OCR Reports on Enforcement of HIPAA Rules at HCCA Compliance Institute

From 2008 through December 31, 2012, the HHS Office of Civil Rights (OCR) imposed $14.9 million in civil money penalties (CMPs) as part of its enforcement of the Health Insurance Portability and Accountability Act (HIPAA) privacy, security, and breach notification rules, according to David Holtzman, Senior Health Information Technology & Privacy Specialist. From September 2009 through March 20, 2013, the OCR received 556 reports of breaches involving over 500 individuals (large breaches) and over 78,000 reports involving under 500 individuals (small breaches). Holtzman presented the update of the OCR’s HIPAA rule enforcement activities on April 22, 2013, at the Health Care Compliance Association’s (HCCA’s) annual Compliance Institute held at the Gaylord Resort & Convention Center in National Harbor, Maryland.

According to Holtzman, to understand the scope and type of breaches, the OCR has identified the areas to be reviewed. For complaints related to breaches of the privacy rule, the OCR most frequently reviews whether the organization: (1) engaged in impermissible uses and disclosures of protected health information (PHI); (2) has appropriate safeguards to protect health information; (3) has policies and procedures in place related to access to health records; (4) restricts access to PHI to employees who need the information to perform their jobs (the “minimum necessary rule”); and (5) has policies and procedures related to notice of privacy practices. For complaints related to the security rule, the OCR reviews the organization’s policies and procedures related to (1) routinely conducting risk analyses, (2) security incident response and reporting, (3) security awareness and training, (4) access controls, and (5) encryption and decryption. Holtzman stressed that risk analysis is the foundation for demonstrating compliance with the HIPAA rules. Risk analysis identifies weaknesses in the system, for which the organization can then develop and implement mitigating controls, he added.

Holtzman reported that the number of large breaches reported annually hasn’t changed and that the focus should be on small breaches. The top types of large breaches involved theft, unauthorized access or disclosure, or loss of data located on laptops, paper records, desktop computers, or portable electronic devices. The largest breaches in 2012 involved hacking of a network server and of a database stored on a network server; backup tapes stored at a hospital that could not be found and are presumed lost; theft of a laptop from an employee’s vehicle; and unauthorized access to electronic PHI stored in a database. Smaller breaches were more likely to involve access to paper rather than electronic records. Holtzman noted that although hacking has not impacted health care on a large scale, it has increased and, currently, is more of a problem in other industries. He also pointed out that mobile devices are not protected. The Office of the National Coordinator for Health Information Technology (ONC) and the OCR have developed a Mobile Device Program Instructional Video Series that explores mobile device risks and discusses privacy and security safeguards providers and professionals can put in place to mitigate those risks, covering topics such as securing a mobile device, protecting PHI when using a public Wi-Fi network, and using a mobile device at work.

A pilot audit program, mandated by Sec. 13411 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which requires periodic audits to ensure that covered entities and business associates comply with HIPAA and HITECH requirements, resulted in 979 audit findings and observations of noncompliance with the HIPAA rules, broken down as follows: 203 privacy, 592 security, and 94 breach notification. Notably, smaller entities had the most difficulty and struggled with all three areas.

Holtzman also addressed the provisions of the Omnibus Final Rule, which was published in the Federal Register on January 25, 2013. The Final Rule expanded the liability of business associates (BAs), requiring BAs to comply with the use and disclosure requirements of the privacy rule as well as the technical, administrative, and physical safeguard requirements of the Security Rule. The Final Rule also amended the definition of a BA. Under the enforcement provisions, CMPs have been adopted from the interim final rule, the term “reasonable cause” has been modified, and intentional wrongful disclosures may be subject to civil rather than criminal penalties. Absent willful neglect, HHS will seek compliance through informal voluntary action.