Just over 20 years ago, President Bill Clinton signed HIPAA into law. Over that period the act has been honed through a combination of legislation and rulemaking (such as the 2013 Omnibus Final Rule) and enforcement actions by the Office for Civil Rights (OCR).
While new legislation or regulation changes the face of the law overnight, enforcement actions can have just as much effect on your practice and are harder to stay current with. Over the last two years, the OCR's enforcement tactics and priorities have changed significantly.
2015-16: A Surge of HIPAA Enforcement by the OCR
For many years HIPAA was regarded as a set of laws "with no teeth". Today that is a dangerous misconception.
In the last two years, the OCR has collected $38,449,620 in settlements, approximately four times the amount it collected in the previous 18 years combined. Even within those two years there has been a significant uptick: $27,974,400 was collected in 2016, up from $10,475,220 in 2015, nearly three times as much.
While the size of penalties has risen sharply, the OCR has also become more selective about formal action. In 2015-2016 only 1,303 complaints resulted in the OCR requiring corrective action, about 20% of the 2013-2014 figure.
That drop does not mean covered entities became more responsible. Over the same two years the OCR adopted a policy of intervening early and providing technical assistance rather than opening a formal case; 9,293 complaints were resolved this way.
The Extended Reach of HIPAA
When the Omnibus Final Rule took effect in 2013, a multitude of businesses, most notably business associates and their subcontractors, came directly under HIPAA jurisdiction. In several recent actions the OCR has shown it intends to enforce that extended reach. Some examples include:
- The OCR settled with a county government for the first time.
- A judge ruled that a covered entity had to pay the OCR civil money penalties for only the second time ever.
- The OCR went after a hybrid entity for the first time.
- The OCR leveled their first enforcement for lack of timely breach notification.
Most importantly, in March 2016 the OCR launched Phase 2 of its HIPAA audit program. Drawing on the results of its 2011 and 2012 pilot audits, the OCR is examining both covered entities (CEs) and business associates (BAs), checking whether they meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. These audits are primarily desk audits, although some on-site audits will be conducted.
Implications of this New Scope of Enforcement
The OCR is a meticulous enforcement body and its enforcement powers keep growing. That said, it is showing more leniency toward, and willingness to work with, organizations that appear to be making a good-faith effort. A robust, documented HIPAA compliance program can be the difference between the OCR offering technical assistance and leveling a heavy fine.
In the last two years, 18 cases were severe enough to merit a monetary settlement or civil money penalty.
When we examine these cases some patterns emerge:
- 13 were due to lack of encryption or inadequate firewall protection.
- 9 of those 13 were due to the loss or theft of unencrypted laptops or other portable storage devices holding ePHI. Encryption is an "addressable" specification under the Security Rule, so if you choose not to encrypt you must document why and what equivalent measure you use instead; and only ePHI encrypted in line with HHS guidance counts as "secured" PHI whose loss does not trigger breach notification.
- 3 cases involved old-fashioned paper PHI; ePHI can't be your company's only focus.
The OCR has published its own analysis of the five compliance issues most often found in complaints that required corrective action:
- Impermissible uses and disclosures of protected health information;
- Lack of safeguards of protected health information;
- Lack of patient access to their protected health information;
- Lack of administrative safeguards of electronic protected health information; and
- Use or disclosure of more than the minimum necessary protected health information.
You can be sure these will be the first things the OCR looks for in an audit. Fortunately, an organization-wide gap assessment, paired with the documented risk analysis the Security Rule already requires, can find these weaknesses before the OCR gets involved.
Takeaways
- Between 2015 and 2016, HIPAA settlement dollars nearly tripled, and enforcement can be expected to keep increasing.
- Preparation is key for the possibility of an audit under the OCR’s Phase 2 Audit Program.
- The OCR is interested in all entities touched by HIPAA (including hybrid entities and business associates), not just large healthcare providers.
- Organizations with small breaches should prioritize corrective actions, as the OCR will be looking more closely in the future.
Does all this talk of OCR enforcement give you compliance anxiety? Gazelle Consulting is here to help!
Give us a call at (503) 389-5666 or email us at info@gazelleconsulting.org to go over your compliance and see how you can protect your PHI, and avoid costly fines!