By Margaret Scavotto, JD, CHC
Director of Compliance Services
Management Performance Associates
2015 saw a lot of HIPAA privacy and security enforcement. Let’s take a look at what these settlements can teach us about our own HIPAA compliance programs, and make 2016 a good year.
The OIG told the OCR to get serious about enforcement. In September 2015, the Office of Inspector General (OIG) issued two reports evaluating the Office of Civil Rights, which enforces HIPAA:
- In its report, OCR Should Strengthen Its Followup of Breaches of Patient Health Information Reported by Covered Entities, the OIG recommended that OCR track covered entities with multiple small breaches, and determine whether covered entities reported prior breaches.
- In its report, OCR Should Strengthen Its Oversight of Covered Entities’ Compliance With the HIPAA Privacy Standards, the OIG recommended that the OCR, among other things, “fully implement a permanent audit program.”
These reports put providers on notice that there are two agencies concerned with HIPAA enforcement: OCR and OIG. It is likely that these reports will cause audits – and settlements – to increase.
The OCR got serious about enforcement. Interestingly, half of 2015’s HIPAA settlements came in November and December – after the OIG issued its memos calling for enhanced HIPAA enforcement efforts. These settlements totaled over $5 million. Time will tell if this uptick in enforcement continues in 2016.
Everyone is expected to comply. Last year’s HIPAA settlements reached more than large, for-profit providers:
- A 13-physician practice entered a $750,000 settlement after a laptop and unencrypted backup media containing ePHI were stolen from an employee’s car.
- A nonprofit teaching hospital entered a $850,000 settlement after an unencrypted laptop containing ePHI for 599 patients was stolen from an unlocked treatment room.
- And a small pharmacy with one location paid $125,000 after paper medical records for 1610 patients were discarded in an open container. OCR Director Jocelyn Samuels commented: “Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters….”
The OCR’s message is clear: everyone must comply with HIPAA.
Encryption saves money. It is well known that providers can avoid dreaded breach notification by encrypting ePHI. However, HIPAA settlements for stolen unencrypted laptops and other devices continue to make headlines. For example, a physician practice entered a $750,000 settlement after a laptop and unencrypted backup media were stolen from a vehicle. Another provider entered an $850,000 settlement after a laptop was stolen.
Those are hefty prices to pay! The next time you get push-back from IT about encryption solutions based on price, remind them that the price of not encrypting is much higher.
HIPAA Security risk assessments are worth it. Many providers haven’t done a HIPAA Security Risk Assessment, simply because they don’t know how to start – or think they can’t afford the expertise to get it done. Recent settlements show that the risk assessment is a crucial part of every HIPAA compliance program. For example, an insurance holding company entered a $3.5 million settlement after it experienced multiple breaches. The OCR found that the company failed to conduct a security risk assessment and failed to implement security safeguards. The good news is that the government provides a free security risk assessment tool, making it easy for providers to complete the assessment themselves.
Your staff will make or break HIPAA compliance. Your Privacy and Security Officers know HIPAA backwards and forwards. But what about the rest of your team? If they are using computers or other sources of ePHI, potential breaches are at their fingertips. Policies and training can mean the difference between a HIPAA-compliant organization and a 6- or 7-figure penalty. For example:
- A hospital entered a $218,400 settlement after employees used an internet document sharing program to store documents containing ePHI. The OCR found that the hospital did not “timely identify and respond to the known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome.”
- A university teaching hospital employee downloaded an email attachment with malicious software, which compromised the ePHI of 90,000 patients. The university settled with the OCR for $750,000.
Would your staff know what to do? When is the last time your team was reminded about HIPAA Security Do’s and Don’ts?
By paying attention to the latest HIPAA enforcement news, even providers with limited resources can make 2016 a great year for HIPAA compliance.