Can you afford a $50,000 fine for a HIPAA violation? The healthcare industry is extremely vulnerable to cyber attacks and data theft. According to the HIPAA enforcement rule, penalties can reach up to $1,500,000 per year per violation depending upon the type of HIPAA violation.
In October 2018, Anthem Insurance pays OCR $16 Million in Record HIPAA Settlement after a series of cyberattacks led to the largest U.S. health data breach in history and exposed the electronic protected health information of almost 79 million people. OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014.
A Judge ruled in June 2018 that MD Anderson Cancer Center has to pay $4,348,000 in civil money penalties to OCR following an investigation of the theft of 3 unencrypted devices that resulted in a breach of ePHI (electronic Protected Health Information) of over 33,500 individuals.
Fresenius Medical Care North America (FMCNA) is paying 3.5 million dollars with a corrective action plan after 5 separate data breaches in 2012 because they failed to implement policies and procedures and to implement proper protection of PHI (Protected Health Information).
CardioNet has been fined 2.5 million with a corrective action plan after a laptop was stolen from an employee's vehicle. Further investigation revealed insufficient risk analysis and risk management at the company. Their policies and procedures were in draft status and had not been implemented.
One surprise inspection can expose a HIPAA violation and change your business forever. New legislation now allows patients in Connecticut to sue healthcare providers for privacy violations or PHI disclosure as well. You may say that your job as a healthcare provider is only to treat your patients, that you don't need to worry about Cybersecurity or technology. Bear in mind though - it is a fact that Cybersecurity issues can impact and have impacted patient care on several occasions! Protect the integrity of your business and your patients' private health information to avoid a HIPAA violation that could cost you money, respect and patients!
You may understand that HIPAA violations can lead to fines, but you may also be wondering: What is a corrective action plan? Often, when the Office of Civil Rights (OCR) imposes a fine for a HIPAA violation, they also enforce a Corrective Action Plan with a strict timeline to correct underlying compliance problems and a goal to prevent breaches from recurring.
You may think that HIPAA does not apply to you, take a close look at the requirements to see if you need to comply
Health Care Providers like Doctors, Surgeons, Dentists, Psychologists, Podiatrists, Laboratory technicians, Optometrists, Hospitals, Clinics, Nursing homes, organizations in the life sciences field such as medical devices, biotechnology, Pharmacies, schools when they enroll students in health plans or have health clinics or providers, nonprofit organizations that provide some healthcare services, and even government agencies.
Health Plans like Health Insurance Companies, HMOs, Employer-Sponsored Health Plans, Government Programs like Medicare, Medicaid, Military and Veterans’ health programs.
Healthcare Clearing Houses. These are organizations that collect information from a healthcare entity, process the data in an industry-standard format and deliver it to another entity. Examples of clearinghouses include: Billing services, Community health management information systems.
"Business associate” refers to any organization or individual who acts as a vendor or subcontractor with access to PHI.
Examples of business associates include: Data transmission providers, Data processing firms, Data storage or document shredding companies, Medical equipment companies, Consultants hired for audits, Electronic health information exchanges, External auditors or accountants, Medical transcription companies, Answering services, Data conversion and data analysis service providers, Law firms, Software vendors and consultants, Financial institutions (if engaging in accounts receivable or other functions extending beyond payment processing), ISPs, ASPs, Cloud vendors, Researchers (if performing HIPAA functions for a covered entity), etc.
It is an important best practice for every covered entity to have signed business associate agreements with your vendors who need access to protected health information (PHI) in order to do their jobs. A business associate agreement is a contract that defines the roles of covered entities and business associates when it comes to handling PHI. We recommend that you contact your lawyer for a business associate agreement as it is a legally binding document that lays out all the responsibilities of business associates regarding use, access, disclosure and destruction of PHI and the rules that the business associate must abide by with respect to training, breach notification, reporting, etc.
Many organizations offer standard Business Associate Agreements that they will sign. Examples are Electronic Health Record systems, secure email providers, secure file sharing/ file transfer companies, cloud backup services, secure fax providers, etc. Be sure to get a signed copy of this.
With so many critical systems moving to the cloud these days, be sure to keep an accurate inventory of all your vendors or business associates, especially those who have access to your PHI or ePHI, and maintain a file with all these business associate agreements so that you have them handy if needed at any time.
The Minimum Necessary Standard of the HIPAA Privacy Rule is based on the sound practice that PHI should not be disclosed unless it is necessary to carry out a particular function. A covered entity must take reasonable steps to limit the use and disclosure, and requests for protected health information. Only those who need access to PHI may receive such access, and even so, the PHI should be restricted to the minimum necessary information to carry out the job. For instance, if a healthcare provider's office is being cleaned by a janitorial company, then the provider must take reasonable precautions to ensure that no PHI is accidentally available for access by one of the janitorial staff.
