HIPAA Biannual Update
January to June 2021
BY MAIA KUNKEL | JULY 2021
Since ASCA’s last update in January, healthcare organizations across the country posted 344 breaches of protected health information (PHI) affecting 500 or more individuals. This is the highest number of breaches reported in a six-month span in the past three years and exceeds the number of breaches in the first half of 2020 by more than 40 percent. Consistent with previous time periods, the vast majority of the breaches—94 percent—were caused by unauthorized access or hacking. The percentage of breach investigations due to theft continues to steadily decrease, comprising only 3 percent of breaches in the first half of 2021 compared to 21 percent in the first half of 2017.
Within the US Department of Health & Human Services (HHS) the Office of Civil Rights (OCR) is the enforcement agency responsible for protecting rights related to health information privacy. This includes enforcement actions for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which delineates who can view or receive an individual’s PHI and sets standards for security of PHI when being stored or transferred electronically.
ASCs can take important steps to help prevent breaches and limit their liability. They can review and update policies and procedures frequently to help prevent unauthorized access, improper disposal, loss and theft of PHI. ASCs also can review the OCR website to review enforcement actions and consider how they can avoid the mistakes made by others.
Below are selected enforcement actions that highlight a few precautions ASCs can take.
Investigations in HIPAA Right of Access Initiative and The Arbour, Inc.
What Happened: Since the previous update in January, OCR has announced six more settlements in its HIPAA Right of Access Initiative. These investigations found varying degrees of noncompliance with patients’ requests to promptly receive their medical records. In the case of Arbour, in 2019, the behavioral health center had a complaint filed after a patient’s request to access their records went unanswered. After OCR provided the center with technical assistance, the agency received another complaint from the same patient as they still had not received access to their requested records. Due to OCR’s investigation, Arbour provided the patient a copy of the records after a five-month delay. The resulting investigation included a monetary settlement of $65,000 and a corrective action plan with one year of monitoring.
Takeaway for ASCs: In 2019, OCR introduced the HIPAA Right of Access Initiative, a specific provision of the HIPAA Privacy Rule related to health information technology (IT) to help enforce and support individuals’ right to timely access their health records at a reasonable cost. ASCs should review their policies and training programs to ensure that all HIPAA obligations are able to be met when a patient requests access to their medical records. As OCR announces more settlements in its HIPAA Right of Access Initiative, ASCs should keep in mind that it remains critical that patients are able to be granted timely access to their own medical information and be able to take charge of healthcare decisions in a prompt manner.
What Happened: Operating as AEON Clinical Laboratories, Peachstate provides diagnostic and laboratory-developed tests. In 2017, OCR began a compliance review of Peachstate to determine its adherence to the HIPAA Privacy and Security Rules and discovered systemic noncompliance. This included a failure to conduct an enterprise-wide risk analysis, implement risk management and audit controls and maintain documentation of HIPAA policies and procedures. The settlement included a $25,000 penalty and the implementation of a corrective action plan with three years of monitoring.
Takeaways for ASCs: All healthcare facilities, including clinical laboratories and ASCs, must comply with the HIPAA Security Rule. Compliance helps ensure facilities keep patients’ PHI secure and out of the wrong hands. In Peachstate’s case, the failure to establish and implement basic Security Rule requirements needlessly put patients’ electronic health information at risk and exposed a vulnerability to malicious activity.
What Happened: In 2015, Excellus Health Plan filed a breach report stating that its information-technology (IT) systems were targeted by cyberattacks for more than two years. The hackers were able to install malware and conduct operations that resulted in the disclosure of 9.3 million individuals’ PHI, including their names, addresses, social security numbers and bank account information. Upon investigation, OCR concluded that the health plan failed to implement risk management strategies and neglected to conduct an enterprise-wide risk analysis, review information system activity or access controls. Due to the sheer scale of the breach, Excellus Health Plan agreed to a $5.1 million dollar settlement and a two-year corrective action plan.
Takeaways for ASCs: This was a massive breach. As hacking continues to be a great threat, especially to individuals’ PHI, cyberattacks have the ability to have devastating effects on healthcare entities big and small. To combat this threat, it remains crucial that ASCs are aware of potential security vulnerabilities and implement risk management strategies. In this case, the failure to establish such procedures allowed for the hackers to remain undetected for more than a year and access the PHI of millions of individuals.
ASCA provides several resources to help ASCs remain compliant with HIPAA. The HIPAA Resource page can be found in the Federal Regulations section of ASCA’s main site. It provides background on the act itself, as well as the four key provisions: privacy, security, breach notification and enforcement. ASCA’s facility and corporate members also have free access to the HIPAA Workbook for ASCs, a comprehensive resource for designing, updating and evaluating HIPAA compliance programs.
For more information or for questions and concerns, write Alex Taira, ASCA’s regulatory policy and research manager.