HIPAA enforcement has not slowed in 2021. The Office for Civil Rights (OCR), the HIPAA enforcement agency, has begun dozens of investigations, for general compliance review, breaches, and the Right of Access, among other topics.
HIPAA Right of Access is Still a Priority
Five settlements for failure to meet the HIPAA Right of Access requirements have been announced during the first quarter of 2021. Eighteen settlements have been announced under the Right of Access Initiative since it was established in 2019. Four of the five in 2021 have been announced since President Biden took office, supporting our view that HIPAA is Not Political.
We expect more Right of Access settlements will be announced by OCR in coming days and weeks. When they’re announced this blog will be updated.
OCR Investigates Breaches and Complaints
Since January 1, OCR has started at least 115 investigations of healthcare data breaches affecting 500 or more individuals. HIPAA requires organizations to report these large breaches to the U.S. Department of Health and Human Services (HHS), and HHS publishes them on the web, as the law also requires. OCR automatically investigates each of these reported breaches.
OCR also starts investigations based on the thousands of individual complaints it receives each year. OCR received over 27,000 complaints in 2020 and expects more than 28,000 in 2021, according to Serena Mosley-Day, OCR's Senior Adviser on HIPAA Compliance and Enforcement, speaking at the HIPAA Summit last week.
Top HIPAA Enforcement Issues
At the HIPAA Summit, Mosley-Day also named the recurring compliance issues OCR sees:
- Individual Right to Access
- Risk Analysis
- Business Associate Agreements
- Access Controls
- Audit Controls
- Information System Activity Review
HIPAA Enforcement Affects all Types and Sizes of Organizations
HIPAA Right of Access Settlements
As with past settlements, the Right of Access cases announced in 2021 and listed below involve a variety of covered entities: small and large, nonprofit and for-profit, from behavioral health to primary care to plastic surgery.
All settlements thus far have included a payment of fines, and a corrective action plan (CAP), requiring two years of oversight by OCR.
$200,000 – Banner Health
Banner Health, a non-profit organization, is one of the largest health care systems in the United States and is based in Phoenix. It operates 30 hospitals and numerous primary care, urgent care, and specialty care facilities. (agreed to a two-year CAP)
$75,000 – Renown Health, P.C.
Renown Health, P.C. is a private, not-for-profit health system in Nevada. (agreed to a two-year CAP)
$70,000 – Sharp HealthCare
Sharp HealthCare, doing business as Sharp Rees-Stealy Medical Centers, is located in California and provides health care through four acute-care hospitals, three specialty hospitals, three affiliated medical groups, and a health plan. (agreed to a two-year CAP)
$65,000 – Arbour Hospital
The Arbour, Inc., doing business as Arbour Hospital is located in Massachusetts and provides behavioral health services. (agreed to a two-year CAP)
$30,000 – Village Plastic Surgery
Village Plastic Surgery is located in New Jersey and provides cosmetic plastic surgery services. (agreed to a two-year CAP)
Investigations can Mushroom if Gaps Persist
Investigations begin for a variety of reasons. Mandated breach reports for breaches affecting 500 or more individuals automatically generate investigations, but individual complaints about relatively small issues are also a source. Know the breach notification steps so you can show OCR that you can meet compliance requirements.
Data breaches and individual complaints may be a sign of gaps in other areas, and OCR wants to learn whether other issues are present. OCR offers technical assistance to organizations under investigation, which, if followed, can help organizations improve and may lessen the severity of any enforcement outcome. An investigation should be taken seriously, and responses should be prompt and complete.
An Untrained Workforce is a Vulnerability
Of the 115 large breaches reported since January 1, well over half (78) were caused by hacking/IT incidents, most of them targeting email or network servers. Email by itself was the location of almost half the breaches so far this year, whether through hacking or another type of unauthorized access or disclosure.
There are several remedies for protecting email security and increasing HIPAA compliance. Good quality malware protection is a start. Applying appropriate levels of access to different staff positions is important. Strong password policies are essential. But one of the easiest and lowest-tech remedies, and one that can help the most, is security awareness training for the workforce. Hackers use social engineering, a fancy term for basic motivational psychology, to get people to click links, open attachments, and reply to email with information. Security awareness training should be given to everyone on a regular basis, so that workforce members learn, and are reminded, how to recognize and avoid intrusion and theft.
Best Practices Recommended by OCR
- Risk Analysis and Risk Management should be integrated into business processes, conducted regularly, and repeated whenever new technologies or business operations are planned
- Incorporate lessons learned from incidents into the overall security management process
- Review all vendor and contractor relationships to ensure BAAs are in place as appropriate and address breach/security incident obligations
- Review Records Access Policies, Procedures and Practices
- Train staff on the difference between Right of Access requests and authorizations
- Provide training specific to the organization and to job responsibilities, on a regular basis; reinforce workforce members’ critical role in protecting privacy and security
Avoid HIPAA Enforcement with Prevention
HIPAA enforcement is not going away.
By far the most effective way to stay ahead of HIPAA enforcement is to do an annual HIPAA Risk Analysis and follow a Risk Management Plan throughout the year.
In every settlement agreement under the Right of Access Initiative published so far, OCR noted that the organization did not have an adequate Risk Analysis: policies were lacking, workforce training was missing, and the inventories of protected health information (PHI) locations were incomplete.
Each of the best practices recommended by OCR listed above is included in The HIPAA E-Tool® Risk Management module. If you need help, let us know.