Protected health info and HIPAA focus of HHS discussion

With 2017 just beginning, covered entities under the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) need to be aware of current trends in the realm of protected health information (PHI). In a Health Care Compliance Association webinar titled “What’s New on the HIPAA Front?” Vaniecy Nwigwe and Debbie Campos of HHS Office for Civil Rights presented an overview discussion of PHI designation and authorization, PHI breaches, enforcement matters, and marketing.

The HIPAA Privacy Rule generally requires covered entities, i.e., health plans and most health care providers, to provide individuals, upon request, with access to the PHI about them in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice, as described in 45 C.F.R. Sec. 164.524(c)(3).

PHI designations

Designation occurs when an individual directs the covered entity to transmit the PHI about the individual directly to another person or entity designated by the individual. Conversely, authorization occurs when an individual gives permission to another person to direct the covered entity to transmit the PHI to another person (or entity) designated by the authorized individual (or entity).

The same requirements that govern providing the PHI to the individual, such as the fee limitations and the requirements for providing the PHI in the form, format, and manner requested by the individual, apply when an individual directs that the PHI be sent to another person.

According to the speakers, this distinction matters because of fees. The fee limitations apply only when an individual directs a covered entity to send PHI to another person or entity. Under the Privacy Rule, a covered entity is prohibited from charging an individual who has requested a copy of her PHI more than a reasonable, cost-based fee for the copy, covering only certain labor, supply, and postage costs that may apply in fulfilling the request.

PHI breaches

From September 2009 through November 2016, approximately 1,738 breaches of PHI affecting 500 or more individuals were reported. Of those, 60 percent were initiated through theft or loss. In addition, there were over 58,000 reports of breaches of PHI affecting fewer than 500 individuals during calendar year 2016 alone.

Enforcement matters

Highlighting some of HHS’ enforcement actions, the speakers noted that over 125,445 complaints had been received as of December 31, 2015, and over 30,000 cases had been resolved with corrective action or technical assistance. HHS expects to receive 22,000 complaints in 2017.

In one prime example of a major breach, the speakers noted that the ePHI of nonprofit health system St. Joseph Health was publicly accessible on the internet from February 1, 2011, to February 13, 2012, affecting the records of over 31,800 individuals. St. Joseph Health agreed to adopt a comprehensive corrective action plan and pay $2.4 million to settle allegations that the health system violated the HIPAA Privacy and Security Rules (see Health system slammed over searchable internet server, Health Law Daily, October 19, 2016). St. Joseph Health also agreed to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on the revised policies and procedures.

Marketing

Generally, a communication about a product or service that encourages recipients of the communication to purchase or use the product or service is considered marketing. If a covered entity’s communication rises to this level, the covered entity must obtain the individual’s authorization before making it. Another form of marketing communication is an arrangement between a covered entity and any other entity whereby the covered entity discloses PHI to the other entity, in exchange for direct or indirect remuneration, so that the other entity or its affiliate can make a communication about its own product or service that encourages recipients to purchase or use that product or service.

Webinar helps covered entities with third-party risk management

Third-party risk management requires a comprehensive vendor risk management program capable of verifying that vendor security controls are effective, according to a Health Care Compliance Association (HCCA) webinar presented by Nadia Fahim-Koster, of Meditology Services, and Alex Masten, of CORL Technologies. Masten noted that risk management is ultimately about “assurance” and, therefore, the development of a risk management program requires data and monitoring designed to assure covered entities (CEs) under the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) that vendors are adequately safeguarding protected health information (PHI).

Fahim-Koster detailed the scope of third-party breach risks, including: HIPAA violations, negative media coverage, undermined patient trust, undermined employee trust, HHS Office for Civil Rights (OCR) penalties, lawsuits, breach notification costs, and the uncertainty of business associate reimbursement. Additionally, all of these risks are evolving as technology changes. For example, Fahim-Koster reminded providers that third-party breach risks have increased in complexity with the expansion of disruptive technologies like the Internet of Things (IoT) and migration to the cloud.

