
HIPAA Enforcement: Compliance Issues and Solutions

Oct 14, 2013 4:12:00 AM

In light of the increased HIPAA enforcement activity, covered entities and business associates should review their existing HIPAA Privacy and Security safeguards to determine whether they sufficiently protect Protected Health Information (PHI). If applicable, the safeguards should address how to protect PHI taken off the premises, either on paper or electronically (for example, on a laptop computer). Also, covered entities and business associates should confirm that any employees with access to PHI have received the necessary HIPAA training. In addition, to avoid HIPAA’s breach notification requirements, PHI should be secured (that is, encrypted or destroyed), to the extent possible.

The Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), is responsible for enforcing the HIPAA Privacy and Security Rules. Although OCR has been enforcing HIPAA’s rules since 2003, the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009, significantly enhanced OCR’s enforcement authority.

Given this enhanced authority, there has been increased enforcement of the HIPAA Privacy and Security Rules recently, with some costly outcomes for covered entities. As of April 2013, OCR has investigated and resolved over 19,726 cases by requiring changes in HIPAA privacy practices and other corrective actions by covered entities. In addition, OCR has reviewed 115 covered entities under its pilot audit program. It is expected that the pilot audit project will be replaced by a permanent audit program at some point.

Below you’ll find a summary of frequent compliance issues and a highlight of select HIPAA enforcement actions.

Frequent Compliance Issues

OCR has investigated complaints against many different types of covered entities, including national pharmacy chains, major medical centers, group health plans and health insurance issuers, hospital chains, and small provider offices.

According to OCR, the following compliance issues are investigated most often (in order of frequency):

  • Impermissible uses and disclosures of PHI;
  • Lack of safeguards on PHI;
  • Lack of patient access to PHI;
  • Uses or disclosures of more than the minimum necessary PHI; and
  • Lack of administrative safeguards to protect electronic PHI (ePHI).

Recent Enforcement Actions

Hospice of North Idaho

On Jan. 2, 2013, OCR announced that the Hospice of North Idaho (HONI) agreed to pay the U.S. government $50,000 to settle potential violations of the HIPAA Security Rule. According to OCR, this is the first settlement involving a breach of unsecured ePHI affecting fewer than 500 individuals. OCR began its investigation after HONI reported that an unencrypted laptop computer containing the ePHI of 441 patients was stolen. Over the course of the investigation, OCR discovered that HONI failed to conduct a risk analysis to safeguard ePHI and did not have policies and procedures in place to address mobile device security, as required by the HIPAA Security Rule.

Blue Cross Blue Shield of Tennessee

On March 13, 2012, OCR announced that it entered into a resolution agreement with Blue Cross Blue Shield of Tennessee (BCBST) to resolve a violation of the HIPAA Privacy and Security Rules. Under this agreement, BCBST agreed to pay the U.S. government $1.5 million to settle potential violations. BCBST also agreed to a corrective action plan to address gaps in its HIPAA compliance program.

OCR’s investigation followed BCBST’s breach notification that 57 unencrypted computer hard drives were stolen from a leased facility. The drives contained PHI of over one million individuals, including names, social security numbers, dates of birth, diagnosis codes and health plan identification numbers.

According to OCR, BCBST failed to implement appropriate administrative safeguards to adequately protect the hard drives because it did not perform the required security evaluation in response to operational changes. Also, according to OCR, BCBST failed to implement appropriate physical safeguards by not having adequate facility access controls.

Cignet Health

On Feb. 22, 2011, OCR announced that it issued a notice of final determination against Cignet Health of Prince George’s County, Md. (Cignet Health). OCR concluded that Cignet Health violated the HIPAA Privacy Rule and imposed a $4.3 million penalty on Cignet Health for the violations.

OCR found that Cignet Health violated 41 patients’ rights by denying them access to their medical records between September 2008 and October 2009. These patients filed complaints with OCR, which triggered OCR’s investigation. Cignet Health’s penalty for not responding to the patients’ requests for records was $1.3 million.

In addition, Cignet Health refused to respond to OCR’s requests for the patients’ records, and failed to cooperate with OCR during the investigation. On April 7, 2010, Cignet Health produced the medical records to OCR, but made no other efforts to resolve the HIPAA complaints through informal means. OCR determined that Cignet Health’s failure to cooperate was due to its willful neglect to comply with the HIPAA Privacy Rule, which increased Cignet Health’s penalty amount by $3 million.

Massachusetts General Hospital

On Feb. 24, 2011, OCR announced a resolution agreement with Massachusetts General Hospital (Mass General), where Mass General agreed to pay $1 million to settle potential HIPAA Privacy Rule violations. On March 9, 2009, a Mass General employee left documents containing patients’ PHI on the subway train during a commute to work. The documents, which were never recovered, contained the PHI of 192 Mass General patients. The documents contained patient names, medical record numbers, health insurance and policy numbers, billing encounter forms and diagnosis and provider information.

OCR opened its investigation after a complaint was filed by a patient whose PHI was lost on the commuter train. OCR’s investigation indicated that Mass General failed to implement reasonable, appropriate safeguards to protect the privacy of PHI when it was removed from Mass General’s premises. OCR’s investigation also indicated that Mass General impermissibly disclosed PHI on the commuter train in violation of the HIPAA Privacy Rule.

In addition to the $1 million penalty, Mass General agreed to develop and implement policies and procedures to ensure that PHI is protected when it is removed from Mass General’s premises, train its workforce on these policies and procedures and designate an internal monitor to assess Mass General’s compliance with these requirements.

State Attorney General Action

Under the HITECH Act’s authority, state Attorneys General may take action to enforce HIPAA’s Privacy and Security Rules. In January 2012, the Minnesota Attorney General filed a lawsuit against a health care provider’s business associate for failing to adequately safeguard patients’ PHI. The business associate, Accretive Health, Inc. (Accretive), lost a laptop computer containing unencrypted health data for about 23,000 patients. The laptop contained personal information, such as patients’ names, addresses, dates of birth and social security numbers, and information on patients’ medical conditions.

Accretive had control of this PHI because it contracted with hospitals to provide revenue cycle management activities (such as patient access, billing and collections) and quality and total cost of care activities. As part of these functions, Accretive accessed patients’ PHI for “data mining” and “consumer behavior modeling.”

In the lawsuit, the Minnesota Attorney General alleged that Accretive violated state and federal health privacy laws, including HIPAA, as well as state debt collection and consumer protection laws. On July 30, 2012, the Minnesota Attorney General announced that it settled the lawsuit against Accretive. Under the settlement, Accretive agreed to pay nearly $2.5 million to the state of Minnesota and refrain from conducting business in the state for a period of six years without the agreement of the Attorney General.

Additional Resources

More information on HIPAA Privacy and Security enforcement is available through OCR at: www.hhs.gov/ocr/office/index.html.

Image credit: stylephotographs / 123RF Stock Photo



Written by Gibson

Gibson is a team of risk management and employee benefits professionals with a passion for helping leaders look beyond what others see and get to the proactive side of insurance. As an employee-owned company, Gibson is driven by close relationships with their clients, employees, and the communities they serve. The first Gibson office opened in 1933 in Northern Indiana, and as the company’s reach grew, so did their team. Today, Gibson serves clients across the country from offices in Arizona, Illinois, Indiana, Michigan, and Utah.