Healthcare providers and businesses that store or process protected health information ("PHI") face increased scrutiny and significant fines for data privacy breaches and security lapses in the coming months. In the past 12 months, the U.S. Department of Health and Human Services Office for Civil Rights ("OCR") has recovered more than $10 million in fines for alleged violations of HIPAA. Enforcement is likely to become even more aggressive in the next year, according to Jerome Meites, a chief regional civil rights counsel at HHS, who spoke last month at the American Bar Association Physician Legal Issues Conference. "Knowing what's in the pipeline, I suspect that number will be low compared to what's coming up," Meites said during his presentation.
Meites noted that companies need to ensure the security of laptops and other portable devices that carry patient information. "Everywhere in your system where [patient information] is used, you have to think about how to protect it." Meites also noted the importance of performing a comprehensive risk analysis. Most of the cases in which breaches led to financial settlements, and not just corrective actions, involved entities that had not performed the required risk assessment.
The need to analyze risks, adopt safeguards, and train staff extends beyond healthcare providers and applies to anyone who stores, processes or has access to protected health information. Covered entities should ensure they have Business Associate Agreements with those who handle, process or have access to protected health information. All of the foregoing will be increasingly important as OCR turns up the heat on enforcement efforts.
Recent HIPAA Settlements
In the past two months, two healthcare organizations agreed to pay $4.8 million to settle charges that they potentially violated HIPAA Privacy and Security Rules. These organizations failed to secure thousands of patients' electronic protected health information (ePHI) held on their network. A third organization agreed to pay $800,000 after its employees left 71 boxes of patient records in a departing physician's driveway.
These recent settlements are a reminder that covered entities and businesses who handle or have access to patient information cannot ignore the need to safeguard the privacy of all records in their possession. Healthcare providers must consider not only how to store and dispose of paper records that have been transferred to electronic health records, but also how to ensure that IT professionals involved in the conversion have been properly trained on HIPAA.
Second Round of HIPAA Audits
The next round of HIPAA audits will begin this fall. OCR already has sent questionnaires to approximately 800 covered entities to screen them for selection for the audit. These upcoming audits will be much more targeted than the first round of HIPAA audits and will be conducted as "desk audits" by OCR staff, rather than as field audits by outside accounting firms. Approximately 100 covered entities will be audited on their compliance with the requirements for notices of privacy practices and providing individuals with access to PHI; 100 covered entities will be audited to evaluate whether they have a risk analysis and have implemented a corresponding risk management plan; and 150 covered entities will be audited for their policies related to the content of and timeliness of notice of a breach. OCR will use information gleaned from the audit responses to identify business associates that will be audited beginning in early 2015.
To prepare for this increased scrutiny, healthcare providers and their business associates should:
Conduct a thorough risk analysis of the threats and vulnerabilities to their electronic PHI and update that risk analysis annually or more often if there is a significant change in the operations of the entity.
Implement security measures to reduce the risks identified in the risk analysis. It is not enough to do the risk analysis: covered entities and business associates must follow up on the findings to reduce risk.
Remember to address risks associated with PHI that is in paper format, including methods of storage and disposal of the paper. As recent and not-so-recent HIPAA settlements have shown, leaving paper records in public areas such as driveways or open dumpsters or trash bins is not an appropriate way to dispose of records.
Make sure your breach notification policies and procedures are current. As part of this assessment, identify potential vendors in advance, e.g., forensic experts, vendors to assist with mitigation efforts, and outside law firms to conduct the investigation and to assist in the event of a breach.
Make sure your Notice of Privacy Practices is current and review your policies and procedures for responding to requests from individuals for access to their PHI.