Very simply, any data that can identify an individual is considered individually identifiable protected health information (PHI).
There are 18 such identifiers that can identify an individual - these are:
|Name||Address||Dates relating to an individual, e.g. date of birth, admission date, discharge date, date of death, etc.|
|Phone numbers||Fax numbers||Email addresses|
|Social security numbers||Medical record or chart numbers||Health insurance numbers|
|Account numbers||Certificate/ license numbers||Vehicle serial numbers or license plate numbers|
|Device identifiers or serial numbers||Web URLs||IP addresses|
|Biometric identifiers, including fingerprints, facial scan, voice prints and retinal scans.||Full face photographs||Any other unique identifying code.|
HIPAA requires that if PHI is disclosed without authorization for purposes such as research, then it must be de-identified first. As long as the information is masked to the extent that it cannot identify specific individuals, it is not considered as PHI.
During a site walkthrough at a security risk assessment of a large hospital a couple of years ago, we found a bunch of CDs stashed in an open drawer on the hospital floor in the hallway. These CDs had patient names, date of birth and other PHI on them. They had discontinued the system using CDs and the data had been ported to the new system, so they had no use for these CDs. This was a breach just waiting to happen, fortunately, the hospital security staff took action immediately after these CDs were discovered and securely destroyed them.
On September 18, 2018, another hospital The University of Texas Health Science Center at Houston notified the Department of Health and Human Services of a breach affecting 500 patients, caused by theft of paper/ films.
On August 9, 2018, Anne Arundel Dermatology, P.A., a dermatology practice in Maryland, reported a breach to the Department of Health and Human Services, caused by the theft of paper/ films affecting over 1300 patients.
All these examples go to show how valuable any form of PHI can be, even if it is stored on films, paper or CDs or any other form. It is every covered entity's responsibility to take all reasonable steps to secure your patients' PHI and to prevent the PHI from being disclosed accidentally or deliberately to any unauthorized personnel.
The Office of Civil Rights (OCR) has published guidance on a patients' right to access their paper or electronic health data. Patients have the right to request a copy of their health records or to give consent to have their health records provided to someone else. This is all part of the process to empower patients to manage their health care.
A covered entity is required to honor the patient's request for a copy of his or her health records within a reasonable time such as 30 days. The covered entity may require that such a request be made on a signed request form. A reasonable fee may also be charged. If the patient does not receive the health records from the provider within a reasonable time of requesting it, the patient may choose to report this issue to the office's HIPAA Privacy Officer or may escalate it to the Department of Health and Human Services.
If you are a patient and would like to access your health records, you may contact your doctor's office to do so. The law gives you the right to your health information.
In February 2019, the Department of Health and Human Services (HHS) proposed a new rule focusing on a patient’s ability to access all of their Electronic Health Information at no cost. The new rule supports seamless and secure access, exchange, and use of electronic health information (EHI).
According to the Office of the National Coordinator for Health IT (ONC), “The proposed rule is designed to increase innovation and competition by giving patients and their healthcare providers secure access to health information and new tools, allowing for more choice in care and treatment. It calls on the healthcare industry to adopt standardized application programming interfaces (APIs), which will help allow individuals to securely and easily access structured EHI using smartphone applications.”
The Center for Medicare and Medicaid Services (CMS) is also proposing changes to increase the seamless flow of health information, requiring that enrollees be provided with immediate electronic access to medical claims and other health information electronically by 2020.
With this new rule, if a patient asks for access to their electronic health record, and if it is not given to them electronically and for no cost, that will be considered “information blocking”, with penalties involved. Standardization in interoperability between systems will need to become the norm, thereby transforming the way healthcare data can be made available to patients.
The Health Insurance Portability and Accountability Act (HIPAA), is a Federal legislation that was put into effect in 1996. This law requires the US Department of Health and Human Services (HHS) to develop and enforce national standards which protect the privacy and security of patients’ medical records and other personal health information (PHI). The most recent change to HIPAA was ratified in 2013 - this change is referred to as the “Final Omnibus” rule. This change to HIPAA now includes Enforcement and Civil Penalties for HIPAA violations.
The Health Information Technology for Economic and Clinical Health Act (HITECH Act)legislation was created in 2009 to stimulate the adoption of electronic health records (EHR) and supporting technology in the United States. HITECH introduced the "Meaningful Use" program incentivizing healthcare organizations just like yours to maintain the Protected Health Information (PHI) of your patients in electronic format, rather than in paper files. HITECH empowered OCR to enforce the HIPAA privacy and security rules.
