HIPAA Biannual Update
January to June 2023
BY MAIA KUNKEL | JULY 2023
During the first half of 2023, healthcare organizations across the country posted 322 breaches of protected health information (PHI) affecting 500 or more individuals. Consistent with previous updates, the vast majority of the breaches—96 percent—were caused by unauthorized access or hacking. The percentage of breach investigations due to the theft of PHI continues to steadily decrease, comprising only 2 percent of breaches in the first six months of 2023 compared to 21 percent in the first half of 2017. For the first time since ASCA began reporting its Health Insurance Portability and Accountability Act of 1996 (HIPAA) biannual update in 2016, loss of PHI was not cited as a cause of a breach investigation in the first half of 2023.
Within the US Department of Health & Human Services (HHS), the Office for Civil Rights (OCR) is the enforcement agency responsible for protecting rights related to health information privacy. This includes enforcement actions for violations of HIPAA, which delineates who can view or receive an individual’s PHI and sets standards for security of PHI when being stored or transferred electronically.
ASCs can take important steps to help prevent breaches and limit their liability. They can review and update policies and procedures frequently to help prevent unauthorized access, improper disposal, loss and theft of PHI. ASCs also can visit the OCR website to review enforcement actions and consider how they can avoid the mistakes made by others.
Many recent enforcement actions have come through the HIPAA Right of Access Initiative. Since the previous update in February, OCR has announced two more settlements under the initiative, bringing the total to 44 enforcement actions since 2019. The recent investigations found varying degrees of noncompliance with patients’ requests to promptly receive their medical records and resulted in corrective action plans with several years of monitoring and settlements of up to $16,500. Three examples of recent resolution agreements, one from the Right of Access Initiative and two from breach and impermissible-access investigations, are provided below, along with precautions ASCs can take to avoid similar violations.
What Happened: In 2021, OCR began investigating Life Hope Labs, a diagnostic laboratory in Georgia, after a complaint was filed alleging that the laboratory would not provide a personal representative with a copy of her deceased father’s medical records. The representative did not receive the records until after the investigation began, seven months after the initial request. Following OCR’s investigation, Life Hope Labs agreed to a $16,500 settlement and a corrective action plan with two years of monitoring.
Takeaway for ASCs: In 2019, OCR launched its Right of Access Initiative to enforce the HIPAA Privacy Rule provision that gives individuals the right to timely access to their health records at a reasonable cost. ASCs should review their policies and training programs to ensure that they can meet every HIPAA obligation when a patient, or a patient’s personal representative, requests access to medical records, including the deadline for responding and the limits on what may be charged. As OCR continues to announce settlements under the initiative, ASCs should keep in mind that prompt access to their own medical information is what lets patients take charge of their healthcare decisions.
What Happened: iHealth Solutions, based in Kentucky, provides coding, billing and IT services to healthcare providers. OCR began investigating iHealth Solutions in 2017 after receiving a breach report stating that the vendor had experienced an unauthorized transfer of PHI from an unsecured server, including patient names, addresses, Social Security numbers and medical histories, among other exposed data. OCR found that more than 250 individuals had their PHI exposed online. The six-year investigation resulted in a $75,000 settlement and an agreement to implement a corrective action plan with two years of monitoring.
Takeaway for ASCs: The HIPAA Privacy, Security and Breach Notification Rules apply to ASCs and to the vendors and other third-party service providers that handle PHI on their behalf. ASCs must have contracts, known as business associate (BA) agreements, with those vendors to ensure that the BAs will appropriately safeguard PHI. With cyberattacks on healthcare organizations on the rise, ASCs should confirm that every entity entrusted with access to PHI has a risk management plan in place to address and mitigate security risks and vulnerabilities; a BA’s unsecured server exposes the ASC’s patients just as an ASC’s own server would. The agreement also serves to clarify the permissible uses and disclosures of PHI by the BA, based on the relationship between the parties and the vendor’s activities or services. ASCs also can help prevent future investigations by confirming that all BAs with access to PHI are regularly trained on the HIPAA policies and procedures that protect the privacy and security of patient information.
What Happened: OCR began investigating a community hospital in Washington state in 2018 after receiving reports that almost two dozen security guards had impermissibly accessed the medical records of 419 individuals. The guards used their own login credentials to access patient medical records without a job-related purpose. The exposed PHI included patient names, addresses, notes related to treatment and insurance information. The hospital agreed to a $240,000 settlement, a corrective action plan and two years of monitoring.
Takeaway for ASCs: Current and former staff members impermissibly accessing PHI continues to be an issue in the healthcare industry. In the case above the guards did not break in; they used valid credentials that gave them more access than their duties required, and no one noticed until it was reported. ASCs therefore need to know which staff members can access patient data, confirm that each person’s access is essential to their job duties, remove access promptly when roles change or employment ends, and review EHR access logs for use that falls outside those duties. ASCs should have policies and procedures in place to prevent snooping and to protect patients against the identity theft and fraud that can follow it. Regular workforce training for all staff members on updated HIPAA policies and procedures also helps prevent instances such as this from occurring.
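The hospital case above is a pattern an ASC can look for in its own EHR audit trail: users whose role has no treatment, payment or operations reason to open charts, and users who open far more distinct charts than their duties would explain. The script below is an added example, not code from ASCA, OCR or any EHR vendor. The CSV layout, the role-to-action table and the volume threshold are assumptions for illustration; a real export will have different columns and the allowed actions must come from the ASC’s own role definitions.

```python
"""Audit-log review for workforce snooping.

Added example, not code from ASCA or OCR. Assumes the EHR can export a CSV
audit trail with the columns used below; the role table and threshold are
illustrative choices, not HIPAA requirements.
"""
import csv
import io
from collections import defaultdict

# Constructed sample audit trail (not real data). Column names are an
# assumption for the example; real EHR exports differ.
SAMPLE_AUDIT_CSV = """\
timestamp,user,role,patient_id,action
2023-03-01T08:02:11,rn_alvarez,nurse,P1001,view_chart
2023-03-01T08:05:40,guard_77,security,P1001,view_chart
2023-03-01T08:06:02,guard_77,security,P1002,view_chart
2023-03-01T08:06:30,guard_77,security,P1003,view_chart
2023-03-01T09:15:00,dr_chen,physician,P1002,view_chart
2023-03-01T09:20:13,biller_kim,billing,P1002,view_claim
2023-03-01T10:01:55,reg_ortiz,registration,P1004,view_demographics
2023-03-01T10:30:00,reg_ortiz,registration,P1004,view_chart
"""

# Roles with a treatment, payment or operations reason to touch records, and
# the record actions each role may perform. Any role missing from this table
# (for example "security") is permitted nothing. Illustrative only.
ROLE_PERMISSIONS = {
    "physician": {"view_chart", "view_demographics"},
    "nurse": {"view_chart", "view_demographics"},
    "billing": {"view_claim", "view_demographics"},
    "registration": {"view_demographics"},
}

# A user who opens more distinct patients than this in one export window is
# flagged for manual review even when the role permits the action.
# Deliberately low for the sample; in practice tune it per role.
DISTINCT_PATIENT_THRESHOLD = 2


def parse_audit_log(text):
    """Parse the CSV audit export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_role_violations(rows):
    """Return (user, role, patient_id, action) for every access the role does not permit.

    Catches both the hospital pattern (a role with no clinical need at all)
    and privilege creep (a permitted role performing an action beyond it).
    """
    violations = []
    for row in rows:
        allowed = ROLE_PERMISSIONS.get(row["role"], set())
        if row["action"] not in allowed:
            violations.append((row["user"], row["role"], row["patient_id"], row["action"]))
    return violations


def find_high_volume_users(rows, threshold=DISTINCT_PATIENT_THRESHOLD):
    """Return {user: distinct patient count} for users above the threshold."""
    patients = defaultdict(set)
    for row in rows:
        patients[row["user"]].add(row["patient_id"])
    return {user: len(ids) for user, ids in patients.items() if len(ids) > threshold}


def review(text):
    """Run both checks over one export and return the findings together."""
    rows = parse_audit_log(text)
    return {
        "role_violations": find_role_violations(rows),
        "high_volume_users": find_high_volume_users(rows),
    }


if __name__ == "__main__":
    findings = review(SAMPLE_AUDIT_CSV)
    for user, role, patient, action in findings["role_violations"]:
        print(f"ROLE VIOLATION  {user} ({role}) {action} on {patient}")
    for user, count in findings["high_volume_users"].items():
        print(f"HIGH VOLUME     {user} opened {count} distinct patients")
```

On the sample, every chart view by the security role is flagged, as is the registration clerk’s single chart view, which is the privilege-creep case the role table exists to catch. The volume check flags the same guard for touching three patients. A review like this only helps if someone actually runs it on a schedule and acts on the findings; the audit trail in the hospital case recorded the access, but no one was looking at it.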
ASCA provides several resources to help ASCs remain compliant with HIPAA. The HIPAA Resources page can be found in the Federal Regulations section of ASCA’s main site. It provides background on the act itself, as well as the four key provisions: privacy, security, breach notification and enforcement. ASCA’s facility and corporate members also have free access to the HIPAA Workbook for ASCs, a comprehensive resource for designing, updating and evaluating HIPAA compliance programs.
For more information, questions or concerns, write Alex Taira, ASCA’s regulatory policy and research manager.