HIPAA Biannual Update

Digital Debut


July to December 2020

Since ASCA’s last update in July, healthcare organizations across the country posted 324 breaches of protected health information (PHI) affecting 500 or more individuals. This is the highest number of breaches reported in a six-month span in the past three years and exceeds the number of breaches in the first half of 2020 by almost 40 percent. Consistent with previous time periods, most of the breaches—90 percent—were caused by unauthorized access or hacking. The percentage of breach investigations due to theft continues to decrease, comprising only 7 percent of breaches in the first half of 2020 down from 21 percent in the first half of 2017.

Within the US Department of Health & Human Services (HHS), the Office for Civil Rights (OCR) is the enforcement agency responsible for protecting rights related to health information privacy. This includes enforcement actions for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which delineates who can view or receive an individual’s PHI and sets standards for security of PHI when being stored or transferred electronically.

ASCs can take important steps to help prevent breaches and limit their liability. They can review and update policies and procedures frequently to help prevent unauthorized access, improper disposal, loss and theft of PHI. ASCs also can consult the OCR website for recent enforcement actions and consider how to avoid the mistakes made by others.

Below are selected enforcement actions that highlight some precautions ASCs can take.

OCR Breach Investigations July-December 2020

Investigations in the HIPAA Right of Access Initiative and The University of Cincinnati Medical Center, LLC (UCMC)

What Happened: Since the previous update in July, OCR has announced 11 settlements in its HIPAA Right of Access Initiative. These investigations found varying degrees of noncompliance with patients’ requests to promptly receive their medical records. In the case of UCMC, the medical center failed to respond to a patient’s inquiry to direct a copy of their medical records stored in UCMC’s electronic health record (EHR) to their lawyers. OCR received a complaint after this request went unanswered and resulted in a six-month delay in the third party receiving the requested records. The settlement of the UCMC investigation included a monetary settlement of $65,000, a corrective action plan and two years of monitoring.

Takeaway for ASCs: In 2019, OCR introduced a specific provision of the HIPAA Privacy Rule related to health information technology (IT) to help enforce and support individuals’ right to timely access to their health records at a reasonable cost. ASCs should review their policies and training programs to ensure that all HIPAA obligations can be met when a patient requests access to their medical records. In the press statement announcing these corrective actions, OCR stressed the importance of compliance and of allowing individuals to take charge of healthcare decisions in a timely manner. As the COVID-19 public health emergency continues, ASCs should keep in mind that patients’ ability to access their own medical information in a timely manner remains critical.


Premera Blue Cross (PBC)

What Happened: In 2015, PBC filed a breach report on its own behalf stating that cyber-attackers had gained unauthorized access to its IT system. A phishing email was used to install malware that gave the hackers unrestricted access to the IT system and allowed them to remain undetected for more than nine months. The cyberattack resulted in the disclosure of more than 10.4 million individuals’ PHI; the disclosed information included the individuals’ names and addresses, Social Security numbers and bank account information. The eventual settlement included a $6.85 million penalty and a two-year corrective action plan.

Takeaways for ASCs: This was a serious breach and resulted in the second largest HIPAA violation settlement in OCR history. Breaches in security affect healthcare providers large and small. Identifying potential security vulnerabilities, whether human or technological, is essential to prevent hackers from gaining access to PHI and remaining undetected. ASCs can help combat phishing by staying vigilant, reporting any suspicious emails and implementing risk management strategies.

The City of New Haven, Connecticut Health Department

What Happened: OCR conducted an investigation into the New Haven Health Department after a breach report was filed stating that a former employee had accessed a computer containing PHI. The investigation revealed that the individual returned to the health department after being terminated and used their still-active login credentials to download patients’ PHI, including names and addresses, dates of birth and sexually transmitted disease test results, onto a USB drive. The investigation also found that the former employee had shared their login credentials with an intern, who continued to use the active username and password to access PHI. The city agreed to a settlement of more than $200,000 and a two-year corrective action plan.

Takeaways for ASCs: ASCs have to be aware of and monitor which staff members have access to patient data. When employment ends, it is imperative that ASCs terminate access to any sensitive documents. In this case, the failure to do so resulted in two individuals accessing and downloading the PHI of hundreds of patients for weeks without detection. Implementing termination procedures and using unique user identification for every person who accesses PHI would help ASCs ensure that only the proper individuals are accessing PHI and that each access can be traced to a single user.

ASCA provides several resources to help ASCs remain compliant with HIPAA. The HIPAA Resource page can be found in the Federal Regulations section of ASCA’s main site. It provides background on the act itself, as well as the four key provisions: privacy, security, breach notification and enforcement. ASCA’s facility and corporate members also have free access to the HIPAA Workbook for ASCs, a comprehensive resource for designing, updating and evaluating HIPAA compliance programs.

For more information or for questions and concerns, write Alex Taira, ASCA’s regulatory policy and research manager.