With federal enforcement of patient privacy rules now under way, it is a good time to review the lessons from HIPAA cases announced in 2016. Common themes clearly prevail.
In reviewing these lessons, keep in mind that the feds continue to clarify the stricter rules in place since 2013 under the Health Insurance Portability and Accountability Act (HIPAA). Since federal audits began only last year, gray areas remain.
Here are some overriding messages from recent federal cases and news releases:
Make an enterprise-wide risk analysis a top priority, and include all remote facilities in your assessment. Also account for the security of mobile devices and databases in the homes and cars of employees, including telecommuters. Multiple settlements drive home this point. Also remember that you need proper policies and procedures in place as part of risk analysis and mitigation.
Example: St. Joseph Health (SJH) operates hospitals, home health agencies, hospice care, outpatient services, skilled nursing facilities, community clinics and physician organizations in California, Texas and New Mexico. SJH agreed to pay $2.14 million in a settlement with the U.S. Office for Civil Rights (OCR), relating to a report that files containing electronic protected health information (ePHI) were publicly accessible through internet search engines from 2011 until 2012. A server SJH purchased included a file-sharing application whose default setting allowed anyone with an internet connection to access the data, potentially exposing the records of nearly 32,000 patients. Once a purchased server or appliance is deployed, its default settings are your configuration, and they belong in the risk analysis.
The feds said: Although SJH hired a number of contractors to assess risks and vulnerabilities, evidence indicated a “patchwork” approach falling short of “enterprise-wide risk analysis.”
Business associate agreements are another priority that multiple cases reinforce. The point is that if any outside person or vendor can potentially access private information about your patients, then you need to hold those vendors or individuals to the same rules that apply to you. You need formal agreements with them. Also know that HIPAA audits extend to business associates.
Example: Catholic Health Care Services (CHCS), an agency of the Archdiocese of Philadelphia, agreed to pay $650,000 to settle potential privacy violations relating to the theft of a mobile device containing protected health information for 412 nursing home residents. CHCS performed IT services as a business associate to six skilled nursing facilities. The potential breach happened as a result of the theft of a CHCS-issued employee iPhone, which was unencrypted and not password protected. The information on the iPhone included Social Security numbers, information about diagnoses, medications and treatments, and names of family members and legal guardians.
The feds said: CHCS had no policies addressing the removal of mobile devices containing patient information from its facility, and no risk analysis or risk management plan.
Smaller organizations are on the hook, too. HIPAA-covered providers of all types and sizes are subject to audits. Last fall, OCR announced it is now working with its regional offices to “more widely investigate the root causes of breaches affecting fewer than 500 individuals.” The regional offices will still have discretion over which smaller breaches to investigate, but each office will increase its efforts to address these smaller breaches.
In a recent newsletter, OCR discussed the “insider threat” as one of the largest threats to the security of patient information within organizations. The agency noted that even some cyberattacks may be insider-driven.
According to a recent survey, conducted by Accenture and HfS Research, 69% of organizations surveyed reported experiences with malicious activity on the part of insiders, including current or former employees, contractors and business associates.
Keep in mind, whenever patient information reaches unauthorized ears and eyes, nothing stops it from getting on social media. And yes, that does happen, especially among patients who are most vulnerable and unsuspecting.
Read about criminal charges under HIPAA law in a commentary by MyHIPAA Guide Publisher Diane Evans, from the June 2016 issue of Compliance Today:
By Diane Evans
If you haven’t been following HIPAA news lately, you may have missed some interesting stories.
One example: In a precedent-setting case, a 64-year-old Massachusetts physician now faces federal charges for allegedly taking money and meals from the drug company Warner Chilcott, with one charge relating to a criminal violation of patient privacy under the Health Insurance Portability and Accountability Act (HIPAA).
A blog post published on the website of the National Law Review notes that the case should be of great interest to the health care community for the “new twist” of a criminal charge under HIPAA. You have to wonder: Is HIPAA the new tax evasion fallback for federal investigators?
In another recent case, an affiliate organization of the University of Washington Medical Center agreed to a $750,000 settlement after an employee downloaded an email attachment that contained malware. The feds concluded that electronic protected health information (ePHI) was compromised because of the lack of a proper risk assessment and risk mitigation.
With federal audits set to begin in 2016, and with uniform reporting rules for meaningful use of electronic records recently announced, are you ready?
MyHIPAAGuide.com can help. It is a news and information service offering:
News updates on HIPAA rules;
Forum boards, where you can compare notes on HIPAA compliance and share experiences, good or bad, with different kinds of software and equipment;
A catalog of 40+ carefully-picked federal government resources, including tutorials, templates and how-to videos, organized around a 10-step compliance plan published by the U.S. Department of Health and Human Services.
The 10-step plan, available for public viewing on MyHIPAAGuide.com, organizes compliance around an easy checklist of things you need to do. For example, if you are still using old Patient Privacy Notices, it is likely you will need to upgrade to new consent notices designed to achieve what is called “meaningful consent.” You’ll also want to make sure your Business Associate Agreements (BAAs) are in place, and updated to reflect security precautions for ePHI.
Resources available on MyHIPAAGuide.com include:
Patient Privacy Notices to help achieve meaningful consent, available both in English and Spanish
Short videos that capture the essence of a risk assessment
Self-evaluation tools to help guide organizations large and small
Sample provisions for Business Associate Agreements (BAA)
Guides that address specific issues, such as recommendations for safely reporting patient test results
Risk analysis tools, with both Windows and iPad versions
MyHIPAA Guide helps HIPAA-covered organizations prepare for financial incentives from Medicare and Medicaid, and avoid penalties.
MyHIPAAGuide.com is published by M.E.D. Media Mart LLC, based in Akron, Ohio.