If you were watching, 2016 was a banner year for Health Insurance Portability and Accountability Act (HIPAA) enforcement. The U.S. Department of Health & Human Services’ Office for Civil Rights (OCR) set a department record last year with a total of 12 health care organizations fined and violation payments amounting to over $22.8 million. Seven of those settlements were over $1.5 million – with the $5.5 million settlement with Advocate Health Care Network marked as the largest settlement ever agreed upon with a single covered entity (see OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements).
And, if you have spent the first couple of months of 2017 watching for new fines and settlements, you haven’t had to wait long. In January, Chicago-based Presence Health paid $475,000 to the United States Department of Health & Human Services’ (HHS) Office for Civil Rights (OCR) to settle the claim that the behavioral health service network didn’t report a breach of unsecured patient information quickly enough (see Presence Health to pay $475k HIPAA settlement fine). Also in January, MAPFRE Life Insurance Company of Puerto Rico agreed to pay HHS’ OCR $2.2 million because the company failed to conduct a HIPAA risk analysis. In February, Memorial Healthcare System (MHS) in South Florida agreed to a $5.5 million settlement for potential HIPAA violations, matching the all-time largest settlement set in 2016 (see Florida Health System Pays $5.5 Million HIPAA Settlement).
How did OCR get to these record levels? The answer is simple: audits. According to reporting from Healthcare IT News, OCR currently has more than 200 ongoing audits for 2017 (see OCR: Onsite HIPAA Audits Coming In 2017). In the last couple of years, we’ve seen OCR roll out two different phases for audits as part of the HIPAA Privacy, Security, and Breach Notification Audit Program to “widen the net”:
Phase 1 is already complete. HIPAA established important national standards for the privacy and security of protected health information (169 total protocols) and the Health Information Technology for Economic and Clinical Health Act (HITECH) established breach notification requirements to provide greater transparency for individuals whose information may be at risk (see HIPAA Privacy, Security, and Breach Notification Audit Program).
Phase 2 is underway. Launched in 2016, in this phase OCR is reviewing the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules (see OCR Launches Phase 2 of HIPAA Audit Program).
The reaction to possible HIPAA audits among provider organization executives has largely been to ignore the whole issue. But the prudent course of action would be to prepare for more audits. TechTarget notes that OCR’s focus last year (and most probably in 2017 as well – see HIPAA Audit Protocol Signals Audit Process Underway) has been on eight primary topics:
Breach notification procedures: Does your organization have timely procedures for reporting breaches to OCR and the public?
Data protection procedures: Does your organization have procedures for protecting data after a breach occurs?
Risk-assessment procedures: Does your organization have a risk-assessment analysis for how susceptible you are to data breaches?
Business associates compliance procedures: Does your organization know if your business associates are all HIPAA compliant?
Employee training procedures: Does your organization have the training policies in place to make sure your staff understands what it means to be, and remain, HIPAA compliant?
Security officers: Does your organization have a security officer?
Consumer data request procedures: Does your organization have a way to provide health data to consumers in a safe and timely fashion?
Control over electronic protected health information (ePHI): Does your organization have policies for controlling staff access to ePHI?
For another perspective, I reached out to my colleague and OPEN MINDS Senior Associate, Robert Cartia, who noted that it’s not just about being HIPAA prepared – it’s about having a complete compliance program. He writes:
In many organizations, HIPAA preparedness takes a backseat to that of the organization’s overall compliance program. I mention the compliance program because often the HIPAA organizational plan is embedded in the greater compliance plan. In many organizations, the Compliance Officer and the Privacy and Security Officer are the same person. The Healthcare Compliance Association (HCCA) is the most widely known training and certification body for both Privacy and Security and Compliance. Therefore, it is relatively easy to have someone on staff who has professional certification in Privacy and Security.
That being said, it is crucial that all health care organizations have a certified Privacy and Security professional who develops an organizational Privacy and Security plan with all associated policies. While it is important to have a plan in place that addresses most, if not all, of the above topics, it is also important that there is evidence that the organization breathes life into that plan by conducting internal audits (more accurately, reviews) of all existing policies. The Privacy and Security professional is the person who owns the organization’s privacy and security program.
The following are several additional things that I found as issues that could be overlooked, or those I believe are simply good practice that may keep HIPAA issues at the forefront of an organization’s daily activities:
Make sure that the Privacy and Security Officer provides monthly reports to executive leadership – These reports should cover any concerns brought to their attention or that they have independently identified. The same reporting should be provided to the Board of Directors quarterly and is usually done in conjunction with overall compliance activities or issues.
Be vigilant – Multi-systemic care, integrated care, and other care activities that require a great deal of interaction with parties outside of the organization have eroded general vigilance for confidentiality. It is all too easy for provider staff to say things or put things in writing that they should not. I have been privy to a number of circumstances where information about a consumer was shared in seemingly innocent conversation; however, that information was not critical for that consumer’s treatment, health care operations, or payment.
Demand business associate agreements – Many organizations have contractual relationships with many other organizations, including new and old contracts. Pharmacy, laboratories, physician agreements, and even outsourced activities such as billing, housekeeping, maintenance, and others should all have a business associate agreement. It is also wise to contact an attorney to make sure the business associate agreement meets all applicable law.
Consider privacy for mobile technology carefully – Mobile technology privacy and security is an issue that needs careful consideration. EHR vendors are certainly helpful in this regard and it is also helpful to understand where vulnerabilities may lie not only with the technology (software, hardware, cloud) but also with staff utilization. There are many more devices that are now used to share consumer information on a regular basis and policies must exist so that staff comply with best practice.
Always beware email – This issue sounds dated but encrypted email is simply a prudent component that all provider organizations can use to help keep peace of mind. Many staff and many recipients of encrypted email do not like the perceived inconvenience of an encrypted system. Technology is improving the ease of use of encryption and it adds another layer of privacy and security that only makes sense to implement.
Always follow up on breaches – Always listen and follow up on any consumer and/or family member complaints that their personal health information was breached. Always investigate the claim as part of your service to consumers. Trust is essential for good care and to maintain a reputation that consumer privacy is paramount.
The simplest test of preparedness is to go through the list above and ask yourself — are we doing these things? Just remember, it will take a much tighter audit preparedness operation to assess just how ready you are, even if you answer yes to all the above questions. For the latest from OPEN MINDS on HIPAA, check out these resources from the OPEN MINDS Industry Library: