BREAKING NEWS - Feds Impose Penalties For HIPAA Violations

Well, years have literally come and gone since covered entities first scrambled to comply with HIPAA's Privacy Rule and Security Rule requirements, yet there continued to be no formal penalties assessed by the government for HIPAA violations.  Many believed that such a day would never come . . . but, they were wrong.

In its July 17, 2008 e-mail Press Release, the U.S. Department of Health & Human Services (HHS) announced that it has entered into a Resolution Agreement with Seattle-based Providence Health & Services (Providence) to settle potential privacy and security violations of HIPAA. 

In the agreement, Providence agrees to pay $100,000 and implement a detailed Corrective Action Plan to ensure that it will appropriately safeguard identifiable e-PHI against theft or loss.  The Resolution Agreement relates to Providence’s loss of electronic backup media and laptop computers containing individually identifiable health information in 2005 and 2006.

Winston Wilkinson, the director of the OCR, stated in the Press Release that “We are committed to effective enforcement of health information privacy and security protections for consumers. Other covered entities that are not in compliance with the Privacy and Security Rules may face similar action.”  

The Press Release confirms that this is the first time HHS has required a Resolution Agreement from a covered entity.  Providence’s cooperation with OCR and CMS allowed HHS to resolve this case without the need to impose a civil money penalty.

Once the e-mail Press Release is formally posted on the government's website, I will link it here.  Otherwise, you can also keep checking http://www.hhs.gov/ocr/privacy/enforcement/.

To read more about the facts in this case, read on . . . .

New Enforcement Data Added to HHS' Web Site on HIPAA Privacy Compliance and Enforcement

Last week, the Office for Civil Rights (OCR) added a new data section on its Compliance and Enforcement Web Site.  The new section can be viewed at www.hhs.gov/ocr/privacy/enforcement/data.html.  The public can now access enhanced information about several aspects of OCR's enforcement program, including:

  • Charts showing state-specific case investigation results;
  • Calendar-year enforcement-results graphs and charts;
  • Calendar-year graph showing complaint receipts; and
  • Yearly variation in the issues in cases resolved through corrective action.

Below is a chart posted on OCR's new data section illustrating enforcement results for New Jersey:

[Pie chart, image not reproduced] Enforcement results for New Jersey: No Violation, 13%; Corrective Action Obtained, 20%; Resolved after Intake and Review, 67%.

Another interesting chart lists the top five types of complaints for each of the last five years.  It is worth noting that between 2003 and 2007, the top four types of complaints were exactly the same, in the following order:

  • #1 - Impermissible Uses and Disclosures
  • #2 - Safeguards
  • #3 - Access
  • #4 - Minimum Necessary

The last spot has changed from 2003 through 2007, with last year's number 5 spot being taken by "Notice" issues.


You CAN Go To Jail for HIPAA Violations

On May 8th, 2008, John C. Richter, United States Attorney for the Western District of Oklahoma, announced in a press release that a 30-year-old Oklahoma City woman who pled guilty to violating HIPAA may face up to 10 years in prison and a fine of up to $250,000!

As part of her plea, the woman admitted that in the summer of 2007, while she was employed by a counseling center in Oklahoma City, she knowingly allowed two individuals to take patient files from her place of employment which contained individually identifiable health information with the intent to obtain personal gain.  The press release provides more details of the circumstances of the case.

U.S. Attorney John C. Richter states in his Department of Justice press release:

“This case illustrates how easily an illegal disclosure of patient files can be used by others to commit identity theft causing financial trauma to many victims.”

A sentencing hearing is supposed to be set in approximately 90 days.

Sanctions May Be Imposed Due to Star-Struck Snoopers

On April 8, 2008, The New York Times and The Los Angeles Times reported that Dr. Mark Horton, head of the California Department of Public Health, said that "the agency planned to sanction the University of California, Los Angeles, Medical Center after hospital workers improperly viewed the records of more than 60 patients, including the actress Farrah Fawcett and the state's first lady, Maria Shriver."  The medical center's investigation "revealed that records of 61 patients, roughly half celebrities or politicians, had been opened by one unauthorized worker who had since quit."  Governor Arnold Schwarzenegger has been quoted as stating that his administration will push hospitals to implement new safeguards to stop such snooping.

These types of incidents highlight a prevalent issue that I find many covered entity providers struggling with: their employees are either not aware of, or are not taking seriously, their responsibility not to access the record of any patient without an authorized purpose.  Authorized purposes include where the employee needs the information in connection with providing health care services to the patient.  Other authorized purposes are limited, but are set forth in the HIPAA Privacy Rule.  In addition, state laws may further restrict which employees can access certain sensitive information, like mental health records.

HIPAA requires that covered entities implement safeguards to attempt to prevent unauthorized employees from accessing protected health information (PHI).  The first step for a provider is to establish clear policies regarding when employee access is "authorized" (permitted) and when it is "unauthorized" (not permitted).  With respect to electronic PHI, the HIPAA Security Rule goes one step further by requiring covered entities to implement (1) Access Authorization levels and (2) Access Establishment and Modification.  This may include developing and implementing policies and procedures for assigning access rights (e.g., passwords) to employees based upon their role at the facility.  Finally, it is imperative that employees are trained on the established policies, and that applicable sanctions (e.g., from warnings to termination) are carried out for violations.
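The two Security Rule pieces just described (role-based access authorization, and access establishment and modification such as deactivating a departed worker's account) can be expressed as a small policy check, and the same check can be replayed over an access log to surface the kind of chart "snooping" in the UCLA incident. The following Python is an added illustration written for this post; it is not code from the original blog or from any real hospital system. The employee directory, the care-team assignments, the role permission table and the log lines are all constructed for the example, as is the log format (`timestamp|user_id|patient_id|action`).

```python
"""Role-based access authorization for PHI plus after-the-fact access review.

Added illustration for the point about access authorization and "snooping"
detection. Not code from the original post. The employee directory, the
care-team assignments, the policy table and the log lines below are all
constructed for the example; nothing here is a real system or real data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Access-authorization levels: which actions each role may perform on a
# patient record (constructed policy table; a covered entity writes its own).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "physician": {"read", "write"},
    "nurse": {"read", "write"},
    "billing": {"read_billing"},
    "front_desk": {"read_demographics"},
}

# Clinical roles may only open charts of patients they are assigned to care for.
RELATIONSHIP_REQUIRED: Set[str] = {"physician", "nurse"}


@dataclass(frozen=True)
class Employee:
    user_id: str
    role: str
    active: bool = True  # set to False on termination (access modification)


def authorize(emp: Employee, patient_id: str, action: str,
              care_team: Dict[str, Set[str]]) -> Tuple[bool, str]:
    """Return (allowed, reason) for one requested access under the policy tables."""
    if not emp.active:
        return False, "account deactivated"
    if action not in ROLE_PERMISSIONS.get(emp.role, set()):
        return False, f"role {emp.role} not permitted to {action}"
    if emp.role in RELATIONSHIP_REQUIRED and emp.user_id not in care_team.get(patient_id, set()):
        return False, "no treatment relationship with patient"
    return True, "ok"


def review_access_log(lines: List[str], directory: Dict[str, Employee],
                      care_team: Dict[str, Set[str]]) -> List[Tuple[str, str, str, str]]:
    """Re-evaluate every logged access against policy and return the ones that fail.

    Constructed log format: timestamp|user_id|patient_id|action
    """
    flagged = []
    for line in lines:
        ts, user_id, patient_id, action = line.strip().split("|")
        emp = directory.get(user_id)
        if emp is None:
            flagged.append((ts, user_id, patient_id, "unknown user"))
            continue
        ok, reason = authorize(emp, patient_id, action, care_team)
        if not ok:
            flagged.append((ts, user_id, patient_id, reason))
    return flagged


# --- constructed sample data (not real employees, patients or events) --------
DIRECTORY: Dict[str, Employee] = {
    "u100": Employee("u100", "physician"),
    "u200": Employee("u200", "nurse"),
    "u300": Employee("u300", "billing"),
    "u400": Employee("u400", "nurse", active=False),  # left the organization
}
CARE_TEAM: Dict[str, Set[str]] = {"p1": {"u100", "u200"}, "p2": {"u100"}}
SAMPLE_LOG: List[str] = [
    "2008-04-01T09:00|u100|p1|read",          # physician on p1's care team
    "2008-04-01T09:05|u200|p2|read",          # nurse not assigned to p2
    "2008-04-01T09:10|u300|p1|read_billing",  # billing reads billing data only
    "2008-04-01T09:12|u300|p1|read",          # billing opening the clinical chart
    "2008-04-01T09:20|u400|p1|read",          # deactivated account still in use
    "2008-04-01T09:30|u999|p2|read",          # user not in the directory at all
]


def find_unauthorized_accesses() -> List[Tuple[str, str, str, str]]:
    """Run the review over the constructed sample log."""
    return review_access_log(SAMPLE_LOG, DIRECTORY, CARE_TEAM)


if __name__ == "__main__":
    for ts, user, patient, reason in find_unauthorized_accesses():
        print(f"{ts} user={user} patient={patient}: {reason}")
```

Two design points are worth noticing. The decision is made from policy tables, not from who happens to know a password, so the same `authorize` function can run at access time (enforcement) and again over the log (review), and any gap between the two is exactly the evidence the post says a sanctions policy needs. And the deactivated-account and unknown-user cases are checked before any role logic, which is the "modification" half of Access Establishment and Modification: an account that was never closed when its owner left is reported even if the role itself would have been permitted.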

CMS to Audit 10-20 Hospitals In Next 9 Months

GovernmentHealthIT reports that on January 16, 2008 at a workshop on HIPAA security, CMS announced that it will begin its audits by reviewing 10 to 20 hospitals in the next nine months for compliance with the HIPAA Security Rule.  As posted earlier on this Blog, CMS has contracted with PricewaterhouseCoopers (PwC), an accounting and consulting firm, to help with the reviews.

Who Will Be Audited?   Tony Trenkle, Director of CMS' Office of e-Health Standards and Services, stated at the January 16th workshop that the first reviews will be at hospitals where CMS has received complaints about security practices.  Then, CMS will move onto auditing "larger" hospitals nationwide.

What Will CMS Look For?   CMS representatives state that before a visit, the CMS-PWC team will request documents required under the HIPAA Security Rule, such as the hospital’s security risk assessment and its remote access policies.  Director Trenkle indicated that remote access to data and use of portable storage devices are among the issues that CMS will focus on.  Lorraine Doo, senior policy adviser at the Office of E-health Standards and Services, elaborated that CMS-PWC will interview the compliance officer, security director, lead systems security manager and access controls manager at each hospital.

Consequences:   Hospitals will be invited to comment on the CMS-PWC team’s findings before the results are final.  After the reviews, CMS will publish the results of the security review, but not the organizations' names, on its website.  However, if the review uncovers major lapses, Ms. Doo indicates that CMS could fine a hospital or levy other punishments allowed under the HIPAA statute.

Helen's HIPAA Hint: The comment made by CMS’ Senior Policy Advisor, Ms. Doo, will likely make covered entities ask: who is a “Lead Systems Security Manager,” who is an “Access Controls Manager,” and did the Security Rule require us to appoint such individuals?   The technical answer is “no”: the Security Rule only expressly requires a covered entity to appoint a Security Officer. However, the practical answer is that in order for the covered entity to ensure that the required technical, physical and administrative safeguards are effectively implemented, monitored and revised as needed, the “buck must stop” (as they say) ultimately with someone.

In smaller organizations, the Security Officer may have to take on all of these roles.  However, larger entities may find it necessary to create a “team” of individuals who will work in tandem with the Security Officer in making sure that the entity is in full compliance.

So, if a covered entity does not have an Access Controls Manager or a Lead Systems Security Manager, will CMS find this organization non-compliant?  I do not think so, as long as the entity can demonstrate that a specific individual or specific individuals are ultimately responsible for making sure that all of the Security Rule’s safeguards are effectively implemented, monitored and audited, and that issues are addressed as they come up.

Ho-Ho-Ho...Contractor Hired to Audit the Naughty

HcPro reports that the Centers for Medicare and Medicaid Services (CMS) has contracted with PricewaterhouseCoopers to conduct security audits of covered entities, according to Karen Trudel, deputy director of CMS' Office of E-Health Standards and Services.  PricewaterhouseCoopers' job will be to audit covered entities against which CMS has received a complaint.  The audits conducted by PricewaterhouseCoopers will be in addition to those that are not complaint-driven, such as the random security audit of Atlanta's Piedmont Hospital completed in March of 2007.  It is being said that at least two more similar "random" audits are planned for the near future.

Currently, if a complaint contains information about an incident or problem that could also be a violation of the HIPAA Security Rule, the Office for Civil Rights (OCR) coordinates its investigation with CMS, which is the agency within HHS that is responsible for enforcing the Security Rule.  By contracting with PricewaterhouseCoopers, CMS will likely increase its ability to respond to complaints regarding potential security breaches and to audit potential offenders.

Providers who continue to question whether keeping their HIPAA Security compliance program updated and alive is "worth it" should note that CMS's decision to contract with PricewaterhouseCoopers is just another indication that the federal government is not likely to simply sit back and ignore enforcement.

Helen's HIPAA Hint:  Keep your HIPAA Security compliance program alive.  At a minimum, covered entities should: (1) periodically review their HIPAA security policies and procedures; (2) respond to internal complaints with internal investigations and appropriate actions; and (3) provide refresher training to employees.  Also, keep an eye on CMS's enforcement website, where CMS hopes to put more information regarding Security Rule enforcement.  The ability to demonstrate that your organization has an active and effective HIPAA Security compliance program can help if the need ever arises to respond to an audit by CMS or OCR.

Is the HIPAA Enforcement Tide Turning?

Final regulations setting forth how the Office for Civil Rights (OCR) should enforce HIPAA became effective back in March of 2006.  As of the end of August 2007, there have been 29,994 complaints filed with the government alleging violations of privacy.  Yet, to date, the OCR has not issued a single civil monetary penalty.  As a result, I am asked by providers and others if it is really necessary for them to continue spending resources to stay on top of maintaining their HIPAA compliance program, to which I always respond with an unwavering "yes."

In addition to the more obvious reasons why compliance with HIPAA is a good idea, the enforcement tide may be turning.  In February of 2007, the Department of Health and Human Services (DHHS), through the Office of Inspector General, announced its first audit, of Atlanta's Piedmont Hospital's compliance with the HIPAA Security Rule.  On April 16, 2007, DHHS then delegated to the OCR additional authority to issue subpoenas.   Most recently, on April 20, 2007, HHS launched an enforcement Web site, which provides information regarding the Privacy Rule and how OCR enforces health information privacy rights and standards.

Some say that these are signs that the federal government is gearing up for increasing its national enforcement efforts.  Also worth noting is that the OIG acknowledges in the 2007 Work Plan that "the wider use of electronic medical records and personal health records raises concerns over privacy and security of patient data," which may suggest more audits are on the horizon.  So, keep your HIPAA policies current, alive and on your lower shelf!