With the onset of federally mandated enforcement of patient privacy laws, it’s a good time to review lessons from HIPAA cases announced in 2016. Common themes clearly prevail.

In reviewing these lessons, keep in mind that the feds continue to clarify the stricter rules in place since 2013 under the Health Insurance Portability and Accountability Act (HIPAA). Since federal audits began only last year, many gray areas remain.

Here are some overriding messages from recent federal cases and news releases:

1. Risk Assessment

Make this a top priority, and include all remote facilities in your assessment. Also account for the security of mobile devices and databases in the homes and cars of employees, including telecommuters. Multiple settlements drive home this point. Also remember that you need proper policies and procedures in place as part of risk analysis and mitigation.

Example: St. Joseph Health (SJH) operates hospitals, home health agencies, hospice care, outpatient services, skilled nursing facilities, community clinics and physician organizations in California, Texas and New Mexico. SJH agreed to pay $2.14 million in a settlement with the U.S. Office for Civil Rights (OCR) relating to a report that files containing electronic protected health information (ePHI) were publicly accessible through internet search engines from 2011 until 2012. A server SJH purchased included a file sharing application whose default setting allowed anyone with an internet connection to access the data, potentially breaching the privacy of nearly 32,000 patients.

The feds said: Although SJH hired a number of contractors to assess risks and vulnerabilities, evidence indicated a “patchwork” approach falling short of “enterprise-wide risk analysis.”

2. Business Associate Agreements

Again, multiple cases reinforce this as a big priority. The point is that if any outside person or vendor can potentially access private information about your patients, then you need to hold those vendors or individuals to the same rules that apply to you. You need formal agreements with them. Also know that HIPAA audits extend to business associates.

Example: The Archdiocese of Philadelphia agreed to pay $650,000 to settle potential privacy violations relating to the theft of a mobile device containing protected health information for 412 nursing home residents. In this case, Catholic Health Care Services (CHCS), an agency of the Archdiocese, performed IT services as a business associate to six skilled nursing facilities. The potential breach happened as a result of the theft of a CHCS-issued employee iPhone, which was unencrypted and not password protected. The information on the iPhone included social security numbers, information about diagnoses, medications and treatments, and names of family members and legal guardians.

The feds said: CHCS had no policies addressing the removal of mobile devices containing patient information from its facility, and no risk analysis or risk management plan.


3. Smaller providers

You’re on the hook, too. HIPAA-covered providers of all types and sizes are subject to audits. Last fall, OCR announced it is now working with its regional offices to “more widely investigate the root causes of breaches affecting fewer than 500 individuals.” The regional offices will still have discretion on which smaller breaches to investigate, but each office will increase its efforts to address these smaller breaches.

4. Insider threats

In a recent newsletter, OCR discussed the “insider threat” as one of the largest threats to the security of patient information within organizations. The agency noted that even some cyberattacks may be insider-driven.

According to a recent survey, conducted by Accenture and HfS Research, 69% of organizations surveyed reported experiences with malicious activity on the part of insiders, including current or former employees, contractors and business associates.

Keep in mind, whenever patient information reaches unauthorized ears and eyes, nothing stops it from getting on social media. And yes, that does happen, especially among patients who are most vulnerable and unsuspecting.


Read about the first criminal charges under HIPAA law, in a commentary by MyHIPAA Guide Publisher Diane Evans, in the June 2016 issue of Compliance Today:

June2016 OpEd


By Diane Evans
Publisher, MyHIPAAGuide.com

If you haven’t been following HIPAA news lately, you may have missed some interesting stories.

One example: In a precedent-setting case, a 64-year-old Massachusetts physician now faces federal charges for allegedly taking money and meals from the drug company Warner Chilcott, with one charge relating to a criminal violation of patient privacy under the Health Insurance Portability and Accountability Act (HIPAA).

A blog post published on the website of the National Law Review notes that the case should be of great interest to the health care community for the “new twist” of a criminal charge under HIPAA. You have to wonder: Is HIPAA the new tax evasion fallback for federal investigators?

