HIPAA Enforcement

Subscribe to HIPAA Enforcement

Matthew Redding contributed to this post.

It’s a familiar story: a HIPAA breach triggers an investigation which reveals systemic flaws in HIPAA compliance, resulting in a seven-figure settlement.  A stolen laptop, unencrypted data, a missing business associate agreement, and an aggressive, noncompliant contractor add to the feeling of déjà vu.

North Memorial Health Care of Minnesota, a not-for-profit health care system, settled with the Office of Civil Rights for the Department of Health and Human Services (OCR) for $1.55 million resulting from allegations that it violated HIPAA by failing to timely implement a Business Associate Agreement with Accretive Health, Inc., a major contractor, and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information.

The OCR’s investigation arose following North Memorial’s reporting of a HIPAA breach on September 27, 2011, which indicated that an unencrypted, password-protected laptop was stolen from a workforce member of a business associate’s (BA’s) locked vehicle, impacting the ePHI of almost 10,000 individuals. The investigation further revealed that, North Memorial began providing Accretive with access to its PHI on March 21, 2011, and the parties did not enter into a business associate agreement until October 14, 2011

In addition to the fine, North Memorial is required to develop policies and procedures specific to documenting the BA relationship, modify its existing risk analysis process, and develop and implement an organization-wide risk management plan. The Resolution Agreement is available here.

In a press release, OCR director Jocelyn Samuel said:

“Two major cornerstones of the HIPAA Rules were overlooked by this entity.  Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”

Accretive Health, Inc. may be a familiar name to readers of this blog.  In 2012, the Minnesota Attorney General’s office filed suit against Accretive for allegedly mining, analyzing and using their hospital clients’ data for purposes that were not disclosed to patients and which may adversely affect their access to care.  This suit was subsequently settled for $2.5 million under an agreement under which Accretive agreed to cease operations in Minnesota.  The AG’s lawsuit was triggered by the same laptop theft which compromised the healthcare data of North Memorial and another facility, Fairview Health  Services.  One stolen, unencrypted laptop of a BA has resulted in over $4 million in aggregate liabilities to three covered entities.

The lessons for covered entities from this continuing saga are clear:

  • Encrypt your electronic data. All of it, everywhere it resides and whenever it is transmitted, and pay particular attention to laptops, mobile devices and media.  (While you’re at it, be sure to protect paper data as well and shred it when it is no longer needed  — it can be easily exploited by thieves and dumpster-divers).
  • Make sure you have Business Associate Agreements with all business associates, and review them to make sure they are current and require appropriate safeguards and indemnify you from the costs of the BA’s breaches.
  • Know your BAs and control what they do with your data.  Accretive’s alleged aggressive collection efforts, such as accosting patients on gurneys in the emergency department or while recovering from surgery, did not reflect well on their hospital clients.
  • Do not take your HIPAA obligations lightly.  North Memorial’s incomplete HIPAA implementation and lack of attention to risk analysis may have contributed to the severity of the result.

I’m sure fellow bloggers Bill Maruca and Michael Kline join me in giving three cheers for the recent growth in our firm’s health care practice (welcome, Minneapolis!) and ever-deepening pool of attorneys dealing with clients’ privacy and data security issues. But one recent addition to our team, Margaret (“Margie”) Davino, gets a fourth cheer for jumping into her new position as a partner practicing out of our New York City and Princeton, NJ offices and immediately leading a HIPAA webinar for HFMA’s Region 2 (metro NY) entitled “HIPAA: What to Expect in 2016”.

