This article and infographic were originally published by the Maurice A. Deane School of Law at Hofstra University’s Online Master’s in Health Law and Policy program.[1]
The Gravity of HIPAA
HIPAA compliance is aimed at maximizing privacy and data security for patient records. It prescribes the minimum standards for storing and sharing Protected Health Information (PHI). HIPAA applies to Covered Entities, which include healthcare organizations, physicians, and health plans, along with their Business Associates and Business Associate Subcontractors, such as managed IT service providers.
Compliance with HIPAA is a serious matter that requires you to follow specific guidelines to avoid fines and penalties. The Department of Health and Human Services (HHS) conducts regular audits through the Office for Civil Rights (OCR). If a Covered Entity or Business Associate is found to be noncompliant, it can be slapped with fines of up to $50,000 per violation, and the fines can reach $1.5 million annually for each category of HIPAA violation.
Attracting these hefty penalties can be catastrophic for an organization’s bottom line and operational viability. For this reason, Covered Entities and Business Associates need to make HIPAA compliance a priority and treat HIPAA with the gravity it deserves.
The HIPAA Security Rule
Recent changes compel all Business Associates and Subcontractors to adhere to the requirements of the Security Rule. The rule encompasses the implementation of security procedures, risk analysis, training, and the adoption of a breach response plan. It has three key components: administrative, physical, and technical safeguards.
Physical safeguards include access badges, door locks, surveillance cameras, security guards, and more. Technical safeguards, on the other hand, control electronic access to electronic Protected Health Information (ePHI). Examples of technical safeguards include multi-factor authentication, passwords, and encryption.
A comprehensive backup and disaster recovery plan is an additional component of the HIPAA Security Rule. Rather than focusing on prevention and protection, it is aimed at ensuring that healthcare facilities are well-prepared for any eventuality. A backup and disaster recovery solution consists of data backup, disaster declarations, alternate site guides, a comprehensive disaster list, and an ePHI recovery plan. Total HIPAA’s Security Rule Compliance Checklist provides a viable way to understand the security requirements.
HIPAA Phase 2 Audit Protocol
OCR uses Phase 2 audits to establish best practices for ensuring the security and privacy of Protected Health Information. The process involves desk audits, which are used to review submitted documentation.
Selected entities are served a notice and a document request letter, and must submit the requested documents to OCR within 10 days of receiving the letter. Submission is carried out via a secure online portal. Once the entire process is complete, the auditor issues a report within 30 days.
Phase 2 audits also encompass on-site reviews conducted over the course of three to five working days. These audits are more comprehensive than desk audits. The site visits review the procedures and policies that organizations and Business Associates have implemented to meet selected standards.
Auditors employ a comprehensive audit protocol that is in line with the updated Omnibus Final Rule. The audits address Security, Privacy, and Breach Notification Rules separately. The nature of audits performed by OCR officers may vary based on the type of organization.
Covered Entities are required to submit only the specified documents, not compendiums covering all of their procedures and policies. This simplifies the review process and reduces the auditor’s workload. If the requested documents are not available, organizations are still required to submit what they have within the applicable time periods.
Preventing HIPAA violations
Although no system is perfect, Covered Entities and Business Associates are expected to demonstrate best efforts and reasonable care in meeting compliance standards.
Some of the most common HIPAA violations include failing to release information to patients in a timely fashion, not adhering to the authorization expiration date, and improperly disposing of patient records. In addition, many entities are fined for insider snooping, releasing the wrong patient’s information, missing a patient’s signature, insecure data storage, releasing unauthorized health information, and more.
Fortunately, the majority of healthcare information systems available today include automated reminders, procedures, and alerts to remedy these issues before they cause a violation. Reputable medical IT service providers generally identify these instances when evaluating the system.
Office for Civil Rights Imposes Stiffer HIPAA Fines
In recent years, OCR has been using the tiered penalty structure stipulated by the Health Information Technology for Economic and Clinical Health (HITECH) Act to impose stiffer noncompliance fines. It took the enforcement body considerable time to start imposing the multi-million dollar penalties that many in the healthcare sector had predicted since 2010.
OCR has since heightened enforcement activity. As a result, Covered Entities and Business Associates have witnessed higher dollar HIPAA settlements.
Notable HIPAA Settlements
Some of the high-profile cases involve entities, such as Triple-S Management Corporation (Triple-S), Lahey Hospital and Medical Center (Lahey), and the University of Washington Medicine (UWM).
Triple-S Management Corporation
Triple-S is one of the leading medical insurance providers in San Juan, Puerto Rico. In 2015, the company was slapped with a $3.5 million fine for several HIPAA breaches. The violations occurred over a period of five years and included the sharing of ePHI on employees’ computers and improper access to the entity’s database by a former member of staff whose access was not terminated promptly.
In addition, OCR discovered unauthorized disclosures that involved health plan beneficiary mailings. In some instances, insurance identification cards were delivered to the wrong recipients. The mailings displayed ID numbers on envelope labels.
Lahey Hospital and Medical Center
Lahey is a nonprofit teaching hospital affiliated with Tufts Medical School, providing primary and specialty care in Burlington, Massachusetts. Lahey notified OCR that a laptop was stolen from an unlocked room inside the hospital’s radiology department on August 11, 2011. The laptop hard drive contained the PHI of 599 individuals.
The OCR investigation prompted by the data breach revealed additional HIPAA violations, including the lack of a process within the facility for protecting online patient health information, failure to physically safeguard a workstation, and a lack of unique usernames for identifying and tracking user identities. Lahey settled with OCR, agreeing to pay $850,000 for the violations.[2]
University of Washington Medicine
The University of Washington Medicine is an affiliate Covered Entity, which includes designated health care components and other entities under the control of the University of Washington, including University of Washington Medical Center.
UWM agreed to a $750,000 settlement with OCR for violations connected to a breach reported on November 27, 2013. The breach occurred after an employee downloaded an email attachment containing malware that compromised the ePHI of approximately 90,000 individuals.
OCR’s investigation found that UWM failed to ensure that all affiliated partners were overseeing risk assessments of their own systems. This occurred even though UWM’s Security Policies and Procedures stated that its affiliated entities were required to have up-to-date, documented risk assessments and to implement safeguards.[3]