April 25, 2018

The secured email protocols and other measures designed to protect sensitive patient information that hospitals and billing companies have implemented during the past few years can seem like a hindrance, but they’re necessary in the age of instant access to information—and cybercrime.  They’re also required by law. With the threat of penalties and fines for breaches of protected health information (PHI) and electronic PHI (ePHI) under the Health Insurance Portability and Accountability Act (HIPAA), these privacy and security controls have become the new norm.

All covered entities and their business associates are exposed to civil and criminal penalties if they don’t adhere to the proper administrative, technology-related and physical processes and procedures to safeguard PHI privacy and security required under HIPAA.

As the numbers and case examples show, covered entities, including medical groups and clinicians, can’t be too careful when it comes to HIPAA compliance, which includes conducting periodic security risk assessments and having policies and practices in place for safeguarding PHI.

We often think of this data in terms of electronic files; however, for many practices, PHI is still (or also) in paper form.  Consider, for example, the physician who brings some medical records home or takes them from one facility to another and leaves them in the back seat of a car.  Whenever any of the data elements that constitute PHI are in a clinician’s or employee’s possession, that person is responsible for protecting it, by, for example, placing it in a briefcase or an envelope that closes or something that covers the information, or locking it in the trunk of the car if the information will be temporarily left behind.  Once an individual has the PHI, it is their responsibility to protect it.

Know Key Data Elements

Under HIPAA, PHI that is based on the following list of 18 identifiers must be treated with special care:

1. Names
2. All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
3. Dates (other than year) directly related to an individual
4. Phone Numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health insurance beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Uniform Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger, retinal and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data

The Health and Human Services Office of Civil Rights (OCR), which is responsible for enforcing HIPAA, reports that, as of January 31, 2018, it has settled or imposed civil monetary penalties in 53 cases totaling more than $75.2 million since the HIPAA Privacy Rule went into effect in 2003.  OCR has received more than 173,000 complaints, investigated more than 37,000 of those complaints (of which more than 25,000, or 69 percent, led to corrective action) and initiated an additional 871 compliance reviews.  (In approximately 11,000 additional investigations, no violations were found.)

Enforcement Persists

At the 2018 meeting of the Health Information Management Systems Society (HIMSS), OCR Director Roger Severino said that although the second round of HIPAA audits has ended, there is “no slowdown in our enforcement efforts.”  He emphasized that these enforcement efforts include entities of all sizes, including the “smaller and quiet” entities as well as the larger ones, stressing that entities that hold PHI “need to treat it like gold.”

If an OCR investigation determines that no violation has occurred, the findings are documented and the case is closed.  However, if violations are identified, the covered entity may be required to: 1) implement voluntary compliance (develop, implement and use processes and procedures to monitor HIPAA adherence); and/or 2) enter into a resolution agreement (a contract signed by the covered entity and OCR), under which the entity must perform various compliance-related tasks and submit to monitoring for up to three years).  A corrective action plan detailing how the compliance plan will be carried out is often developed along with the resolution agreement.  Fines are imposed in some cases, and criminal penalties occur in extreme situations.

In 2017, for example, Children’s Hospital of Dallas paid $3.2 million for failing to implement a risk management plan and to encrypt ePHI on its laptops, work stations, mobile devices and removable storage media until 2013.  The hospital had filed a data breach report in 2010 following the loss of an unencrypted, non-password-protected mobile device and another in 2013 following the theft of an unencrypted laptop.  An OCR investigation revealed that the hospital issued unencrypted mobile devices to nurses and allowed members of the workforce to continue using unencrypted laptops and other devices.

Reports of HIPAA resolution agreements and civil monetary penalties surface regularly on OCR’s website and in news reports, revealing new ways in which privacy and security regulations have been overlooked, misunderstood or neglected.

Top Troublespots

Following are 10 of the most common reasons for HIPAA citations, from Laurie Zabel, CHC, CPC, of MedSafe.  We encourage providers to incorporate consideration for all of these scenarios into their HIPAA compliance plans.

Employees disclosing information, such as employees gossiping about patients to friends or co-workers.

Medical record mishandling, such as leaving a patient chart in a location where another patient can see it.

Lost or stolen devices.  All devices must be password protected and encrypted.  Mobile devices are most vulnerable to theft.

Texting patient information.  Texting is easy and may seem harmless, but it is potentially placing patient information in the hands of cybercriminals.

Social media.  All employees should know that the use of social media to share patient information is a HIPAA violation.

Employees illegally accessing patient files.  Whether out of curiosity, spite or as a favor for a friend, unauthorized access to patient information is illegal.

Social breaches.  An individual may ask innocently about their friend, who is a patient. It is best to have an appropriate response planned well in advance to reduce the potential of accidentally releasing PHI.

Authorization requirements.  Written consent is required for the use or disclosure of an individual’s PHI that is not used for treatment or payment. It is always best to obtain prior authorization before releasing any information.

Accessing patient information on home computers could result in a HIPAA violation if the screen is accidentally left on and a family member uses the computer.

Lack of training.  HIPAA law requires all employees, volunteers, interns and anyone with access to patient information to be trained.

We advise medical groups to check with their hospitals about the facilities’ HIPAA compliance programs as well.

OCR has extensive resources to assist organizations in understanding the requirements and implementing the necessary measures to promote compliance, including a Security Risk Assessment Tool, training materials for employees and staff, and a HIPAA FAQs search tool.