Margie covered a wide range of HIPAA topics, discussing how OCR investigations arise, preparing for Phase 2 of OCR’s audits, and how HIPAA might overlap or interplay with other laws (the FTC Act, state law causes of action, and the Telephone Consumer Protection Act, to name a few). For HIPAA nerds like me, it was a satisfying smorgasbord of HIPAA tidbits, past, present and future.  But several of Margie’s take-aways are particularly useful additions to the 2016 HIPAA compliance “To-Do” list:

  1. Make sure your security risk analysis encompasses all entities within your “family” – in other words, don’t just analyze your electronic health record, but focus on each entity and location from which protected health information (PHI) might be stolen or lost.
  2. If you are a small entity, make use of HHS’s Security Risk Assessment Tool to identify whether corrective action should be taken in a particular area. (In other words, there’s no excuse for ignoring item #1 on this list!)
  3. Encrypt data, if at all possible (and make sure it’s up to NIST encryption standards).
  4. Check that you have updated Business Associate (BA) Agreements in place for all BA relationships (and check first to make sure it’s really a BA relationship).
  5. Have a mobile device policy – and include mobile devices in your security risk analysis.

I like this short “To-Do” list because it helps prioritize HIPAA compliance tasks for 2016 based on what we have learned from breaches and enforcement actions in 2015 and prior years.

Our partner Elizabeth Litten and I were quoted by our good friend Marla Durben Hirsch in her article in Medical Practice Compliance Alert entitled “6 Compliance Trends Likely to Affect Your Practices in 2016.” Full text can be found in the January 13, 2016, issue, but a synopsis is below.

For her article, Marla asked various health law professionals to make predictions on matters such as HIPAA enforcement, the involvement of federal agencies in privacy and data security, and actions related to the Office for Civil Rights (“OCR”) of the federal Department of Health and Human Services (“HHS”).

After the interview with Marla was published, I noted that each of Elizabeth’s and my predictions described below happened to touch on our anticipation of the expansion by HHS and other federal agencies of their scope and areas of healthcare privacy regulation and enforcement. I believe that this trend is not a coincidence in this Presidential election year, as such agencies endeavor to showcase their regulatory activities and enlarge their enforcement footprints in advance of possible changes in the regulatory environment under a new administration in 2017. If an agency can demonstrate effectiveness and success during 2016 in new areas, it can make a stronger case for funding human and other resources to continue its activities in 2017 and thereafter.

Our predictions that were quoted by Marla follow.

Kline Prediction: Privacy and data enforcement actions will receive more attention from federal agencies outside of the OCR.

In light of the amount of breaches that took place in 2015, the New Year will most likely see an increase of HIPAA enforcement. However, regulators outside of healthcare –such as the Department of Homeland Security, the Securities and Exchange Commission and the Federal Communications Commission — also try to extend their foothold into the healthcare compliance realm, much in a way that the Federal Trade Commission has.

Litten Prediction: The Department of Justice (DOJ) and the OCR will focus more on individual liability

In September of 2015, the DOJ announced through the Yates Memo, that they would be shifting their strategy to hold individuals to a higher level of accountability for an entity’s wrongdoing. The OCR has also mentioned that they will focus more on individuals who violate HIPAA. “They’re trying to put the fear in smaller entities. A small breach is as important as a big one,” says Litten.

Kline Prediction: OCR will examine business associate relationships.

The HIPAA permanent audit program, which has been delayed by the OCR, will be rolled out in 2016 and will scrutinize several business associates. In turn, all business associate relationships will receive increased attention.   According to Kline, “There will be more focus on how you selected and use a business associate and what due diligence you used. People also will be more careful about reviewing the content of business associate agreements and determining whether one between the parties is needed.”

We shall continue to observe whether the apparent trend of federal agencies to grow their reach into regulation of healthcare privacy continues as we approach the Presidential election.

When and how should you email PHI, if at all?  The Office for Civil Rights (OCR) offers guidance as to the permissibility of sending PHI via email in this “Frequently Asked Question” answer, but doesn’t provide specifics as to how PHI can be safely emailed.  Whether you are a covered entity or a business associate (or the CIO or Privacy Officer for a covered entity or business associate), an attorney trying to navigate privacy and security compliance under HIPAA and other laws, or an individual whose PHI is at stake, you may wonder what tools and resources are available to protect PHI transmitted via email.

