HIPAA Biannual Update

Digital Debut

HIPAA Biannual Update

January through June 2020

Since ASCA’s last update in January, healthcare organizations across the country posted 233 breaches of protected health information (PHI) affecting at least 500 individuals. Consistent with previous time periods, most of the breaches—86 percent—were caused by unauthorized access or hacking. The percentage of breach investigations due to theft continues to decrease, comprising only 7 percent of breaches in the first half of 2020 down from 21 percent in the first half of 2017.

Within the US Department of Health & Human Services (HHS), the Office of Civil Rights (OCR) is the enforcement agency responsible for protecting rights related to health information privacy. This includes enforcement actions for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which delineates who can view or receive an individual’s PHI and sets standards for security of PHI when being stored or transferred electronically.

ASCs can take important steps to help prevent breaches and limit their liability. They can review and update policies and procedures frequently to help prevent unauthorized access, improper disposal, loss and theft of PHI. ASCs also can review the OCR website to review enforcement actions and consider how they can avoid the mistakes made by others.

Below are selected enforcement actions that highlights some precautions ASCs can take.

The Practice of Steven A. Porter, MD

What Happened: The practice of Steven A. Porter, MD, provides gastroenterological services in Ogden, Utah. OCR began investigating after the practice filed a breach report with OCR regarding a dispute with a business associate of Porter’s electronic health record (EHR) company. The investigation revealed significant noncompliance with HIPAA rules, including allowing the EHR company to transmit electronic PHI (ePHI) on the practice’s behalf without ensuring the safeguard of the ePHI. The final agreement reached between OCR and Porter’s practice included a $100,000 settlement, a corrective action plan and two years of OCR monitoring.

Takeaway for ASCs: As stated in the press release announcing the enforcement, OCR Director Roger Severino stressed that HIPAA obligations need to be taken seriously, no matter the size of the healthcare provider. ASCs must have risk-analysis procedures in place that thoroughly and accurately assess vulnerabilities to confidential PHI. ASCs also should develop and implement policies and procedures to help detect, prevent and correct security violations.

University of Rochester Medical Center (URMC)

What Happened: URMC initially filed a report with OCR in 2017 after discovering the loss of an unencrypted flash drive. URMC impermissibly disclosed the ePHI of 43 patients when an unencrypted laptop was stolen from a treatment center. URMC agreed to a $3 million settlement and a substantial corrective action plan that includes two years of OCR monitoring.

Takeaway for ASCs: Since theft and loss are constant threats to ASCs, failing to encrypt devices puts PHI at risk. Given that a similar instance happened at URMC in 2010, the failure to fix the deficiencies led to a repeat breach. ASCs should be vigilant in ensuring that devices and hardware are encrypted and password protected.

OCR Guidance for Sharing PHI with First Responders

In March, in response to the COVID-19 pandemic, OCR issued guidance expanding HIPAA flexibilities. The guidance details the extent to which covered entities may disclose PHI about an individual suspected of contracting COVID-19 or an individual who may have been exposed to it to first responders. Severino highlighted the importance of first responders’ access to information during the COVID-19 crisis, hoping that these flexibilities would assure the safety of first responders by providing real time infection information. These entities may provide information to law enforcement, paramedics, other first responders and public health authorities in compliance of the HIPAA Privacy Rule. The guidance details the circumstances under which a covered entity may disclose PHI about individuals—including the name—without prior HIPAA authorization, such as when it is necessary to provide treatment, when it is required by law or when a first responder is at risk for infection. The guidance also clarifies regulatory permissions that covered entities may use to disclose PHI regarding whether a person has or has been exposed to COVID-19 to first responders, so extra precautions can be taken, including the use of personal protective equipment (PPE). A reminder is included stating that reasonable efforts must be made to try to limit the PHI disclosed to the “minimum necessary” to accomplish the purpose for the disclosure.

ASCA provides several resources to help ASCs remain compliant with HIPAA. The HIPAA Resource page can be found in the Federal Regulations section of ASCA’s main site. It provides background on the act itself, as well as the four key provisions: privacy, security, breach notification and enforcement. ASCA’s facility and corporate members also have free access to the HIPAA Workbook for ASCs, a comprehensive resource for designing, updating and evaluating HIPAA compliance programs.

For more information or for questions and concerns, write Alex Taira, ASCA’s regulatory policy and research manager.