Get a free HIPAA Compliance Flow Chart. By downloading this HIPAA Compliance Flow Chart, get answers to questions like:
What should my HIPAA Compliance strategy look like?
Where do I need to start to get my organization HIPAA compliant?
HITECH and HIPAA are separate and unrelated laws, but they do reinforce each other in certain ways.
Some people mistakenly believe that a HIPAA risk assessment is a one-time practice. Not only is it a recommended practice to conduct a risk analysis or assessment on an annual basis, but for some agencies and incentive programs, it is a requirement for attestation. Is it time to conduct your annual HIPAA risk assessment?
The Federal Government has specific HIPAA (Health Insurance Portability and Accountability Act) requirements that include annual HIPAA training. According to the U.S. Department of Health and Human Services, as part of HIPAA Administrative Safeguards, all covered entities, must train on an annual basis, all workforce members regarding your security policies and procedures.
By Training your employees annually, you not only remain HIPAA Compliant, but also guarantee every staff member is following your policies and procedures. As a covered entity it is your responsibility to educate your employees about cyber risks that can affect your practice and clients.
Your team at all levels, should be knowledgeable on the value of medical data to criminals in the black market. They should know the risks to patients if their personal medical data is stolen. Annual HIPAA training regarding your institution’s policies and procedures keeps your staff up to date on HIPAA policies and procedures and security and privacy policies, including escalation procedures, contingency plans and reporting HIPAA Violations.
Choose a HIPAA training program that is engaging to ensure your employees understand the importance of demonstrating HIPAA compliance in their everyday jobs. Keep a record of Each training that is held and all attendees.
Policies and procedures are an important component of your security program for HIPAA Compliance. These policies explain to both your staff and patients what steps you will take to protect PHI, and how you will handle incidents such as a data breach.
According to the Privacy Rule all covered entities must adopt reasonable and appropriate policies and procedures to be in compliance. These policies and procedures must be maintained and updated until 6 years after the last effective date of the entity.
Your HIPAA Policies should contain security policies and privacy policies, and policies related to breach notification. One of the main purposes of maintaining and following HIPAA policies and procedures is to try and prevent breaches of PHI.
Security policies are rules or guidelines that your organization follows on a regular basis. For instance, as part of your HIPAA policies, you would have a password management policy, an encryption policy, a policy for email, a policy for data backups, a policy for disposal, and many more. All aspects of the HIPAA Security rule must be covered within your policies, specifically the administrative safeguards, technical safeguards and physical safeguards. Your HIPAA security policies must show what your organization is doing to protect your patients' Protected Health Information (PHI) and all accesses to it.
Privacy policies are rules or guidelines that your organization follows as you establish and maintain a culture of privacy within your organization to protect your patients' privacy. For instance, you may have policies that dictate how, where, when and with whom patient information may be discussed, who has access to PHI, with whom you can share PHI with, and such topics related to the HIPAA Privacy Rule. If your office uses telemedicine to treat your patients, your security and privacy policies apply to all such interactions too.
Breach notification policies are rules or processes that your organization should follow in the event of a data breach. See the section below on breach notification for more information about reporting a breach and about incident management.
Procedures are detailed instructions on how your organization and staff need to implement your policies. For instance, a security policy may state that you will use anti-virus software, and that you will update it periodically. The corresponding procedure might talk about specific type or brand of anti-virus, frequency of update, who is responsible to maintain or troubleshoot issues, and such related items.
Be sure to review your security and privacy policies and procedures at least once a year, and if your office undergoes any major change. Not only that, there are yearly revisions of HIPAA Law that requires all covered entities to be made aware of any new rule changes that can affect one's practice. Examples of major changes are a physical move, change of your EHR system, major re-organization of your office structure.
Ensure that you instill and maintain a culture of privacy within your healthcare organization at all times. Employees and business associates must be trained and reminded periodically about the importance of patient privacy. All interactions with and about the patient must always be handled in confidence, while ensuring that only authorized personnel receive the patient's health information. Elements of this culture of privacy range from small actions such as not speaking about patients loudly in common areas, to modes of sharing information using electronic methods such as email, and to ensuring that patient consent forms are signed and maintained in your records.
A notice of privacy practices must be clearly displayed so that your patients can see and read it in your facility. This notice must also be displayed prominently on your website. Patients may also request a copy of these privacy practices at any time, so be prepared to provide a copy to any patient that requests it. Model notices of privacy practices are available for free download from the Health and Human Services (HHS) website.
