The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) regularly issues press releases announcing recent Health Insurance Portability and Accountability Act (HIPAA) settlements and enforcement actions. For example, just a few weeks ago, HHS issued a release stating that a Texas health system agreed to a $2.4 million settlement and a corrective action plan for disclosing a patient’s protected health information (PHI) without authorization. Settlements like this should serve as a wake-up call and a reminder that all health care organizations, including their business associates, need to re-examine their HIPAA and data privacy compliance efforts to reduce the likelihood of an OCR investigation.
Following are some actions health care organizations should take:
- Ensure the organization’s compliance program does what it is supposed to do. Many organizations have HIPAA compliance programs and data security policies and procedures that look good on paper but are not effective in practice. CIOs and IT administrators should review recently issued government guidance to evaluate the effectiveness of their organizations’ compliance programs. Such documents include the Department of Justice Fraud Section’s Evaluation of Corporate Compliance Programs and the HHS Office of Inspector General’s resource guide on measuring compliance program effectiveness, which contains hundreds of questions useful for gauging whether a program actually works.
- Have an up-to-date, documented risk analysis and risk mitigation plan in place. The HIPAA Security Rule requires covered entities and business associates to perform an accurate and thorough assessment of the risks to electronic PHI and to document how those risks will be managed. It is critical for privacy and security officials to make sure their risk analyses are thorough, documented, and updated regularly, and that the organization follows a documented plan to actually address the risks it identifies. Take the case of a federally qualified health center that reached a $400,000 settlement with HHS OCR. The health center allegedly had not conducted a risk analysis until 2012, and only after it experienced a data breach; its subsequent risk analyses were found insufficient to meet the requirements of the HIPAA Security Rule.
- Review state laws. HIPAA sets a floor, not a ceiling: it preempts only state laws that are contrary to it (for example, where it is impossible to comply with both), and state laws that provide greater privacy protection or give patients greater access to their records remain in force. It is essential that companies operating in multiple states examine the many state laws that apply to health care information. These laws change frequently, and conducting multi-state surveys of applicable laws can be an expensive and time-consuming process. Because state attorneys general and other regulatory and law enforcement agencies enforce the laws in their states, keeping up with relevant state laws is important.
Caitlin Morgan specializes in insuring health care organizations – from medical facilities to independent living facilities, nursing homes, assisted living, CCRCs and others. We provide everything from General Liability and Professional Liability insurance to Cyber Liability, D&O, EPLI and other key coverages. For more information about our products, please give us a call at 877.226.1027.
Sources: Holland & Knight, LLP, HHS