What do these actions have in common? Violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, costing covered entities millions of dollars so far in 2014.
After several years of the U.S. Department of Health and Human Services (HHS) working collaboratively with covered entities to achieve compliance, the agency’s Office for Civil Rights (OCR) has announced fine after record-setting fine in recent months. And attorneys said the trend won’t slow down any time soon.
“We went from five years with essentially not a dollar changing hands under HIPAA to multiple settlements per year,” Washington, D.C. attorney Adam Greene said. And because it can take two years or more for a matter to go from the start of an investigation to settlement agreement, “we expect the number of settlements to continue to rise.”
Glen Allen attorney William H. Hall, Jr. noted that OCR has seen "a big uptick" in the number of complaints received, which has contributed to the rise in enforcement. "There is also more of an expectation that this is something that has been around for some time now…so OCR is taking a harder line in terms of pursuing fines," he added.
Broadening the landscape even more: OCR is expanding its audits beyond covered entities to business associates, encompassing an even larger pool of companies ranging from IT service providers to law firms.
Between striving for HIPAA compliance, attempting to get medical records in electronic form, and meeting the requirements of the Affordable Care Act – not to mention providing health care – covered entities are under an extraordinary amount of stress, said Ruth Griggs of Richmond. “This is like a perfect storm of events coming together and putting a ton of pressure on health care providers.”
OCR began enforcement of the HIPAA Privacy and Security Rules last fall. Under the Security Rule, entities are required to use administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of electronic protected health information, or ePHI. The Privacy Rule, which covers PHI in any form, paper included, sets forth rights for individuals regarding their PHI and limits on who can view or access the information.
In recent enforcement actions, the agency has enforced both Rules. Parkview Health System of Indiana and Ohio settled with OCR last month for $800,000 after employees left 71 boxes of medical records unattended in the driveway of a physician's home, within 20 feet of a public road and a short distance from a heavily trafficked area. Parkview knew the doctor was not home at the time the boxes were dropped off, the OCR said. The company also agreed to revise its policies and procedures and train its staff.
An earlier case, the $1.7 million settlement the OCR announced in June 2012 with the Alaska Department of Health and Social Services, followed the same pattern. The state agency self-reported a breach when a USB thumb drive was stolen from an employee's car, but during its investigation the OCR found that the agency lacked adequate policies and procedures, had never completed a risk analysis, and had conducted insufficient workforce training.
In the largest settlement to date, two health care organizations agreed in May to pay a total of $4.8 million for violating both Rules. New York and Presbyterian Hospital and Columbia University exposed the ePHI of 6,800 individuals, including lab results and medications, when a physician attempted to deactivate a personally owned computer server on the shared network.
Because no technical safeguards prevented it, the PHI became accessible to Internet search engines. Both entities will undertake a substantive corrective action plan, from a risk analysis to revised policies and procedures, more staff training, and the development of a risk management plan, in addition to payments of $3.3 million by New York and Presbyterian Hospital and $1.5 million by Columbia University.
In addition to scaring some companies into compliance, the OCR’s recent enforcement actions provide covered entities with some valuable lessons and tips.
• A risk analysis is critical. Several of the OCR settlements involved a covered entity's failure to conduct a risk analysis, Greene noted, which provides a foundational understanding of where the PHI is located and what different threats it faces. The Security Rule requires it outright (45 C.F.R. § 164.308(a)(1)(ii)(A)), so its absence is a violation in its own right, before any breach occurs. "There is a return on the investment with doing a good risk analysis," he said. "The better the risk analysis, the lower the chance of a breach." A breach alone without an enforcement action is a costly matter to deal with, but a breach followed by an investigation and enforcement action is even more expensive.
• Get employees on board. "Employee training is essential," Griggs said. "Every single person in the workforce should understand the need to avoid exposure and the importance of compliance." Give HIPAA-specific training and ensure that new hires are educated when they start. Hall cited an example of employees who believed having an access password on their laptop constituted encryption. "But if the laptop is stolen, someone can just pull the hard drive and drop it on another computer with access to everything," he said. The distinction matters: a login password only controls access through that operating system, while full-disk encryption keeps the data unreadable once the drive is removed, because the password (or a hardware-held key) is what unlocks the encryption key rather than merely the desktop. Employee training on encryption could prove beneficial.
• Policies should be in place, but documentation is just as important. After ten years of attempting to reach compliance with HIPAA, covered entities likely have policies and procedures in place to comply with the Rules. But one mistake many still make: failure to document. "If you are doing great things but you haven't documented what you are doing, then it doesn't matter," Greene said. Being able to demonstrate that specific actions were taken could make or break the outcome of an investigation by OCR. Employee training is a great example, Griggs said. Many employers will conduct a seminar or provide educational materials to employees without creating any kind of a record that they did so. "Get it in writing," she said.
• Keep a close eye on mobile devices. "Mobile is a particular risk area for providers and there have been a fair number of settlements that involved stolen laptops or other mobile devices," Hall said. While keeping PHI off of laptops is a laudable goal, Greene advises clients to "encrypt, encrypt, encrypt." "There is no reason not to encrypt all laptops and if you don't encrypt desktops at least have documentation of why you determined it was reasonable or appropriate not to do so," Greene said. "Even desktops find a way to walk out the back door." Encryption also changes the outcome of a loss: under the breach notification rule, ePHI encrypted in line with HHS guidance is not "unsecured" PHI, so a stolen encrypted laptop generally does not trigger a reportable breach, provided the key was not compromised with it.
• Change is hard. It might also violate HIPAA. When something changes at the office, whether a software upgrade, the purchase of new laptops for employees, or a move to a new location, covered entities need to consider the implications for PHI. "Use privacy and security by design," Greene suggested. For example, in the case of a software upgrade, "have checklists and systems in place to make sure the firewalls are configured and put back up."
• Business associates, brace yourselves. Covered entities were given roughly five years of voluntary compliance before HHS turned up the throttle on enforcement efforts, and since the 2013 Omnibus Rule business associates are directly liable for Security Rule compliance rather than merely bound by contract. "But I don't know if business associates will be given a stay of execution," Greene said. OCR has indicated that its second round of audits will begin in the coming months, and after being excluded in the first round of audits, business associates are now included as possible targets. The breadth of business associates, from court reporters to debt collection law firms to IT service providers, "makes this the area to watch," Greene added.
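The encryption and documentation advice above (the password-versus-encryption confusion in Hall's example, Greene's "encrypt, encrypt, encrypt" and the call to document any exception) can be turned into a routine control on a Windows laptop fleet. The following PowerShell script is an added example, not code from the article or from the attorneys quoted: it checks whether the operating-system volume is protected by BitLocker, appends a dated record of every volume's status to a CSV as evidence, and fails unless the device is either encrypted or listed in a written exception file. It assumes the built-in BitLocker PowerShell module (Windows 8 / Server 2012 or later) and an elevated session; the log and exception file paths are illustrative names.

```powershell
# Added example (not from the article): audit BitLocker status on this device and record it.
# Assumes the BitLocker module (Windows 8 / Server 2012+) and an elevated PowerShell session.
# $LogPath and $ExceptionPath are illustrative locations, not part of any product.
param(
    [string]$LogPath       = 'C:\Compliance\bitlocker-audit.csv',
    [string]$ExceptionPath = 'C:\Compliance\encryption-exceptions.txt'
)

$now      = Get-Date -Format 'o'
$computer = $env:COMPUTERNAME

# A logon password alone is not encryption: it only gates this operating system.
# Only a volume whose ProtectionStatus is On stays unreadable when the drive is
# pulled and mounted on another machine.
$volumes = Get-BitLockerVolume

$records = foreach ($v in $volumes) {
    [pscustomobject]@{
        Timestamp        = $now
        Computer         = $computer
        MountPoint       = $v.MountPoint
        VolumeType       = $v.VolumeType          # OperatingSystem or Data
        VolumeStatus     = $v.VolumeStatus        # e.g. FullyEncrypted, FullyDecrypted
        ProtectionStatus = $v.ProtectionStatus    # On / Off
        EncryptionMethod = $v.EncryptionMethod    # e.g. XtsAes256
    }
}

# Keep the evidence: "get it in writing" means a record that survives the audit.
$dir = Split-Path -Parent $LogPath
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
$records | Export-Csv -Path $LogPath -Append -NoTypeInformation

# A device may stay unencrypted only if the decision is documented: the exception
# file lists one computer name per line, followed by the reason.
$os     = $records | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
$exempt = (Test-Path $ExceptionPath) -and
          (Select-String -Path $ExceptionPath -Pattern "^\s*$([regex]::Escape($computer))\b" -Quiet)

if ($os.ProtectionStatus -ne 'On' -and -not $exempt) {
    Write-Error ("{0}: OS volume {1} is {2}, protection {3}, and no documented exception exists in {4}" -f
        $computer, $os.MountPoint, $os.VolumeStatus, $os.ProtectionStatus, $ExceptionPath)
    exit 1
}

$note = if ($exempt) { ' (documented exception)' } else { '' }
Write-Output ("{0}: OS volume {1} status {2}, protection {3}{4}" -f
    $computer, $os.MountPoint, $os.VolumeStatus, $os.ProtectionStatus, $note)
```

Run it from a scheduled task or endpoint-management tool so the CSV accumulates a dated history per device; the non-zero exit code makes an unencrypted, undocumented laptop visible to whatever runs the task rather than silently logged. The exception file is the written rationale Greene describes for desktops that are deliberately left unencrypted.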
Consider a safety net
Compliance with HIPAA and meeting all the requirements of the Privacy and Security Rules may not be enough. Increasingly sophisticated hackers present a real cyber threat for covered entities. And while a company that did all the right things will be unlikely to face a fine from OCR, the cost of a breach can be prohibitive and could result in a private class action.
One consideration: cyber insurance. “Insurance is increasingly common and definitely can be helpful for individual physicians in particular and physician practices,” Hall said. Many of the professional liability carriers offer at least some form of breach-related policy or endorsement, he added, which can help with an OCR investigation or the possibility of a civil suit.
Greene agreed that insurance is increasingly important but emphasized that companies "really need to understand what they are purchasing" as "no two policies look the same." Some policies exclude losses involving unencrypted devices, while others may limit a policyholder's choice of outside counsel or breach response firms, he explained.
In the meantime, keep up with compliance as attorneys expect the current settlements to pale in comparison to what is in the pipeline. “I have every expectation that the record-setting settlement with New York Presbyterian and Columbia University will be eclipsed fairly soon,” Greene warned.