TDMR presents the second in a series of articles on health care compliance penned by TDMR President Greg Ewing. Greg is a health care lawyer with over fifteen years of experience in transactional health law; health information technology; privacy and security compliance, assessment, and remediation. His law degree is from Boston University School of Law and he holds a Masters in Public Health from the Harvard School of Public Health. He completed his coursework and qualifying examinations toward a Ph.D. in health policy at Brandeis University’s Heller School for Social Policy and Management.
I guess that it is safe to say that covered entities and business associates alike have experienced three phases of HIPAA enforcement.
The Early Days
Originally, during the early days of HIPAA, there was little or no enforcement. In fact, a covered entity had to do something so outrageously egregious that the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), the agency responsible for enforcing civil rights and health privacy law, was forced to act.
The next phase began around the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009. At that time, the targets were usually large institutions like hospital systems, national pharmacy chains and health plans.
During the two previous periods, small business health providers, such as dentists, had very little to worry about in terms of being subjected to an audit. Maybe the OCR followed the pattern of many federal prosecutors and thought that busting a couple of solo practitioners or medical groups with a single-digit or low double-digit number of physicians just didn’t get the same press as bringing down a national chain or large health care provider. In fact, before the HITECH Act, HIPAA did not require health care providers to notify anyone in the event of a breach.
The Latest Phase
Now, enter the third phase, where anything goes, at least when it comes to the small business health care providers.
In December 2013, Adult & Pediatric Dermatology, P.C., of Concord, Mass. (APDerm), a 12-physician organization, agreed to pay $150,000 to HHS for potential HIPAA Privacy, Security, and Breach Notification Rules violations. Specifically, APDerm reported a stolen unencrypted thumb drive containing 2,200 patient records. The records contained information about procedures and photos of patient cancers and procedures. However, the records did not include any financial data or social security numbers.
In addition to the payment, HHS required APDerm to implement a corrective action plan to correct its HIPAA deficiencies, which included developing a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities. This case marked the first time that HHS settled with a covered entity for not having HIPAA policies and procedures in place to address the HITECH Act. Specifically, the practice lacked:
- A written and regularly updated risk analysis;
- A formal risk and security plan;
- An adequate breach response plan; and
- HIPAA training for its employees.
In April 2012, Phoenix Cardiac Surgery, P.C., of Arizona (“Practice”) agreed to pay $100,000 to settle its case with HHS and take corrective action to implement policies and procedures to safeguard the protected health information of its patients.
The case began with a report that the physician practice had a publicly accessible Internet-based calendar which it used to post clinical and surgical appointments. However, after further investigation, OCR found that the practice had implemented few HIPAA policies and procedures and limited safeguards to protect patients’ electronic protected health information (ePHI).
In this case, OCR’s investigation revealed the practice had failed to:
- Implement adequate policies and procedures to appropriately safeguard patient information;
- Document that it trained any employees on its HIPAA policies and procedures;
- Identify a security official and conduct a risk analysis; and
- Obtain business associate agreements in instances where services included ePHI storage and access.
Other Agencies Join In
Other agencies also feel the need to protect patient confidentiality, particularly in light of the increasing identity theft crimes which are the result of inadequate security controls.
In 2013, the Federal Trade Commission (FTC) filed a complaint against LabMD, Inc., an Atlanta-based company that conducts laboratory tests on physicians’ patient samples. FTC alleged that LabMD, in two separate incidents, collectively exposed the personal information of approximately 10,000 consumers. Specifically, the billing information for over 9,000 consumers was found on a peer-to-peer (P2P) file-sharing network, with the personal information of at least 500 consumers ending up with identity thieves.
LabMD, with annual revenues of about $4.4 million, countered that the FTC had no authority to address private companies’ data security practices. The court rejected LabMD’s claim and stated that the FTC had the authority to enforce instances where companies failed to employ reasonable and appropriate measures to prevent unauthorized access to personal information under Section 5 of the FTC Act, 15 U.S.C. § 45. Additionally, the court found that the FTC’s enforcement power did not overlap with OCR’s enforcement power under HIPAA.
In January 2014, LabMD’s CEO announced that the company would wind down its business, citing the toll that the legal battle against the FTC took on the company.
Healthcare attorney Kirk Nahra, a partner at Wiley Rein LLP stated that “the FTC is saying that everyone regulated by HIPAA has to worry about us too.”
New OCR Survey for Audit Program
On February 24, 2014, HHS OCR announced that it will survey up to 1,200 covered entities and business associates to determine suitability for its HIPAA Audit Program. The last time OCR reviewed covered entities under its HIPAA Audit Program, it reviewed the privacy and security controls of a dental practice.
At the conference where this was announced, OCR deputy director Susan McAndrews stated that determining whether organizations conduct timely and thorough HIPAA security risk assessments will likely be an area of focus. She further said that risk assessments were a common weak spot found in the pilot audit program and risk assessment deficiencies were also found in previous breach investigations. I think we are about to see the fourth phase of HIPAA enforcement.
What the OCR hopes to glean through its survey, or how these surveys will assist it in selecting the next round of audits, is anyone’s guess. What we do know is that small business health care providers are now fair game.
Ensure Your HIPAA Compliance Meets Standards
Also, it appears that the OCR may have realized what many compliance experts have always known: that a large proportion of small business health care providers lack the resources, expertise or even the motivation to ensure adequate controls are in place to protect patient data.
In any event, it’s time for small business health care providers to ratchet up their HIPAA compliance activities, which include:
- conducting annual risk assessments,
- having ongoing awareness education besides the mandatory yearly training, and
- designating someone knowledgeable and interested in HIPAA as the practice’s HIPAA Privacy and Security Officer.
HIPAA does not require the designated person to be an employee. This allows health care businesses to hire someone externally to provide qualified HIPAA training services. Sometimes these consultants can be obtained at very reasonable monthly rates.
One thing we know for sure is that small business health care providers are now on OCR’s radar and appear to be easy targets. They need to take action and ensure they are in compliance or risk serious consequences.