In a recent press release, the federal Office for Civil Rights (OCR) announced it concluded 2018 with a record of $28.7 million from the settlement of 10 cases and the winning of a judgment in another regarding HIPAA compliance violations. The amount was 22% greater than its previous high of $23.5 million in 2016.
These numbers reflect a few things. First, OCR is not afraid to investigate when a breach has occurred. Second, once OCR starts an investigation, Pandora’s Box is opened. Third, fines are increasing over time. Finally, many health care organizations generally do not comply with some basic HIPAA tenets.
The list of offenses OCR found, and fined for, this past year includes the unintentional breach of electronic protected health information (PHI) visible from organizations’ websites, lack of business associate agreements, stolen laptops, employees falling for phishing attacks, and former employees gaining access to data.
HIPAA compliance solution providers are finding that practices frequently fall short on basic HIPAA requirements, but not necessarily because of willful neglect, according to Marc Haskelson, President and CEO of Compliancy Group, LLC. “They aren’t in compliance primarily because people really think what they have in place is adequate,” he said.
Unfortunately, many are wrong. Just a few years ago, OCR performed a limited number of desk audits to see where providers stood on the regulations. Out of 166 audits, more than 94% failed to demonstrate they had adequately covered the main HIPAA regulations.
The findings do not surprise solution providers like Haskelson. One of the most common things he hears from clients is they get lost in health care alphabet soup and assume that meeting the requirements for MIPS (Merit-based Incentive Payment System) or MACRA (Medicare Access and CHIP Reauthorization Act of 2015) makes them compliant with HIPAA. This is not the case, however.
It may be helpful for providers to look at simple guides such as the one on Compliancy Group’s website (https://compliancy-group.com/). It has 7 questions that can give someone an idea of whether their program is compliant or needs work. Physicians are asked:
- Have you done the major audits and assessments required under HIPAA (there are 6)?
- Have you identified all gaps uncovered by the above audits and documented deficiencies?
- Have you created remediation plans to address those deficiencies?
- Have all staff members undergone annual HIPAA training?
- Do you have policies and procedures that address the HIPAA privacy, security and breach notification rules?
- Have you identified all vendors and associates?
- Have you defined a process for investigating and tracking incidents or breaches?
“If they aren’t addressing all of these components, their compliance is just not sufficient,” Haskelson said.
At Fortified Health Security, based in Franklin, Tennessee, staff performed about 125 HIPAA audits this past year. Company president Dan Dodson said he has a good sense of what people fail to do on the compliance front. And it is usually the basics.
“Although the HIPAA requirements are black and white, there are many variables that affect an organization from becoming and maintaining HIPAA compliance,” Dodson said. “Oftentimes, they confuse buying the latest technology with being compliant, when in fact they should be focused on how their people, processes, and technology are being used in conjunction to advance their compliance posture.”
For instance, the largest settlement of 2018, and in the history of HIPAA enforcement, was Anthem’s $16 million fine. It could have been prevented by patching (updating) their system, which Dodson calls “pretty basic stuff.”
To show OCR they are serious about compliance, providers need to perform an annual assessment that identifies threats. This risk analysis is the heartbeat of any security program, Dodson said. Various options are available to help practices complete an assessment. These include a free, downloadable tool provided by the Department of Health and Human Services (HHS) that groups can fill out themselves. Other tools are automated programs that allow an office to download information, have it assessed and receive a report regarding their status. Finally, consultants can come into an office and perform a personalized, detailed assessment. These can cost tens of thousands of dollars, depending on the size and scale of the organization.
After performing an assessment, health care organizations need to have an ongoing remediation program that addresses gaps uncovered in the assessment. Putting a plan in place to close gaps and begin making improvements goes a long way toward not getting fined should a breach occur, Dodson said.
Aside from the obvious advantage of not having a breach and/or eliciting fines from OCR, HIPAA compliance helps organizations run better, Haskelson said. Risk assessments force organizations to evaluate their privacy and security strategies, which is generally good for a practice.
An effective compliance program also helps increase patient loyalty, and better employee training can make your patients more satisfied that their data is being kept safe and secure, he said. It can also improve a group’s chances of selling their practice if they are on the market. If an organization is on OCR’s “wall of shame” after a breach, it tarnishes their reputation. “Private equity folks go after offices that are compliant,” he said.
A poor HIPAA program that leads to a breach can make an organization less desirable to patients as well. “One of the things people mistake is the whole brand damage that happens when they have a breach,” Dodson said.
Health care is increasingly becoming about consumer engagement and choice. Studies have found that up to 40% of patients would change practices if a breach occurred at their current doctor’s office, Dodson said.
“Imagine the ramifications not only in the context of OCR,” he said. “If 40% of patients go elsewhere, most practices couldn’t survive. But what if it was only 5%? Most organizations couldn’t even survive that.”