Higher fines, increased enforcement of HIPAA on the way

June 18, 2014
HHS attorney says many healthcare organizations fail to perform a thorough risk analysis

The federal government plans to step up its enforcement of the Healthcare Insurance Portability and Accountability Act (HIPAA) in the coming months and levy higher fines against those organizations that run afoul of the law.  According to an article recently published by Law360, Jerome B. Meites, chief regional civil rights counsel for the Chicago area at the U.S. Department of Health and Human Services (HHS), told attendees at an event held last week by the American Bar Association that the past year will “pale in comparison” to the next 12 months of enforcement.

Over the last 12 months, HHS OCR has published nine resolution agreements that have resulted in over $10 million in monetary settlements, including a record $4.8 million monetary settlement announced in May 2014. 

"Knowing what’s in the pipeline, I suspect that that number will be low  compared to what's coming up,"Meites was quoted as saying in the article.

The increase in OCR enforcement activity may be attributable to OIG’s November 2013 report regarding OCR oversight and enforcement of the HIPAA Security Rule. The report focused on the shortfall in OCR’s action to ensure covered entity compliance with the Security Rule.

According to Mr. Meites remarks, OCR is still working to identify which organizations will be audited from a list of over 1,200 candidates. Eight-hundred of these candidates are covered entities—health care providers, health plans, or health care clearinghouses—and the other
400 will be businesses associated with the care providers, including storage companies, external networks and applications.

The list of HIPAA fines has been studied by healthcare companies who are trying to avoid a fine, but according to Meites remarks, that may now be more difficult.  They have included the latest state, Alaska, a small hospice in Idaho, a physicians practice in Arizona, and health insurance companies, as well as hospitals and clinics.  They are also geographically distributed, using all the different federal regions.

The area of securing mobile devices was also mentioned in his comments. I was in New England last January at a health provider’s corporate office and when we went out to the recently snow-plowed parking lot, there was a flash drive lying on the ground. And of course, it had protected health information (PHI) on it. Luckily, the security director was there with me.

According to Meites, “"Portable media is the bane of existence for covered entities. It causes an enormous number of the complaints that OCR deals with." These comments regarding portable media (e.g., phones, usb drives, laptops, etc.) are not surprising considering that of the 18 published actions, seven involved the loss of unencrypted devices.

Mobile devices have proved very difficult for most organizations to secure, including memory sticks, flash drives, laptops, smartphones and even paper file folders and CDs, all full of PHI. Per an HHS Office of Civil Rights (OCR) report to Congress on breaches of unsecured PHI in 2011 and 2012, mobile devices were among the most prominent locations where PHI was stored in the 222 reported breaches to OCR in 2012 and included:    

  • Laptop computers (60 reports affecting 654,158 individuals);
  • Other portable electronic devices (20 reports affecting 463,702 individuals);

Mr. Meites also made a recommendation on how to avoid an enormous fine. He said that when they went in to investigate a breach, many of the organizations had not done an accurate and thorough risk analysis, which is supposed to be step number one. Meites implied that not having the risk analysis made a fine that much more likely.

He also noted "that failure to perform a comprehensive risk analysis, as required under HIPAA, has factored into most of the relatively few cases in which breaches actually resulted in financial settlements and not just corrective actions."

"You really have to think carefully about what a risk analysis involves, and it can’t just be the obvious," Meites said. "Everywhere in your system where [patient information] is used, you have to think about how to protect it."

Another related area to watch is “Meaningful Use.”  The CEO or CIO has to sign an attestation that the organization has completed a risk assessment on their electronic record, and then the organization can qualify for an incentive payment of a million dollars or more.  But the risk assessments may not be thorough, and if the regulators feel the risk assessment was not adequate, they will reach back and take the incentive bonus back.  

They can also prosecute the organization for fraud and possibly impose criminal charges.  According to the Dallas Morning News, this happened to a Texas hospital CFO, Joe White, who was indicted and now facing prison time and hefty fines for attesting without a proper risk assessment. 

HIPAA regulators are under pressure from Congress to produce results, and they will continue to tighten the audits, examine all risk analyses and risk assessments in minute detail, and impose hefty fines to reduce the number of breaches which continues to grow and affect more U.S. citizens.