(August 23, 2014): Almost all health care providers and suppliers qualify as a "covered entity" under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Together with the "business associates" with whom they work, these entities are responsible for ensuring that any protected health information (PHI) under their control has been properly secured and remains confidential. Let's face it, the regulations governing a health care provider's obligations under HIPAA are both extensive and complex.
Many small and mid-sized health care providers and suppliers have found it difficult to fully comply with their many statutory obligations under HIPAA's privacy and security mandates. Nevertheless, it is important to keep in mind that the government is actively investigating allegations of breach, regardless of the size of provider or supplier that may be involved.
I. The Importance of Conducting a HIPAA Risk Assessment:
A recent federal criminal indictment of an individual for a HIPAA violation should serve as a reminder to all health care providers of the importance of fully complying with HIPAA's security requirements. While most health care providers and suppliers have diligently worked to comply with HIPAA's privacy requirements, their compliance with HIPAA's security and risk assessment mandates remains a challenge. A recent case out of the U.S. Attorney's Office for the Eastern District of Texas provides a stark reminder of why all health care providers must remain diligent in their efforts to secure and protect the medical records that have been entrusted to their care by their patients.
Last month, federal prosecutors announced that a former employee of an unnamed hospital in East Texas had been arrested in Georgia the previous year on charges unrelated to the theft of PHI. At the time of his arrest, he was discovered to be in possession of patient medical records from Texas. The subsequent investigation indicated that from December 1, 2012, through January 14, 2013, the individual had obtained PHI while he was employed at an East Texas hospital. The defendant allegedly took the patient records with the intent to use the patient's PHI for personal gain. The defendant is currently in jail, awaiting trial. If convicted, he could be sentenced to prison for up to 10 years. There are two main points that all covered entities and business associates should keep in mind:
- The theft of PHI is a serious crime. Both federal and state prosecutors are actively pursing individuals who illegally steal or improperly use patient PHI for personal gain. Under 18 U.S.C.A. § 1028A(a)(1), the federal "Aggravated-Identity-Theft" statute prohibits an individual's knowing use of another person's identifying information without a form of authorization recognized by law.
- While the government's Press Release does not discuss whether the East Texas hospital had previously conducted a proper HIPAA risk assessment, it would not be surprising to later learn that the Office of Civil Rights (OCR) has initiated its own audit of the organization to verify that it has, in fact, previously conducted a HIPAA risk assessment.
II. HIPAA's Security Rule Requires that a Risk Assessment be Conducted:
While details regarding what security provisions and precautions the East Texas hospital may have implemented are not available, one wonders if the hospital conducted a risk analysis as required by HIPAA’s Security Rule provisions. The Security Rule states that all covered entities must implement policies and procedures “to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).) A risk analysis is one of four required implementation specifications in the Security Rule that actually provide instructions on how to implement the requirement. Conducting a risk analysis would likely have revealed system vulnerabilities, perhaps even the one that failed to prevent the theft of patient PHI. Certainly a risk analysis would have revealed the necessity of various audits, any of which could have revealed the fact that the defendant was improperly accessing and taking patient records.
Unfortunately, conducting a HIPAA risk assessment is still a problem for many health care providers. A series of audits were conducted in 2012 by federal contractors working for OCR to assess whether health care providers, suppliers, health plans and clearinghouses have been complying with HIPAA's Privacy, Security, and Breach Notification requirements. A number of health care providers were included in these audits. The results showed that 60% of the deficiencies reported were related to HIPAA security requirements. In addition, 65% of the findings were for health care providers, in particular smaller providers. Of the 59 providers, 58 had at least one finding relating to a Security Rule deficiency. Nearly 80% of the healthcare providers had not completed a risk assessment. OCR concluded that driving compliance with the Security Rule aspects of HIPAA would be a likely focus in the future.
III. Meaningful Use and Risk Assessments:
Conducting a risk analysis is also a core requirement under the Meaningful Use rules. In order to receive a meaningful use incentive, providers were required to certify that they conducted a risk assessment in accordance with the HIPAA Security Rule provisions. Over 245,000 eligible professionals received payments for usage of electronic health records for 2011 and 2012.
Yet if the statistics from OCR’s admittedly small sample of healthcare providers in 2012 is true, this could mean that a very large majority of those healthcare providers who certified to having conducted a risk assessment as part of their meaningful use certifications did so falsely. The data on which providers, including names and NPI numbers, have received a meaningful use incentive payment is publicly available. Thus it is highly likely that as part of the soon-to-be-restarted HIPAA audits, OCR will explicitly review whether providers falsely certified that they conducted a security risk analysis, when in fact they did not. While the amount of money that a provider might have to return for a false certification is not large, the potential penalties for having falsely certified compliance with the regulations are much larger and more serious.
IV. Final Remarks:
While overdue, if your organization has not already conducted a HIPAA security risk assessment, it is imperative that you do so immediately. The window to take remedial action may be closing, especially if you have received payments under the meaningful use provisions. Need help? Give us a call. In Part II of this article, we will discuss several of the considerations you should take when engaging outside assistance to conduct a security risk assessment of your organization.
-  HIPAA Privacy, Security and Breach Notification Audits: Program Overview & Initial Analysis, presentation by Verne Rinker JD, MP, at 2013 NIST / OCR Security Rule Conference, May 21-22, 2013, available at http://csrc.nist.gov/news_events/hipaa-2013/presentations/day1/rinker_day1_215_hipaa_privacy_security_breach_audits.pdf
-  See the July 28, 2010 Final Rule Notice, 75 Fed.Reg. 44314 at 44369; 42 CFR 495.6(d)(15).