Example White Paper:

Surviving HIPAA’s Security Maze

Introduction

Traversing the maze of HIPAA privacy and security compliance regulations can be a daunting and costly task.

The 1996 Health Insurance Portability and Accountability Act (HIPAA) was instituted to protect the personal health information held by covered entities, including hospitals, doctors, pharmacies and health insurance companies. A HIPAA violation, by any covered entity, can result in multi-million dollar fines and even draw jail sentences for the most egregious violations.

The High Cost of HIPAA Violations

Following are some public record examples of the largest fines that have been imposed since HIPAA was enacted; however, literally thousands of other smaller, but significant fines have also been imposed.

  • Cignet Health – $4.3 million (2011)
  • CVS Caremark – $2.25 million (2009)
  • Blue Cross/Blue Shield of Tennessee – $1.5 million (2012)
  • Massachusetts General Hospital – $1 million (2011)
  • Phoenix Cardiac Surgery – $100,000 (2012)

The following chart lists the various types of HIPAA violations, along with their penalties.

| VIOLATION TYPE | MINIMUM PENALTY | MAXIMUM PENALTY |
|---|---|---|
| Individual didn’t know they violated HIPAA | $100/violation; annual max of $25,000/repeat violations | $50,000/violation; annual max of $1.5 million |
| Reasonable cause and not willful neglect | $1,000/violation; annual max of $100,000/repeat violations | $50,000/violation; annual max of $1.5 million |
| Willful neglect but corrected within time | $10,000/violation; annual max of $250,000/repeat violations | $50,000/violation; annual max of $1.5 million |
| Willful neglect and is not corrected | $50,000/violation; annual max of $1.5 million | $50,000/violation; annual max of $1.5 million |

Source: American Medical Association (AMA)

What Constitutes a HIPAA Violation?

A HIPAA violation can occur when a covered entity fails to handle patient information properly, resulting in medical and other personal data being improperly divulged to unauthorized parties. Failure to notify affected patients of an information security breach through alerts, emails and other media also constitutes a violation of the HIPAA regulations.

While the number of possible violation scenarios is endless, the most common and avoidable ones share certain characteristics: unencrypted data, employee errors, data stored on devices that are lost, stolen or no longer in use, business associates, and lapses in notification.

HIPAA also gives patients and their families the right to have continued insurance coverage while in the process of looking for a new employer.

2009 ARRA HITECH Act Exacerbated HIPAA Compliance Challenges

As part of the HITECH Act’s proposed rule to implement “meaningful use” of electronic medical record (EMR) technology through incentive payments, the Centers for Medicare & Medicaid Services (CMS) dictated that eligible professionals and hospitals must conduct a security risk analysis and implement security updates, as necessary, to comply with HIPAA Security Rules. This HITECH mandate was part of the Stage 1 requirements for meeting “meaningful use.” The HITECH Act also increased the penalty amounts for violations. Before HITECH, HIPAA penalties were capped at $25,000 for multiple violations of the same provision in a single calendar year. Under HITECH, they are now capped at $1.5 million.

How Can A Covered Entity Navigate the HIPAA Maze?

The answer: By being vigilant and paying careful attention to HIPAA’s mandates. Following are some general suggestions on where to start your journey. First, revisit HIPAA privacy and security compliance regulations that are applicable to your organization. These rules are listed in the HIPAA Privacy, Security, and Breach Notification Rules and can be found at www.hipaa.com.

Make sure your facility has in place formal, documented policies and procedures for dealing with the most common and avoidable HIPAA violations. These include:

  1. Sending unencrypted protected health information (PHI) via public communication media.
  2. Employee errors – divulging PHI to unauthorized parties.
  3. Data stored on lost or stolen devices.
  4. PHI data stored on obsolete or old IT equipment no longer in use.
  5. Inappropriate sharing of PHI with business associates or partners.
  6. Failing to notify promptly when security breaches occur.

Identify and Address Your Gaps and Needs in These Areas

Conduct a careful review of your security procedures in these areas and identify any gaps that need to be addressed. The next step is to draft new policies and procedures and institute training for all staff members to ensure they are aware of your new security policies and procedures.

Test Your New Program

It is not enough to assume that all pieces of your new security plan are in place. You must test the new program to see if it is actually working – in practice. Examine each of the six operational areas to verify you are in compliance with HIPAA regulations.

Examine all of your PHI communication channels. Is every piece of PHI that you are sending outside of your facility, via public communication media, encrypted?

Verify, through testing, that all your employees are aware of HIPAA regulations on how to handle PHI. Document that you have conducted the proper training and save your employees’ test results in an easily accessible electronic database.

Make certain you have in place written procedures — and your employees have been apprised of these procedures — for handling and protecting PHI on mobile devices. This will not completely ensure that PHI stored on these devices will not be lost or stolen, but it will protect you if that happens because you have taken steps to prevent this loss.

An aspect that is often overlooked in HIPAA security risk analyses is the PHI stored on obsolete IT devices or on end-of-lease hardware equipment. HIPAA regulations are forcing companies to re-evaluate their technology disposal methods. Improper data sanitization of old IT hardware can expose you to HIPAA violations. There are professional companies that provide the service of “sanitizing” PHI on PC hard drives, servers, notebooks and other IT devices. They can also provide verification certificates for each piece of equipment that has been “cleaned” for your records.

Also as a result of the HITECH Act, all your business partner and business associate agreements require an update. More importantly, you need to ensure that your business associates are complying fully with the HIPAA Security Rule, another new obligation imposed by the HITECH Act. Previously, your business associates’ security measures needed only to be “reasonable and appropriate.” They now have to comply fully with the more than 60 specific safeguards outlined in the HIPAA Security Rules.

What To Do If a Breach Actually Occurs

When a security breach does occur, you need to have in place an organization-wide procedure for notifying the proper authorities that a breach has taken place. Failure to promptly acknowledge a breach can result in increased penalty amounts. Breach notice obligations are also exacerbated by incidents caused by business associates. Security lapses by your business associates can result in substantial notification costs and enforcement risks for your organization.

Keep All Your HIPAA Compliance Information in a Single Location

To facilitate a possible HIPAA inquiry at your facility, you should store all your compliance paperwork, electronically, in a single location. It should be well organized, up-to-date and contain at a minimum the following information:

  • All requisite HIPAA security policies, procedures, security plans, security reminders, documentation of access rights, etc.
  • All requisite HIPAA privacy policies and procedures
  • Requisite HITECH breach response procedures
  • Notice of privacy practices
  • Log of HIPAA training
  • Accounting of disclosures for the past six years
  • Log of security incidents
  • Your organization’s business associate agreements

Conclusion

Traversing the HIPAA privacy and security compliance maze can be a daunting task, especially with the added 2009 HITECH Act requirements that have substantially increased the obligations of healthcare providers and their business associates. The stakes are high on this journey, but by being vigilant and paying careful attention to HIPAA’s mandates, you can successfully navigate this maze.