More companies are finding themselves in hot water for privacy violations under the Health Insurance Portability and Accountability Act.

Department of Health and Human Services recently reported that it brought more enforcement actions for violations of HIPAA’s Privacy Rule last year than any other year since that piece of the landmark legislation was enacted in 2003. And all signs indicate that HSS’s Office of Civil Rights, which is responsible for policing the rule, will continue to expand its caseload.

The HIPAA Privacy Rule established a set of federal standards to protect the privacy of patients’ health information maintained by covered entities—which include physicians, hospitals, and other healthcare providers.

According to the healthcare regulator, OCR officials investigated more Privacy Rule complaints last year—4,463 in all—than any other year since 2003. Of these complaints, the agency entered into 3,470 corrective action plans, while the remaining 993 complaints involved no violations. In 2012, the agency conducted 4,342 investigations, resulting in 3,361 corrective action plans.

The increased enforcement activity comes at a time when the agency has continued to receive over the last five years a rising number of complaints for violations of the Privacy Rule. In 2013, OCR received a record 12,915 complaints, significantly more than the 10,454 complaints received in 2012.

Common Errors

According to the OCR, the most common types of violations that have resulted in enforcement actions include:

Prohibited use and disclosure of protected health information (PHI);

Lack of safeguards for protected health information;

Lack of patient access to protected health information; and

Lack of administrative safeguards of electronic protected health information.

During remarks at OCR’s annual HIPAA conference last month, Iliana Peters, OCR’s senior adviser for HIPAA compliance and enforcement, indicated that most large breaches are easily preventable, with the right safeguards in place.

From September 2009 through August 2014, for example, OCR investigated 1,176 reports involving large breaches of PHI involving 500 individuals or more. Of those breaches, 60 percent involved theft or loss of laptops, other portable storage devices, or paper records.

“Covered entities and business associates really need to work on making sure that all mobile devices and laptops have encryption capabilities. That could be a very practical way of mitigating the risk of theft and loss.”
Ryan Blaney, Member, Cozen O’Connor

“Covered entities and business associates really need to work on making sure that all mobile devices and laptops have encryption capabilities,” says Ryan Blaney, a member of the healthcare law group at Cozen O’Connor. “That could be a very practical way of mitigating the risk of theft and loss.”

Peters offered other effective ways to safeguard against privacy breaches: Employ a remote device wipe to remove data when lost or stolen; consider appropriate data backup; and train employees on how to effectively safeguard data and timely report security incidents.

According to OCR, only 8 percent of large data breaches resulted from an IT hack, but many in the healthcare industry anticipate that figure to increase as the threat of cyber-attacks grow more prevalent. “We’re starting to see a little more sophistication in the data breaches that we’re handling on the healthcare side,” Lynn Sessions, a partner with law firm BakerHostetler, says.  Phishing attacks and hacking into the networks of healthcare organizations, in particular, are becoming more commonplace, she says.

HIPAA Audits

Healthcare organizations can expect more enforcement actions in the near future as HHS prepares to launch its new HIPAA compliance audit program, required under the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act. HITECH requires HHS to perform periodic audits of compliance with HIPAA's privacy, security, and breach notification rules.

HHS launched a pilot audit program in 2012, carried out by KPMG, under contract with HHS, which conducted reviews of HIPAA compliance at 115 covered entities. The new program will be permanent and conducted by HHS personnel.

The permanent audit program will also differ from the pilot program in that most of the audits will consist of “desk” audits, as opposed to “on-site” audits. Upon being notified of an audit, the healthcare entity will have a brief, two-week time frame to produce the requested materials.

“Auditors will not have opportunity to contact the entity for clarifications or to ask for additional information, so it is critical that the documents accurately reflect the program,” Peters said. “Failure to submit response to requests may lead to referral for regional compliance review.”

Lessons Learned

During remarks at HHS’s Office of Civil Rights (OCR) annual HIPAA conference, Iliana Peters, OCR’s senior adviser for HIPAA compliance and enforcement, shared three important pieces of advice:

HIPAA covered entities and their business associates are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.

Take caution when implementing changes to information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet.

Senior leadership helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements to ensure patients’ rights are fully protected, as well as the confidentiality of their health data.
Source: Department of Health and Human Services Office of Civil Rights.

The HIPAA audit program also sweeps in third-party affiliates of healthcare businesses, which generally includes any business that provides a service to a covered healthcare entity, and who receives protected health information in the course of providing that service. Business associates may include, for example, healthcare billing companies, Medicare payers, hospital management companies, and cloud computing companies that store PHI. 

To that end, OCR also will require covered entities to identify their business associates and provide their current contact information, which the agency will then use to determine which business associates to audit. “As part of that process, you would want to have a list of all your business associates that you work with, and a description of what they do for you,” Blaney says.

During her remarks, Peters warned that the second—and final—audit phase will be used as an enforcement tool for OCR, which marks a departure from its pilot audit program. “That’s something that business associates and covered entities should be aware of, especially when responding to an audit,” Blaney says.

Healthcare organizations have one more reason to beef up HIPAA compliance: OCR refers certain cases to the Department of Justice for criminal investigation if they involve the known disclosure of protected health information. As of Sept. 9, 2014, OCR made over 536 such referrals.

Compliance Measures

Examples of compliance measures that OCR will look for in the second phase of its audit program will include, most importantly, whether the healthcare company has completed a risk assessment. It also will be looking at whether covered entities have in place encryption capabilities; an up-to-date notice of privacy practices; a breach notification and response plan; and proper documentation of these measures.

Sessions advises that privacy and security officers work together to not only conduct the HIPAA privacy and security risk assessment, but also work together to put in place “administrative, technical, and physical safeguards to help protect the organization.”

“Once you get the risk assessment, implement the findings,” Kenya Woodruff, of counsel in the healthcare practice group of Haynes and Boone, says. “We have encountered some clients recently who had great risk assessments done but didn’t implement the findings, and that’s worth almost not doing a risk assessment at all.”

Exactly when HIPAA audits will begin is still undecided. OCR said it is delaying the second phase of its audit program while it works to develop a Web portal through which healthcare companies and business associates’ entities can submit materials and respond to OCR audits.

The idea is that the Web portal will help streamline the audit process by collecting, collating, and analyzing audit data, “and allow OCR to extend the number of covered entities and business associates that they’re able to audit,” Blaney says.

The good news is that OCR said further guidance is on the way to help healthcare organizations more easily comply with HIPAA. Among the resources OCR is working on is guidance on the HIPAA Omnibus breach notification rule, including tools to assist organizations in assessing whether a security incident is a reportable breach.

Whether further guidance will arrive this year, or next, is not certain, Blaney says. “It will hopefully be in the near future.”  Stay tuned.