The Health Insurance Portability and Accountability Act (“HIPAA”) and its 2009 Amendment and implementing regulations are a source of continuing compliance issues for health care providers and their business associates. It is more likely than not that your organization will eventually experience a data breach. The question is whether your organization will be prepared for the potential consequences.
Before delving further, it is worth noting that a breach should not be synonymous with blame or wrongdoing. A breach under HIPAA is defined as “the acquisition, access, use, or disclosure of protected health information [“PHI”] in a manner not permitted [under the HIPAA Privacy Rule] which compromises the security or privacy of the [PHI].” Breaches are a regular occurrence and often difficult to prevent, even with the most robust compliance program.
While there is no way to obtain an exact figure for the frequency of HIPAA data breaches, statistics from the Office for Civil Rights (“OCR”) are instructive. OCR is a part of the U.S. Department of Health and Human Services (“HHS”) and is responsible for investigating compliance with HIPAA. According to OCR’s website, OCR has investigated and resolved 220,000 complaints under HIPAA in the last sixteen years. 27,000 of those investigations resulted in active investigation and intervention by OCR in the form of corrective actions and technical assistance. Intuitively, it is difficult to deny the likelihood of a HIPAA breach occurring in any organization. Has anyone in your organization ever accidentally sent a letter to the wrong address? Has anyone lost a phone or laptop with work information on it or let some information slip in conversation? Occasional occurrences are difficult to prevent. Mistakes and errors are inevitable.
It is worth noting that these occurrences are not automatically deemed a breach. Organizations should analyze the particular facts and circumstances with their counsel to make that decision. Regardless of fault or when the breach occurs, however, breaches often expose lapses or gaps in an organization’s compliance efforts. Incidents can also trigger investigations or audits by OCR, the involvement of law enforcement, fines, coercive corrective action plans, and even private lawsuits under New York General Business Law § 349, among other legal headaches.
The OCR is a source of steady news about the latest high-profile HIPAA investigations and enforcement. At the end of 2019, OCR reported that it imposed a $2,150,000 penalty on a not-for-profit health system as a result of an incident in which an employee inappropriately accessed and sold patient information. OCR found that the health system had failed to timely submit a breach notification, conduct enterprise-wide risk analyses, manage identified risks to a reasonable and appropriate level, regularly review information system activity records, and restrict workforce members’ access to ePHI to the minimum necessary.
Although organizations are regularly found to lack adequate policies and procedures, in this case, there was no mention of inadequate policies. It was the health systems’ practices that were deemed inadequate. Under 45 C.F.R. §§ 164.404-414, individuals and organizations subject to HIPAA, not OCR, bear the burden of proving that required notifications of a breach are made on time. They also bear the burden of proving whether or not any particular acquisition, access, use, or disclosure was a breach. Faced with such odds, individuals and organizations subject to HIPAA are better served to ensure they have compliant policies and procedures and that those policies and procedures are effectively implemented.
A lack of adequate risk analyses is a recurring theme in many OCR investigations. Risk analysis is a mandatory part of the HIPAA administrative safeguards under 45 C.F.R. § 164.308. As are risk management and information system activity review. HIPAA does not contain many mandatory security standards, such as requiring a specific standard for computer operating systems, security software, or other specific security measures. Instead, the HIPAA administrative safeguards require that organizations conduct risk analyses for any “potential risks or vulnerabilities to the confidentiality, integrity, and availability or electronic [PHI]” and “implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level” as part of the organization’s ongoing risk management.
In simpler terms, organizations subject to HIPAA must ensure that they are actively identifying risks to PHI and, after careful consideration, selecting and implementing measures to minimize those risks. While risk analysis is one important aspect of HIPAA compliance, it is one specification among many, all of which must be met to avoid a similar fate as the not-for-profit health system discussed above.
To appropriately assess whether your organization is complying with HIPAA, a gap analysis is essential. Many organizations are performing some portion of their compliance obligations very well. It is likely, however, unless you have recently conducted a gap analysis, that current policies and practices require improvement.
Perhaps your organization is excellent at ensuring that protected health information is only disclosed to permissible individuals under permissible circumstances, but do you have an adequate security awareness and training program? You hired an IT firm last year to conduct a risk analysis of your electronic information system, but do you have a policy and procedures describing when and how to complete a risk analysis? Did your organization implement new safeguards in response to the results of such risk analysis and document those determinations? Was the risk analysis and response part of a larger mandatory risk management policy? Do you have an access authorization policy or a policy and procedures for information system activity review? Are your policies and procedures being implemented? One of these issues may be the source of your next compliance headache.
This Legal Briefing is intended for general informational and educational purposes only and should not be considered legal advice or counsel. The substance of this Legal Briefing is not intended to cover all legal issues or developments regarding the matter discussed. Please consult an attorney to ascertain how the applicable law may relate to you or your business. © 2020 Law Offices of Pullano & Farrow PLLC