The National Institute of Standards and Technology (NIST) has provided many such tools and resources, including its 2007 “Guidelines on Electronic Mail Security”.  Now, though, NIST is accepting comments through November 30, 2015 on its most recent proposed set of email security guidelines, “Special Publication 800-177, Trustworthy Email”.  Though this Trustworthy Email draft (available with other NIST computer security and privacy publications here) comes with a disclaimer that it is “written for the enterprise email administrator, information security specialists and network managers”, it’s worth review (even by the less tech-savvy among us) because it breaks down and describes each component of email functionality and the protocols and technology currently available to improve privacy and security.

Emailing PHI has become extremely common, but before deciding to send or receive PHI via email, it’s a good idea to make sure the Trustworthy Email protocols and technologies have been considered.   And if you have suggestions or comments as to how these protocols and technologies specifically relate to or can be improved in the context of emails containing PHI, here’s your chance to speak up!  Finally, remember that whatever comes out as the final set of NIST guidelines can become obsolete quickly in this rapidly developing and expanding e-world.

Cancer Care Group, P.C., a 13-physician radiation oncology practice in Indiana (group), has agreed to pay $750,000 and implement a comprehensive corrective action plan in a settlement resulting from the theft of a laptop and backup media containing unencrypted patient information.  As is often the case, the breach incident triggered an investigation that revealed deeper deficiencies in the physician group’s HIPAA compliance efforts.  The Office of Civil Rights of the Department of Health and Human Services (OCR) announced the settlement in a September 2, 2015 press release entitled “$750,000 HIPAA settlement emphasizes the importance of risk analysis and device and media control policies.”  That heading alone strongly suggests that OCR chose this case to send a clear and powerful message to smaller covered entities and business associates that neglecting basic compliance efforts can and will result in heavy fines, especially if meaningful corrective action is not undertaken after a breach occurs.

The practice first notified OCR of the theft of an employee’s laptop bag in 2012 from the employee’s car. The bag contained a laptop, which did not contain ePHI, and unencrypted computer server backup media with names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former patients.   OCR learned upon further investigation that the group had taken its HIPAA obligations less than seriously for years preceding the breach.

It had not conducted an enterprise-wide risk analysis when the breach occurred in July 2012. Further, Cancer Care did not have in place a written policy specific to the removal of hardware and electronic media containing ePHI into and out of its facilities, even though this was common practice within the organization. OCR found that these two issues, in particular, contributed to the breach, as an enterprise-wide risk analysis could have identified the removal of unencrypted backup media as an area of significant risk to Cancer Care’s ePHI, and a comprehensive device and media control policy could have provided employees with direction in regard to their responsibilities when removing devices containing ePHI from the facility.

In addition to the fine, the group adopted a Corrective Action Plan as part of its Resolution Agreement with OCR, which can be read here.

Much like the Phoenix Cardiac Surgery settlement that we discussed on this blog in 2012, this case involved  not just a one-time negligent breach, but a systematic, ongoing failure to adopt and implement appropriate HIPAA safeguards, policies and compliance efforts.  The Resolution Agreement indicates that such failures continued for a significant time after the theft of the devices.

The Resolution Agreement states that the payment of the $750,000 “Resolution Amount” does not preclude the government from imposing civil monetary penalties in the future if the deficiencies are not cured, and the group agreed to extend the statute of limitations on such penalties during the three-year term of the Resolution Agreement and Corrective Action Plan and for one year afterwards.  During the term of the Agreement, the group is required to complete a comprehensive Risk Analysis of all security risks and vulnerabilities posed by its electronic equipment, data systems, and applications that contain, store, transmit, or receive electronic protected health information (“ePHI”) and report the results to OCR; develop and implement an organization-wide Risk Management Plan to address and mitigate any security risks and vulnerabilities found in the Risk Analysis; revised and update its policies and procedures to OCR’s satisfaction; revise its current Security Rule Training Program; investigate any workforce member’s violation of such policies and report the results to OCR (even if such violation did not result in a breach); and file detailed annual reports with OCR.