Masten noted that part of the problem with third-party risk management stems from the fact that the majority of vendors with access to PHI are small. Masten explained that this is unfortunate because small vendors are far more likely than larger vendors to be involved in a breach. Additionally, small vendors are more likely to enter into subcontracts, leaving CEs confused about or unaware of the subcontractor’s breach protection measures. Masten also noted that only 26 percent of vendors have a security certification and many vendors have no designated security personnel; in fact, only 39 percent of vendors have at least one designated security person. Above all, Masten cautioned that breaches can happen at any time to any kind or size of vendor.

Vendor security program

To implement a vendor security program, Masten said CEs should take the following four steps: (1) profile vendors and rank them by risk; (2) conduct due diligence through risk assessments; (3) apply a risk strategy based on the gaps identified by the risk assessment; and (4) monitor vendors for breaches, third-party assurances, and implementation of the risk strategy. Because monitoring what can be thousands of vendor contracts is complex, Masten suggested that entities may need multiple full-time employees dedicated to the data collection and monitoring of third parties. He also suggested that providers increase efficiency by developing a comprehensive vendor questionnaire to assess the risks associated with each vendor.

Webinar replay: Personal Health Information: Hospitals, Health Plans, and Human Resources

Event Date: Thursday, October 13, 2016

Headlines screaming about the mishandling of personal health information have become ubiquitous in the media. Employers handling health records are rightly concerned about their liability for the protection of such data. So where should an anxious employer begin?

This free webinar replay provides employers with an overview of their legal obligations, focusing significantly on health care providers, covered entities, and business associates under HIPAA, as well as the handling of health information from health insurance, medical leave, or disability, and covers GINA, the FMLA, and the ADA.

Replay this webinar to get real answers to questions like:

  • What obligations do organizations have to secure protected health information (PHI) under HIPAA?
  • What can HIPAA-covered entities and business associates expect from OCR audits and compliance investigations?
  • What other laws must employers consider when dealing with health information?

Kusserow on Compliance: New HIPAA risk analysis tool released

The HHS Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) released a new, jointly developed, downloadable Security Risk Assessment (SRA) Tool to assist providers and professionals in performing HIPAA compliance risk assessments. It was designed primarily for small and medium-sized covered entities and business associates. The Tool is a self-contained, operating system (OS) independent application that is available at no cost and can be downloaded from Apple’s App Store. It guides users through each HIPAA requirement by presenting questions answerable as “yes” or “no” to indicate whether corrective action is needed for any of the 156 question items. Guidance provides assistance in:

  • Understanding the context of the question
  • Considering the potential impacts to your PHI if the requirement is not met
  • Seeing the actual safeguard language of the HIPAA Security Rule

The Tool can serve as the local repository for the information and does not send your data anywhere else. At any time during the risk assessment process, you can pause to view your current results. The results are available in printable PDF and Excel formats. For details on how to use the tool, download the SRA Tool User Guide. A paper-based version of the tool is also available.

Camella Boateng, an experienced HIPAA consultant, makes the point that “Covered Entities and Business Associates are not mandated to use this tool; however, they are required to conduct regular, organization-wide risk analyses for HIPAA compliance. Much of my work over the last year has been assisting clients in conducting system-wide HIPAA compliance reviews. Using the tool greatly assists in doing this. If you monitor the OCR website, it is clear from the many recent HIPAA enforcement actions that many organizations have not performed such analyses properly.”

Suzanne Castaldo, JD, notes, “OCR can be counted upon to include review of organizations’ risk analyses during the Phase 2 HIPAA audits, and the results from these reviews will result in many Business Associates being notified of a desk audit before the end of this year. OCR plans to follow up with field audits for both Covered Entities and Business Associates beginning in 2017 that will have the twin objectives of learning more about HIPAA compliance in general, as well as having some of the audits find cases that warrant becoming enforcement investigations of HIPAA violations.”

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Copyright © 2016 Strategic Management Services, LLC. Published with permission.