This article looks at the year ahead for HIPAA enforcement:
- Anchorage – First official case of HIPAA “neglect”
- Stats & expectations for 2015
- Phase 2 auditing
- Compliance tips
Anchorage – First official case of HIPAA “neglect”
Alaska’s Anchorage Community Mental Health Services has received a dubious distinction from the federal government, per Tim Mullaney of McKnight’s Long-Term Care News. In early December, the five-facility healthcare provider reached a settlement with the HHS OCR (the agency that polices the healthcare law).
Tim writes that the ACMHS will pay the federal government $150,000 as a penalty for neglect of the Privacy and Security Rules contained within HIPAA Title II. This announcement is noteworthy mainly because it is the first time the OCR has punished a healthcare “covered entity” for lack of action regarding fundamental data safeguards, including:
- disregard for software patching
- failure to update applications consistently.
According to OCR Director Jocelyn Samuels, remaining compliant means taking a practical, ongoing and vigilant approach to ePHI vulnerability assessment. Samuels stated, “This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”
The breach, dwarfed in mainstream media (for obvious reasons) by the Sony #GOP hack, was enabled by a malware infection. Almost 3000 patients’ records were compromised, per OCR analysis. The Anchorage behavioral health firm is working with the OCR to reach compliance and is taking steps to prevent the possibility of recurrence.
The settlement between ACMHS and the United States does not explicitly make the provider liable for any patient loss resulting from the breach.
Stats & expectations for 2015
We have mentioned several times on this blog that HIPAA enforcement is on the rise, per comments made at a Chicago conference of the American Bar Association. At the event, a senior attorney with the HHS, Chief Regional Civil Rights Counsel Jerome B. Meites, said that enforcement would be significantly amplified throughout the ensuing year (meaning that the period between June 2013 and June 2014 would produce greater fines than the $10 million in settlements logged between June 2012 and June 2013).
We should reasonably expect severe enforcement activities in 2015, then. Let’s look at the bigger picture of healthcare breaches over the last half-decade.
According to Lynsey Mitchel of the National Law Review, getting a sense of the last five years is helpful because September 2009 was the month it became legally required to notify the government of breaches. Here are the statistics she compiled:
- 1170 data breaches, September 2009 – early December 2014
- 31 million health record exposures, September 2009 – early December 2014
- 4463 HIPAA complaints filed in 2013 (full-year total).
The 2013 complaint total is the highest yet, and the OCR has not yet posted 2014 figures. Looking at the situation from a statistical perspective, Mitchel comes to the same conclusion expressed directly by the OCR attorney above: “It doesn’t take a crystal ball to predict that these numbers in 2015 will continue to rise.”
The federal budget for 2015 does not boost the budget of the Office for Civil Rights. Still, the OCR seems unfazed, advancing confidently with its efforts to enforce the various consumer protections of Title II (which apply to business associates such as Atlantic.Net as of September 2013).
One state is feeling the pressure especially keenly. Alaska is well aware of the OCR’s redoubled efforts: the $150,000 settlement discussed above joins a $1.7 million monster agreement with the Alaska Department of Health and Human Services (which, like the fourth-biggest breach of 2013, at the Indiana Family & Social Services Administration, shows that the OCR is targeting both the public and private sectors).
Phase 2 auditing
One specific project the OCR is moving forward with is Phase 2 of auditing, according to Joseph J. Lazzarotti, also of the National Law Review. These audits of healthcare businesses, which will be underway soon if they aren’t already, are centered on three elements of healthcare law:
- vulnerability assessment and risk administration
- breach notification (contacting the OCR and patients)
- privacy notices.
These audits should extend beyond covered entities to include some business associates, the latter of which have been directly responsible for compliance since the Final Omnibus Rule went into effect last year.
Repeatedly, companies have been found non-compliant for failing to encrypt laptops and mobile devices. So first and foremost, note that if you encrypt the data accessible on laptops, you remain compliant even if a laptop is stolen.
Beyond encryption, Lynsey provides a couple of quick suggestions to stay legal:
- Review and update your organizational policies and procedures.
- Perform vulnerability assessments frequently.
You can also ease your burden by partnering with a HIPAA-compliant hosting associate, one that Complete Healthcare Solutions praises for “secure infrastructure and expertise in Healthcare IT.” Get a quote and a free consultation today, and consider any of our other VPS hosting options.
By Kent Roberts