May 20, 2014
Health Law Alert: HIPAA Enforcement on the Rise, As OCR Audit Program Moves Forward
A recent settlement from New York—involving the largest fine levied to date in the history of HIPAA enforcement, a staggering $4.8 million imposed on two public hospitals—should remind health care providers, health plans and the many business associates that work with these covered entities that the Office for Civil Rights (“OCR”) is continuing to aggressively police HIPAA violations. At the same time, OCR is moving forward with its HIPAA audit program, mandated by the 2009 HITECH law, and will be proactively reviewing compliance by both covered entities and business associates.
Lessons from New York
The New York matter arose when two hospitals (separate covered entities that share a data network that is linked to their respective systems) reported a breach to OCR involving the electronic protected health information (“PHI”) of 6,800 patients. Apparently, the breach arose when a physician at one of the hospitals tried to deactivate his own personal computer. This computer was linked to the shared electronic health records system used by the two hospitals. According to OCR, deficiencies in the steps taken by the hospitals to address their HIPAA Security Rule compliance—specifically concerning the technical safeguards used by the hospitals—resulted in the PHI being available on the Internet. Because of this lapse, a simple search through Google or another online search engine would lead the searcher to uncover PHI. The PHI appears to have been fairly detailed and included things like lists of the medications taken by patients; clinical lab results; and information related to patient vital signs and status at the hospital.
In the fall of 2010, the hospitals received a complaint from the partner of a deceased patient whose PHI was found on the web. After learning of this problem, the hospitals reported a breach to OCR in accordance with HIPAA’s breach notification regulations. The hospitals also notified the affected individuals as well as media outlets.
OCR looked into the matter and uncovered a number of issues at the hospitals. Among the conduct OCR determined to have occurred:
In addition to the $4.8 million fine, the covered entities were required to enter into a detailed corrective action plan that included undertaking a new risk analysis, developing a new risk management plan, revising policies and procedures (on a number of specific topics, such as mobile devices and information access management), training staff and providing ongoing progress reports to OCR.
HIPAA Audits: Ready or Not, Here they Come.
One of the major changes to HIPAA that resulted from HITECH was the creation of a new “HIPAA audit” program at OCR. Readers may remember that “pilot” audits—conducted by KPMG under contract with HHS—already took place in 2012. Those audits involved reviews of HIPAA compliance at 115 covered entities.
The new program is intended to be permanent. The audits will focus on specific areas of HIPAA compliance and will be conducted by OCR personnel (as opposed to KPMG, as in the pilot program). OCR is currently in the process of determining which covered entities and business associates it will audit. 1200 organizations (800 covered entities and 400 business associates) have received, or soon will receive, “pre-audit surveys” from OCR. These surveys are intended to gather information about recipients so that OCR can assess the size, complexity and fitness of the recipient for an audit. It appears that the business associates who are candidates for auditing will be chosen based on the lists of vendors that the surveyed covered entities produce to OCR. Of the total number of organizations surveyed, it appears that about 350 covered entities and 50 business associates will go through the full audit.
The audits themselves will be divided into “desk” audits (where OCR personnel review materials provided by the covered entity or business associate) and “on-site” audits. After being notified that they are the subject of an audit, it appears that organizations will have about two weeks to produce the requested materials to OCR. Audit results can of course lead to enforcement actions against the covered entity or business associate, if OCR determines that to be an appropriate step.
So what can organizations do to address their own potential exposure under HIPAA? Here are a few simple steps that covered entities and business associates alike should consider:
Need More Information?