Four lessons learned from OCR HIPAA enforcements

Rita Bowen, MA, RHIA, CHPS, SSGB -

Protected Health Information (PHI) breaches occur for many reasons besides cyberattacks. In fact, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR), which leads breach investigations, has reported several significant resolution agreements and civil money penalties (CMPs) since 2009 for breaches unrelated to cybercrime.

These investigations yield valuable lessons for healthcare organizations and other Covered Entities (CEs) wanting to better protect patient information and reduce breach risk.

Highlighted here are four lessons from recent OCR HIPAA enforcements:

1. Implement administrative safeguards for ePHI
Administrative safeguards are the internal policies and procedures that serve as the foundation for preventing non-compliant PHI and electronic PHI (ePHI) access or disclosure. One essential administrative safeguard is conducting and updating a risk analysis. This involves an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI. Routinely conducting these assessments can help in avoiding breaches, like the 2016 incident at the Feinstein Institute for Medical Research.

The breach, reported in 2016, resulted from the theft of a laptop computer containing the ePHI of approximately 13,000 Feinstein patients and research participants from an employee's car. A later investigation found Feinstein failed to conduct an accurate and thorough risk analysis of its ePHI and to implement policies and procedures for granting access. Feinstein paid $3.9 million as part of its resolution agreement,1 but was by no means alone in the violation. More than 20 organizations were cited in 46 resolution agreements and CMPs for not conducting proper risk analysis since 2009.

2. Follow the Minimum Necessary Rule
Disclosing a patient's entire record in response to a Release of Information (ROI) request is not always needed, nor is it HIPAA compliant. Authorizations and request letters should be utilized collectively to answer requests for information with the minimal amount of patient information to fulfill the need. To avoid violating the Minimum Necessary Rule, organizations' information governance (IG) plans should include provisions for mapping patient information access based on employees' assigned job duties and modified with job changes. These privileges need to be removed when an employee leaves an organization.

Neglecting to remove such access caused a breach at Triple-S Management Corp in 2015. Former employees were able to access a restricted database containing ePHI because their access rights had not been terminated. For this violation, as well as other HIPAA violations, Triple-S paid a $3.5 million settlement to the OCR.2

In addition to mapping patient information access in the IG plan, organizations should consider conducting Minimum Necessary Rule audits. There is technology available to monitor access and deliver activity notifications. This technology can assist in performing audits, which can help determine if employees have the appropriate permissions based on their job duties and if access has been properly removed where applicable.

3. Implement training and testing for long term prevention
Proper training for employees on policies and procedures, new HIPAA regulations, the Minimum Necessary Rule and cyberattack attempts is crucial when ROI is conducted in-house.

CEs should evaluate employee knowledge and compliance through scheduled testing and the use of unannounced simulated PHI disclosure request forms containing incomplete information or errors to observe how employees respond. Organizations can also send out simulated phishing attack emails, testing training efficacy and compliance with cyberattack protocols.

Based on this testing, further education and training can be performed as warranted. Training, however, should be a continual process for all employees, not just those requiring more support.

4. Prevent impermissible uses and disclosure of PHI
HIPAA gives many permissible reasons to use or disclose PHI, including, but not limited to, treatment, payment or healthcare operations. There are, however, many more reasons why PHI should not be accessed or disclosed.

For example, employees at Shasta Medical Center discussed a patient's PHI with a newspaper after the patient disclosed her records to another media organization. The CE released her records, claiming the patient waived her privacy rights by speaking to the media first. The OCR disagreed, and Shasta paid a $275,000 settlement.3

From an impermissible access perspective, employees of the University of California at Los Angeles Health System (UCLAHS) accessed ePHI of two celebrity patients, but, according to the OCR's investigation, the organization did not properly train employees on the impermissible access, nor did it implement appropriate security measures or sanctions. UCLAHS was charged an $865,000 resolution payment as a result.4

Partners offer tools and knowledge
Regardless of the type of breach, it is clear from these OCR enforcements that proper employee training and compliance is an organization's best defense. To support employees and mitigate breach risk, hospitals and health systems should consider partnering with a PHI disclosure management firm. The partner will hire, train and retain staff to ensure accuracy, quality and compliance when disclosing PHI, and assist in the organization's breach prevention efforts.

These partners should also offer HIPAA and state regulation expertise, as well as multiple layers of quality assurance through redundant quality checks, including the use of record integrity applications to assist staff in checking for comingled records.

Having the right people and the right tools will protect patient privacy and an organization's bottom line.

About the author:
Rita Bowen, MA, RHIA, CHPS, SSGB, is vice president, privacy, compliance and HIM policy for MRO Corp.

1 http://wayback.archive-it.org/3926/20170128215437/https://www.hhs.gov/about/news/2016/03/17/improper-disclosure-research-participants-protected-health-information-results-in-hipaa-settlement.html
2 http://wayback.archive-it.org/3926/20170128164641/https://www.hhs.gov/about/news/2015/11/30/triple-s-management-corporation-settles-hhs-charges.html
3 https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/SRMC/press-release/index.html
4 http://wayback.archive-it.org/3926/20140108162127/http://www.hhs.gov/news/press/2011pres/07/20110707a.html

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.

Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.