By Adrienne Dresevic, Esq, and Aaron J. Beresh, Esq, of The Health Law Partners, PC
The US Department of Health & Human Services (HHS) Office for Civil Rights (OCR) is currently auditing radiology providers and suppliers and other covered entities (eg, radiology practices, providers and suppliers, etc) and their business associates (eg, PACS, billing companies, IT companies, management companies, accountants, attorneys, etc) pursuant to its Phase 2 HIPAA Audit Program. During the Phase 1 Audit Program, the OCR focused its audits on covered entities only but is now broadening its audits to include business associates of covered entities to determine risks and weaknesses. As these Phase 2 audits are currently underway, radiology providers and suppliers should be proactive about reviewing their current HIPAA program to improve their compliance and prepare for potential receipt of an audit inquiry.
Increased Enforcement Actions
The OCR’s implementation of the Phase 2 Audit Program follows several significant HIPAA Resolution Agreements and is another sign that the OCR is taking HIPAA seriously. Examples of recent cases include:
- In December 2015, the University of Washington Medicine agreed to a $750,000 settlement to resolve allegations that it violated the HIPAA Security Rule by failing to implement policies and procedures to prevent, detect, contain, and correct security violations.
- In March 2016, North Memorial Health Care of Minnesota agreed to pay $1,550,000 to resolve allegations that it potentially violated the HIPAA Privacy and Security Rules by failing to: 1) institute an organization-wide risk analysis to address the risks and vulnerabilities of PHI; and 2) enter into a Business Associate Agreement with a significant contractor.
- In March 2016, the Feinstein Institute for Medical Research agreed to pay the OCR $3,900,000 to settle potential HIPAA violations related to a laptop containing approximately 13,000 patients’ electronic PHI (which included names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, and medications).
- In April 2016, the OCR entered into a settlement with New York Presbyterian Hospital as a result of the hospital’s disclosure of two patients’ PHI to film crews and staff during the filming of “NY Med” (an ABC television series) without first obtaining authorization from the patients.
These examples are illustrative of the significant penalties radiology providers and suppliers could incur for failure to properly address HIPAA privacy and security issues.
Phase 2 Audit Program
The Phase 2 Audit Program is primarily a “compliance improvement activity” designed to obtain information as to how the OCR can improve upon corrective action plans and develop various types of technical assistance. Although the Phase 2 Audit Program is not necessarily intended to levy significant penalties, radiology providers and suppliers and/or business associates that are subjected to an audit and are determined to have deficient HIPAA compliance could be subject to further investigation. Thus, it is important that radiology providers and suppliers analyze and improve their HIPAA compliance not only from a best business practices perspective but also to prepare for receipt of a potential audit notification.
Information related to the Phase 2 Audit Program can be found here.
Action Items
Given that cyber threats are becoming more prevalent, radiology providers and suppliers are advised to take a proactive approach to HIPAA compliance, as providers and suppliers that store, transmit, and access PHI on electronic systems are vulnerable to breaches. Practical tips for radiology providers and suppliers include:
- Conduct an overall review and evaluation of current HIPAA policies and procedures;
- Conduct and document a HIPAA risk analysis to identify areas requiring improvement (and repeat at least annually);
- Revise HIPAA policies to correct any items identified in the HIPAA risk analysis;
- Conduct and document employee training (and repeat at least annually); and
- Develop policies and procedures to promptly investigate potential breaches of PHI.
Given the Phase 2 Audit Program and the OCR’s recent enforcement actions, now is the time for radiology providers and suppliers to refocus efforts on HIPAA compliance.
Adrienne Dresevic, Esq, is a founding shareholder of The Health Law Partners, PC, a nationally recognized healthcare law firm with offices in Michigan and New York. Practicing in all areas of healthcare law, she devotes a substantial portion of her practice to providing clients with counsel and analysis regarding compliance, Stark Law, Anti-Kickback Statute, and compliance-related issues. Ms. Dresevic serves on the American Bar Association Health Law Section’s Council, which serves as the voice of the national health law bar within the ABA. Ms. Dresevic also serves as the ABA Health Law Section’s Co-Chair of the Physicians Legal Issues Conference Committee, Vice Chair of the Programs Committee (Executive Leadership), and Vice Chair of the Sponsorship Committee. She is licensed to practice law in Michigan and New York, and can be contacted at adresevic@thehlp.com.
Aaron J. Beresh, Esq, is an attorney with The Health Law Partners, PC, a nationally recognized healthcare law firm with offices in Michigan and New York. Mr. Beresh’s healthcare practice focuses on physician/practice/supplier/hospital transactions and HIPAA and health information privacy issues. Mr. Beresh is licensed to practice law in Michigan, and can be contacted at aberesh@thehlp.com.
The authors are members of The Health Law Partners, PC and may be reached at (248) 996-8510 or (212) 734-0128, or at www.thehlp.com.