In another recent case, an affiliate organization of the University of Washington Medical Center agreed to a $750,000 settlement as a result of an employee downloading an email attachment that contained malware. The feds concluded that electronic Protected Health Information (e-PHI) was compromised due to the lack of a proper risk assessment and risk mitigation.

With federal audits set to begin in 2016, and with uniform reporting rules for meaningful use of electronic records recently announced, are you ready?

MyHIPAAGuide.com can help. MyHIPAAGuide.com is a news and information service offering:

  • News updates on HIPAA rules;

  • Forum boards, where you can compare notes on HIPAA compliance and share experiences – good or bad – with different kinds of software and equipment;

  • A catalog of 40+ carefully-picked federal government resources, including tutorials, templates and how-to videos, organized around a 10-step compliance plan published by the U.S. Department of Health and Human Services.

The 10-step plan, available for public viewing on MyHIPAAGuide.com, organizes compliance around an easy checklist of things you need to do. For example, if you are still using old Patient Privacy Notices, it is likely you will need to upgrade to new consent notices designed to achieve what is called “meaningful consent.” You’ll also want to make sure your Business Associate Agreements (BAAs) are in place, and updated to reflect security precautions for ePHI.

Resources available on MyHIPAAGuide.com include:

  • Patient Privacy Notices to help achieve meaningful consent, available both in English and Spanish

  • Short videos that capture the essence of a risk assessment

  • Self-evaluation tools to help guide organizations large and small

  • Sample provisions for Business Associate Agreements (BAA)

  • Guides that address specific issues, such as recommendations for safely reporting patient test results

  • Risk analysis tools, with both Windows and iPad versions

  • Patient education

MyHIPAA Guide helps HIPAA-covered organizations prepare for financial incentives from Medicare and Medicaid – and avoid penalties.

Questions? Contact Diane Evans.

MyHIPAAGuide.com is published by M.E.D. Media Mart LLC, based in Akron, Ohio.


10 Step HIPAA Plan

  • Step 1: Make Sure You Must Comply with HIPAA
    What's Inside:
    Lists of who is generally covered and who is not, plus a contact for inquiries.
  • Step 2: Designate Team Leaders
    What's Inside:
    • 7-page HIPAA basics
    • 62-page guide to security and privacy of ePHI
    • Compliance Charter Template
  • Step 3: Develop Security Policies & Procedures
    What's Inside:
    Templates for Security Policies and Procedures
  • Step 4: Conduct a Security Risk Analysis
    What's Inside:
    • Guides
    • Short videos
    • Interactive quizzes on risk assessment and contingency preparation
    • 10 common myths
    • Interactive tutorial – 156 questions with fillable PDFs for Windows or iPad. All material from federal sources.
  • Step 5: Develop an Action Plan
    What's Inside:
    • 11-page overview on ePHI for small practices
    • 4-page Q&A on email with patients
    • Checklists
    • Toolkit on 45 implementation specifications
  • Step 6: Reduce Risks of a Breach
    What's Inside:
    • Overview of expectations
    • Annual Work Plan Template
  • Step 7: Train the Team
    What's Inside:
    • Breach notification reporting form
    • Links to details on the notification process and what constitutes a breach
    • Suite of Training Materials
  • Step 8: Customize Privacy Notices
    What's Inside (for all):
    • Privacy notice templates to help achieve meaningful consent, in English & Spanish
    • Professionals' guide covering 2013 updates on communications
    • Electronic toolkit with patient education and meaningful consent sample materials
  • Step 9: Execute Business Associate Agreements
    What's Inside:
    • Sample Business Associate Agreement (BAA) provisions
    • Suite of BA Management Tools
  • Step 10: Verify Compliance with HIPAA
    What's Inside:
    • Tip sheets
    • Short videos
    • Overviews
    • 94-page guide on the EHR incentive program
    • Beginners' toolkit on reporting to the government
    All from federal sources.