The federal Health Insurance Portability and Accountability Act (HIPAA) protects the privacy and security of certain protected health information, or PHI. HIPAA applies to “covered entities” and their “business associates.” “Covered entities” are healthcare clearinghouses, health plans, or healthcare providers that conduct certain functions in electronic form. “Business associates” are persons or entities that perform certain functions that involve the use or disclosure of PHI on behalf of a covered entity.
Since its enactment in 1996 and until recently, HIPAA has been rarely enforced by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS), which is in charge of enforcing HIPAA. This changed with the passage in 2009 of the Health Information Technology for Economic and Clinical Health Act (HITECH), which was enacted to promote the adoption and meaningful use of health information technology. Among other things, HITECH amended HIPAA by adding a breach notification rule, increasing the penalties for HIPAA violations and giving state attorneys general the right to enforce HIPAA.
This article describes some recent HIPAA-related initiatives that demonstrate the growing trend of government scrutiny and enforcement of HIPAA following the adoption of HITECH, including the issuance of new audit protocols and guidance and the investigation and settlement of HIPAA violations. This article also discusses some ways healthcare providers and their business associates can be proactive in warding off this increased government scrutiny.
HITECH requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA privacy and security rules and the breach notification standards. To implement this mandate, OCR began a pilot audit program in November 2011 under which it performed 115 audits of covered entities to assess privacy and security compliance. The pilot phase ended in December 2012.
The goal of the audit program was to analyze the policies and procedures of covered entities to determine areas of risk. Full investigations of covered entities were only undertaken if the audit revealed a serious compliance problem. The audit entailed a document request list from OCR to covered entities selected for the audit. OCR then visited the entity to observe its compliance efforts and interview employees. Following the site visit, OCR identified problematic compliance areas and informed the entity of corrective actions it should take to achieve full HIPAA compliance.
Enforcement by State Attorneys General
HITECH gives state attorneys general (SAGs) the authority to bring civil actions on behalf of state citizens against covered entities and business associates for violations of HIPAA. SAGs are required by HITECH to notify HHS at least 48 hours prior to bringing an action. SAGs may seek damages or seek to enjoin defendants from engaging in further violations.
In connection with its auditing obligations under HITECH, OCR has been increasingly vigilant about enforcing the breach notification rule of HITECH. The rule calls for covered entities to report an impermissible use or disclosure of PHI of 500 individuals or more to the secretary of HHS and the media, while smaller breaches affecting less than 500 individuals must be reported to the secretary on an annual basis.
As of December 31, 2012, HHS/OCR has investigated and resolved more than 18,122 cases by requiring various healthcare providers or their business associates to make changes to their HIPAA compliance practices. Some recent examples include the following:
On March 13, 2012, in the first enforcement action under the breach notification rule of HITECH, HHS entered into a $1.5 million settlement and corrective action plan (CAP) with Blue Cross Blue Shield of Tennessee (BCBST). The investigation followed a report that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee, which contained the PHI of over a million individuals. Notably, BCBST’s CAP required periodic monitor reviews, including unannounced visits and interviews with BCBST members to ensure compliance with its policies and procedures.
In April 2012, Phoenix Cardiac Surgery, P.C. (Phoenix), a small provider in Arizona, agreed to settle with OCR for $100,000 and enter into a CAP. OCR’s investigation revealed that the physician practice was posting clinical and surgical appointments for their patients on an Internet-based calendar that was publicly accessible. The CAP requires Phoenix, for a period of one year, to develop, maintain and revise written policies and procedures consistent with HIPAA; provide such policies to OCR for review and approval; distribute such policies to, and require compliance certification from, all employees who use or disclose PHI. The policies and procedures must include administrative safeguards, an accurate and thorough risk assessment of PHI, and a risk management plan that implements security measures to reduce risk. Phoenix must also submit an “Implementation Report” to OCR summarizing its compliance with the CAP and notify OCR within 30 days if it determines that a violation of its policies and procedures has occurred. The CAP, like most others sought by OCR, further requires Phoenix to maintain for a period of six years all records relating to compliance with the CAP.
