Well, HIPAA enforcement is getting off to an active start in 2017. 2016 was a record year, with 13 HIPAA enforcement fines amounting to $23.5 million. Just 19 days into the new year, OCR has published 2 HIPAA enforcement fines amounting to $2.7 million. It is safe to assume that we are going to see another active year of HIPAA fines and enforcement!
2017 HIPAA Enforcement Fine #1 – Lack of Timely HIPAA Breach Notification – $475,000
Presence Health found out about missing operating room paper schedules containing 836 patients' protected health information on October 22, 2013. Notification was made to the Department of Health and Human Services on January 31, 2014 – approximately 101 days later. This was definitely a red flag, and the Office for Civil Rights (OCR) went in to investigate the concerns. During the investigation, it was found that Presence Health had failed to provide timely notification to those affected by data breaches on multiple occasions. In addition, Presence Health did not provide timely notification to the media and to the Secretary of OCR.
The one area I thought was interesting in the corrective action plan was the statement that “Each day on which Presence Health failed to notify each affected Individual of the breach indicates a separate violation of the Breach Notification Rule.” (https://www.hhs.gov/sites/default/files/presence-ra-cap.pdf, Page 2, A). Every day late counted as a separate violation of the HIPAA Breach Notification Law!
Lesson Learned: Create a solid Breach Investigation and Notification Process – don’t be late on notification to any party and don’t delay notification once a decision is made! If you know it is a data breach at day 34 – complete the proper notifications shortly thereafter! Don’t wait until day 60!
2017 HIPAA Enforcement Fine #2 – Failure to Conduct a HIPAA Risk Analysis and Implement Safeguards – $2,200,000
MAPFRE Life Insurance Company of Puerto Rico had a USB data storage device stolen from its IT department. The USB storage device held patient information including name, date of birth, and Social Security number for about 2,209 individuals! OCR is making a statement that the failure to conduct a risk analysis, understand the risks to the organization and PHI, and implement safeguards contributed to the theft of an unencrypted USB storage device with patient information. MAPFRE Life was found out of compliance in the following areas:
- Impermissible disclosures of PHI
- Failure to conduct a thorough risk analysis and implement security measures
- Failure to provide security awareness and training to members of the workforce
- Failure to implement encryption technologies for protected health information
- Failure to implement appropriate policies and procedures to comply with the HIPAA Security Rule
Within the press release, OCR Director Jocelyn Samuels stated “Covered entities must not only make assessments to safeguard ePHI, they must act on those assessments as well. OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences.” (https://www.hhs.gov/about/news/2017/01/18/hipaa-settlement-demonstrates-importance-implementing-safeguards-ephi.html)
Lesson Learned: Don’t ignore the need to be HIPAA compliant! Any device or media that has protected health information needs to be properly protected – HIPAA is not system or hardware specific – it applies to all!
Struggling with HIPAA Compliance?
First off, you are NOT alone. Many organizations don’t understand what is needed for HIPAA compliance or even where to begin. One of the first areas an organization can start with is to conduct a HIPAA Risk Analysis. This will help an organization understand risks to the organization, understand current controls (technology and administrative) aimed at reducing risks, and create a plan to help increase privacy and security protections for protected health information. If you haven’t conducted a HIPAA risk analysis in the past 12-24 months, it is definitely time to conduct one!
Second, make sure that you have a solid set of HIPAA Policies and Procedures that document how YOUR ORGANIZATION is compliant with HIPAA. Your organization is emphasized as you want to ensure that your policies and procedures reflect your practices and overall statement of what is needed for compliance. Templated policies and procedures serve their purposes, but customization of those templates is a necessity.
Third, make sure that you have a solid training program for your workforce members and that they understand their responsibilities when it comes to protecting patient information. Additionally, reminders should be sent out throughout the year – hearing it multiple ways and at multiple times can help workforce members remember and keep protection of the privacy and security of PHI on their minds!
Fourth, don’t panic. If you don’t have a great program or know you are out of compliance – change it. You can take the time to show that you were aware of your lack of compliance and show that you are taking steps towards compliance!
Nobody can go back and start a new beginning, but anyone can start today and make a new ending – Maria Robinson
Cheers to a great year! It will be interesting to watch where HIPAA Enforcement and HIPAA Breaches go in 2017!