HIPAA Enforcement: Unleashing the Dogs
Prosecutors are a fun bunch, and they love their jobs and their mission: prosecuting law-breakers. Prosecutors especially enjoy being charged with stepping up enforcement of a specific law and watching how the affected industry reacts to their prosecutorial impact.
HIPAA enforcement is a perfect example of this principle. HIPAA has been on the books for nearly 20 years, yet there has been very little enforcement against companies for violating the law. The HITECH Act added new security obligations to HIPAA entities requiring protection of personal health information (“PHI”). Privacy and security have now become the focus for hospitals, physicians and other healthcare entities.
Add to this HHS’ decision to assign responsibility for a new HIPAA/HITECH enforcement initiative to a former prosecutor, and you have the perfect mix for a new and significant risk that companies must address in order to stay out of trouble.
Since 2003, HHS’ Office of Civil Rights (“OCR”), which is responsible for investigating HIPAA violations, has received approximately 77,000 complaints and investigated 27,500, 18,600 of which have resulted in corrective actions. Since 2008, OCR has imposed nearly $15 million in civil penalties for violations.
Health care providers face significant HIPAA risk relating to impermissible uses and disclosures of PHI, safeguards to protect health information, and access to health records. Also, health care providers must now conduct a risk analysis for security of their health records, develop security awareness and training programs and maintain proper incident reporting and response procedures.
In the last four years, OCR has received reports of over 500 security breaches involving PHI in entities with 500 or more employees. Most often, these breaches involve theft, unauthorized access or disclosure, and loss of PHI. Theft is involved in approximately half of all data breaches of PHI.
In 2012, OCR’s major enforcement actions for data breaches were against Tennessee Blue Cross-Blue Shield ($1.5 million); Alaska Department of Health and Human Services ($1.7 million); and the Massachusetts Eye and Ear Institute ($1.5 million).
OCR has also conducted an audit program for HIPAA and HITECH compliance. The audit pilot program was completed in December 2012, and around 115 entities were audited. The results were interesting: only 13 percent of the companies had no findings or observations; nearly 300 violations of privacy regulations were noted; and almost 600 violations of security regulations were noted.
The Omnibus regulations were issued in the beginning of 2013 and the effective date was March 26, 2013; the compliance date was set for September 23, 2013, and an additional year, September 22, 2014, was given for compliance with the specific Business Associate regulations.
Healthcare providers have it hard enough these days in this regulatory and enforcement environment. With the rising concerns for privacy protection in all business areas, healthcare companies have a new and significant threat to address. Privacy and data security are issues which are here to stay and require significant compliance attention.