June 6, 2011
Layin’ Down the Law — OCR Ready to Put a Hurtin’ on HIPAA Violators
By Lisa A. Eramo
For The Record
Vol. 23 No. 11 P. 10
These days, healthcare organizations need not look far to find evidence that the Office for Civil Rights (OCR) is serious when it comes to HIPAA compliance.
Consider Cignet Health of Prince George’s County, Md., which recently made headlines when it violated the HIPAA Privacy Rule for its failure to provide 41 patients with copies of medical records within 30 (and no later than 60) days upon request. The requests occurred between September 2008 and October 2009. As a result of Cignet’s failure to provide patients access to their health information, Health and Human Services (HHS) imposed a $1.3 million civil monetary penalty.
In addition, Cignet failed to comply with the OCR during the investigation into the violation. In particular, the health system refused to cooperate with investigators and failed to produce the records in response to the OCR’s subpoena. This cost Cignet an additional $3 million civil monetary fine.
The Cignet case is important because it represents the first civil money penalty issued by HHS for violations of the HIPAA Privacy Rule based on increased penalty amounts authorized under the HITECH Act, says OCR spokeswoman Rachel Seeger. HITECH significantly modified the categories of HIPAA violations, the range of civil money penalty amounts, and the available defenses to a HIPAA action, she adds.
To arrive at its $4.3 million total civil monetary fine against Cignet, the OCR tracked access deadlines for each of the 41 patients. It then imposed a penalty per violation per day until April 7, 2010—the date on which Cignet hand-delivered to the Department of Justice 59 boxes of original medical records for each of the 41 patients. The boxes also contained the medical records of approximately 4,500 individuals for whom the OCR made no request or demand and for whom Cignet had no basis for the disclosure of their protected health information to HHS.
Prior to February 18, 2009—the date on which HITECH was enacted—the OCR imposed a daily fine of $100 per violation. On or after February 18, the OCR was able to impose a daily fine of $50,000 per violation, as outlined in Section 13410(d) of HITECH.
Hospitals and providers must keep in mind that Cignet’s refusal to cooperate with the OCR is a large part of why the system was fined such a large amount, says Jeffrey Drummond, an attorney at Jackson Walker LLP in Dallas. “The size of the fine is entirely related to the refusal to cooperate, so I’m not surprised by the outcome at all. I’m surprised by the enormity of the fine only because I’m surprised by the apparent stonewalling efforts and lack of cooperation by Cignet,” he says.
“The cost of compliance would have been far less [than the penalty], and I think this is precisely the point that OCR was trying to make,” says Al Shaath, vice president of sales for KOM Networks, a provider of data archiving and storage management software and solutions.
The OCR has indeed made its intentions clear that it will pursue noncompliant providers, including those that ignore its requests.
“Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA’s requirements,” said OCR Director Georgina Verdugo in a press release dated February 22 that formally announced Cignet’s penalty. “The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.”
On February 24, shortly after the announcement of the Cignet penalty, the OCR announced a $1 million settlement against Massachusetts General Hospital in Boston for an incident in which 192 patient records were lost. These records belonged to the hospital’s Infectious Disease Associates outpatient practice and included information about patients with HIV and AIDS.
“If a covered entity is not taking OCR’s recent enforcement activities seriously, then they should seriously reconsider their efforts toward being compliant. Both Cignet and Mass General are examples of the aggressive enforcement efforts OCR will continue to make moving forward,” says Seeger.
However, there are plenty of providers—particularly those in small individual practices or physician groups—who won’t take the time to truly understand the intricacies of HIPAA until they personally know someone who is penalized as a result of a violation, says Barry S. Herrin, CHPS, FACHE, a partner at Smith Moore Leatherwood LLP in Atlanta.
Hospitals are more likely than smaller providers to be HIPAA compliant because in the hospital setting, the confidentiality and privacy of patient records (including HIPAA compliance) is part of The Joint Commission survey process, says Herrin. Individual practices or physician groups don’t have this external motivation to adopt policies and procedures and take steps to ensure that HIPAA is followed, he adds.
