HIPAA in the Rearview Mirror

    In the process of doing research for a client, I stumbled across a copy of the Federal Register, dated Thursday, December 28, 2000, Vol. 65, No. 250, Rules and Regulations.

    A section in the Federal Register intrigued me. It states: “Concerns about the lack of attention to information privacy in the health care industry are not merely theoretical. In the absence of a national legal framework of health privacy protections, consumers are increasingly vulnerable to the exposure of their personal health information. Disclosures of individually identifiable information can occur deliberately or accidentally and can occur within an organization or be the result of an external breach of security.”

    Was this statement, made in the year 2000, fortuitous?

    The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996, and the Health Information Technology for Economic and Clinical Health Act (HITECH) was signed into law in 2009.

    Before HITECH, between 2003 and 2008, HIPAA’s enforcement model was characterized as a “cooperative” model. The goal of the Office for Civil Rights (OCR), a division of the U.S. Department of Health and Human Services (HHS), was to assist organizations in becoming compliant, not to levy fines or penalties.

    More than 33,000 complaints had been filed with the OCR in 2008. Of the 8,000 investigated, 5,600 instances of corrective action were taken, with no fines being issued.

    The previously mentioned Federal Register gave nine examples of privacy breaches. Here are just a few:

    • “A Michigan-based health system accidentally posted the medical records of thousands of patients on the Internet. February 10, 1999.”

    • “The health insurance claims forms of thousands of patients blew out of a truck on its way to a recycling center in East Hartford, Connecticut. May 14, 1999.”

    • “A speculator bid $4,000 for the patient records of a family practice in South Carolina. Among the businessman’s uses of the purchased records was selling them back to former patients. August 14, 1991.”

    Sound familiar? Remember, these privacy breaches were reported in 1999.

    Change began to happen in 2009, when the HITECH Act was signed into law, increasing penalties and mandating compliance audits to be performed by HHS. Congress made it clear that HIPAA enforcement should have more teeth and that OCR should be issuing fines. A change in approach began: one of enforcement.

    From 2003 to 2014, the number of HIPAA complaints received by the OCR exceeded 100,000. Thus far, only 22 cases have resulted in fines. However, the number of complaints requiring corrective action was 3,361 in 2012 and 3,470 in 2013.

    The Omnibus Final Rule was issued in January 2013. The HHS press release stated, “The U.S. Department of Health and Human Services (HHS) moved forward today to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).” It stated further, “The changes announced today expand many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors. Some of the largest breaches reported to HHS have involved business associates. Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.”

    Since the Final Rule was issued in 2013, enforcement action has increased, with an average penalty amount of $678,656 in 2013 and $1,398,044 in 2014.

    HHS provides a wealth of information and a “roadmap” through the resolution agreements posted on its website. These give organizations revealing information that can assist them with their HIPAA compliance programs. The top three measures mentioned are: 1) encrypt, 2) conduct risk assessments, and 3) provide regular, substantial workforce training.

    As we look in the “rear view mirror”, HITECH has strengthened HIPAA in many ways, making it the formidable and powerful regulation needed to protect patients’ privacy rights.

    Judith is an accredited Certified HIPAA Professional (CHP). As the owner of JAL, Judith is your subject matter expert, providing guidance to organizations on HIPAA, GLBA, the False Claims Act and other regulatory requirements. Judith provides reasonable and appropriate compliance policies and procedures within your Compliance Program. As a guru in compliance, Judith delivers compliance employee training programs and participates in educational speaking engagements for the industries that handle Protected Health Information. To read more about the world of compliance, subscribe to JAL’s insightful newsletter at www.jalconsultantsaz.com or follow JAL on Twitter @judithconsult