We suggest that you review your HIPAA compliance requirements at least once a year, and if your office undergoes any major change. Examples of major changes are a physical move, change of your EHR system, major re-organization of your office structure. If for any reason, you undergo an audit or if you are subject to a data breach and a subsequent OCR investigation, then it would be best if you could show the auditors your evidence of the last risk analysis having been completed within the last year.
HIPAA Training - Train your staff at least every year. Many physicians and office managers believe that if they undergo HIPAA training once a year, that makes them HIPAA-compliant. This is a falsehood. HIPAA Training alone is not HIPAA compliance, it must be accompanied at least by your annual risk assessment and an annual review of your policies and procedures.
Lack of Business Associate Agreements with vendors who have access to your PHI.
Loss or theft of unencrypted portable devices containing PHI.
Failure to complete an enterprise-wide risk analysis.
Insufficient physical safeguards or keeping PHI unlocked or easily accessible.
Lack of HIPAA Security and Privacy policies and procedures.
Delays in reporting breaches as per the Breach Notification Rule.
Read more about these violations and how you can mitigate the risk in our blog post on this subject.
The HIPAA Security Rule was instituted in February 2003. It applies to covered entities and establishes national standards to protect individuals’ electronic personal health information (ePHI) that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. It was set up by HHS when the practice of holding patient records in electronic form started becoming more common. Covered entities regularly use web-based portals, electronic health record (EHR) systems, physician order entry systems, health plan systems, mobile applications and radiology, laboratory and pharmacy systems.
Covered entities need to ensure that they abide by the necessary physical, technical and administrative safeguards to protect the ePHI they manage. Physical safeguards are the mechanisms required to protect electronic systems, equipment and the data they hold, from threats, environmental hazards and unauthorized intrusion. They include restricting access to EPHI and retaining off site computer backups. You can read more about physical safeguards in our blog post: “Understanding the HIPAA Security Rule: Part I – HIPAA Physical Safeguards”.
Technical safeguards are primarily the automated processes used to protect data and control access to data. They include using authentication controls to verify that the person signing onto a computer is authorized to access that EPHI, or encrypting and decrypting data as it is being stored and/or transmitted. You can read more about technical safeguards in our blog post: “Understanding the HIPAA Security Rule: Part II – HIPAA Technical Safeguards”.
Administrative safeguards refer to the administrative functions that should be implemented to meet security standards. These include assignment or delegation of security responsibility to an individual and security training requirement. You can read more about administrative safeguards in our blog post: “Understanding the HIPAA Security Rule: Part III – HIPAA Administrative Safeguards”.
The HIPAA Privacy Rule was instituted in August 2002. It applies to covered entities and establishes national standards to protect individuals’ medical records and other personal health information. It is important to note that the Privacy Rule applies to all forms of patients’ protected health information, whether electronic, written, or oral. In contrast, the Security Rule only covers PHI that is in electronic form, that is, ePHI.
Permitted uses and disclosures under the HIPAA Privacy Rule:
To the individual: The covered entity may disclose the patient’s own health information to the patient.
Treatment, Payment and Healthcare Operations: Commonly known as TPO, this means that a covered entity may use and disclose protected health information for its own treatment, payment and healthcare operations activities. Under Treatment, this refers to sharing information to a referral or a consultation between providers regarding treatment provided to a patient. Under Payment, this refers to the information needed so that a health plan may obtain payment of premiums and provision of information to a health plan in order to obtain reimbursement for health care provided to an individual. Healthcare operations refer to case management, case coordination, quality control, audit reviews, and other activities such as administrative activities of the covered entity.
Mental health and privacy
When addressing mental health issues, HIPAA rules provide guidance on sharing patient information to ensure that the patient receives the best treatment and care possible. Disclosure of information is also acceptable when the health and safety of the patient and others are at risk. There are many specific cases where protected health information may be shared without consent. You can read about some such cases in our blog: “HIPAA Privacy Rules, Mental Health, and Addiction: When can PHI be shared without consent?”.
The Office of Civil Rights (OCR) under the Department of Health and Human Services (HHS) is responsible for enforcing the HIPAA Privacy and Security Rules. OCR performs such enforcement actions by conducting reviews, by performing outreach and education activities, and by investigating complaints filed. If the investigation reveals that the covered entity or business associate was not in compliance, OCR may determine the following courses of action:
Corrective Action Plans, and/or
Resolution Agreements and Civil Monetary penalties
In 15 years from 2003-2018, OCR has levied almost $80 million dollars of fines for HIPAA Privacy Rule violations.