There are plenty of lessons to learn from this settlement, but one of the most critical lessons may be the easiest to implement: encrypt your data, particularly any data that is stored in portable devices which have a disturbing tendency to disappear.  Had the backup device been encrypted, it is likely that the outcome of this incident would have been very different. Another lesson is that, if a breach of HIPAA is discovered, be proactive and act immediately to assess and address the risk and mediate the potential damage, update your policies and procedures, implement changes designed to avoid another breach, etc.  Do not wait for OCR to tell you how to respond to the breach.

Our partner Elizabeth Litten and I were once again quoted by our good friend Marla Durben Hirsch in her recent articles in Medical Practice Compliance Alert entitled “Misapplication of Internet Application Triggers $218,400 Settlement” and “Protect Patient Data on the Internet with These 6 Steps.”  The three of us together were able to come up with a number of ideas to assist physicians in improving the likelihood that protected health information (“PHI”) will be more secure. The full text can be found in the August 17, 2015 issue of Medical Practice Compliance Alert, but a synopsis of our input is included below.

Internet applications and files should be included in a physician practice’s HIPAA compliance plan, or a violation may result.  As an example, St. Elizabeth’s Medical Center (“SEMC”) in Brighton, MA recently settled several potential HIPAA violations for $218,400 with the Office of Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”).  One of the incidents involved SEMC’s use of an unauthorized internet-based document. The size of this settlement highlights the concerns of OCR about misuse by healthcare providers of internet-based document sharing or other applications.

Some steps to protect patient data on the internet include the following:

  1. Review the internet applications your practice uses. Litten says, “Take steps such as encryption to protect the data when it’s shared, transmitted and stored.”
  2. Ask the application’s manufacturer about its security safeguards. “If a manufacturer claims that (its application) is HIPAA protected, ask what that means,” Litten urges.
  3. Investigate all internal and external complaints and concerns. Kline says, “Expect the government to find out about PHI exposed on the Internet from a third party.”
  4. Keep track of the steps you take to identify and fix the problem. “You do better if you have a history that you endeavored to comply with HIPAA,” says Kline.
  5. Provide a mechanism by which employees can report concerns anonymously. Kline suggests, “You need a private place where people feel they’re not being watched.”
  6. Don’t allow staff to use unauthorized public networks. “Don’t open documents in, say, a Starbucks,” warns Litten.

In summary, in order for physicians to protect their practices, they must be certain that they understand HIPAA obligations with respect to privacy and security in the context of internet application usage.

A registered nurse employed by Minnesota Blue Cross Blue Shield (BC/BS) with a history of drug offenses allegedly accessed a prescription drug database 249 times without a legitimate purpose, according to a report by Minneapolis CBS affiliate WCCO posted by reporter Esme Murphy.

The nurse, Jim Johnson, reportedly had been previously assigned by BC/BS under the insurer’s contract with the state Department of Health to monitor prescription drug use in state-run medical programs. In that capacity, he was given access to the Minnesota Prescription Monitoring Program (MNPMP), which is generally limited to licensed prescribers and pharmacists, and their delegated staff. The MNPMP was established to detect diversion, abuse and misuse of prescriptions for controlled substances.

For a period of eight months after Johnson had been reassigned to other duties, he apparently had not been removed from the list of authorized users despite BC/BS having notified the state of the change. WCCO reports that during that time Johnson had accessed 56 individuals’ records, and had viewed a number of records multiple times. Investigations also revealed that Johnson had accessed some of these same individuals’ social media profiles. There reportedly is no indication at this time that Johnson disclosed any of the information he obtained or that he misused that information to obtain narcotics.

