A series of recent events should remind all health care providers of the importance of reinvigorating their HIPAA compliance programs. Many providers would admit that since the implementation of the privacy rules in 2003 and security rules in 2005, the focus on HIPAA has lessened. After years of virtually no penalties being levied under the rules, regulators have started to step up enforcement with significant penalties and increased prosecutions, at a time when the rules are evolving because of changes made under the American Recovery and Reinvestment Act of 2009. This Alert provides an update on developments regarding the HIPAA privacy and security rules.
Criticism of the Enforcement of Security Regulations
A report of the United States Department of Health and Human Services Office of the Inspector General (OIG) accused the United States Department of Health and Human Services Office of Civil Rights (OCR), and its predecessor the Centers for Medicare and Medicaid Services (CMS), of a lack of rigor in enforcing the security regulations. In July 2009, OCR took over as the enforcer of the HIPAA security rules from CMS. At the time, CMS had failed to levy a single penalty against a violator of the security rules. It had also not audited a single provider, although it had the power to do so. The OIG took it upon itself to perform its own security audits of hospitals in seven states. The OIG identified 151 vulnerabilities in systems and controls intended to protect electronic health information, 124 of which were categorized as "high impact." Among the issues found by the OIG were:
- Inadequate Password Settings
- Computers That Did Not Log Users Off After Inactivity
- Unencrypted Laptops
- Outdated Anti-Virus Software
- Uninstalled Critical Patches
- Operating Systems No Longer Supported By Manufacturer
- Unreviewed Audit Logs
- Inappropriate Sharing of Administrator Accounts
- Unchanged Default User Identification and Passwords
- Lack of E-mail Encryption
- Unsecured Data Center Access
- No Computer Equipment Inventory List so Electronic PHI Could Not Be Tracked
- No Written Plan for Media Disposal
- No Password Protection for Computers on Portable Carts
- Unencrypted Backup Tapes
- Incomplete or No Risk Analysis
- Delayed Termination of Employee Network Access
- Incomplete Disaster Recovery Plans and Contingency Plans
- Unsafe Backup Tape Storage
- Unrestricted Internet Access
Training of State Attorneys General on HIPAA Enforcement
The American Recovery and Reinvestment Act of 2009 gave State Attorneys General the ability to enforce the HIPAA regulations. OCR held four training sessions across the country and paid for two individuals from the Attorney General's Office of each state to attend. OCR also intends to have web-based training. State Attorneys General are expected to be more aggressive with enforcement, as the aggrieved parties will be citizens of their state in most instances. In addition, Breach Notification Laws mandate the reporting of breaches in certain cases, making it easy for regulators to know where investigations should best take place.
Penalties Lodged Against Providers
OCR imposed a $4.3 million fine on a medical group in Maryland and reached a $1 million settlement with a Massachusetts hospital. The $4.3 million fine was related to a failure to release medical records to patients and a refusal to cooperate with OCR's investigation. The settlement came in response to an employee leaving documents on a train and included an extensive, three-year corrective action plan.
Proposed Changes to the Right to Accounting Rules
Proposed changes to HIPAA's accounting of disclosure rules have been released. While it is uncertain what the final rules will include, most agree that these changes will require providers and other covered entities to carefully review their electronic records systems to ensure the capability to comply with the rules when they become final and effective. The proposed rule scales back the number of years for which an accounting must be provided (from six years to three years), scales back the number of days available to respond to a request (from 60 days to 30 days), and introduces the concept of a request for an "access report." An access report is a report that indicates who has accessed electronic protected health information about an individual.
Conclusion
Providers and other covered entities, as well as their Business Associates, should ensure that they have HIPAA compliance programs in place that adequately address their risk areas. Hiscock & Barclay, LLP has experience in assisting providers with HIPAA compliance and other privacy-related efforts, including the provision of training, and with responding to regulatory reviews and investigations.
Should you need assistance in these matters, in the development or update of a HIPAA compliance program, or in understanding any changes to the HIPAA rules, please contact Melissa M. Zambri, Partner in the Firm's Health Care and Human Services Practice Area at (518) 429-4229 or at mzambri@hblaw.com.