For criminal violations, OCR works in conjunction with the Department of Justice (DoJ).
In 2013, HHS published the Final Omnibus Rule, where they announced changes to the HIPAA Privacy, Security and Enforcement Rules. Changes were made to the Breach Notification Rule as well, under the HITECH Act. A tiered structure was determined for levying civil monetary penalties.
Under the Omnibus Rule, business associates are independently responsible to the OCR for compliance with HIPAA Privacy, Security and Breach Notification rules. OCR may levy fines directly on business associates in the event of non-compliance.
The Privacy Rule was modified prohibiting health plans from using or disclosing genetic information for underwriting purposes, under the Genetic Information Nondiscrimination Act (GINA).
Business Associate Agreements and Notices of Privacy Practices were required to be updated to reflect the new requirements of the Omnibus Rule.
The Omnibus Rule also expanded patients rights to get access to their electronic medical data.
In addition to the Privacy Rule and Security Rule, providers are also subject to the HIPAA Breach Notification Rule. Covered entities should notify affected individuals, U.S. Department of Health & Human Services (HHS), and in some cases, the media of a breach of unsecured PHI. Please note the key word here - "unsecured". If the lost or stolen data is properly encrypted, the Office of Civil Rights (OCR), a department within Health and Human Services (HHS), does not consider such lost data as a breach.
In the event of a data breach of unsecured PHI, the covered entity must report the breach as soon as possible to the affected individuals. How do you report a breach of unsecured PHI?HHS must be notified no later than 60 days of the discovery of a breach. If the breach occurred at a business associate's premises or the data was breached by a business associate, then the business associate must notify the covered entity of such a breach. All this should also be clearly specified in the business associate agreement that the covered entity should have signed with the business associate. The business associate is jointly liable for the security and privacy of PHI with the covered entity and must take this responsibility seriously. There have been incidents where OCR has instituted enforcement actions against business associates.
It is a useful practice to have an incident response plan that covers all sorts of disasters and adverse incidents that might occur to a healthcare practice, including a data breach. A data breach could also occur due to a hacking incident like ransomware, not just a loss of equipment or storage drives. A breach could even occur accidentally. In all such cases, since the timelines for breach notification are stringent and tight, a detailed incident response plan could come in very handy to a healthcare office whether its an individual doctor's practice, or a medical service organization, or a group of hospitals or health plans. An incident response plan should highlight the detailed steps that the covered entity staff should take when an incident occurs, including who is responsible, timeline, if someone external such as an attorney should be contacted, phone numbers, addresses, and more.
Cybersecurity and HIPAA compliance go hand in hand as mitigating a healthcare office against Cybersecurity risks is a key part of HIPAA compliance. A security risk assessment or analysis is a baseline requirement from OCR and other enforcement organizations.
Many organizations are using standard proven Cybersecurity and IT frameworks as part of the process of getting compliant with HIPAA. The advantage of using a known framework is that partners, customers and agencies can now be satisfied that you have performed a comprehensive assessment of your risks in alignment with a tried and tested framework. Examples of such frameworks are:
NIST-CSF (National Institute of Standards and Technology Cyber Security Framework)
ISO/ IEC 27001 (International Organization for Standardization and the International Electrotechnical Commission - 27001 Standards)
MACRA (Medicare Access and CHIP Reauthorization Act) is the regulation that came out in 2017 changing how physicians will be paid. The Merit-based Incentive Payment System (MIPS) under MACRA moves away from the previous fee-for-service payment system to a performance-based payment adjustment. This means that instead of simply receiving a payment from Medicare and Medicaid for providing service, your payments will be linked to patient outcomes or the quality of care provided.
MACRA/MIPS and HIPAA are closely tied together. A key piece of this is the importance of performing an annual HIPAA Security Risk Analysis. By completing an annual HIPAA security risk analysis, you can receive larger reimbursements for your medicare billing under MACRA/MIPS. In order to adhere with MIPS requirements, an attestation for the security risk assessment and proof to show compliance is required. This security risk assessment must include all devices (Including Medical Devices), connecting interfaces, and other systems involved in creating, storing, transmitting, and receiving patient data. You must file an Evidence of Compliance report and keep it on file for 6 years in order to meet the MIPS compliance requirement. This report must include dates, user and computer information, and other source material to support your compliance activities
What are the consequences? If you do not conduct and properly document your Security Risk Assessment and remediation plan for risks identified, it'll cost you! Aside from not receiving a reimbursement at all, you may receive a bad score for MIPS reimbursement overall.
Discover whether or not you need to comply
Quickly identify your obligations
Ensure you meet the requirements
Avoid costly non-compliance penalties