If the current trend holds true, the healthcare industry can expect to see an increase in HIPAA violation resolution agreements in the coming year.
David Holtzman, JD, former senior advisor for health IT and the HIPAA Security Rule at HHS' Office for Civil Rights and current vice president for compliance at CynergisTek, a health information privacy and security consultancy agency, attributes this increase in formal resolutions to a couple of factors.
In a contributed piece to Healthcare Info Security, Mr. Holtzman said the OCR could use the money collected from previous settlements (there were three in December alone) to fund enhanced enforcements. And, in an interview with Becker's Hospital Review, Mr. Holtzman said legislative changes that occurred in 2013 are coming into effect now. The HIPAA Omnibus Rule was passed in 2013, and breach investigations that were launched at that time are now coming to completion.
"The changes to the HITECH Act [including the HIPAA Omnibus Rule] took effect in 2013, so as we are seeing these most recent cases, it appears to take two to three years for the investigation and settlement process to run its course," he says.
The HIPAA Omnibus Rule expands the privacy and security requirements of HIPAA to further strengthen patient privacy protections, which includes enhanced risk assessments and brings business associates into the pool of covered entities to join healthcare providers, health plans and entities processing health insurance claims, among other provisions.
Here, Mr. Holtzman discusses the recent HIPAA resolutions and how organizations can try to prepare for breaches and protect themselves from these monetary settlements.
Question: In December, there were three HIPAA violation settlements, one of which was the second largest settlement to date. Can we expect to see more of the same in coming months?
David Holtzman: It's important to realize that the resolution agreements that were announced in December, as well as the several other resolution agreements that were announced in 2015, each represent compliance reviews that began as breach notifications reported, in some cases, up to five or six years ago. What we can draw from this is that a number of compliance reviews on large breaches are being completed and, where appropriate, formal resolutions are being negotiated, not based entirely on the breach incident itself but on findings of the broader compliance review, which are finding indications of systemic failures to comply with the HIPAA Security Rule.
The resolution agreements that have been settled within the past two to three years have each focused in some respects on a failure of the organization to conduct the enterprisewide risk analysis and risk management process. OCR's review will look at the breach as a mere symptom of larger compliance issues, and on review of the breach report, the organization can expect to be required to demonstrate or to provide evidence of its compliance with the broad strokes of the security rule — and to some extent the privacy rule — as well as fulfill its obligations for notification under the breach notification rule.
Q: UW Medicine was the latest HIPAA resolution agreement, with a settlement of $750,000. What was the crux, if it can be boiled down to one, of the issue here?
DH: UW Medicine is an interesting story in that they on paper had a credible health information privacy and security compliance program organizationwide. Yet when OCR went to investigate or required UW to provide proof that the program had actually been implemented, apparently OCR found that the central organization, UW Medicine, had not followed up to assure implementation by its subsidiaries and affiliates. [OCR also found] while UW Medicine had performed information security risk analysis, it was in the limited scope of only its EHR systems to satisfy the requirement for the meaningful use EHR incentive programs.
This is a common error in that the [HIPAA] security rule requires, in addition to establishing policies and procedures, that the information system risk assessment be a much broader approach. The requirement is to perform an assessment and evaluation in risk mitigation for the entire enterprise that handles ePHI.
The other interesting note from the UW Medicine case is that this is the first resolution agreement involving a breach incident that derived from a phishing attack.
Q: What are the key indicators or factors in determining the amount of the fine?
DH: OCR's enforcement rule lays out the issues for consideration of the amount of fine or penalty that is appropriate. For example, what is the financial health of the organization and their ability to pay a fine or penalty without preventing them from carrying out their health mission? What is the severity of the incident? But at the end of the day, these are truly negotiated settlements and represent a percentage of what the department could levy as a civil monetary penalty if attempts to negotiate a resolution agreement were not successful.
Q: While no organization is 100 percent protected from a data breach, what are some ways hospitals and health systems can try to prevent breaches or ensure HIPAA compliance?
DH: There are three main ways to protect from these types of phishing attacks. First is educate your users to be judicious in handling email communications that they receive and to limit or prohibit use of personal email or access to personal email accounts, as well as raise awareness of the threats posed by links, hyperlinks embedded within an email.
The second step is for an organization to conduct social engineering or phishing exercises in which they manage or produce their own suspicious email to measure and identify those workforce members who are susceptible to these types of communications so that you can provide enhanced education and monitoring of their activities.
Lastly, implement technology to monitor network traffic so that if there is malware that successfully infiltrates your network system, you can identify through monitoring the unusual activity within the information system and stop any attempted exhilaration of data.
Q: Any final thoughts?
DH: First of all, 99.99 percent of all compliance reviews and complaint investigations that are initiated by OCR continue to be resolved informally through the voluntary corrective action of covered entities and business associates. However, that still leaves hundreds, if not thousands, of complaints and compliance reviews that we can expect to see resolved through formal enforcement.
More articles on HIPAA:
Dental practice software company settles FTC charges on patient data encryption
Gun control overhaul sparks change in HIPAA
Who are the biggest repeat HIPAA violators? ProPublica reveals top 10