In June 2012, in OCR’s first settlement with a state agency, the Alaska Department of Health and Social Services (ADHS) agreed to pay $1,700,000 following an investigation of a breach report that a USB drive possibly containing PHI was stolen from the vehicle of an ADHS employee. ADHS’s CAP requires it to revise its PHI policies and procedures, train employees, and conduct periodic monitor reviews.
In September 2012, Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. (MEEI) agreed to pay $1.5 million after it reported a stolen unencrypted personal laptop containing PHI of patients and research subjects. MEEI’s CAP requires an independent monitor to conduct periodic assessments and render semi-annual reports to OCR for a three-year period.
In December 2012, the Hospice of North Idaho (HONI) agreed to pay $50,000 and enter into a CAP, after it reported that an unencrypted laptop computer containing PHI of 441 patients had been stolen in June 2010. OCR’s investigation revealed that at the time of the incident, HONI lacked sufficient policies and procedures to address mobile device security and had not conducted a risk analysis to safeguard PHI. This most recent settlement is the first involving breaches of PHI of less than 500 patients.
These recent settlements reveal that no entity is off limits when it comes to OCR’s investigative purview. In addition, in January of 2012, Minnesota’s attorney general brought the first HIPAA enforcement action by a state attorney general against a business associate. The Minnesota attorney general alleged that Accretive Health, Inc., a business associate of two Minnesota hospitals, caused security violations of HIPAA after an unencrypted, password-protected laptop was stolen from an Accretive employee’s car. The laptop contained the PHI of more than 23,000 hospital patients. Accretive settled in August 2012 and agreed to stop doing business in Minnesota for two years, and pay the state $2.5 million, with a portion of the proceeds being used to compensate the affected patients.
As demonstrated by the above-mentioned settlements, an increasing focus area of OCR scrutiny involves HIPAA violations through loss of laptops, smartphones and other mobile devices. In December 2012, OCR and the HHS Office of the National Coordinator for Health Information Technology (ONC) engaged in a joint effort to educate healthcare providers and other healthcare professionals on ways to protect health information on their mobile devices. The initiative recognizes that while modern technology affords healthcare professionals the convenience of carrying patient information on their laptops, tablets, and smartphones, they face additional burdens to adequately prevent a HIPAA breach. The government recommends measures such as making devices password-protected, installing firewalls, enabling encryption, enabling remote wiping/disabling, refraining from using file-sharing applications, using security software and keeping it updated, always maintaining physical control of devices, using adequate security to send information over public Wi-Fi networks, and deleting all PHI before discarding devices.
In addition, after months of waiting, the HIPAA/HITECH Omnibus Rule or "mega rule", was finally released on January 17, 2013, and will become effective March 26, 2013. Covered entities and business associates will have until September 23, 2013 to comply with its requirements. The rule is a combination of regulations addressing changes to the privacy and security rules, adding new enforcement and penalty requirements, finalizing HITECH's breach notification rule, and adding changes to HIPAA to incorporate the Genetic Information Nondiscrimination Act (GINA). The implementation of the "mega rule" will bring a new era of increased HIPAA enforcement in the next several years.
2012 saw an uptick in HIPAA enforcement, not only against covered entities, but also against their business associates. As described above, HITECH’s mandate of self-reporting breaches has allowed OCR to audit and pursue settlements against providers, and OCR has made it clear that the size of the breach is irrelevant. The Accretive settlement demonstrates that SAGs are very likely to follow OCR’s lead, especially if enforcement will bring in additional fines and penalty monies to much-needed state coffers. In light of these recent developments, healthcare providers and their business associates may wish to consider the following recommendations:
Anjana D. Patel is Vice Chair, and Diana M. Giampiccolo is an Associate, of the Health Care Practice Group of Sills Cummis & Gross P.C. in Newark, New Jersey, which represents diverse healthcare providers in healthcare transactional and regulatory compliance matters. The views and opinions expressed in this article are those of the authors and do not necessarily reflect those of Sills Cummis & Gross P.C.