Kusserow’s Corner: HIPAA Enforcement Update and Compliance Tips

HHS’ Office for Civil Rights (OCR) has been enforcing the Privacy and Security Rules since April 14, 2003 for most HIPAA covered entities. Since 2003, OCR reports it has received over 95,588 HIPAA complaints. It investigated and resolved over 22,497 cases by requiring changes in privacy practices and other corrective actions by the covered entities. In 10,114 cases OCR investigated and found no violation, and 57,800 cases were closed as not eligible for enforcement. OCR currently lists 5,177 active investigations.

To date, the compliance issues investigated by OCR, in order of frequency, have been as follows:

  1. Impermissible uses and disclosures of protected health information (PHI)
  2. Lack of safeguards of PHI
  3. Lack of patient access to their PHI
  4. Uses or disclosures of more than the minimum necessary PHI
  5. Lack of administrative safeguards of electronic PHI (ePHI).

What this information does not tell you is that the most common violation occurs as a result of lost and stolen laptop computers, computer tablets, and external drives (particularly flash drives) that have not been properly encrypted.

Recent Notable Enforcement Actions

OCR entered into settlements with two New York-based hospitals, New York-Presbyterian Hospital ($3.3 million) and Columbia University ($1.5 million), totaling $4.8 million, for a joint breach of the HIPAA Privacy and Security Rules. The two entities operate under a joint arrangement that allows Columbia faculty members to serve as attending physicians at Presbyterian. The breach occurred when a physician employed by Columbia attempted to deactivate a personal computer server that was on the shared network and contained Presbyterian patient ePHI, which resulted in the disclosure of the ePHI of 6,800 individuals, including patient status, vital signs, medications, and laboratory results.

Two entities settled with OCR for $1,975,220 collectively to resolve potential violations of the HIPAA Privacy and Security Rules. Concentra Health Services (Concentra) had filed a breach report that an unencrypted laptop was stolen from one of its facilities. OCR’s investigation revealed a lack of encryption on its laptops, desktop computers, medical equipment, tablets, and other devices containing ePHI. Concentra paid $1,725,220 to settle potential violations and will adopt a corrective action plan to evidence its remediation of these findings. In a similar case, OCR settled with QCA Health Plan, Inc. of Arkansas, which had an unencrypted laptop computer containing the ePHI of 148 individuals stolen from a workforce member’s car. QCA paid $250,000 in monetary settlement and is required to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce the risks to and vulnerabilities of its ePHI.

The latest enforcement action involved Parkview Health System, Inc., which agreed to pay $800,000 and adopt a corrective action plan to address deficiencies in its HIPAA compliance program. Parkview took into custody medical records pertaining to approximately 5,000 to 8,000 patients while assisting a retiring physician to transition her patients to new providers, and while considering the possibility of purchasing some of the physician’s practice. When the physician did not answer the door, an employee left 71 cardboard boxes of these medical records unattended on the driveway of the physician’s home, within 20 feet of the public road.

Tips to Ensure HIPAA Compliance

With increased penalty authority and the latest settlements, failure to take steps to ensure compliance can result in severe financial penalties. In order to mitigate the risks of potential breaches, the following should be considered:

  1. Conducting a thorough risk assessment to address the potential threats and hazards to the security of PHI, and thereafter annual reviews to account for changes in technology and/or new risks, with special attention to encryption of systems and external drives.
  2. Using an outside expert to conduct the initial detailed HIPAA compliance assessment, and thereafter doing it internally following the same review path.
  3. Verifying that all the necessary HIPAA policies and procedures addressing workforce member access to databases and network security are in place.
  4. Ensuring that all employees and workforce members with access to PHI have been trained on the HIPAA policies related to PHI.
  5. If resources are too limited to meet HIPAA obligations internally, considering the use of an outside expert firm to serve as the Designated HIPAA Privacy and/or Security Officer (most likely on a part-time basis).

Richard P. Kusserow served as DHHS Inspector General for 11 years. He is currently CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance-related matters. The SM sister company, CRC, provides a wide range of compliance tools, including sanction screening.

Copyright © 2014 Strategic Management Services, LLC. Published with permission.