The Importance of Being Earnest – Why HIPAA and HITECH Compliance Matters

Rachel V. Rose, JD, MBA

This auditing and compliance “Tip of the Week” was originally published by the National Alliance for Medical Auditing Specialists (NAMAS), a division of DoctorsManagement.

2018 was a banner year for the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) in terms of enforcement activity under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Awards for the ten cases that settled totaled $28.7 million, which surpassed the previous record, set in 2016, by nearly $5.2 million (1).

One of the settlements was against Cottage Health, a hospital system in California, for $3 million for breaches related to the “unsecured electronic protected health information (ePHI) affecting over 62,500 individuals, one in December 2013 and another in December 2015.” (2) What’s significant is the underlying violations of the Security Rule that led to the two breaches. Breach No. 1 occurred when the ePHI server was accessed through the internet. The requisite security configuration settings, which included the use of a unique username and password, were not activated. As a result, ePHI containing a variety of individual identifiers (i.e., names, birth dates, conditions, diagnoses, lab results, etc.) was accessed. Breach No. 2 resulted from a server being misconfigured during an IT response to a “troubleshooting ticket”. In turn, unsecured ePHI was exposed over the Internet.

I’d like to pose a question to you, the reader. Have you ever reported a breach related to your own organization or received an investigative letter from OCR? If you have encountered either of these two scenarios, then you know that the “horse is already out of the barn” in relation to compliance matters that should have been addressed and adhered to for nearly two decades.

The purpose of this tip is to provide a semblance of what should be done to mitigate risk based upon the findings of past settlements and judgments. (3)

Factors to Consider in Risk Mitigation

Receiving a notice from OCR or self-reporting is never pleasant. As my clients have learned, OCR often does a “deep dive” and conducts a very thorough investigation, which can result in records being reviewed that date back years before the date of the breach or alleged incident.

Cottage Health’s situation provides a “teaching moment” and insight into what OCR homed in on. The relevant areas include:

  • Failure to conduct an adequate, accurate and comprehensive assessment of the potential risks and vulnerabilities to secure the confidentiality, integrity and availability of the data;
  • Failure to implement security measures to reduce risks and vulnerabilities to a “low level”;
  • Failure to perform both technical and non-technical evaluations in relation to technical, administrative and physical safeguards required by the Security Rule; and
  • Failure to obtain written business associate agreements. (4)

Since risk can be defined as the product of probability times severity, has your organization taken adequate steps to assess its compliance with the Security Rule? In the event of an audit, an investigation or a breach, the clock cannot be moved back. In order to be proactive and mitigate risk, an organization should address the issues identified in the Cottage Health scenario.

In order to avoid becoming an OCR statistic and potentially facing a private lawsuit by those individuals whose information was breached, entities should conduct a thorough risk analysis, ensure that business associate agreements are in place for all entities that create, receive, maintain or transmit information, undergo annual training, encrypt data both at rest and in transit, and update comprehensive policies and procedures in accordance with the National Institute of Standards and Technology (NIST). Breaches are costly from a financial, emotional, reputational and legal standpoint. Care should be taken to ensure compliance before a breach notification arises – by then, it’s too late.

Rachel V. Rose, JD is a Houston-based attorney advising on federal & state compliance and areas of liability associated with a variety of healthcare, legal and regulatory issues.
(1) HHS, OCR Concludes All-Time Record High Year for HIPAA Enforcement with $3 Million Cottage Health Settlement (Feb. 7, 2019).
(2) Id.
(3) HHS, OCR Concludes 2018 with All-Time Record Year for HIPAA Enforcement (last visited Apr. 2, 2019).
(4) Cottage Health, Resolution Agreement with OCR (last visited Apr. 2, 2019).
