Understanding HIPAA Privacy and Security Rules and the Ramifications of Non-Compliance

The healthcare industry is being forced to navigate something of a “perfect storm” brewing in and around patient privacy and the drive to dramatically increase efficiency in the U.S. healthcare delivery system through digitization.

New Health Insurance Portability and Accountability Act (HIPAA) rules kicked in earlier this year that affected privacy and security rules. Changes to the HIPAA privacy and security rules were dictated by requirements in the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Genetic Information Nondiscrimination Act.

Privacy and the Internet Age

Moving protected health information (PHI) from traditional files to electronic formats (ePHI) has the effect of increasing possible noncompliance exposure. In fact, not too many years ago, consultants were weighing the costs of IT systems and software against the cost of the penalty for noncompliance, which was then set at $25,000 maximum per incident.

Discussing various industries and their exposure to penalties due to mishandling materials governed by federal privacy laws, Mike Fratto, writing for Network Computing in 2005, said:

“Pick your industry, and chances are a law like HIPAA (Health Insurance Portability and Accountability Act), Sarbanes-Oxley, GLBA (Gramm-Leach-Bliley Act) or FISMA (Federal Information Security Management Act) applies. Failure to comply can mean big fines. But don’t beat that drum too hard. The fines levied for noncompliance may be a pittance compared with the cost of purchasing and deploying products. The fine for unknowingly violating a HIPAA regulation, for example, is capped at $25,000 per incident.”

Today’s headlines, however, tell an entirely different story. Now companies in the healthcare industry are finding themselves suffering through breaches in data privacy that had previously been restricted to Internet-based retailers or financial institutions with a major online presence.

Fines increase

Recently the U.S. Department of Health and Human Services (HHS) announced a $1.7 million settlement with WellPoint for “potential violations of the Health Insurance Portability and Accountability Act of 1996 Privacy and Security Rules.” Following the requirements of HITECH, WellPoint reported a breach of unsecured ePHI. An online application database had left the ePHI of more than 600,000 individuals accessible over the Internet.

Explaining the problem WellPoint experienced, HHS pointedly remarked that when implementing or upgrading electronic databases, companies are not only responsible for the work they do directly, but also for their contractors and subcontractors; in other words, the IT firm or consultants installing software, providing backup services, or performing upgrades.

According to HHS, they expect “organizations to have in place reasonable and appropriate technical, administrative, and physical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information – especially information that is accessible over the Internet.”

Up until 2011, HHS had taken a “relatively soft approach to enforcing HIPAA’s security requirements,” Tatiana Knelling and Brian Balow relate in the May-June 2011 issue of the Journal of Health Care Compliance. Before 2011 the Office for Civil Rights (OCR), which is charged with enforcing HIPAA privacy violations, was more concerned about violators taking corrective action than imposing monetary penalties. That changed with a $4.3 million civil penalty imposed on Cignet Health of Prince George’s County in February 2011. That case marks a watershed point when HHS started taking its HITECH responsibilities very seriously, which include the imposition of mandatory fines that are significantly higher than HIPAA’s original schedule of fines.

Responsibility grows

HITECH added another enforcement twist regarding HIPAA’s privacy and security provisions. No longer did OCR have the sole responsibility of enforcement. Congress gave each state’s attorney general the power to bring action in cases of suspected noncompliance. To add to the possible exposure experienced by healthcare companies and others who work with PHI and ePHI, OCR seemingly expanded its definition of “willful neglect” in the handling of these data. Now the phrase “not only presumes actual or constructive knowledge on the part of the covered entity that a violation is virtually certain to occur but also encompasses a conscious intent or degree of recklessness with regard to its compliance obligations.”

As examples, OCR cited tossing hard drives containing ePHI into an unsecured dumpster and a company that failed to have any procedures or policies in place to deal with an individual’s request regarding the handling of his or her own PHI.

Compliance plans and strategies

As these examples make abundantly clear, HIPAA privacy and security rules are attached at the hip and companies are wise to treat them in conjunction with one another. And when attempting to demonstrate compliance to HHS, it’s critical to have a comprehensive and cohesive program, and one that is thoroughly documented. The following guidelines should prepare an organization to effectively deal with HIPAA and HITECH privacy and security compliance issues:

  • Do an organizational risk assessment.
  • Identify and document all PHI and ePHI within the organization.
  • Develop procedures to control ePHI with external sources: vendors, contractors, etc.
  • Review the adequacy of contractual relationships with vendors and contractors with regard to control of ePHI and liability.
  • Establish procedures and policies that cover the internal safeguarding, proper use, and disclosure of both PHI and ePHI.
  • Institute consistent training programs throughout the organization.
  • Document all HIPAA privacy and security compliance activities.
  • Institutionalize methods to distribute new regulations and requirements.
  • Establish methods, such as a hotline, to receive security and privacy complaints along with a best practices system of investigation and follow-up.
  • Regularly review compliance programs; enhance and update as required.
  • Have documented corrective action plans to deal with any noncompliance issues.
