Reducing HIPAA Penalty Risk
by Juli Ochs
As hospitals and providers implement electronic medical records, they are faced with mounting technological challenges. The risk of managing protected health information has never been higher; health care professionals, therefore, need to mitigate this risk to avoid penalties, negative media coverage, and legal action.
The Office of Civil Rights (OCR) suggests adopting a “culture of compliance” to reduce risk. This culture begins at the leadership level by promoting a strategy that meets the needs of the organization and protects the rights of the patient. Assessing risk, enhancing security procedures, training staff, and promoting accountability will help align your strategy with a culture of compliance.
Hospitals and providers should be aware of the magnitude of penalties imposed on organizations that fail to comply with the Health Insurance Portability and Accountability Act’s (HIPAA) privacy and security rules. An increasing number of health care organizations, both large and small, have been penalized in the past year by the OCR for failure to comply. Most of the notable penalties resulted from a failure to secure electronic protected health information (ePHI) — specifically, a lack of encryption, failure to update related HIPAA policies, and/or failure to perform an annual risk assessment.
Recent cases of HIPAA violations
There are many cases from the past year that required providers to pay penalties to the Department of Health and Human Services (HHS) for failure to comply with HIPAA rules.
Two recent cases involved the Alaska Department of Health and Social Services, and the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, a specialty hospital with 13 satellite offices, over 160 providers, and a medical school affiliate of Harvard. They settled with HHS for $1.5 million and $1.7 million, respectively, for allegedly failing to secure ePHI on laptops, to address security and access for portable devices in their information security policies, or to perform an annual risk analysis as required by HIPAA’s security rules.
In March 2012, Blue Cross Blue Shield of Tennessee (BCBST) fell victim to the theft of 57 unencrypted computer hard drives that contained the health information of more than 1 million individuals. BCBST notified HHS in compliance with HIPAA’s breach notification requirements. BCBST subsequently agreed to pay $1.5 million and update its HIPAA compliance program to reduce the chances of losing protected health information in the future.
In April 2012, Phoenix Cardiac Surgery, P.C., a practice of five cardiologists, became the first small practice to be penalized for HIPAA violations. The OCR investigated allegations in response to a patient’s complaint that the practice publicly posted surgical schedules on its website. As a result of the investigation, the practice has been penalized $100,000 and is required to remove identifying patient information from its public website and implement appropriate HIPAA policies and procedures.
Steps to help compliance
There are important lessons to be learned from these providers. You can reduce your chance of HIPAA violations by incorporating these steps into your compliance policies:
- Perform an annual risk assessment as required by §164.308(a)(1) (the security management process standard) of the HIPAA regulations. You can identify risks by following the path that electronic data takes through your organization.
- Using the results of your risk assessment, encrypt all portable devices used to store or communicate ePHI, such as smartphones, tablets, laptops, and USB drives.
- Communicate your risk assessment results to your employees, and ask them to help devise strategies to improve the results. Generally, staff members want to be involved in the decision-making process when an organization introduces cultural changes. In addition, develop accountability measures that reward staff for making compliant choices. Educated employees have the tools and guidance to understand the consequences of their actions.
- Periodically identify gaps that might allow for unauthorized use, disclosure, modification, or loss of data. If you find an area of vulnerability, take corrective action immediately.
- Update your policies, procedures, and training materials. If your materials were last updated before 2009, then you are at risk for a penalty assessment. Last year, the OCR created a HIPAA audit program that can be used as a guide for updating your materials.
Creating a culture of compliance
Developing and acting on a plan based on your specific risks will help you create a culture of compliance, as suggested by the OCR. Health care leaders should understand the risks they face and use that knowledge to implement a culture change.
Most employees want to work for an organization with a culture they can relate to — one with integrity, a commitment to compliance, and incentives for accountability. Patients want to be treated by an organization that respects their privacy and protects their information. The technological challenges and the current risk environment are real, but taking steps to reduce the risk of penalties can yield major strategic benefits for your organization.
Juli Ochs, Health Care Engagement Director
firstname.lastname@example.org or 612-397-3011