It has been 21 years since the Health Insurance Portability and Accountability Act (HIPAA) was signed into law. HIPAA was designed to improve the portability and accountability of health insurance coverage. In effect, the law secures and protects Protected Health Information (PHI) and enforces standards for electronic transactions in healthcare. Interestingly, although the law is now best known for information protection, the “I” and “P” in the acronym stand for Insurance Portability, not Information Protection.

Since the rules took effect (2003-2005), the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has settled 41 cases for $48.9 million.

HIPAA has three primary rules: the Privacy Rule (81 requirements); the Security Rule (78 requirements); and the Breach Notification Rule (10 requirements). Understanding all 169 requirements will be helpful in navigating an OCR periodic audit or an investigation.

HIPAA Privacy Rule

The HIPAA Privacy Rule sets national standards on the protection of PHI, on who may access it, and on when its disclosure must be authorized. It governs when and how PHI is used and disclosed. The Privacy Rule also gives patients rights over their health records, including the right to access and obtain a copy of them and to request corrections to them.

HIPAA Security Rule

The HIPAA Security Rule establishes national standards to protect electronic PHI, or ePHI. The Security Rule prescribes the administrative, physical, and technical safeguards a Covered Entity must apply to ePHI it creates, receives, maintains, or transmits. Under the regulation, a Covered Entity can be an individual, organization, or agency that acts as a health care provider, a health plan (payer), or a health care clearinghouse (which processes claims).

If a Covered Entity uses a third party to access, transmit, process, or store ePHI, the third party is considered a Business Associate because it helps the Covered Entity carry out its health care activities and functions. A Business Associate cannot skirt its regulatory obligations by subcontracting: a subcontractor that handles ePHI on behalf of a Business Associate is itself a Business Associate, with the same obligations.

HIPAA Breach Notification Rule

The final primary rule is the Breach Notification Rule. The HIPAA Breach Notification Rule requires Covered Entities to notify affected individuals, HHS, and in some cases the media following a breach of unsecured PHI (PHI that has not been rendered unusable or unreadable to unauthorized persons, for example through encryption), and requires Business Associates to notify the Covered Entity.

So what price will a Covered Entity pay if it does not comply with HIPAA? Let’s look at a recent case.

Data Breach Today recently reported that Children’s Medical Center of Dallas (“CMC Dallas”) received a $3.2 million civil money penalty from HHS OCR “based on its impermissible disclosure of unsecured electronic protected health information and non-compliance over many years with multiple standards of the HIPAA Security Rule.” In February 2014, CMC Dallas had received kudos for being one of “the first hospitals in the U.S. to implement true, untethered export of patient health data to a Personal Health Record (PHR)”. Yet in 2007 and 2008, CMC Dallas had been put on notice through various self-assessments and reports, and had actual knowledge, that it maintained ePHI in an unencrypted manner.

Subsequently, CMC Dallas filed a breach report with OCR on Jan. 18, 2010, citing the loss of an unencrypted, non-password-protected BlackBerry device at the Dallas/Fort Worth International Airport on Nov. 19, 2009. The device contained the ePHI of approximately 3,800 individuals. However, CMC Dallas did not implement encryption on all devices until April 9, 2013. On July 5, 2013, CMC Dallas filed another breach report with OCR after an unencrypted laptop containing the ePHI of 2,462 individuals went missing in April 2013. Additionally, OCR found that CMC Dallas “did not implement sufficient policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of its facility, and the movement of these items within the facility”. Based on CMC Dallas’s prior history of non-compliance with the Privacy and Security Rules, OCR imposed the penalty referenced above.

The following mitigation steps could be used to prevent similar sanctions.

  • Update Policies and Procedures. Covered Entities should review and revise HIPAA-related policies and procedures with a focus on clearly outlining an escalation process and defining compliance roles and responsibilities. Based on the facts, CMC Dallas did not appear to have a path in its policies and procedures to escalate and resolve known risks such as unencrypted devices. To avoid the kind of inaction seen at CMC Dallas, Covered Entities should ensure that policies and procedures define roles and responsibilities. Policies and procedures should be reviewed as often as necessary, but at least annually.
  • Encrypt ePHI and Control Media. Both CMC Dallas breaches involved unencrypted portable devices. Encryption is an “addressable” implementation specification under the Security Rule, which does not make it optional: a Covered Entity that chooses not to encrypt must document why and implement an equivalent alternative safeguard. In practice, encrypting ePHI on laptops and mobile devices is the simplest path, because a lost device whose ePHI is encrypted per HHS guidance is not “unsecured” PHI and the loss is not a reportable breach. Policies should also govern the receipt, removal, and movement of hardware and media containing ePHI, the gap OCR specifically cited.
  • Training. Provide up-to-date HIPAA training to employees, covering both privacy and security awareness.

What does the future hold for HIPAA? According to David Holtzman, a former senior adviser at the Department of Health and Human Services’ Office for Civil Rights, “Look for 2017 to be a year when OCR continues to exercise its HIPAA enforcement muscle – just not at the record pace seen in 2016.” If HHS OCR doesn’t get to you, great. If it does, make sure you are prepared, or you will be fined.