Free Webinar! Personal Health Information: Hospitals, Health Plans, and Human Resources

Headlines screaming about the mishandling of personal health information have become ubiquitous in the media. Employers handling health records are rightly concerned about their liability for the protection of such data. So where should an anxious employer begin?

This webinar will provide employers with an overview of their legal obligations. It focuses on health care providers, covered entities, and business associates under HIPAA; on the handling of health information that arises from health insurance, medical leave, or disability claims; and on the requirements of GINA, the FMLA, and the ADA.

Join this webinar to get real answers to questions like:

  • What obligations do organizations have to secure protected health information (PHI) under HIPAA?
  • What can HIPAA-covered entities and business associates expect from OCR audits and compliance investigations?
  • What other laws must employers consider when dealing with health information?

Thursday, October 13, 2016
2:00-3:00 p.m. EDT
1:00-2:00 p.m. CDT
12:00-1:00 p.m. MDT
11:00 a.m.-12:00 p.m. PDT

Registration is open to the first 1,000 approved registrants and requires a complete name, title, organization, and valid business email address.

Kusserow on Compliance: Enforcement update from OCR

The HHS Office for Civil Rights (OCR) reports that HIPAA Privacy and Security breaches of protected health information (PHI) continue to increase. From OCR's published data, it is estimated that more than 41 million people have had their PHI compromised in HIPAA privacy and security breaches. The true number is greater, however, because most breaches affect fewer than 500 individuals; those breaches are reported to HHS only annually and are not posted on OCR's public breach portal. Since the compliance date of the Privacy Rule in April 2003, OCR reports having received more than 137,770 HIPAA complaints, which resulted in nearly 1,000 compliance reviews. The following summarizes the results of those reviews and investigations:

  • 70 percent were determined to be (a) not warranting enforcement because the complaint was untimely or withdrawn by the complainant; (b) directed at entities not covered by HIPAA; or (c) without a violation.
  • 17 percent led to required changes in privacy practices and corrective actions.
  • 10 percent involved early intervention, with only technical assistance needed.
  • 37 cases involved financial settlements totaling $39,989,200.

The covered entities most often required to take corrective action to achieve voluntary compliance, in order of number of occurrences, were private practices, hospitals, outpatient facilities, pharmacies, and health plans. The compliance issues most frequently investigated to date, compiled cumulatively and in order of frequency, are:

  1. Impermissible uses and disclosures of protected health information;
  2. Lack of safeguards of protected health information;
  3. Lack of patient access to their protected health information;
  4. Use or disclosure of more than the minimum necessary protected health information; and
  5. Lack of administrative safeguards of electronic protected health information.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Copyright © 2016 Strategic Management Services, LLC. Published with permission.

OCR thinks small to stop data breaches

Reports of breaches affecting the protected health information (PHI) of fewer than 500 individuals will be more widely investigated by the HHS Office for Civil Rights (OCR), beginning August 2016. Previously, OCR's regional offices investigated all breach reports involving the PHI of 500 or more individuals and investigated smaller breaches only when resources permitted the additional oversight. Under the new initiative, regional offices retain discretion over which smaller breaches to investigate, but each office will increase its investigative efforts to identify smaller breaches and obtain the necessary corrective action.

Considerations

Covered entities under the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) are required to report breaches of unsecured PHI to affected individuals and to the HHS Office for Civil Rights (OCR), consistent with the Breach Notification Rule; breaches affecting 500 or more individuals must be reported to OCR without unreasonable delay, while smaller breaches may be reported annually. Where a breach involves more than 500 residents of a state or jurisdiction, covered entities must also notify prominent media outlets serving that area. To decide which breach reports affecting fewer than 500 individuals will be investigated, OCR plans to consider the following factors:

  • the size of the breach;
  • the presence of theft or improper disposal of unencrypted PHI;
  • unwanted intrusions into information technology (IT) systems (hacking); and
  • instances where numerous breach reports from a single entity raise similar issues.

Prior breaches

The OCR has already investigated some smaller breach reports, which have led to settlements. Those investigations include breaches resulting from a business associate’s failure to safeguard the PHI of skilled nursing facility residents, an insurance company’s failure to implement adequate PHI security measures, a medical center’s improper use of a data-sharing internet application, and the theft of two unencrypted laptops—one from a hospice provider and another from an employee’s car at a physical therapy center.

Other threats

Data breaches and cybersecurity threats of all kinds continue to plague the health care industry. For example, in July 2016, Banner Health experienced a breach of PHI and payment card data affecting 3.7 million patients, members, beneficiaries, and food and beverage outlet customers (see Banner Health breach potentially affects millions, Health Law Daily, August 4, 2016). Health systems also face newer threats such as ransomware, in which attackers "kidnap" data by encrypting or locking it and demand ransom payments for its release (see Lawmakers, agencies raise specter of ransomware threats to cybersecurity, Health Law Daily, June 30, 2016).