It’s been a long time coming, but it looks like the federal government is upping its enforcement game when it comes to HIPAA privacy and security.
“I do think it’s fair to say that the HIPAA enforcement environment appears to be tightening up,” said Travis Lloyd, who practices healthcare law in Nashville, Tenn., with Bradley Arant Boult Cummings. Several headline-making actions by Health and Human Services and the Office of Civil Rights (OCR) last year illustrate the fact, he added.
In February 2011, HHS imposed a civil monetary penalty of $4.3 million on health insurer Cignet Health for refusing to provide patients with access to their medical records as required under the Health Insurance Portability and Accountability Act. It was the first civil penalty handed out since HIPAA went into effect in 1996. That same month, Massachusetts General Hospital agreed to a $1 million settlement. Then in July, the University of California at Los Angeles Health System agreed to pay an $865,000 fine and institute a corrective action plan – not an inexpensive proposition – as a result of two patient complaints that UCLA Health System employees “repeatedly and without permissible reason” looked at the patients’ electronic protected health information. The patients were reportedly celebrities.
In the press release announcing the UCLA settlement, OCR’s then-director Georgina Verdugo said, “Covered entities need to realize that HIPAA privacy protections are real and OCR vigorously enforces those protections. Entities will be held accountable for employees who access protected health information to satisfy their own personal curiosity.” Since the UCLA decision, Verdugo stepped down as OCR chief. Taking her place is Leon Rodriguez, who has publicly pledged to take an even tougher stance against HIPAA privacy and security violations.
With respect to the UCLA case, Lloyd acknowledged that it’s difficult “to constrain human curiosity,” then he added, “But that’s not what HIPAA is really out there to try to police. HIPAA says you need to train folks so that they resist that temptation, and you need to have some sort of auditing procedure in place so that you can detect when people are doing record snooping. Then when you realize that something is awry, you need to look into it and take appropriate action. It’s a common-sense approach at the end of the day.”
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted in 2009, expanded the applicability and penalties for HIPAA privacy and security rules and also added a breach-notification rule. It requires covered entities and business associates to give notice when there’s a breach of unsecured, protected health information if there’s “significant risk of financial, reputational or other harm.”
An OCR report last fall delineated breaches reported to date, and theft or loss of electronic media or paper records topped the list. “You can’t really stop someone from losing a laptop, and laptops are always going to be stolen; however, you can encrypt the protected health information on those laptops. If you do that properly, which is a technical thing under the rules, then the information will not be said to be ‘unsecured’ under that breach-notification rule,” Lloyd explained. “Then you wouldn’t have to go through the hand-wringing analysis of whether to disclose, and you wouldn’t have to go to the great expense of disclosing and providing notice to all those who were affected.”
Gina Greenwood, a health law attorney in Georgia with Baker Donelson Bearman Caldwell & Berkowitz, said, “We are advising our clients to go back and audit their HIPAA privacy and security policies and to make sure that they do a security risk assessment under each calendar year. They should amend their policies and procedures to reflect any gaps in their IT system security. Most of the breaches that are happening are related to electronic information. Although not technically required by HIPAA, encryption in compliance with the approved NIST standards is essential in this day and age and auditing for breaches is important for any HIPAA security compliance program.”
Greenwood said Baker Donelson is also encouraging clients to beef up their processes for destroying paper records and stressing the importance of using shredders.
Also part of HITECH is an audit program, and OCR has pledged to audit 150 providers and business associates by year’s end. That’s why it’s important for covered entities “to have their house in order,” Greenwood added.
Lloyd surmised that the goal of the audit program is to “identify compliance trends and areas where future guidance would be helpful.” While covered entities would stand to benefit from such guidance, he noted that they are “understandably concerned about being audited, of course, and the bare threat of this auditing program gives reason for entities to take a hard look at what they have on paper and what they’re doing and make sure that they have policies that work.”
The provider community is still awaiting the final HITECH rules, which HHS now says should be out in the first half of this year. Lloyd predicted that enforcement actions may shift into a higher gear once those final rules are out. He noted that HITECH also empowers state attorneys general with formal HIPAA enforcement authority. “We haven’t really seen that play out too much, although it’s a wild card, I think,” he said.
Cooperation is the name of the game, Greenwood said. If, for instance, a provider voluntarily discloses a breach, it’s best to then respond in a timely manner to any document requests from OCR. “Sometimes litigators tend to be a little bit too aggressive when dealing with agency representatives. They tend to try to fight the regulatory agency rather than working with them,” she said. “This has caused numerous providers a lot of hardship. It’s much easier to work amicably with OCR to try to resolve the matter quickly and with as little heartache as possible.”