The Health Insurance Portability and Accountability Act (HIPAA) was signed into law close to three decades ago. HIPAA initially consisted of two primary rules: (1) the Privacy Rule, which establishes standards to protect individuals’ medical records and other personal health information (later expanded when the Breach Notification Rule was finalized); and (2) the Security Rule, which instituted the requirements for safeguarding electronic protected health information (ePHI). Both rules are enforced by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Up until the passage of the HITECH Act in 2009, HIPAA compliance was often seen as a paper tiger, with no enforcement action of any significance and little more than perfunctory industry compliance. HITECH helped to solve this by providing funding for the digitization of medical records and tightening the privacy and security provisions of HIPAA. HITECH also put sharp teeth into the enforcement mechanisms needed to compel greater compliance.
HITECH provided significant cash incentives for the adoption and effective use of health information technology, opened the door to more credible expansion of the soon-to-be-critical healthcare exchanges, and empowered patients to be more directly involved in their care. HIPAA is designed to be a framework that allows patients access to their information while making it truly portable and available no matter where they seek treatment or what organization operates as their provider and/or insurer. HITECH also made a major change in enforcement by moving that function to the U.S. Department of Health & Human Services’ Office for Civil Rights. To understand the gravity of non-compliance, we must first understand that HIPAA and its promulgated rules are prescribed legal obligations that healthcare providers, health plans, and their business associates must comply with or face stiff financial penalties, monitoring, and corrective action plans. Intentional non-compliance can lead to the individuals responsible for the violations facing imprisonment. While criminal cases are rare, they underscore the seriousness of HIPAA compliance.
One recent example of improved enforcement was announced by OCR on September 11th, 2023. HHS and OCR stated in the September 11 release:
“Today, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules with LA Care, the nation’s largest publicly operated health plan that provides health care benefits and coverage through state, federal, and commercial programs. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules that set the requirements that HIPAA-regulated entities must follow to protect the privacy and security of protected health information (PHI). The settlement concludes two OCR investigations initiated from a large breach report and a media article regarding a separate security incident. Under the agreement, LA Care agreed to pay $1,300,000 and to implement a corrective action plan, discussed in further detail below, which identifies steps LA Care will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic protected health information (ePHI).”
OCR has taken many enforcement actions; a few more examples follow. In addition to fines, all of these organizations were assigned corrective action plans, which can often involve significant investment and long-term monitoring and reporting.
- June 15th, 2023 – Yakima Valley Memorial Hospital, a not-for-profit community hospital located in Yakima, Washington, was penalized $250,000 after an investigation found that security guards working at one of its facilities had accessed medical records.
- HHS Office for Civil Rights Settled a HIPAA Investigation with Arkansas Business Associate MedEvolve for $350,000. This was after OCR concluded that “a server containing the protected health information of 230,572 individuals was left unsecure and accessible on the internet.”
- HHS Office for Civil Rights settled a HIPAA investigation into an Arizona hospital system following a hacking incident that reportedly exposed the records of 2.81 million patients. The financial penalty in this case was $1.25 million.
The immediate and most significant risk of HIPAA non-compliance is the financial penalties, particularly for small organizations. Depending on the severity of the breach, and on whether there is a pattern of non-compliance, penalties can range from thousands of dollars to a record $16 million, which was paid by Anthem Inc. in 2018. But we cannot gloss over the damage to patient trust and an organization’s reputation. News of any data breach or HIPAA violation can affect not just patients, but also partners and the public at large. Rebuilding trust can be expensive, challenging, and time-consuming.
Forensic and administrative investigations and breach remediation expenses can quickly dwarf the cost of OCR penalties. Ransomware recovery, for instance, can easily run into the millions, and only then does the OCR HIPAA reporting and investigation process begin. Implementing corrective measures and notifying affected individuals can also add up quickly. Just think how much care can be diluted by, or lost to, these events and their resulting costs.
Some Steps to Avoid HIPAA Penalties
- Develop and maintain policies and procedures that are adequate to meet the obligations of your organization. Be sure they address and align with HIPAA requirements. Regularly review and update these documents to reflect changes in technology and regulations. Keep prior versions so that the progression of changes can be shown.
- Conduct regular and complete risk assessments involving all aspects of the business that could affect the privacy, security, integrity, and availability of protected health information. This proactive approach can help prevent breaches and demonstrate a commitment to compliance. More important than the assessment itself are the corrective actions you take to improve and test your systems. Assessments are of no value if they end up on a shelf and risks are left unacknowledged or unremediated.
- Training employees and contractors in HIPAA regulations and the importance of compliance is crucial. Employees should be clearly aware of their roles in protecting patient information and the risks associated with their actions. They should also know and understand the policies and procedures designed to reduce risk and comply with the law. Employees and contractors should be able to weigh their actions so as to limit breaches, recognize the signs of a potential breach, and know what to do and not do when they believe a breach may have occurred.
- Organizations should have security measures in place to protect ePHI. This includes, but is not limited to, implementing protections such as: software and firmware updates to minimize vulnerability; encryption of sensitive data and communications; access controls with unique credentials and complex passwords; multi-factor authentication; network isolation; incident response and disaster recovery plans; and secure immutable backup systems.
- Keep up to date on the rules. HIPAA regulations do change over time. Organizations must stay informed about updates and adapt their practices accordingly.
Compliance is not an option; it is a legal obligation that healthcare entities, their employees, and business associates must take seriously. By proactively following compliance requirements, implementing strong security policies and procedures, and staying informed about potential changes in laws and regulations, organizations can reduce the risks associated with breaches and non-compliance. This is critical in any organization that prioritizes the protection of patients and their sensitive health information.