health plans, and their business associates to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.” Many compliance plans require this assessment on an annual or periodic basis. If your organization has not updated its risk assessment recently, a review of recent enforcement activity by the Department of Health and Human Services’ Office for Civil Rights (OCR) indicates that now may be the time to do so.
2016 was a busy year for OCR. According to the agency’s website, OCR entered into 12 settlement agreements with health care providers, plans, and business associates for breach of the HIPAA privacy and security rules, and obtained one favorable judgment from an Administrative Law Judge. OCR also issued several new guidance documents, launched Phase 2 of its HIPAA Audit Program, and announced a new initiative to more widely investigate smaller breaches of protected health information. Altogether, OCR imposed $23.51 million in fines for HIPAA violations in 2016. As a point of comparison, OCR imposed only $6.19 million in 2015, and $7.94 million in 2014. Continuing the trend, OCR has already surpassed its 2014 and 2015 totals in the first two months of 2017, announcing four enforcement actions, resulting in civil money penalties totaling $11.375 million so far this year.
Almost all of the enforcement actions were the result of investigations begun after the covered entities self-reported breaches as required by the HIPAA breach notification rule. Causes of breach included theft, unauthorized access to or disclosure of protected health information, hacking and other technology incidents, loss of devices such as flash drives or smartphones containing protected health information, and improper disposal of protected health information. In addition, penalties were imposed for failure to conduct accurate and thorough risk assessments, failure to implement risk management plans, failure to execute or update business associate agreements prior to disclosing PHI to business associates, failure to implement appropriate policies and procedures, failure to encrypt ePHI, failure to safeguard unencrypted devices, and failure to restrict access to ePHI to authorized users. Penalties were imposed upon large health systems, smaller hospitals, physician practices, business associates, a life insurance company, a research institution, and a physical therapy practice.
In reviewing OCR’s announcements of enforcement actions, one recurring theme is evident: the covered entity or business associate often either failed to conduct an adequate, enterprise‑wide risk assessment, failed to take appropriate action to address risks identified in a risk assessment, or both. While many covered entities and business associates may have conducted risk assessments when initiating their HIPAA privacy and security compliance plans, it is imperative that these assessments be periodically updated. In its announcement of its settlement with Children’s Medical Center of Dallas, an OCR representative stated: “Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.”
If it has been more than a year since your organization conducted a HIPAA risk assessment, now may be a good time to perform a new assessment. In doing so, here are some questions to consider, in light of the recent enforcement actions:
Has the organization added new health care components or new information systems that were not considered in previous risk assessments?
Has the organization contracted with new business associates since the previous risk assessment, and if so, have the entities executed the appropriate business associate agreements?
Has the organization’s standard business associate agreement been updated to include 2013 revisions to the HIPAA privacy and security rules, including breach notification provisions?
Does the organization have comprehensive policies addressing mobile devices that contain ePHI? Are there sufficient physical and technical safeguards in place to protect these devices?
What policies and procedures have been put in place to prevent and detect employee “snooping” in patient records for purposes unrelated to the employees’ job duties? Are employees aware of these policies and procedures, and of the consequences for violating these policies and procedures?
What new technologies and business operations are planned, and how can security risks be addressed in the planning stages?
In addition, OCR and the Office of the National Coordinator for Health Information Technology have jointly launched a HIPAA Security Risk Assessment Tool for small and medium-sized health care practices and business associates, and OCR has issued a document entitled “Guidance on Risk Analysis Requirements Under the HIPAA Security Rule.” Both are available on the agencies’ websites.