Kusserow on Compliance: Tips and lessons learned from new OCR findings and settlements

The HHS Office for Civil Rights (OCR) has begun its second round of HIPAA audits by notifying randomly selected covered entities (CEs) and business associates (BAs) that they have been chosen for review to ensure compliance with the HIPAA Privacy, Security, and Breach Notification Rules. At the same time, the agency has been reporting recent record settlements with HIPAA violators.

Recent settlements

The most recent action is the $2.2 million settlement with New York Presbyterian Hospital for disclosure of two patients’ protected health information (PHI) to film crews and staff during the filming of “NY Med,” an ABC television series, without first obtaining authorization from the patients. The OCR will monitor this hospital for two years to ensure it remains compliant with its HIPAA obligations.

This settlement followed on the heels of a $750,000 settlement with Raleigh Orthopaedic Clinic, P.A. of North Carolina for potential violation of the HIPAA Privacy Rule by handing over the PHI of approximately 17,300 patients to a potential business partner without first executing a BA agreement. The clinic was also required to revise its HIPAA policies and procedures to: (1) establish a process for assessing whether entities are BAs; (2) designate a responsible individual to ensure BA agreements are in place prior to disclosing PHI; (3) create a standard template BA agreement; (4) establish a standard process for maintaining documentation of BA agreements for at least six years; and (5) limit disclosures of PHI to any BA to the minimum necessary to accomplish the purpose for which the BA was hired.

These are only the latest in a series of settlements in the last 60 days and follow the $3.9 million settlement with the Feinstein Institute for Medical Research, a not-for-profit biomedical research institute, for HIPAA privacy violations. That settlement resulted from the loss of a laptop containing the names of 13,000 research participants along with their dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications, and medical information relating to potential participation in a research study. A few days earlier the OCR announced a $1.5 million settlement with North Memorial Health Care of Minnesota, resolving allegations that HIPAA was violated when the organization failed to enter into a BA agreement with a major contractor and failed to address the risks and vulnerabilities to its patients’ information.

Tips and lessons learned

Based on these actions by the OCR, entities should:

  • Ensure that this subject is included in reports to executive and board oversight committees;
  • Conduct a complete security risk analysis that addresses PHI vulnerabilities, including issues of confidentiality, integrity, and availability;
  • Ensure that security management processes are adequate to address potential PHI risks and vulnerabilities;
  • Ensure laptops and mobile devices are properly encrypted and password protected;
  • Keep track of mobile devices and of employee access to them;
  • Follow the basics when reviewing compliance for information security risks and PHI breaches;
  • Implement safeguards that prevent access by unauthorized users;
  • Maintain a list of all BAs including contact information;
  • Verify that all have signed BA agreements;
  • Verify that research programs meet HIPAA compliance standards for participating patients;
  • Implement adequate policies and procedures for authorizing access to PHI;
  • Train the workforce on all policies and procedures developed or revised;
  • Implement policies and procedures governing receipt and removal of laptops containing PHI and for controlling access to PHI by workforce members and users; and
  • Develop a corrective action plan to promptly address any weaknesses identified.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He is currently CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance-related matters. The SM sister company, CRC, provides a wide range of compliance tools, including sanction screening.

Copyright © 2016 Strategic Management Services, LLC. Published with permission.