In the process of doing research for a client, I stumbled across a copy of the Federal Register, dated Thursday, December 28, 2000/Vol. 65. No. 250/Rules and Regulations.
A section in the Federal Register intrigued me. It states “Concerns about the lack of attention to information privacy in the health care industry are not merely theoretical. In the absence of a national legal framework of health privacy protections, consumers are increasingly vulnerable to the exposure of their personal health information. Disclosures of individually identifiable information can occur deliberately or accidentally and can occur within an organization or be the result of an external breach of security.”
Was this statement, made in the year 2000, prescient?
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996, and the Health Information Technology for Economic and Clinical Health Act (HITECH) was signed into law in 2009.
Before HITECH, between 2003 and 2008, HIPAA’s enforcement model was characterized as a “cooperative” model. The goal of the Office for Civil Rights (OCR), a division of the U.S. Department of Health and Human Services (HHS), was to assist organizations in becoming compliant, not to levy fines or penalties.
More than 33,000 complaints had been filed with the OCR by 2008. Of the 8,000 investigated, corrective action was taken in 5,600 instances, with no fines issued.
The previously mentioned Federal Register gave nine examples of privacy breaches. Here are just a few:
“A Michigan-based health system accidentally posted the medical records of thousand patients on the Internet. February 10, 1999.”
“The health insurance claims forms of thousands of patients blew out of a truck on its way to a recycling center in East Hartford, Connecticut. May 14, 1999.”
“A speculator bid of $4000 for patient records of a family practice in South Carolina. Among the businessman’s uses of the purchased records was selling them back to former patients. August 14, 1991.”
Sound familiar? Remember, these privacy breaches were reported in 1999.
Change began to happen in 2009, when the HITECH Act was signed into law, increasing penalties and mandating compliance audits to be performed by HHS. Congress made it clear that HIPAA enforcement should have more teeth and that OCR should be issuing fines. A change in approach began: one of enforcement.
From 2003 to 2014, the number of HIPAA complaints received by the OCR exceeded 100,000. Thus far, only 22 cases have resulted in fines. However, the number of complaints requiring corrective action was 3,361 in 2012 and 3,470 in 2013.
The Omnibus Final Rule was issued in January 2013. An HHS press release stated, “The U.S. Department of Health and Human Services (HHS) moved forward today to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).” It continued, “The changes announced today expand many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors. Some of the largest breaches reported to HHS have involved business associates. … noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.”
Since the Final Rule was issued in 2013, enforcement action has increased, with an average penalty of $678,656 in 2013 and $1,398,044 in 2014.
HHS provides a wealth of information and a “roadmap” through the resolution agreements posted on its website. These agreements give organizations revealing information that can assist them with their HIPAA compliance programs. The top three lessons they point to are: 1) encrypt, 2) conduct risk assessments, and 3) provide regular, substantial workforce training.
As we look in the “rear view mirror”, HITECH has strengthened HIPAA in many ways, making it the formidable and powerful regulation needed to protect patients’ privacy rights.
Judith is an accredited Certified HIPAA Professional (CHP). As the owner of JAL, Judith is your subject matter expert, providing guidance to organizations on HIPAA, GLBA, the False Claims Act and other regulatory requirements. Judith provides reasonable and appropriate compliance policies and procedures for your Compliance Program. As a guru in compliance, Judith delivers compliance employee training programs and participates in educational speaking engagements for the industries that handle Protected Health Information. To read more about the world of compliance, subscribe to JAL’s insightful newsletter at www.jalconsultantsaz.com or follow JAL on Twitter @judithconsult
Personal Information Collected Online
• Personal Information means personally identifiable information such as information provided via forms, surveys, applications or other online fields, including name, postal or email addresses, telephone, fax or mobile numbers, or account numbers.
• Before or at the time of collecting personal information, JAL will identify the purposes for which the information is being collected.
• JAL will collect and use personal information solely for the purpose of fulfilling specific contracted engagements or for other compatible purposes, unless consent is obtained from the company and/or individual concerned or as required by law.
• JAL will retain personal information as long as necessary for the fulfillment of a specific contract or for a specific purpose.
• JAL will collect personal information as deemed lawful and, where appropriate, with the knowledge and/or consent of the individual or company.
• Personal data should be relevant to the extent necessary for those purposes and should be accurate, complete and up-to-date.
• JAL will protect personal information by reasonable safeguards against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.
• JAL will make readily available to customers information about our policies and practices relating to the management of personal information.
Terms and Conditions
JAL is committed to conducting our business in accordance with these principles in order to ensure that the confidentiality of personal information is protected and maintained. By accessing this website, you agree to and are bound by these Website Terms and Conditions of Use and all applicable laws and regulations. If you do not agree with these Terms and Conditions, you are prohibited from using or accessing this website. The materials contained in this Web Site are protected by all applicable copyright and trademark laws.
Our Online Notices are subject to change. Please review them periodically. If we make changes, we will revise the “Last Updated” date at the top of this Notice. Any changes will become effective on the date the revised Notice is posted on the Site.