HIPAA Compliance Enforcement to Escalate
Expect more government investigations of labs for HIPAA compliance. The government is more concerned than ever about the security of patient records and has signaled that it is ramping up enforcement against violators.
OCR enforcement to intensify
The Department of Health and Human Services' Office for Civil Rights (OCR), the agency that enforces HIPAA's privacy and security rules, has announced that it intends to be more punitive with HIPAA violators than it has in the past, according to OCR Director Jocelyn Samuels.
"We really do want to work with covered entities and [have their] voluntary compliance. But we have the authority to enforce and have the tools, including civil money penalties," she pointed out, speaking Sept. 2 at the eighth annual HIPAA security conference hosted by OCR and the National Institute of Standards and Technology in Washington, DC. OCR is also more likely to require bigger fines and formal "resolution agreements" with a covered entity than informal corrective action when an investigation uncovers multiple HIPAA violations and little attempt to comply with the law.
For instance, OCR's most recent settlement agreement, with Indiana-based Cancer Care Group, a 13-physician radiation oncology practice, involved "widespread" noncompliance with HIPAA's security rule. OCR launched an investigation after the medical group reported the theft of unencrypted backup files containing records of 55,000 patients from an employee's car. The agency found that the group had never conducted a risk analysis of the vulnerabilities of its electronic patient data, a requirement of HIPAA since 2005. The group also had no written policies and procedures regarding the protection of electronic patient data taken out of the office, even though employees routinely took laptops and other hardware home or elsewhere. The group agreed to pay $750,000 and enter into a corrective action plan to settle the allegations, according to OCR's August announcement.
And Brighton, Massachusetts-based St. Elizabeth's Medical Center agreed in July to pay $218,400 after it exposed electronic records of its patients on the internet by using an unauthorized, unsecured, internet-based document sharing application to store the documents. The medical center, which had suffered at least two other security breaches, then compounded its violation by failing to handle the security breach as required by HIPAA, including timely reporting and mitigating the potential harm to patients whose records had been compromised. OCR launched an investigation after receiving a complaint about the security breach.
More than 1,300 security breaches of 500 or more patient records have been reported to HHS since reporting was required in September 2009, and more than 157,000 reports of breaches affecting fewer than 500 individuals have been submitted, Samuels reported. While most breaches affect just one or two patients, 2015 has been a banner year for very large "high profile" breaches affecting millions at a time, such as the hacking of Anthem's system, compromising 80 million records, and the most recent attack on Excellus Blue Cross Blue Shield, which exposed 10 million records. OCR will open an investigation into all reported breaches affecting 500 or more individuals, as well as into complaints filed.
Samuels recommended that covered entities be "vigilant" in protecting patient information, with strong controls, self-auditing, allowing only permissible uses and disclosures of information, and patching out-of-date software. She also noted that patient information on mobile devices is also subject to HIPAA and must be protected.
And while OCR will investigate providers of all sizes, it does recognize that there is not a one-size-fits-all requirement regarding compliance. "Remember the HIPAA rules are flexible and scalable and can be customized [based on the size of the entity]," she noted.
Samuels also reported that OCR is "hard at work" on the launch of the permanent audit program, and that most of those audits will be desk audits. OCR will soon post an audit protocol on its website, which entities can use to conduct a self-audit. The permanent audit program, required by the HITECH Act of 2009 which amended HIPAA, is slated to begin early in 2016.
OIG blasts OCR's performance
OCR's enforcement will likely be fueled further by the Office of Inspector General's (OIG) recent criticism of OCR's HIPAA enforcement. In two reports issued in September, the OIG chastised OCR for both its inadequate oversight of compliance with HIPAA's privacy rule and its poor follow-up of reported breaches of protected health information. The OIG found, among other things, that:
- OCR was primarily reactive, investigating in response to complaints, and should be more proactive;
- Documentation of corrective actions and follow-up of security breaches was incomplete;
- Its case tracking system had limited search functionality;
- Many providers were noncompliant with HIPAA; and
- OCR staff were not always checking to see if an entity being investigated had previously been investigated or if one reporting a breach had reported one in the past.
The OIG recommended that, among other things, OCR get a permanent audit program up and running, improve its current investigatory process, and increase its education and outreach to improve HIPAA compliance.
FBI issues warning about 'Internet of Things'
If that was not enough, the Federal Bureau of Investigation (FBI) issued an alert September 10 warning providers and consumers that devices and objects that connect to the internet to send and receive data are vulnerable to cyber attack. While some of the devices the FBI referenced in its alert are more consumer oriented, such as "smart" televisions, wearable fitness devices and baby monitors, some of the objects of concern include ones common in labs and other businesses, such as printers, security systems and thermostats.
"Deficient security capabilities and difficulties for patching vulnerabilities in these devices, as well as a lack of consumer security awareness, provide cyber actors with opportunities to exploit these devices. Criminals can use these opportunities to remotely facilitate attacks on other systems, send malicious and spam e-mails, steal personal information, or interfere with physical safety," the FBI says in the alert. The cyber criminals can also take advantage of these devices by rendering the device inoperable or interfering with business transactions.
The FBI recommended that steps be taken to reduce the risk of being a victim of such cyber crime, including:
- Protect wireless networks with strong passwords
- Isolate devices on their own protected networks
- Use security patches when available
Revisit HIPAA compliance
Now is a good time for labs to review whether they're in compliance with HIPAA. Consider these six tips:
- Conduct a self-appraisal of compliance with HIPAA's privacy and security rules. For instance, conduct a risk analysis of patient information in electronic form to check for vulnerabilities, such as lack of firewalls or weak passwords. Take steps to reduce or eliminate any vulnerabilities identified. Make sure that staff are trained in HIPAA compliance. Some safeguards are required by HIPAA; others are "addressable" but not necessarily required to be implemented.
- Make sure you've entered into business associate agreements with any entity or individual handling patient protected information on the lab's behalf, such as a billing company. HIPAA requires labs and other covered entities to enter into business associate agreements with business associates to ensure that the business associate will safeguard the patient information adequately. OCR has provided sample business associate agreement language on its website.
- Consider encrypting patient information. Encryption is technically not required by HIPAA. However, a lab that opts not to encrypt has to at least address why it isn't encrypting and document what alternative it will use instead to protect the data, according to Deven McGraw, deputy director of the health information privacy division at OCR, also speaking at the OCR/NIST conference. "'Addressable' does not mean optional. It never has. We expect you to address it," she explains. Note that patient data that is lost or stolen but has been encrypted in accordance with NIST standards is considered "secure" and does not need to be reported to patients or HHS.
- Have an action plan to handle a breach of unsecured patient information. There are steps a lab needs to take, such as conducting an assessment of the likelihood that the information was compromised, timely notifications to HHS, patients and in some cases the media, and corrective action to forestall future breaches. You don't want to be caught scrambling to comply once a breach has occurred.
- Don't forget state law. State laws are often broader than HIPAA. For instance, labs suffering a breach of patient information may have to report it more quickly to state authorities than to HHS.
- Keep an eye out for future developments. There's a lot of activity concerning the privacy and security of patient data. In addition to the revised audit protocol expected this year, OCR is planning to release new guidance on patients' access to their data. Other guidance or rules still forthcoming include clarification of what disclosures of patient information are the "minimum necessary" and a proposed rule on how individuals who have been harmed by a data breach should receive a portion of the penalty imposed on the violator. Both of those are part of the HITECH Act of 2009 that amended HIPAA.
Takeaway: Labs should make sure that they have a robust HIPAA compliance program, especially since even the most diligent lab may suffer a breach of patient information via hacking, user error or other event.