HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

It Was An Active Year for HIPAA Enforcement: Is It the New Norm?


It was an active year for the federal government’s enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH) and their implementing regulations. So far in 2014, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) has entered into settlement arrangements with seven covered entities to resolve alleged violations of HIPAA. While at first glance this may not seem like substantial enforcement activity, it represents the greatest number of HIPAA settlements by OCR in any calendar year to date.

Skagit County, Washington (March 6, 2014)

OCR’s first HIPAA settlement of the year was entered into on March 6, 2014, with a county government. OCR opened an investigation of Skagit County, Washington, upon receiving a December 9, 2011, breach notification that money receipts with electronic protected health information (ePHI) of seven individuals were accessed by unknown parties after the ePHI had been inadvertently moved to a publicly accessible server maintained by the county.

OCR’s investigation revealed a broader exposure of the ePHI of 1,581 individuals whose information was accessible on the county’s public web server. Many of the accessible files involved ePHI of a sensitive nature, including information concerning the testing and treatment of infectious diseases. OCR’s investigation further uncovered general and widespread non-compliance by Skagit County with the HIPAA Privacy, Security and Breach Notification Standards (e.g., failure to notify the affected individuals of the breach, lack of sufficient policies and procedures, failure to train county workforce). The investigation was settled through the execution of a resolution agreement that included a payment of $215,000 and a corrective action plan (CAP). The CAP has a three-year term and requires Skagit County to take the following actions, among others:

  • post a notification of the breach on the home page of the county’s website for 90 days and in major print or broadcast media;
  • update its privacy, security and breach notification policies and procedures subject to OCR’s review;
  • submit hybrid entity documents designating its covered health care components to OCR, and implement hybrid entity and related safeguards;
  • report to OCR any violations of its HIPAA policies and procedures by workforce members, and
  • submit annual compliance reports to OCR.

QCA Health Plan, Inc. (April 14, 2014)

On April 14, 2014, OCR entered into a resolution agreement and CAP with QCA Health Plan, Inc., to settle alleged violations of the HIPAA Privacy and Security Standards. OCR began investigating QCA after receiving a breach notification from the insurer on February 21, 2012, that an unencrypted laptop containing the ePHI of 148 individuals was stolen from a workforce member’s car.  In addition to the unauthorized disclosure of ePHI, OCR’s investigation revealed that QCA had not: implemented policies and procedures to prevent, contain and correct security violations; conducted an assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the ePHI it held; implemented security measures sufficient to reduce any identified risks and vulnerabilities to a reasonable and appropriate level, or implemented appropriate physical safeguards for workstations that accessed ePHI.

The investigation was settled through the execution of a resolution agreement that included a payment of $250,000 and a CAP. The CAP has a two-year term and requires QCA to take the following actions, among others:

  • provide OCR with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce the risks to and vulnerabilities of its ePHI;
  • retrain its workforce;
  • report to OCR any violations of its HIPAA policies and procedures by workforce members, and
  • submit annual compliance reports to OCR.

Concentra Health Services (April 21, 2014)

On April 21, 2014, OCR entered into a resolution agreement and CAP with Concentra Health Services to settle alleged violations of the HIPAA Privacy and Security Standards. The settlement resulted from an investigation initiated by OCR upon receiving a December 2011 breach report that an unencrypted laptop was stolen from a Concentra physical therapy center.

The total number of affected patients was unclear. OCR alleged that Concentra failed to remediate and manage its lack of encryption, which was identified as a potential source of vulnerability in Concentra’s HIPAA risk assessment. For instance, only 434 out of the covered entity’s 597 laptops were encrypted. OCR also alleged that Concentra had failed to implement policies and procedures to prevent, detect, contain and correct security violations. Prior to this incident, Concentra had been subject to two security breaches involving stolen, unencrypted laptops that each affected more than 500 individuals, as well as 16 additional breaches affecting fewer than 500 individuals. The investigation was settled through the execution of a resolution agreement that included a payment of $1,725,220 and a CAP. The term of the CAP is two years and requires Concentra to take the following actions, among others:

  • conduct and submit for OCR’s approval periodic risk analyses, including assessments of potential risks and vulnerabilities to the confidentiality of Concentra’s ePHI;
  • implement risk management plans and provide OCR with evidence of such implementation and timelines for any expected remediation actions;
  • provide to OCR periodic encryption status updates;
  • provide security awareness training to its workforce members, and
  • submit annual compliance reports to OCR.
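The Concentra figure above (434 of 597 laptops encrypted) is the kind of number the CAP’s “periodic encryption status updates” have to report, and how it is produced matters: a device whose encryption state was never confirmed cannot be credited as encrypted in a risk analysis. The Python script below is an added example written for this page, not code from Concentra, OCR or the article. It reads a constructed laptop inventory whose column names (`asset_id`, `owner`, `ephi_access`, `encrypted`) are assumptions, reports coverage, and treats a blank or unknown status as unencrypted, listing first the unencrypted devices that can reach ePHI.

```python
"""Encryption-coverage report over a laptop inventory.

Added example for this page, not from Concentra, OCR or the article.
The CSV columns and the sample rows are constructed assumptions.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample inventory. 'encrypted' is what the endpoint-management
# agent last reported; a blank value means the agent never confirmed
# full-disk encryption on that device.
INVENTORY_CSV = """asset_id,owner,ephi_access,encrypted
LT-0001,rn.smith,yes,yes
LT-0002,pt.jones,yes,no
LT-0003,admin.lee,no,yes
LT-0004,pt.garcia,yes,
LT-0005,it.chen,no,no
"""


@dataclass
class Coverage:
    total: int
    encrypted: int
    unencrypted_ids: list
    ephi_at_risk_ids: list

    @property
    def percent(self) -> float:
        return 100.0 * self.encrypted / self.total if self.total else 0.0


def _is_yes(value) -> bool:
    """Only an explicit positive counts; anything else is 'not confirmed'."""
    return (value or "").strip().lower() in {"yes", "y", "true", "1"}


def encryption_coverage(csv_text: str) -> Coverage:
    """Count devices whose encryption is positively confirmed.

    Unknown or blank status is treated as unencrypted: the risk analysis
    cannot credit a control for which there is no evidence.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    encrypted = [r for r in rows if _is_yes(r.get("encrypted"))]
    unencrypted = [r for r in rows if not _is_yes(r.get("encrypted"))]
    at_risk = [r["asset_id"] for r in unencrypted if _is_yes(r.get("ephi_access"))]
    return Coverage(
        total=len(rows),
        encrypted=len(encrypted),
        unencrypted_ids=[r["asset_id"] for r in unencrypted],
        ephi_at_risk_ids=at_risk,
    )


def status_report(cov: Coverage) -> str:
    """Plain-text status update of the kind a CAP asks for."""
    lines = [f"Laptops encrypted: {cov.encrypted}/{cov.total} ({cov.percent:.1f}%)"]
    if cov.ephi_at_risk_ids:
        lines.append("UNENCRYPTED devices with ePHI access (remediate first): "
                     + ", ".join(cov.ephi_at_risk_ids))
    lines.append("All unencrypted or unconfirmed devices: "
                 + ", ".join(cov.unencrypted_ids))
    return "\n".join(lines)


if __name__ == "__main__":
    print(status_report(encryption_coverage(INVENTORY_CSV)))
```

Feed it the export from whatever endpoint-management system holds the real inventory; the point of the blank-means-unencrypted rule is that the coverage number reported to OCR is only as good as the evidence behind each “yes”.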

Columbia University and New York-Presbyterian Hospital (May 7, 2014)

On May 7, 2014, OCR entered into a resolution agreement and CAP with each of The Trustees of Columbia University in the City of New York (CU) and New York-Presbyterian Hospital (NYP) to settle alleged violations of the HIPAA Privacy and Security Standards. The settlements arose from OCR investigations of CU and NYP following their September 27, 2010, joint notification to OCR of the unauthorized disclosure of ePHI for 6,800 individuals, including patient status, vital signs, medications and laboratory results.

NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP. The breach was caused when “a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally owned computer server on the network containing NYP patient ePHI.” Deactivation of the server resulted in ePHI being accessible on Internet search engines. The breach was discovered when an individual complained after finding the ePHI of the individual’s deceased partner, a former NYP patient, on the Internet.

OCR stated that its investigation found that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI, and therefore “neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI.” OCR also alleged that NYP had failed to implement appropriate policies and procedures for authorizing access to its databases and had failed to comply with its own policies on information access management.

In order to resolve the alleged violations, NYP entered into a resolution agreement with OCR that included a payment of $3.3 million and a three-year CAP. Similarly, CU entered into a resolution agreement with OCR that included a payment of $1.5 million and a three-year CAP. Under the CAPs, NYP and CU each agreed to take the following actions, among others:

  • conduct and submit to OCR a risk analysis;
  • implement a risk management plan;
  • develop processes to evaluate environmental or operational changes to information systems that affect the security of ePHI;
  • revise policies and procedures on information access management and device and media controls;
  • develop/update a mandatory privacy and security awareness training program for workforce members with access to ePHI;
  • investigate and notify OCR of any failures by workforce members to comply with HIPAA policies and procedures, and
  • submit annual compliance reports to OCR.
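Both the Skagit County and NYP/CU breaches described above came down to ePHI sitting where the public could reach it: a file tree served by a county web server in one case, a server left reachable by search-engine crawlers in the other. One control that addresses both is to scan what is actually being served for content that looks like PHI, before it goes live and periodically afterwards. The script below is an added example for this page, not code from either organization or from OCR. The directory layout, the sample files and the indicator patterns are constructed assumptions, a starting set rather than a complete data-loss-prevention ruleset, and a file is reported only when two different indicator types co-occur, since one SSN-shaped number on its own is weak evidence.

```python
"""Scan a public web root for files that look like they carry PHI.

Added example for this page, not from Skagit County, NYP, CU or OCR.
The indicator patterns, directory layout and sample files are assumptions.
"""
import os
import re
import tempfile
from pathlib import Path

# Patterns that suggest PHI rather than prove it; tune to the organization.
INDICATORS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{4}\b",
                      re.IGNORECASE),
    "clinical": re.compile(
        r"\b(?:diagnosis|lab results?|HIV|hepatitis|tuberculosis)\b",
        re.IGNORECASE),
}
# Only text-like files are read; binaries (images, PDFs) need a separate pass.
TEXT_SUFFIXES = {".txt", ".csv", ".htm", ".html", ".json", ".xml", ".log"}


def scan_file(path: Path) -> dict:
    """Return {indicator: hit_count} for one text file; other files yield {}."""
    if path.suffix.lower() not in TEXT_SUFFIXES:
        return {}
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return {}
    return {name: len(rx.findall(text))
            for name, rx in INDICATORS.items() if rx.search(text)}


def scan_web_root(root: str) -> list:
    """Walk the served tree and report files with two or more indicator types."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            hits = scan_file(p)
            if len(hits) >= 2:
                findings.append((str(p.relative_to(root)), hits))
    return sorted(findings)


def build_sample_root() -> str:
    """Constructed web root: one benign page and one leaked receipt."""
    root = tempfile.mkdtemp(prefix="webroot-")
    (Path(root) / "index.html").write_text(
        "<h1>County services</h1>Office hours 8-5.\n")
    leaked = Path(root) / "receipts"
    leaked.mkdir()
    (leaked / "2011-receipt.txt").write_text(
        "Receipt #4471\n"
        "Patient: J. Doe  DOB: 03/14/1970  MRN: 00123456\n"
        "Service: tuberculosis test, lab results mailed\n"
        "SSN 123-45-6789\n")
    return root


if __name__ == "__main__":
    for rel, hits in scan_web_root(build_sample_root()):
        print(f"{rel}: {hits}")
```

Point `scan_web_root` at the real document root instead of `build_sample_root()`. Any file it reports should be pulled from the server and its entries in the web access logs reviewed, because whether unknown parties had already retrieved the files was exactly the question in the Skagit County case.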

Parkview Health System, Inc. (June 17, 2014)

On June 17, 2014, Parkview Health System entered into a resolution agreement and CAP with OCR to settle alleged violations of the HIPAA Privacy Standards resulting from a June 4, 2009, incident that involved paper medical records. OCR opened an investigation after receiving a complaint from a retiring physician alleging that Parkview had violated the HIPAA Privacy Rule when returning approximately 5,000–8,000 of the physician’s medical records. Parkview had taken custody of the records while assisting the retiring physician in transitioning her patients to new providers and was considering purchasing some of the records upon the physician’s retirement. OCR alleged that Parkview did not appropriately safeguard the records when returning them to the retiring physician. To settle the allegations, Parkview entered into a resolution agreement with OCR that included a payment of $800,000 and a CAP. The CAP has a one-year term and, in part, requires Parkview to:

  • adopt and implement a policy governing the safeguarding of non-electronic PHI;
  • train its workforce on the policy;
  • notify OCR of any violations of the policy, and
  • submit a report to OCR regarding its compliance with the CAP.

Anchorage Community Mental Health Services (December 2, 2014)

On December 2, 2014, Anchorage Community Mental Health Services, Inc., (ACMHS) and OCR entered into a resolution agreement and CAP to settle alleged violations of the HIPAA Security Standards. OCR initiated an investigation into ACMHS’s compliance with HIPAA after receiving a March 2, 2012, notification from the provider regarding a breach of unsecured ePHI affecting 2,743 individuals. The breach resulted from malware that compromised ACMHS’s information technology resources. OCR’s investigation found that ACMHS had never performed an accurate and thorough risk assessment, had never implemented HIPAA security policies and procedures and, since 2008, had failed to implement technical security measures to guard against unauthorized access to ePHI transmitted electronically by failing to ensure that appropriate firewalls were in place and regularly updated with available patches. ACMHS agreed to pay $150,000 and to comply with the requirements set forth in the CAP to settle the allegations. The term of the CAP is two years and, in part, obligates ACMHS to:

  • revise, adopt and distribute to its workforce updated HIPAA security policies and procedures that have been approved by OCR;
  • develop and provide updated, OCR-approved, security awareness training to applicable workforce members;
  • conduct annual risk-assessments of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by ACMHS;
  • document the security measures implemented to reduce identified risks and vulnerabilities to a reasonable and appropriate level;
  • investigate and report to OCR any violations of its HIPAA security policies and procedures by workforce members, and
  • submit annual reports to OCR describing ACMHS’s compliance with the CAP.

 


All but one of the settlements discussed above arose from unauthorized disclosures of ePHI and serve as reminders to covered entities and business associates to take appropriate steps to implement robust technical, administrative and physical safeguards to protect the ePHI in their possession.

It is also worth noting that the financial payments required under the 2014 resolution agreements do not appear to directly correlate to the number of individuals potentially affected by a breach. This is consistent with settlements in prior years and is likely due to a variety of factors including the egregiousness of the circumstances surrounding a breach, the findings of OCR’s compliance investigation, and the nature of the interactions between the covered entity and OCR.  

It is likely that OCR’s increased HIPAA enforcement activity will continue in 2015. The agency has been increasingly vocal about enforcement being a priority, possibly in response to congressional pressure to meet its statutory enforcement mandate and a recent Office of Inspector General investigation criticizing OCR’s enforcement practices. For example, OCR representatives recently backed away from prior statements that the upcoming round of HIPAA compliance audits is primarily intended to be educational, noting that the audit program will be used as an enforcement tool.

In addition, six of the seven settlements discussed above arose from self-reported breach notifications, the latest of which was made in March of 2012. Accordingly, OCR likely has a large pipeline of active investigations which will only increase due to the lower breach reporting threshold that was adopted in the final HIPAA Omnibus Regulations and became effective on September 23, 2013.

Finally, while there has recently been a notable amount of turnover in top-level HIPAA staff at OCR, there is nothing to suggest that the new leadership will divert from making enforcement an ongoing priority in the years to come. One might also expect an uptick in the level of enforcement by state Attorneys General as they increasingly assert their HIPAA enforcement authority granted under the 2009 HITECH Act.

Conducting a thorough risk assessment, addressing any identified vulnerabilities, implementing and updating comprehensive HIPAA policies and procedures, and appropriately training workforce members who have access to PHI are all steps that covered entities and business associates must take to comply with HIPAA and to protect the PHI in their possession.



HHS slaps provider with $150K bill for HIPAA breach | Healthcare IT News

HHS slaps provider with $150K bill for HIPAA breach | Healthcare IT News | HIPAA Compliance for Medical Practices | Scoop.it
A five-facility mental health organization in Alaska has agreed to pay up and shape up its HIPAA compliance program after a Department of Health and Human Services investigation found the group failed to appropriately safeguard patient data.
 
Anchorage Community Mental Health Services will pay $150,000 to HHS to settle potential HIPAA violations after the organization failed to patch its systems and continued to run outdated, unsupported software, which eventually led to a malware data breach affecting 2,743 individuals. ACMHS reported the breach to HHS back in March 2012.

Following the investigation by the Office for Civil Rights, the HHS division responsible for HIPAA enforcement, officials discovered ACMHS had adopted HIPAA security policies and procedures, but they were not followed by the organization's employees for a seven-year period, from 2005 to 2012.

The data breach of electronic protected health information resulted after ACMHS failed to "identify and address basic risks," OCR officials wrote in a settlement bulletin. Specifically, the organization neglected to update IT resources with system patches and updated software.

"Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis," said OCR Director Jocelyn Samuels, in the December bulletin. “This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks."

In addition to the $150,000 settlement, Anchorage Community Mental Health Services will also be required to implement a corrective action plan and subsequently report to OCR on its compliance program.

To date, nearly 41.5 million people have had their protected health information compromised in a reportable HIPAA privacy or security breach, according to the most recent HHS data.

In its most recent settlement before ACMHS, HHS in June slapped the six-hospital Parkview Health System in Fort Wayne, Indiana, with an $800,000 settlement after Parkview dumped 71 boxes of patient records in the driveway of a retiring physician's home while she was away. According to the complaint, the medical records were "unattended and accessible to unauthorized persons" on the physician's driveway, located in a "heavily trafficked" area.

Earlier this year, OCR also set records after announcing its largest monetary settlement ever with New York-Presbyterian Hospital and Columbia University Medical Center, who together agreed to hand over a whopping $4.8 million to settle alleged HIPAA violations after the electronic protected health information of 6,800 patients wound up on Google back in 2010.

To date, OCR has levied some $26 million in monetary settlements against 24 HIPAA-covered entities found to have violated privacy, security and breach notification rules.

What Can You Expect in 2015 Regarding HIPAA Enforcement?

As of earlier this month, 1,170 breaches involving 31 million records have been reported to the Department of Health and Human Services (HHS) since mandated reporting of breaches began in September 2009. An increase in the number of breaches isn’t the only statistic on the rise. Although 2014 data has not yet been released, the number of complaints in 2013 reached a new high (4,463). It doesn’t take a crystal ball to predict that these numbers will continue to rise in 2015. We haven’t reached the apex yet.

The newly approved 2015 federal budget does not include an increase in funding for the federal agencies responsible for enforcing HIPAA, including the HHS Office for Civil Rights (OCR), but HHS isn’t viewing it as a setback. Per an OCR spokeswoman, “OCR’s strong enforcement of the HIPAA privacy, security, and breach notification rules remains very much on track…” HHS settled with the Alaska Department of Health and Social Services for $1.7 million for potential HIPAA violations in June 2012, and just a few weeks ago it settled with Anchorage Community Mental Health Services for $150,000.

If enforcement efforts remain on track in 2015, so should compliance efforts next year.  Keep your HIPAA policies and procedures up to date and conduct regular risk assessments.  If your organization has not addressed security on mobile devices or theft of patient data by former employees, do so now.  Especially if you are contemplating a transaction in 2015, it’s time to take a deep dive regarding HIPAA compliance.



Ebola Outbreak Prompts HHS Bulletin on Application of HIPAA During Emergencies

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress and signed by President Bill Clinton in 1996. According to the U.S. Department of Health and Human Services (HHS), the HIPAA Privacy Rule establishes nationwide standards “to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.” HIPAA also provides to patients the right to examine and obtain a copy of health records and to request corrections.

The HIPAA Privacy Rule places restrictions on the use and disclosure of patients’ protected health information, but also ensures that appropriate uses and disclosures of the information may occur for critical purposes, including when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes.

Prompted in part by the recent Ebola outbreak, the HHS Office for Civil Rights (OCR) issued a November 10, 2014 bulletin to ensure that HIPAA-covered entities and their business associates are aware of the ways in which patient information may be shared under the HIPAA Privacy Rule in an emergency situation. “BULLETIN: HIPAA Privacy in Emergency Situations” also was issued to “serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency.”

The bulletin, which can be accessed on the HHS’ Health Information Privacy page, addresses obligations imposed by the rule when “Sharing Patient Information” and in “Safeguarding Patient Information.” It also describes basic restrictions for sharing protected health information during treatment for the purposes of public health activities, for notification to family and friends, and for notification to media and business associates.

While the HHS bulletin specifically mentions that the HIPAA Privacy Rule is not suspended during a public health or other emergency, the bulletin goes on to say that the Secretary of HHS may waive certain provisions of the Privacy Rule under certain circumstances. Those circumstances include declaration by the President of the United States of an emergency or disaster or by the Secretary of a public health emergency. In those instances, the Secretary may waive sanctions and penalties against a covered hospital that does not comply with provisions of the Privacy Rule to obtain a patient’s agreement before speaking to family members about the patient’s care—however, that waiver would apply only to hospitals that have instituted a disaster protocol and only would apply for 72 hours after that protocol begins.

The bulletin states that a hospital may release limited “facility directory information to acknowledge an individual is a patient at the facility and provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released) if the patient has not objected to or restricted the release of such information or, if the patient is incapacitated, if the disclosure is believed to be in the best interest of the patient and is consistent with any prior expressed preferences of the patient.”

The Privacy Rule applies to disclosures made by employees, volunteers, and other members of a “covered entity” or its “business associates.”

Covered entities comprise “health plans, health care clearinghouses, and those health care providers that conduct one or more covered health care transactions electronically, such as transmitting health care claims to a health plan.”

Business associates are defined in the bulletin as “persons or entities (other than members of the workforce of a covered entity) that perform functions or activities on behalf of, or provide certain services to, a covered entity that involve creating, receiving, maintaining, or transmitting protected health information. Business associates also include subcontractors that create, receive, maintain, or transmit protected health information on behalf of another business associate.”

The Privacy Rule does not apply to disclosures made by entities or other persons who are not covered entities or business associates. Therefore, HIPAA does not prevent managers, supervisors, or HR professionals from asking for a doctor’s note if the note is needed to implement or administer sick leave, workers’ compensation benefits, or health insurance. However, a health care provider may not give such information directly to an employer without an authorization from the employee.