“The notice of privacy practices that [providers] bought from a consultant are typically woefully inadequate under state law in most cases that I’ve seen,” says Herrin. “They still don’t maintain appropriate physical safeguards over their records. They don’t engage in the dialogue with patients that HIPAA prescribes.”
Revisit HIPAA Defenses
In light of the Cignet and Mass General cases, it’s time for organizations to reassess their HIPAA compliance efforts, experts say.
“All covered entities and business associates should reassess their compliance efforts, particularly their incident response efforts,” says Drummond. ”Cignet didn’t respond to customer complaints that indicated HIPAA violations were occurring. Then Cignet didn’t respond to OCR when it came to investigate. Cignet didn’t comply, but it didn’t respond either, and the latter was the bigger problem. OCR might decide that it likes extracting big fines like this one, so anyone who has to comply with HIPAA should be looking at their compliance and response efforts.”
The biggest lesson that organizations can learn from the Cignet case is simply to respond, says Drummond. This includes responding to patient requests for information as well as responding to the OCR during an investigation. “Be helpful and show that you’re trying to be compliant and do the right thing. What’s particularly interesting in the Cignet case is that it was not even a HIPAA breach situation. Cignet did not expose anyone’s data to the public or put anyone at risk of identity theft. It just refused to let patients have their own information,” Drummond says.
The Cignet case should also remind hospitals that they need an infrastructure that allows them to secure and retain protected health information for longer periods of time, provide immediate access to electronic information, and produce records quickly and in accordance with new and updated regulations, says Shaath. “This [case] should be a wake-up call not only to healthcare organizations but all highly regulated businesses as well to remind them to take a long, hard look at information life cycle management and regulatory compliance,” he adds.
Organizations can also learn from the Mass General settlement. The OCR’s announcement of the settlement specifically references these core components of a compliant HIPAA program:
• employee training;
• vigilant implementation of policies and procedures;
• regular internal audits; and
• a prompt action plan to respond to incidents.
“That’s what [OCR] wants to see as the outputs of a functional, compliant HIPAA privacy and security program,” says Herrin. “They’ve never said this before. There hasn’t been anything previously publicly promulgated to this extent that deals with how [OCR] expects [hospitals and providers] to perform the compliance task.”
This prescriptive guidance will help hospitals develop compliance programs that meet the OCR’s expectations and give the regulator what it’s looking for during an audit, says Herrin, who hopes the guidance will also spark dialogue within hospitals about specific ways they can meet these expectations.
Conduct Internal Audits
The overall message from these and other cases involving hefty settlements is that HIPAA enforcement is taking center stage in a way that it perhaps never did in the past, experts say. In fact, according to HITECH, the federal government must conduct periodic HIPAA audits of hospitals, though many of the details are still unknown.
“OCR is in the process of developing a sound and strategic audit program that will complement our ongoing enforcement activities. At this time, details on this program are still predecisional, and OCR does not have an update on a schedule for implementation,” says Seeger.
The OCR is clearly becoming more aggressive simply because the law requires it to do so, says Herrin. According to HITECH, the OCR must formally investigate any complaint of a HIPAA violation due to willful neglect, which refers to the conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated. This means hospitals should try their best to prevent violations from happening in the first place and cooperate with the OCR in the unfortunate event that they do occur, Herrin says.
Perform a Risk Assessment
One of the most important aspects of HIPAA compliance is risk assessment because it helps organization identify where vulnerabilities lie.
According to published CMS guidance regarding risk analysis and risk management, organizations should take the following steps:
• Identify the scope of the analysis.
• Gather data.
• Identify and document potential threats and vulnerabilities.
• Assess current security measures.
• Determine the likelihood of threat occurrence.
• Determine the potential impact of threat occurrence.
• Determine the level of risk.
• Identify security measures and finalize documentation.
An ongoing assessment of potential threats, in particular, is a key component to a successful risk management plan, says Shaath. “The process assessments must incorporate stricter conformance to protecting and preserving the integrity of the information and safeguarding privacy. The protection of the assets can no longer be an afterthought, and failure to do so will have grave repercussions,” he says.