State Nursing Board disciplinary records indicate that Johnson had been fired by two previous employers because of narcotic violations. He reportedly admitted to stealing drugs from Children’s Hospital in St. Paul in 2000 and was fired by Unity Hospital after admitting to stealing morphine. He had not been charged criminally but had been fined and subjected to additional supervision. BC/BS was apparently unaware of Johnson’s disciplinary history when he was hired.

There is plenty of blame in this situation to go around. Although the MNPMP apparently had a process in place for credentialing legitimate users, it failed to revoke those credentials when they were notified that Johnson’s job no longer required him to access the database. BC/BS may have failed to monitor its employees’ access to such a highly-confidential trove of information, and may have exercised poor judgment in not thoroughly vetting an employee before assigning him to such a sensitive role.

Employee “snooping” has led to serious consequences in a number of high profile cases, including a Vermont ultrasound technologist who peeked at her ex-husband’s family’s records, a UCLA researcher who was sentenced to prison for looking at celebrity charts, California and New York hospital workers who accessed celebrity records and 16 Houston hospital employees fired for accessing a resident’s medical records after she was injured in a shooting incident.

A surprising footnote to WCCO’s story is the fact that the state Department of Health reportedly misstated HIPAA’s breach reporting requirements and claimed that only breaches involving 500 or more individuals were reportable. Such large-scale breaches require notice within 60 days of discovery, but, as indicated in the WCCO report, breaches involving fewer than 500 individuals must still be reported within 60 days of the close of the calendar year.

This is not BC/BS’s first brush with medical privacy violations. According to the Star Tribune, in 2010, a subscriber sued the insurer for violating the Minnesota Health Records Act and breaching her privacy by disclosing her name and providing confidential information about her medical treatment. Amazingly, the patient’s information was reproduced in illustrations that appeared in handbooks and marketing pamphlets instead of “dummy” information. Her ID and claims information appeared in 400 copies of a pamphlet and in 95,000 copies of a member handbook. Previously, the State Department of Commerce suspended the license of a BC/BS agent after a life insurance customer complained that the agent had improperly disclosed the customer’s personal information.

Once again the temptation to rummage around in an inadequately-secured repository of information has proven too hard for an employee to resist. Few covered entities and business associates have implemented safeguards to protect data from curious (or dishonest) employees’ eyes. Heightened employee training about prohibition of snooping with emphasis on discipline up to and including discharge is one step. However, the time may have come when relying on the honor system and training may be insufficient to meet HIPAA’s poorly-defined “minimum necessary” standard and more robust technical solutions may be called for. Even when, as in this case, only certain individuals are given access to PHI on a need-to-know basis, there is room for improvement of monitoring and oversight of those individuals’ actual behavior.

As she had done in 2014, Marla Durben Hirsch interviewed my partner Elizabeth Litten and me for her annual Medical Practice Compliance Alert article on compliance trends for the New Year.  While the article, which was entitled “6 Compliance Trends That Will Affect Physician Practices in 2015,” was published in the January 5, 2015 issue of Medical Practice Compliance Alert, a synopsis of the article can be found here. As we have previously pointed out, we always enjoy our talks with Marla because she never fails to direct our thinking to new areas.   We look forward to the opportunity for further encounter sessions with her.

While the article discussed a diverse range of topics affecting physician practices, including accountable care organizations (ACOs) and telemedicine, this blog post will focus on HIPAA-related areas.

Even more HIPAA and related enforcement activities can be expected in 2015.

The article observed that providers will not see a reprieve in this area. Breaches of patient and consumer data continue to proliferate; the tremendous publicity that breaches outside of the HIPAA area have received, such as the hacking of Home Depot and Sony, will create more pressure on HHS’ Office for Civil Rights (OCR) to enforce HIPAA breaches.  The article quotes us as saying “It’s [A HIPAA privacy breach is] very personal to people when their health data is filched; it’s creepy.”  

