Trusiak Law - Buffalo Attorney, HERO act, HIPAA Law



2018 All-Time Record Year for HIPAA Enforcement

The Office for Civil Rights (OCR) recently reminded us of the importance of HIPAA privacy and the cost of neglect. In a February 7, 2019, posting, OCR concluded an all-time record year in HIPAA enforcement activity. OCR also recently issued a Report to Congress detailing the frequency of types of breaches. See Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2015, 2016, and 2017 As Required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, Public Law 111-5, Section 13402. These OCR notifications require organizational introspection and remedial effort in some simple, significant ways regarding your Security Risk Analysis, Business Associate Agreement Compliance and Email Integrity Post-Separation for Former Employees.

First, Security Risk Analysis

In 2018, OCR settled 10 cases and secured one judgment, together totaling $28.7 million. This total surpassed the previous record of $23.5 million from 2016 by 22 percent. In addition, OCR also achieved the single largest individual HIPAA settlement in history of $16 million with Anthem, Inc., representing a nearly three-fold increase over the previous record settlement of $5.5 million in 2016.

An analysis of 2018 enforcement activity highlights some key findings.

  • The majority of organizations OCR settled with failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). That is, they did not perform a Security Risk Analysis as required by the Security Rule or they failed to complete one that was sufficient to meet the standard of the Security Rule.
  • Another key finding was failure to obtain a written Business Associate Agreement with contractors who performed business associate functions on their behalf.

These findings serve as a reminder that a Security Risk Assessment (SRA) is neither optional nor a "one and done" exercise. An initial SRA and regular updates must be undertaken, and an active Security Risk Management Program must be in place to mitigate risks identified in the SRA.

Second, BAA Compliance

And don't forget that Covered Entities must know who their Business Associates are, and Business Associates must know who their Subcontractors are, that perform business function activities. If they do, make sure there is an executed Business Associate Agreement in place with them. The Business Associate due diligence is simple: coordinate with your accounts payable department to identify Covered Entity payments to vendors, identify the subset of vendors with access to protected health information, and then ensure the relevant vendors have the required Business Associate Agreements. Or stick your head in the sand and hope and pray there is no breach event necessitating an OCR inquiry requesting the above information.

Third, Email Integrity Post-Employment

In the Report to Congress on Breaches of Unsecured Protected Health Information, OCR noted that from 2015-2016, unauthorized access/disclosures were the most common cause of reported breaches affecting 500 or more individuals. In 2017, they were the second most frequent cause. Additionally, for each of these years, unauthorized access/disclosures were the leading cause of reported breaches affecting fewer than 500 individuals. Although OCR has not yet reported 2018 numbers to Congress, a review of the OCR Breach Portal indicates that unauthorized access/disclosures remained the second most frequent cause of reported breaches, making up over a third (35%) of reported breaches affecting 500 or more individuals.

A Covered Entity must have standard policies for removing workforce members' access to protected health information upon separation from employment, to prevent unauthorized access to protected health information by former employees. This is especially important for Covered Entities with a Bring Your Own Device Policy. How does your Covered Entity wipe clean protected health information from a personal device upon separation from employment, including acrimonious separations that occur without notice?

Trusiak Law can assist you in measuring your compliance with the HIPAA Privacy, Security and Breach Notification Rules. It will be done under attorney-client privilege to protect you.
