HIPAA Biannual Update
July to December 2023
BY MAIA KUNKEL | FEBRUARY 8, 2024
During the last half of 2023, healthcare organizations across the country posted 336 breaches of protected health information (PHI) affecting 500 or more individuals. Consistent with previous updates, unauthorized access or hacking accounted for almost all (98 percent) of the breaches. The percentage of breach investigations due to the theft of PHI continues to dwindle, now comprising just 1 percent of breaches in the second half of 2023, compared to 21 percent in the first six months of 2017. For the first time since ASCA began publishing its Health Insurance Portability and Accountability Act of 1996 (HIPAA) biannual update in 2016, improper disposal was not cited as the cause of a breach investigation in the last half of 2023.
Within the US Department of Health & Human Services (HHS), the Office for Civil Rights (OCR) is the enforcement agency responsible for protecting rights related to health information privacy. This includes enforcement actions for violations of HIPAA, which delineates who can view or receive an individual’s PHI and sets standards for security of PHI when being stored or transferred electronically.
ASCs can take important steps to help prevent breaches and limit their liability. They can review and update policies and procedures frequently to help prevent unauthorized access, improper disposal, loss and theft of PHI. ASCs also can visit the OCR website to review enforcement actions and consider how they can avoid the mistakes made by others.
Many recent enforcement actions have come through the HIPAA Right of Access Initiative. Since the previous update in July, OCR has announced two more settlements in the initiative, bringing the total to 46 enforcement actions since 2019. The recent investigations found varying degrees of noncompliance with patients' requests to promptly receive their medical records and resulted in corrective action plans with several years of monitoring and settlements of up to $160,000. Two examples of recent resolution agreements are provided below, along with precautions ASCs can take to avoid similar violations.
What Happened: St. Joseph's Medical Center is a nonprofit academic medical center in New York. OCR began investigating after The Associated Press published an article featuring the medical center's response to the COVID-19 pandemic. Photographs and patient information were included in the outlet's reporting, including COVID-19 diagnoses, current medical statuses and treatment plans. OCR determined that three individuals' PHI was disclosed in the article without first obtaining their written authorization. After OCR's investigation, St. Joseph's Medical Center agreed to an $80,000 penalty and a corrective action plan with two years of monitoring.
Takeaway for ASCs: Patients should never have to worry when receiving medical care that their faces and PHI might later be published online without their permission. As media interest in healthcare and its current challenges remains high, and healthcare entities increasingly join social media, ASCs must ensure that all policies under the HIPAA Privacy Rule are followed when agreeing to participate in media coverage or social media activity. ASCs should obtain written authorization for use before posting any photos of patients or sharing them with the media. ASCs also can prevent the same from occurring at their facility by providing routine workforce training to all members of staff on updated HIPAA policies and procedures.
What Happened: In 2015, the New York Police Department informed Montefiore Medical Center (MMC) that it had found evidence of theft of a patient's PHI. The medical center conducted an internal review and discovered that, two years earlier, one employee had stolen the electronic PHI of more than 12,000 patients and sold the information to an identity theft ring. After the theft was discovered, MMC filed a breach report with OCR. Nine years after the initial contact from the police, MMC agreed to a $4.75 million settlement, a corrective action plan and two years of monitoring.
Takeaway for ASCs: While external threats such as hacking and other attacks on PHI are always a concern, ASCs should keep in mind that threats also can exist internally. ASCs must know which members of staff have access to patient data, whether that access is essential to their job duties, and how that access is being used. Surgery centers can help prevent identity theft and fraud by providing regular workforce training to all members of staff on updated HIPAA policies and procedures. Additionally, ASCs can implement a regular review of information system activity, encrypt electronic PHI to help protect against unauthorized access and implement multifactor authentication to ensure only authorized users are able to access sensitive patient information.
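The Montefiore theft went unnoticed for two years, which is the kind of gap a routine review of information system activity is meant to close. The script below is an added example (not code from ASCA or from any named vendor) of what such a review can look like in practice: it reads EHR access audit records and flags users who touch far more distinct patient records in a day than their role needs, who export records outside business hours, or whose role is not permitted to export at all. The log line format, the role names, the per-role daily ceilings, the list of roles allowed to export and the business-hours window are all assumptions chosen for illustration, and every audit record is constructed rather than taken from a real system.

```python
"""Information system activity review over constructed EHR audit records.

Added example, not code from the ASCA page. Field layout, roles,
thresholds and the sample records are all assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, time

# Assumed per-role ceiling on distinct patient records one user should
# touch in a single day. Tune these from your own baseline data.
DAILY_PATIENT_CEILING = {"nurse": 40, "billing": 150, "registration": 25}
# Assumed: only these roles have a business need to export records.
EXPORT_ALLOWED_ROLES = {"billing", "him"}
# Assumed business-hours window; exports outside it are reviewed.
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def build_sample_log():
    """Constructed audit lines: timestamp user role action patient_id.

    Routine daytime activity for a nurse and a billing clerk, plus one
    registration clerk exporting 70 different patients' records late at
    night on two consecutive days (a bulk insider pattern)."""
    lines = [
        "2023-03-01T08:02:11 nurse01 nurse VIEW P1001",
        "2023-03-01T08:05:40 nurse01 nurse VIEW P1002",
        "2023-03-01T09:10:03 nurse01 nurse VIEW P1003",
        "2023-03-01T09:30:22 billing07 billing VIEW P1001",
        "2023-03-01T09:31:02 billing07 billing VIEW P1002",
        "2023-03-01T09:32:47 billing07 billing EXPORT P1002",
    ]
    for day in (1, 2):
        for i in range(70):
            ts = f"2023-03-{day:02d}T22:{i // 60:02d}:{i % 60:02d}"
            lines.append(f"{ts} clerk12 registration EXPORT P{3000 + day * 100 + i}")
    return "\n".join(lines)


def parse_records(text):
    """Parse whitespace-delimited audit lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, patient = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "action": action, "patient": patient})
    return records


def review_activity(records):
    """Return one finding per (user, day, reason) as tuples
    (user, day, reason, detail). An empty list means nothing to review."""
    distinct = defaultdict(set)          # (user, day) -> patient ids
    after_hours_exports = defaultdict(int)
    unauthorized_exports = defaultdict(int)
    role_of = {}
    for r in records:
        key = (r["user"], r["ts"].date().isoformat())
        role_of[r["user"]] = r["role"]
        distinct[key].add(r["patient"])
        if r["action"] == "EXPORT":
            if not (BUSINESS_HOURS[0] <= r["ts"].time() < BUSINESS_HOURS[1]):
                after_hours_exports[key] += 1
            if r["role"] not in EXPORT_ALLOWED_ROLES:
                unauthorized_exports[key] += 1

    findings = []
    for key, patients in sorted(distinct.items()):
        user, day = key
        ceiling = DAILY_PATIENT_CEILING.get(role_of[user], 0)
        if len(patients) > ceiling:
            findings.append((user, day, "volume",
                             f"{len(patients)} distinct patients, ceiling {ceiling}"))
        if after_hours_exports[key]:
            findings.append((user, day, "after-hours-export",
                             f"{after_hours_exports[key]} exports outside business hours"))
        if unauthorized_exports[key]:
            findings.append((user, day, "export-by-unauthorized-role",
                             f"{unauthorized_exports[key]} exports by role {role_of[user]}"))
    return findings


if __name__ == "__main__":
    for finding in review_activity(parse_records(build_sample_log())):
        print(*finding, sep="\t")
```

Running the script lists six findings, all for clerk12 (three reasons on each of the two days) and none for the nurse or the billing clerk whose activity matches their roles. The point is the shape of the review rather than the specific thresholds: tie access volume to the job the account is supposed to do, treat exports and off-hours activity as higher risk, and run the check on a schedule so that an insider pulling records over months is surfaced in days rather than years.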
ASCA provides several resources to help ASCs remain compliant with HIPAA. The HIPAA Resources page can be found in the Federal Regulations section of ASCA’s main site under the ASC Operations tab. It provides background on the act itself, as well as the four key provisions: privacy, security, breach notification and enforcement. ASCA’s facility and corporate members also have free access to the HIPAA Workbook for ASCs, a comprehensive resource for designing, updating and evaluating HIPAA compliance programs.
For more information, questions or concerns, write Alex Taira, ASCA’s regulatory policy and research manager.