The article also quotes Elizabeth, who warns that practices also should expect increased activity by the Federal Trade Commission in the area of healthcare data breaches through its enforcement of consumer protection laws and from the Food and Drug Administration’s protection of the integrity of medical devices, even though those federal agencies do not have the same comprehensive standards and clear regulations that OCR does to enforce HIPAA.

Additionally, there is likely to be more private litigation using HIPAA compliance as the standard of care, even though HIPAA itself does not give patients the right to sue for violations. The November 2014 ruling in the Connecticut Supreme Court discussed on this blog here and here recognized HIPAA’s requirements as a standard of care in a state breach of privacy lawsuit. Elizabeth and I observed that the Connecticut case will spawn copycat lawsuits using HIPAA the same way for state breaches of privacy, negligence and other causes of action.

Covered entities and business associates will refine their agreements, all as they come under more scrutiny.

Many practices and their business associates scrambled to sign business associate agreements (BAAs), often using model forms from OCR and professional societies, to ensure that they had them in place by the September 2013 effective date — and for those who needed only to update an existing BAA, September 2014. However, as discussed in the article, covered entities and business associates now are negotiating the language in BAAs and customizing them to their individual needs, such as choice of law and indemnification requirements.

One provision that may become more prevalent in newer BAAs would allow a business associate that deals with large amounts of data — such as a cloud electronic health records vendor — to use covered entity’s de-identified patient data for the business associates’ own uses. An industry is developing around the aggregation of data for purposes such as research or predicting patient outcomes, and some business associates are moving to capitalize on that data and use it or market it to others. According to Elizabeth, covered entities will need to determine whether they want to grant such business associates permission to use the data that way.

Business Associates Can Expect Audits by OCR in 2015.

The activities of business associates also will be under the microscope. The permanent HIPAA audit program, slated to begin in 2015, is expected to audit business associates as well as covered entities. Elizabeth observed that the use of subcontractors by business associates also will be examined more carefully, especially those who use off-shore subcontractors.

Again, to read more, click here and see the full article in the January 5, 2015 issue of Medical Care Compliance Alert.

Medicare beneficiaries whose healthcare providers participate in an Accountable Care Organization (ACO) under the Medicare Shared Savings Program (MSSP) may want to add the Centers for Medicare & Medicaid Services (CMS) website, “Medicare & You”, to their lists of favorite internet links if they don’t want their Medicare claims data shared.  Proposed rules published by CMS in the December 8, 2014 Federal Register (the “Proposed Rules”) tweak the data sharing “opt-out” process slightly, but significantly.

Under the current MSSP regulations, a Medicare beneficiary that is a “preliminarily prospective assigned beneficiary” (meaning the beneficiary’s primary care provider participates in the ACO, but the beneficiary has not yet sought primary care services during the ACO performance year) may get a letter from his or her provider’s ACO informing the beneficiary that the ACO “may request [from Medicare] personal health information*  about the beneficiary for purposes of its care coordination and quality improvement work… .”  The beneficiary has 30 days from the date the letter is sent “to decline having his/her claims information shared with the ACO.”

*          Interestingly, the regulation references “personal health information”, rather than “protected health information”, the term used by the Office for Civil Rights (which, like CMS, resides in the Department of Health and Human Services) in the HIPAA regulations, but the widely-used PHI acronym works for both, so what the heck?  But I digress… .

The current regulation only allows the ACO to request “identifiable claims data” (aka “personal health information” /“claims information”) from this “preliminarily prospective assigned beneficiary” if the beneficiary does not decline the data sharing within 30 days after the ACO letter is sent.

Under the Proposed Rules, Medicare fee-for-service beneficiaries will be “notified about the opportunity to decline claims data sharing through materials such as the CMS Medicare & You Handbook and through the notifications” received at the point of care.  These notifications are deemed “received” by the Medicare beneficiary when posted as signs at the ACO provider’s facility or office (and, in settings in which primary care is provided, when given to the beneficiary in writing upon request).  The beneficiary can still opt-out, but the notice itself will make it clear that data sharing may have already occurred:  “The notifications … must state that the ACO may have requested beneficiary identifiable claims data about the beneficiary for purposes of its care coordination and quality improvement work… .”

