Hot Topics

HIPAA Compliance: What You Need to Know for 2016

February 5, 2016

1583

By Margaret Scavotto, JD, CHC
Director of Compliance Services
Management Performance Associates

2015 saw a lot of HIPAA privacy and security enforcement. Let’s take a look at what these settlements can teach us about our own HIPAA compliance programs, and make 2016 a good year.

The OIG told the OCR to get serious about enforcement. In September 2015, the Office of Inspector General (OIG) issued two reports evaluating the Office of Civil Rights, which enforces HIPAA:

In its report, OCR Should Strengthen Its Followup of Breaches of Patient Health Information Reported by Covered Entities, the OIG recommended that OCR track covered entities with multiple small breaches, and determine whether covered entities reported prior breaches.
In its report, OCR Should Strengthen Its Oversight of Covered Entities’ Compliance With the HIPAA Privacy Standards, the OIG recommended that the OCR, among other things, “fully implement a permanent audit program.”

These reports put providers on notice that there are two agencies concerned with HIPAA enforcement: OCR,and OIG. It is likely that these reports will cause audits – and settlements – to increase.

The OCR got serious about enforcement. Interestingly, half of 2015’s HIPAA settlements came in November and December – after the OIG issued its memos calling for enhanced HIPAA enforcement efforts. These settlements totaled over $5 million. Time will tell if this uptick in enforcement continues in 2016.

Everyone is expected to comply. Last year’s HIPAA settlements reached more than large, for-profit providers:

A 13-physician practice entered a $750,000 settlement after a laptop and unencrypted backup media containing ePHI were stolen from an employee’s car.
A nonprofit teaching hospital entered a $850,000 settlement after an unencrypted laptop containing ePHI for 599 patients was stolen from an unlocked treatment room.
And a small pharmacy with one location paid $125,000 after paper medical records for 1610 patients were discarded in an open container. OCR Director Jocelyn Samuels commented: “Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters….”

The OCR’s message is clear: everyone must comply with HIPAA.

Encryption saves money. It is well known that providers can avoid dreaded breach notification by encrypting ePHI. However, HIPAA settlements for stolen unencrypted laptops and other devices continue to make headlines. For example, a physician practice entered a $750,000 settlement after a laptop and unencrypted backup media were stolen from a vehicle. Another provider entered an $850,000 settlement after a laptop was stolen.

Those are hefty prices to pay! The next time you get push-back from IT about encryption solutions based on price, remind them that the price of not encrypting is much higher.

HIPAA Security risk assessments are worth it. Many providers haven’t done a HIPAA Security Risk Assessment, simply because they don’t know how to start – or think they can’t afford the expertise to get it done. Recent settlements show that the risk assessment is a crucial part of every HIPAA compliance program. For example, an insurance holding company entered a $3.5 million settlement after it experienced multiple breaches. The OCR found that the company failed to conduct a security risk assessment and failed to implement security safeguards. The good news is that the government provides a free security risk assessment tool, making it easy for providers to complete the assessment themselves.

Your staff will make or break HIPAA compliance. Your Privacy and Security Officers know HIPAA backwards and forwards. But what about the rest of your team? If they are using computers or other sources of ePHI, potential breaches are at their fingertips. Policies and training can mean the difference between a HIPAA-compliant organization, and a 6- or 7- figure penalty. For example:

A hospital entered a $218,400 settlement after employees used an internet document sharing program to store documents containing ePHI. The OCR found that the hospital did not “timely identify and respond to the known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome.”
A university teaching hospital employee downloaded an email attachment with malicious software, which compromised the ePHI of 90,000 patients. The university settled with the OCR for $750,000.

Would your staff know what to do? When is the last time your team was reminded about HIPAA Security Do’s and Don’ts?

By paying attention to the latest HIPAA enforcement news, even providers with limited resources can make 2016 a great year for HIPAA compliance.

[clickToTweet tweet=”HIPAA Compliance: What You Need to Know for 2016 @mpaCompliance” quote=”HIPAA Compliance: What You Need to Know for 2016″ theme=”style3″]

3 COMMENTS

Frank Ruelas February 6, 2016 at 4:49 am

I think it is also good to know of the folks within HIPAA that are getting it right.

We often read articles, blogs, postings about Clinic Oops where a laptop with unencrypted ePHI was stolen or where organizational leadership has made the decision not to comply with various HIPAA requirements.

So yes…I think these enforcement actions may serve as a wake up call or at least on some level that little annoying buzzer on the alarm clock that is often followed by a quick tap of the snooze button…but I would like to see more folks share their experiences about how their actions in complying with HIPAA did not result in fines or even an investigation.
Kelly February 8, 2016 at 1:41 pm

I guess I can understand all of these issues, but can anyone explain to me how you can monitor compliance and HIPAA when the information is sent overseas?
Apolonio Garcia (@appsgarciaiii) February 14, 2016 at 2:48 pm

Very good article, but be sure to remind folks that compliance driven security is no panacea. Even though regulatory compliance is often the “stick” behind security initiatives, organizations should adopt a risk based security strategy. Yes, HIPAA does call for Risk Analysis/Risk Management, but based on my experience most of those methodologies used by healthcare providers, including the free risk assessment tool that you reference, fall short in effectively measuring and communicating risk in terms the various stakeholders in an organization can understand and use to make informed decisions. In short, financial loss, in the forms of fines & penalties associated with non-compliance, are but one risk factor in that need to be considered in a properly modeled risk analysis.