A risk assessment should examine every aspect of HIPAA compliance, including who has access to information and what physical security measures are in place to protect data in transit and data at rest, says Shaath. “Data encryption and data redundancy are very important to demonstrate security. Documentation of HIPAA compliance steps is also important, as auditors will ask for this [information]. It is also important that staff be knowledgeable about privacy and security policies and procedures in place at the hospital,” he says.
Although HITECH hasn’t necessarily redefined risk assessment, it has highlighted the need for facility-specific controls, says Drummond. The largest evolution of risk management programs came in the wake of the adoption of the Security Rule, which set specific standards for physical, technical, and administrative safeguards, he says. It also required covered entities to develop and implement risk analyses and draft these analyses into formal policies and procedures.
“Since then, except for breach notification procedures, the rules haven’t really changed that much. Risk management evolution should be more driven by the particulars of the entity,” Drummond says.
Herrin agrees, adding that perhaps the most important aspect of performing a risk assessment is the understanding that there is no cookie-cutter approach. The assessment—as well as the overall HIPAA compliance program—must be tailored to the specific hospital and its unique needs, he adds.
“The rules are the same, but the compliance task is different,” says Herrin. “What’s frustrating for us is when [a provider] pulls a compliance policy off the Internet from some hospital in Hawaii, Alaska, or California and then adopts it in their hospital. That policy can have nothing to do whatsoever with how they practice their medical arts. Policies need to be designed from the inside out.”
Likewise, each facility should determine separately who will be able to access the record and under what circumstances, says Herrin. Administrative access will generally be the same from facility to facility; however, clinical access will likely vary.
For example, a freestanding hospital’s access controls may be restricted so that physicians who collaborate but aren’t necessarily integrated in terms of patient care have access to only their own patients’ information. This access control model may look different than one used by a large integrated medical practice (eg, the Mayo Clinic) in which patients may benefit from allowing all physicians to access information, says Herrin.
Facilities should take a team approach to creating user access controls that help ensure HIPAA compliance and deter snoopers, says Herrin. Involve the following personnel:
• IT/security staff can help determine whether certain levels of access control—as well as exceptions to those levels—can be created. For example, some hospitals may want to restrict patient information from physicians not treating the patient unless they are consulting physicians.
• Clinicians can explain the rationale behind why they may need access to certain types of information. These facts may not necessarily be intuitive to IT staff.
• HIM can ensure that information provided through role-based access is complete and accurate.
This same team of individuals should also meet regularly (at least annually) to reassess how the organization identifies and handles risks, says Drummond. “If you don’t have everyone at the table, you’re missing out on threats as well as possible resolutions. Make someone responsible for ensuring that the HIPAA policy development process is constantly evolving and revising,” he says.
Go Beyond Policies and Procedures
Having policies and procedures that incorporate a thorough risk assessment are helpful, but organizations should keep in mind that auditors will likely look beyond these documents at incident reports and how HIPAA complaints are actively addressed, says Drummond.
“You’ll need to show you’ve got the typical three-ring binder of HIPAA forms and policies, but [auditors] are probably going to be looking more at how you do things to deal with a constantly changing threat environment. The best way to prepare for a HIPAA audit is to be prepared to deal with a big HIPAA problem,” he says.
“Policies and procedures are not just a stack of binders on a shelf. They must be an everyday part of an organization’s culture,” Seeger says. “OCR strongly encourages covered entities and business associates to build and maintain a culture of compliance within their organization by regularly reviewing their policies and procedures to ensure full compliance with HIPAA. While HITECH may be an incentive for covered entities, self-evaluation should be standard practice. To ensure compliance, covered entities and business associates should conduct regular internal audits, hold regular trainings for their employees, and have a prompt action plan in place to respond to incidents.”
— Lisa A. Eramo is a freelance writer and editor in Cranston, R.I., who specializes in healthcare regulatory, HIM, and medical coding topics.