The Department of Health and Human Services is issuing a stern warning to healthcare providers to take patient privacy issues seriously or suffer hefty fines and penalties.
The healthcare regulator issued its largest monetary penalty last month for privacy violations under the Health Insurance Portability and Accountability Act since the law’s enactment 18 years ago. With the new HIPAA compliance audit program set to launch in the coming months, more frequent enforcement actions and larger fines may become the new normal.
HHS’s Office for Civil Rights (OCR) fined New York and Presbyterian Hospital and Columbia University a record total $4.8 million for HIPAA violations on May 7. NYP will pay $3.3 million, while CU will pay $1.5 million.
CU faculty members frequently serve as attending physicians at NYP, and both organizations operate a shared data network, which links to NYP patient information systems, and a shared network firewall that is administered by employees of both organizations.
In 2010, 6,800 patients’ electronic protected health information (ePHI) was compromised when a CU-employed physician attempted to deactivate a personally owned computer server on the network containing patient health information. “Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines,” HHS stated.
HHS also charged NYP and CU with failing to develop an adequate risk-management plan that addressed potential security weaknesses. NYP took the brunt of the charges for additionally failing to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.
Bigger Fines and Penalties
Although the penalty was the largest HIPAA fine to ever be levied in a single case, the violation that led to it wasn’t all that unusual, say HIPAA experts. “The facts surrounding this particular situation really were not unique,” says Ryan Blaney, a member of the healthcare law group at Cozen O’Connor. Additionally, “there was no intentional wrongdoing by either covered entity,” Blaney adds. Nothing about the HIPAA violations appeared to be any more egregious than similar enforcement actions brought in the past that have resulted in much smaller penalties, he says.
Many privacy and security experts say large settlements will become increasingly common as a result of the OCR’s increased enforcement efforts. It used to be that healthcare regulators would issue fines in the $1.5 million to $1.7 million range on the high end. “Those were really designed to get covered entities’ attention,” says Lynn Sessions, a partner with law firm BakerHostetler.
HHS has recently indicated, however, that those smaller penalties may soon become a thing of the past. “In the future, if covered entities haven’t embraced HIPAA’s privacy and security rules, they’re more likely to see fines more in the range of $5 million initially, and then perhaps, depending on the organization, going up even more than that,” Sessions says.
The NYP and CU settlement is also important for the compliance lessons it offers. As part of the settlement, both healthcare businesses have entered into a three-year corrective action plan in which each has agreed to:
Undertake a risk analysis;
Develop a risk-management plan;
Revise policies and procedures on information access management and device and media controls; and
Develop a privacy and security awareness training program.
Blaney says healthcare businesses should take a close look at the corrective action plans, because they serve as a “blueprint” for healthcare providers to follow to ensure compliance with HIPAA.
The broader lesson to be learned from NYP’s mistake, in particular, is that “you have to go beyond having glossy policies in place,” Blaney says. “You really have to implement them and spend time and effort following them.”
In the settlement agreement, HHS further stressed that joint healthcare arrangements will result in joint liability. “When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information,” Christina Heide, OCR’s acting deputy director of health information privacy, said in a prepared statement.
More enforcement actions and larger fines may be on the way as HHS prepares to launch its new HIPAA compliance audit program, mandated under the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act. HITECH requires HHS to perform periodic audits of covered entity and business associate compliance with HIPAA’s privacy, security, and breach notification rules.
Prior to the HITECH Act, HHS would leave it up to individuals to bring a privacy complaint against a healthcare provider before conducting an audit. “It was more of a reactive model to compliance,” says Jessie Berg, a principal with the law firm Gray Plant Mooty.
That approach began to change in 2012, when HHS launched a pilot audit program carried out by KPMG, under contract with HHS, which conducted reviews of HIPAA compliance at 115 covered entities. The new program will be permanent and conducted by HHS personnel.
In a Feb. 24 notice in the Federal Register, HHS explained that it will be sending out pre-audit surveys to “up to 1,200 HIPAA covered entities, including health plans, healthcare clearinghouses and certain healthcare providers, and business associates,” in the coming months as the first step toward determining suitable candidates for the audits.
Information that will be collected includes, “recent data about the number of patient visits or insured lives, use of electronic information, revenue, and business locations,” the notice stated.
The HIPAA audit program also sweeps in third-party affiliates of healthcare businesses, which generally includes any business that provides a service to a covered healthcare entity, and who receives protected health information in the course of providing that service. Business associates may include, for example, healthcare billing companies, Medicare payers, hospital management companies, and cloud computing companies that store PHI.
Unlike hospitals and physician practice groups, business associates traditionally haven’t been exposed to HIPAA audits and likely are not doing everything they need to do to comply with the law’s privacy and security rules, Berg says. “The audit program should be viewed by business associates as a big wake-up call,” he says.
As part of its resolution agreement, the New York and Presbyterian Hospital (NYP) agreed to the following:
Payment. NYP agrees to pay HHS the amount of three million three hundred thousand dollars ($3,300,000.00) (“Resolution Amount”).
Corrective Action Plan. NYP has entered into and agrees to comply with the Corrective Action Plan (CAP):
Modify Existing Risk Analysis Process
Develop and Implement a Risk Management Plan
Review and Revise Policies and Procedures on Information Access Management
Implement Process for Evaluating Environmental and Operational Changes
Review and Revise Policies and Procedures on Device and Media Controls
Develop an Enhanced Privacy and Security Awareness Training Program
Source: NYP Resolution Agreement.
HHS has said in the past that many breaches are caused by business associates not having policies and procedures in place, “so I expect that’s where you’re going to see a lot of the audits,” Blaney says. “It’s a low-hanging fruit for the government.”
The audits themselves will be divided up into “desk” audits, in which the covered entity provides review materials to HHS and “on-site” audits. Upon being notified of an audit, the healthcare entity or business associate will have a brief, two-week time frame to produce the requested materials.
To help healthcare entities and business associates in this process, OCR has created an audit program protocol that organizations can use to better understand what an audit might look like.
As far as other steps that healthcare businesses and business associates should take to prepare for a potential HIPAA audit, “get organized,” Blaney says. “Know where all your policies and procedures are. Have them all in one location.”
It’s also a good idea to have in place a point person to respond to the audit, Blaney adds. “You want to appear to be as organized and as professional as possible,” he says.
Healthcare organizations can also limit their potential exposure under HIPAA by using the “security risk assessment tool” issued by HHS as a guide to assist healthcare providers as they perform risk assessments. “That’s a really good place to start,” Sessions says. Assuming a covered entity has all the required security and privacy measures in place, “they should pass an audit with little trouble.”