Recent reports, statements and actions from the government emphasize the need for all covered entities and business associates (“HIPAA Entities”) to take a look in the mirror, assess the status of their HIPAA policies and procedures and either implement or modify as necessary. The government is done offering guidance and letting entities off the hook without any financial harm. Now, based upon settlements and other indications, the gloves are off and any and all HIPAA Entities are fair game for the imposition of penalties.
The government, in particular the Office for Civil Rights (“OCR”) in the Department of Health and Human Services, has apparently used the past few years to offer lessons to the industry and emphasize the areas of HIPAA where better compliance is required. One method was the initial round, or pilot phase, of HIPAA audits. Slightly over one hundred covered entities were audited, with very few of those passing the audit. OCR, through an outside contractor, released partial results to demonstrate that no pattern of non-compliance existed. Instead, violations or failures fell across the full spectrum.
The second tool used by OCR has been the somewhat gradual and arguably judicious imposition of monetary penalties to date. In each settlement, it appears that OCR chose a particular HIPAA compliance issue, whether it be encrypting a mobile device or implementing breach notification policies, and found a HIPAA Entity that failed to meet the desired standard.
The other big development was the promulgation of the HIPAA Omnibus Rule. The Omnibus Rule put into place modifications to the HIPAA regulations called for by the HITECH Act. Once the Omnibus Rule came out and created the “final” standards, at least for the time being, HIPAA Entities could fully implement all necessary and required policies and procedures. A HIPAA Entity, ostensibly, could no longer claim that it was waiting for the government’s final rule, since it had arrived. OCR also provided some limited guidance on significant aspects of the Omnibus Rule.
With that background, three recent occurrences demonstrate that OCR is serious about enforcing HIPAA and making sure that HIPAA Entities are fulfilling all of their obligations. On June 10th, OCR posted its 2011 and 2012 reports to Congress about the breach notification program and compliance with the privacy and security rules. Each report was mandated by the HITECH Act, but both seem to play a role in OCR’s overarching scheme of educating entities. The reports provide a glimpse into the issues that OCR sees with HIPAA compliance. There is a description of the types of breaches that occurred and the number of individuals affected. As the reports demonstrate, millions of people were impacted, which highlights the need to have a robust compliance plan and program in place.
The reports are not the only indication of compliance problems. One need only review all of the breaches and associated settlements that OCR has announced and posted on its website. As with the audit findings and other reports, violations are fairly widespread. However, it is possible to find at least one common theme, which is a lack of security and encryption on mobile devices. In the settlements, HIPAA Entities have been hit with a wide range of penalties.
However, at a recent American Bar Association Health Law Section conference, a chief regional civil rights attorney from OCR warned that enforcement can be expected to increase dramatically. Not only will enforcement be going up, but the fines will also rise. Tolerance of violations, while never very high, is clearly shrinking even further.
Following the attorney’s statement, OCR announced its latest settlement on June 23rd. Parkview Health System, Inc. was fined $800,000 for dumping medical records on a physician’s driveway. In September 2008, Parkview took custody of medical records from a retiring physician in order to assist in transitioning those patients to new providers. In June 2009, for unstated reasons, Parkview employees left 71 cardboard boxes full of medical records on the retiring physician’s driveway. The employees knew that the physician had refused delivery and knew that the physician was not home when the drop-off occurred. The physician, upon discovering the boxes on her driveway, reported the violation to OCR. While Parkview’s violation occurred back in 2009, the security requirements of HIPAA were not new even then. It should have been common and accepted knowledge that protected health information in such a situation was subject to HIPAA. As such, there was a clear obligation to protect the information, and Parkview did not meet that obligation.
In light of all of these events, what should HIPAA Entities do? The first step is to assess what policies and procedures, which should hopefully be many, are in place. Then, a HIPAA Entity should look at the HIPAA regulations to see what is needed and get moving. While that statement is somewhat glib, compliance with HIPAA can be driven to a large degree right from the regulations. The regulations indicate what policies and procedures are needed, so there is a roadmap that entities can follow. Security may be one of the harder aspects to figure out, but HIPAA Entities can always seek assistance.
Getting help when it is necessary is key. HIPAA Entities should not feel as though it is necessary to do everything alone. Advisors, peers, consultants and many others can lend their expertise and get a HIPAA Entity’s compliance program into shape.
As should be very clear at this point, HIPAA Entities must act now. OCR will begin a new audit program in the fall, very likely with the intention of recovering enough money to keep the audit program running. There will be no free passes, and the time of limited tolerance is certainly at an end. HIPAA Entities should not be surprised, though, given all of the material that OCR has produced in recent years. Now it is up to each person to take a look in the mirror and do what is necessary.