Health Insurance Portability and Accountability Act (HIPAA) compliance is aimed at maximizing privacy and data security for patient records. It prescribes minimum data storage and sharing standards. The Act affects health care organizations, physicians and managed IT service providers (MSPs) that are tasked with managing hospital computers and networks, ensuring that patients and their information remain safe.
To learn more, refer to the infographic below created by the Maurice A. Deane School of Law at Hofstra University’s Online Master’s in Health Law and Policy program.
Compliance with HIPAA is a serious matter that requires careful handling to avoid fines and penalties. The Department of Health and Human Services (HHS) conducts regular audits through the Office for Civil Rights (OCR). If any MSP is found to be noncompliant, the entity can be slapped with fines of up to $50,000 per violation. The fines can reach $1.5 million annually across all HIPAA violation categories.
Attracting these hefty penalties can affect an organization’s bottom line and operational viability. For this reason, covered health care entities and business associates need to treat the Act with the gravity it deserves. The HIPAA Compliance Checklist provides a viable way to stay vigilant and up-to-date with the requirements.
The HIPAA security rule
Recent changes compel all business associates to adhere to the requirements of the security rule. The rule encompasses the implementation of security procedures, risk analysis, training and the adoption of a breach response plan. It has three key components: a backup and disaster recovery plan, physical safeguards and technical safeguards.
Physical safeguards refer to protection measures for servers and facilities like data centers. These include the use of access badges, door locks, surveillance cameras, security guards and more. Technical safeguards, on the other hand, are designed to control electronic access to electronic protected health information (ePHI). Examples of technical safeguards include multi-factor authentication, use of passwords and encryption.
Encryption entails using a Transport Layer Security (TLS)-secured connection whenever privileged access is made to records stored in the cloud. Experts recommend end-to-end encryption for sensitive information, including data in motion.
A comprehensive backup and disaster recovery plan is the remaining component of the HIPAA security rule. Rather than focusing on prevention and protection, it is aimed at ensuring that health care facilities are well prepared for any eventuality. The Backup Disaster Recovery (BDR) solution consists of data backup, disaster declarations, alternate site guides, a comprehensive disaster list and an ePHI recovery plan.
HIPAA Phase 2 audit protocol
OCR uses Phase 2 audits to establish best practices for ensuring the security and privacy of sensitive health information. The process involves desk audits, which are used to review submitted documentation. Selected entities are served a notice and a document request letter prior to the start date.
The entities are required to respond by submitting the requested documents within 10 days of receiving the letter. The submission is carried out via a secure online portal. OCR gives organizations 10 days to respond to findings noted in the review. Once the entire process is complete, the auditor will issue a report within 30 days.
Phase 2 audits also encompass on-site reviews that are conducted over the course of three to five working days. These audits are more comprehensive than desk audits. The site visits are aimed at reviewing the procedures and policies implemented by health care organizations and business associates to meet selected standards.
Auditors employ a comprehensive audit protocol that is in line with the updated Omnibus Final Rule. The audits address security, privacy and breach notification separately. The nature of audits performed by OCR officers may vary based on type of organization or business associate.
Entities are required to submit only the specified documents, not compendiums covering all of their procedures and policies. This is aimed at simplifying the review process and reducing the workload for the auditor. In the event that the requested documents are not available, organizations are required to submit instances from the applicable time periods.
Preventing HIPAA violations
Health care organizations, physicians and business associates work tirelessly to prevent HIPAA violations. The extensive list of rules and obligations heaps pressure on covered entities. Oftentimes, organizations overlook minor requirements despite spending considerable time and money on compliance.
Some of the most common HIPAA violations include failure to release information to patients in a timely fashion, not adhering to the authorization expiration date and improper disposal of patient records. In addition, many entities are fined for insider snooping, releasing the wrong patient’s information, missing a patient’s signature, insecure data storage, releasing unauthorized health information and more.
Fortunately, the majority of health care information systems available today include automated reminders, procedures and alerts to remedy these issues before they cause a violation. Reputable medical IT service providers generally identify these instances when evaluating the system.
Although no system is perfect, entities are expected to demonstrate best efforts and reasonable care when it comes to standards of compliance.
Office for Civil Rights (OCR) imposes stiffer HIPAA fines
In recent years, OCR has been using the tiered penalty structure stipulated by the Health Information Technology for Economic and Clinical Health (HITECH) Act to impose stiffer non-compliance fines. It took the enforcement body considerable time to start imposing the multi-million dollar penalties that many in the health care sector had predicted since 2010.
OCR has since heightened enforcement activity. As a result, covered entities and business associates have seen higher-dollar HIPAA settlements.
Some of the high-profile cases involve entities such as Triple-S Management Corporation (TSS), Lahey Hospital and Medical Center (LHMC) and the University of Washington Medicine (UWM).
Triple-S Management Corporation (TSS) is one of the leading medical insurance providers in San Juan, Puerto Rico. In 2015, the company was slapped with a $3.5 million fine for several HIPAA breaches. The violations occurred over a period of five years. They included the sharing of ePHI on employees’ computers and improper access to the entity’s database by a former member of staff whose access had not been terminated promptly.
In addition, OCR discovered unauthorized disclosures that involved health plan beneficiary mailings. In some instances, insurance identification cards were delivered to the wrong recipients. The mailings displayed ID numbers on envelope labels.