Data sharing is a key aspect of any successful ACO and can certainly be achieved in a HIPAA-compliant manner.  Notably, as CMS explains in the preamble to the Proposed Rules, care coordination and quality improvement activities, when performed by an ACO that is a covered entity or, by an ACO that is a business associate, on behalf of a covered entity, qualify as “health care operations” functions or activities under HIPAA.  The elimination of the ACO letters and 30-day opt-out period for “preliminarily prospective assigned beneficiaries” is likely to reduce beneficiary confusion and ACO administrative expense.

As noted in the preamble to the Proposed Rules, only 2% of beneficiaries have historically opted out of ACO claims data sharing, anyway.  Perhaps only 2% of Medicare beneficiaries care about claims data sharing.  If the Proposed Rules are adopted, hopefully the “preliminarily prospective assigned beneficiaries” in the (however small) pool of future opt-outs will find the “Medicare & You” website and the ACO information (currently located on page 138) buried deep within it.

Nearly a year ago, as described in an earlier blog post, one of my favorite health industry journalists, Marla Durben Hirsh, published an article in Medical Practice Compliance Alert predicting physician practice compliance trends for 2014.  Marla quoted Michael Kline’s prescient prediction that HIPAA would increasingly be used as “best practice” in actions brought in state court:  “People will [learn] that they can sue [for privacy and security] breaches,” despite the lack of a private right of action under HIPAA itself.  Now, peering ahead into 2015 and hoping to surpass Michael’s status as Fox Rothschild’s HIPAA soothsayer, I thought I would take a stab at predicting a few HIPAA hurdles that covered entities, business associates, and their advisors are likely to face in 2015.

1.         More sophisticated and detailed (and more frequently negotiated) Business Associate Agreement (BAA) terms.   For example, covered entities may require business associates to implement very specific security controls (which may relate to particular circumstances, such as limitations on the ability to use or disclose protected health information (PHI) outside of the U.S. and/or the use of cloud servers), comply with a specific state’s (or states’) law privacy and security requirements, limit the creation or use of de-identified data derived from the covered entity’s PHI, or purchase cybersecurity insurance.  The BAA may describe the types of security incidents that do not require per-incident notification (such as pings or attempted firewall attacks), but also identify or imply the many types of incidents, short of breaches, that do.  In short, the BAA will increasingly be seen as the net (holes, tangles, snags and all) through which the underlying business deal must flow.  As a matter of fact, the financial risks that can flow from a HIPAA breach can easily dwarf the value of the deal itself.

2.         More HIPAA complaints – and investigations.  As the number and scope of hacking and breach incidents increases, so will individual concerns about the proper use and disclosure of their PHI.  Use of the Office for Civil Rights (OCR) online complaint system will continue to increase (helping to justify the $2 million budgeted increase for OCR for FY 2015), resulting in an increase in OCR compliance investigations, audits, and enforcement actions.

3.         More PHI-Avoidance Efforts.  Entities and individuals who do not absolutely require PHI in order to do business will avoid it like the plague (or transmissible disease of the day), and business partners that in the past might have signed a BAA in the quick hand-shake spirit of cooperation will question whether it is necessary and prudent to do so in the future.  “I’m Not Your Business Associate” or “We Do Not Create, Receive, Maintain or Transmit PHI” notification letters may be sent and “Information You Provide is not HIPAA-Protected” warnings may appear on “Terms of Use” websites or applications.

The overall creation, receipt, maintenance and transmission of data will continue to grow exponentially and globally, and efforts to protect the privacy and security of one small subset of that data, PHI, will undoubtedly slip and sputter, tangle and trip.  But we will also undoubtedly repair and recast the HIPAA privacy and security net (and blog about it) many times in 2015.

Have a Happy and Healthy HIPAA New Year!