ePHI

July 19, 2017

A HIPAA Breach

A HIPAA breach can cripple your medical practice

Over the last few months we have discussed HIPAA in very general terms. I have tried to impart some of the basics of its security and privacy obligations to each of you, while ignoring the rest of the Act.

Certainly, it is a massive undertaking to fully grasp all of HIPAA's ins and outs, and I will never try to bore you with all 5 Titles of HIPAA. So if you need to know about Insurance Portability, Tax Matters, Group Plans, or Revenue Offsets, please feel free to read the other four Titles.

Now that we have discussed what information is subject to HIPAA and who is responsible for keeping and controlling electronic protected health information (ePHI), it's a good time to learn what I like to call the "so what?" of HIPAA. As I travel, meet, speak with, and interact with doctors, I am often presented with the "so what?" response.

Many doctors have told me: "Steve, I understand that HIPAA exists, but we have always done it this way. I think we are compliant. Or we don't know how to fully comply." And almost all those conversations end with "so what if we are not compliant, no one will even look at my little office to audit us."

So, I realized that I needed to do a little more in this blog. Let's discuss what a breach is, what you have to do if you are in breach, and finally the "so what?", namely: what are the fines?

Let’s first learn what a “breach” is and is not.  A breach can be defined as the acquisition, access, use, or disclosure of protected health information in a manner not permitted, which compromises the security or privacy of the protected health information.

This means that if protected health information is in the possession of the wrong person and they can read it, a breach exists.  If you give Jan Smith’s records to Jane Smith, there is a breach.  Or if you fax medical records to (702) 555-1234, but the patient’s number was (712) 555-1234, you have a breach.

It’s these little mistakes that plague offices at times.  Most certainly, if your patient charts are on your laptop and it’s stolen, that’s a breach.  Should your server be accessed due to a hacking incident, or if you email a patient’s records to Kinkos as opposed to Dr. Kinko (the physician you intended to refer your patient to), you have a breach event.

Simply put, records must be seen only by those authorized to see them, and Covered Entities (CE) and Business Associates (BA) in possession of the records hold the responsibility to ensure no breaches take place.

“But what if my PHI is encrypted?” you ask. If the PHI is encrypted when the breach took place, you are probably covered.  The unauthorized use or disclosure of PHI is presumed to be a breach, unless there is a low probability that the information was compromised.

So when the PHI ends up in the wrong hands, but all they see is 0s and 1s due to your encryption, you may be protected. If you realize an email went to joesmith@mail.org as opposed to josmith@mail.org, but the email was sent with encryption, you are probably ok not reporting a breach.

However, a breach notification is necessary in all situations except those in which the CE demonstrates through a risk assessment that there is a low probability that the PHI has been compromised. We will discuss what a “risk assessment” is in the next blog.

But today’s blog is addressing a breach.  So, assuming a reportable breach took place, now what?  Once a CE or BA is made aware of a possible breach, they must report the breach to the Department of Health & Human Services.

The report must be made without "unreasonable delay". While it is not 100% certain what constitutes an "unreasonable delay", 60 days appears to be the outer limit for reporting, and waiting until the 60th day could be unreasonable as well.

Some state laws provide stricter reporting rules, such as California's mandate that you have 5 days to report a breach. We will discuss the notice details in a later blog.

And now the "so what?" Here are the federal breach penalties. But please take note that some states allow separate penalties. Additionally, some states allow private causes of action against the CE by the harmed patients. So these charts present only the tip of the iceberg in some cases.

Looking through the charts it is easy to see the risks you’re taking by not making sure your office is HIPAA compliant. In 2016, the Office for Civil Rights (OCR) collected over $20 million in fines, and in 2017 they have already disclosed over $17 million in fines collected.

Finally, don't think that just because you are only an employee of a company, you are immune from these fines and prison sentences. If an executive is aware of a violation, delegating the responsibility to someone else (the company's "Security Officer", perhaps) DOES NOT protect the executive from a personal penalty.

So now that you know what the ramifications are for a HIPAA breach, it is crucial that you take the necessary steps to ensure you don’t end up as one of OCR’s statistics.

Take the painful (but important) measures to be compliant now to save yourself a lot of stress, heartache, and money in the future. Otherwise the question you’ll be asking isn’t “so what?” but rather “does anyone know a good attorney?”

