By Adrienne Dresevic, Esq., and Leslie A. Rojas, Esq., of The Health Law Partners, P.C.
Last month, the healthcare community received several indications that increased HIPAA enforcement may be on the horizon. These indications, discussed below, reveal that enforcement may focus on smaller providers. However, large providers are always lucrative targets for the government – both financially (through large settlements) and to send a message to other providers. In preparation, providers of all sizes, including radiology practices and facilities, should review their HIPAA policies for compliance areas that need improvement.
Upcoming HIPAA Audits
At a HIPAA security conference held in Washington, DC, on September 2, 2015, a representative for the Office for Civil Rights (OCR) revealed that new HIPAA compliance audits are approaching, but she did not specify a date. The representative stated that the OCR hired an outside contractor to assist with the audit program. This is a new development for the OCR’s audit program and will bolster its limited resources. Additionally, the representative indicated that the audits would consist mostly of off-site “desk” audits, with only a small number of onsite audits.
While the representative did not indicate what type of entities the OCR would target, smaller healthcare providers may be the bullseye for the next round of audits. During the first round, the OCR found that smaller providers were generally less compliant than larger providers when it came to HIPAA privacy and security requirements. While the audits most certainly will include large healthcare providers as well, recent enforcement activity and a recent OIG report lend support to the notion that the OCR may increase its scrutiny of smaller providers.
Recent HIPAA Enforcement
On September 2, 2015, the OCR announced a $750,000 HIPAA settlement (press release available here) with a radiation oncology practice in Indiana, composed of 13 physicians, for potential HIPAA violations. The settlement stems from the theft of an employee’s laptop and backup media containing electronic protected health information (PHI) from the employee’s car. The backup media was unencrypted and contained the names, addresses, birthdates, social security numbers, insurance information, and clinical information of approximately 55,000 patients.
During its investigation, the OCR found that two areas of non-compliance greatly contributed to the breach: (i) the practice did not conduct a HIPAA security risk analysis, which would have identified the frequency with which its employees remove portable media from the facility; and (ii) the practice failed to document and implement a portable hardware and media policy for items containing unencrypted PHI.
The settlement includes the $750,000 fine, as well as a corrective action plan to correct weaknesses in the practice’s HIPAA policies and procedures. The corrective action plan, available here, requires the practice to: (i) conduct a HIPAA risk analysis; (ii) develop and implement a risk management plan; and (iii) review and revise its HIPAA Security Rule policies, employee training, and risk analysis at least once a year. This corrective action plan is a good resource to help covered entities identify ways to improve their HIPAA compliance.
Recent OIG Report
On September 29, 2015, the OIG issued a report, available here, identifying shortcomings in the OCR’s follow-up of reported HIPAA breaches of unsecured PHI. In its report, the OIG attacks the OCR’s documentation of small breaches (fewer than 500 individuals affected), which prevents the OCR from identifying covered entities with a history of noncompliance. The OIG also points out that the OCR’s records often did not include the corrective actions the covered entity is required to take. Therefore, the OCR is unable to confirm whether the corrective actions actually took place. Additionally, the OIG recommended that the OCR expand its outreach and education efforts to Part B providers, in particular, which are often smaller entities.
Providers of all sizes should start with the following to improve their HIPAA compliance today:
- Make sure your HIPAA policies are documented and followed by all employees
- Conduct and document employee training on at least an annual basis
- Conduct and document a HIPAA risk analysis to identify areas requiring improvement (and repeat at least annually)
- Revise your HIPAA policies to correct the weaknesses identified in your HIPAA risk analysis
- Review and revise, as appropriate, your Business Associate Contracts (which should be updated with the 2011 HIPAA Omnibus Rule changes)
- Ensure that electronic PHI held on DICOM and PACS servers (which often store and transfer medical images) is protected from outside intrusion
- Ensure that your Notice of Privacy Practices is on your website
- Develop a policy to promptly investigate potential breaches of PHI under the guidance of healthcare legal counsel
Adrienne Dresevic, Esq., is a Founding Shareholder of The Health Law Partners, P.C., a nationally recognized healthcare law firm with offices in Michigan and New York. Practicing in all areas of healthcare law, she devotes a substantial portion of her practice to providing clients with counsel and analysis regarding compliance, Stark Law, Anti-Kickback Statute, and compliance-related issues. Ms. Dresevic serves on the American Bar Association Health Law Section’s Council, which serves as the voice of the national health law bar within the ABA. Ms. Dresevic also serves as the ABA Health Law Section’s Co-Chair of the Physicians Legal Issues Conference Committee, Vice Chair of the Programs Committee (Executive Leadership), and Vice Chair of the Sponsorship Committee. She is licensed to practice law in Michigan and New York, and can be contacted at email@example.com.
Leslie A. Rojas, Esq., is an associate with The Health Law Partners, P.C., a nationally recognized healthcare law firm with offices in Michigan and New York. Ms. Rojas’ healthcare practice focuses on compliance with federal and state healthcare regulations; fraud and abuse issues, including the Stark Law and the Anti-Kickback Statute; HIPAA and health information privacy issues; and transactional and corporate aspects of healthcare. Ms. Rojas is licensed to practice law in Michigan and Illinois, and can be contacted at firstname.lastname@example.org.
The authors are members of The Health Law Partners, P.C. and may be reached at (248) 996-8510 or (212) 734-0128, or at www.thehlp.com.
For more regulatory news, visit www.ahraonline.org/news.