Posted on October 01, 2012
On September 17, 2012, the Department of Health and Human Services (HHS) announced that the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (MEEI) agreed to pay an amount of $1.5 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA). As this article describes, this settlement is one of many recent actions that demonstrate the government’s increased commitment to enforcing the HIPAA regulations.
As many in the health care industry are aware, HIPAA regulations (specifically, the Privacy Rule and Security Rule) require health care providers and health care organizations to comply with complex standards in order to ensure the confidentiality and security of patients’ protected health information. Protected health information (PHI) is generally any individually identifiable health information transmitted or maintained by a health care provider or organization. The Privacy Rule sets limits on who can access and receive PHI. The Security Rule protects PHI in electronic form by requiring entities covered by HIPAA to implement and maintain physical, technical, and administrative safeguards. For years, the Office of Civil Rights (OCR), the government agency responsible for enforcing HIPAA, did not aggressively enforce these rules.
On February 19, 2009, however, President Obama signed into law the stimulus package known as the American Recovery and Reinvestment Act (ARRA). Among other things, ARRA contains the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which provides the once dormant HIPAA regulations with newfound power. The HITECH Act increases penalties for HIPAA violations, imposes data breach notification requirements for unauthorized uses and disclosures of unsecured PHI, and extends the legal requirements set forth in HIPAA to third parties performing functions that involve the use or disclosure of PHI (known under HIPAA as “Business Associates”)(1). The HITECH Act also provides State Attorneys General with the authority to bring civil actions to enforce HIPAA violations on behalf of state residents (an authority previously reserved for the OCR).
Much of the increased recent enforcement activity stems from the HITECH Act’s requirement that HHS perform periodic audits to ensure that health care providers, organizations, and business associates comply with HIPAA and the HITECH Act. In November 2011, OCR piloted a program (the OCR HIPAA Audit Program) to perform 115 audits of health care providers and organizations to review selected privacy, security, and breach notification policies.
In July 2012, OCR released the OCR HIPAA Audit Program Protocol utilized by OCR investigators. The protocol covers over 160 areas of performance evaluation, including 81 areas related to the Privacy Rule, 78 areas related to the Security Rule, and 10 areas related to data breach notification. The protocol also demonstrates that OCR has broadened its audit activities to include a review of the use of encryption technology and of requirements related to data breach reporting, including risk assessment processes and the content and timeliness of notifications. Health care providers, health care organizations, and business associates should recognize that, in light of the new enforcement environment, a failure to comply with HIPAA regulations increases the risk of liability. While far from comprehensive(2), the following recent examples of HIPAA enforcement actions serve as a warning to health care providers, health care organizations, and business associates:
(1) Health care entities should note that, in addition to the data breach requirements set forth by HIPAA and the HITECH Act, Pennsylvania maintains its own data breach disclosure law (Breach of Personal Information Notification Act) for a breach of computerized data that materially compromises the security or confidentiality of personal information. See 73 P.S. §§ 2301, et seq.
(2) The health care compliance newsletter, Health Information Privacy/Security Alert, reports that as of September 1, 2012, OCR had published 452 breach reports that affected over 20 million people.
The attorneys at Knox, McLaughlin, Gornall & Sennett are committed to assisting clients in ensuring compliance with the HIPAA and HITECH Act regulations. If you have questions or concerns about matters related to compliance with HIPAA and HITECH Act regulations, such as implementing adequate policies and procedures to appropriately safeguard patient information, training staff on HIPAA regulations, conducting a HIPAA compliance analysis, or contracting with Business Associates, please contact us at (814) 459-2800.
Joy E. Sadaly is an Associate at Knox McLaughlin Gornall & Sennett, P.C.’s Erie office.