Filed Under: Health Tagged With: Breach, data breach, encryption, ePHI, HIPAA, HIPPA, penalties

February 20, 2017

HIPAA Violations – An Open Discussion

An open Discussion on HIPAA.

First, it's HIPAA, not "HIPPA", which you see a lot as you navigate an internet search about HIPAA. If you Google HIPPA, you will find plenty of articles discussing HIPAA but spelling it as HIPPA. You can even find professional-looking and academic articles spelling it incorrectly. Second, HIPAA is more than just a privacy law; it deals with document access, insurance coverage, pre-existing conditions, and many other things. Finally, HIPAA compliance is not impossible or some secret for experts only; it is attainable. But, first things first, why should you worry about HIPAA?

Look, we are all busy; none of us wants to read a bunch of legislation written by attorneys which makes almost no sense to non-attorneys. I get it. When it comes to legal issues, I always find it important to know the real reasons why I should take notice of something. Large monetary fines and possible prison time seem to get my focus. The Federal Government issued almost $11.4 million in HIPAA fines before March 1, 2017; paying attention yet? How about knowing that you can face Federal jail time for wrongful disclosures? Now that you realize HIPAA is serious, let's look at the government's enforcement activity in 2017.

Just to get your ears perked up, here are some examples of the fines issued by the Federal Government before the end of February 2017:

January 9, 2017 – The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and Presence Health agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000.00.

Presence Health discovered that paper-based operating room schedules, which contained the PHI (Protected Health Information) of 836 individuals, were missing from the Presence Surgery Center at the Presence St. Joseph Medical Center in Joliet, Illinois.  Making matters worse, Presence Health failed to timely notify each of the 836 individuals affected by the breach, prominent media outlets (as required for breaches affecting 500 or more individuals), and the OCR.  This case is a great first case to take notice of, as it addresses both the loss of the medical information and the failure to report the breach.

January 18, 2017 – The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and MAPFRE Life Insurance Company of Puerto Rico (MAPFRE) agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.2 million.

MAPFRE filed a breach report with the OCR indicating that a USB data storage device containing ePHI (electronic Protected Health Information) for 2,209 patients was stolen from its IT department, where the device was left without safeguards. MAPFRE also failed to conduct a proper risk analysis, failed to implement risk management plans, and failed to deploy encryption or an equivalent alternative measure on its laptops and removable storage. This investigation revealed many breaches, across many levels of HIPAA. Yet, one of its teaching points is about laptop and USB drive security. Many offices use laptops and USB drives on a daily basis to access and transfer information. If they contain PHI, they must secure them.

February 1, 2017 – The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) issued a civil money penalty of $3.2 million to Children's Medical Center of Dallas (Children's), which paid the fine in full.

Children's filed a breach report with the OCR indicating the loss of an unencrypted, non-password-protected BlackBerry device at the Dallas/Fort Worth International Airport. The device contained the ePHI of approximately 3,800 individuals. Later, Children's filed a separate HIPAA Breach Notification Report with the OCR, reporting the theft of an unencrypted laptop from its premises which contained the ePHI of 2,462 individuals. Again, we see issues with remote devices being compromised. In a review of OCR violation history, compromised remote devices appear to account for a majority of violations. Now is probably a good time to determine whether your office has PHI on any remote or removable devices.

February 16, 2017 – Memorial Healthcare System (MHS) paid the U.S. Department of Health and Human Services (HHS) $5.5 million to settle potential violations.

MHS reported to the HHS Office for Civil Rights (OCR) that the protected health information (PHI) of 115,143 individuals had been impermissibly accessed by its employees and impermissibly disclosed to affiliated physician office staff. The login credentials of a former employee of an affiliated physician's office had been used to access the ePHI. This final case shows that your password protocols must be established and followed. Of course, the hardest part of protecting your company is protecting it from its employees. However, there is no excuse for allowing former employees to retain access rights to your data.

These four fines are just the tip of the iceberg when dealing with HIPAA, but together they do shed some light on the many different types of violations your company can face. Many states can now assert similar-level fines upon a party in breach. Some states even allow private causes of action for damages caused by a breach. And then, there can be criminal consequences as well. Now that I have your attention, be sure to check back soon for more on HIPAA.

Filed Under: Health Tagged With: enforcement, ePHI, fines, HHS, HIPAA, HIPPA, medical tech, OCR, protected health information, violation
