Digital Debut
HIPAA Biannual Update
January to June 2024
BY MAIA KUNKEL | AUGUST 16, 2024
During the first half of 2024, healthcare organizations across the country posted 359 breaches of protected health information (PHI) affecting 500 or more individuals. Consistent with previous updates, unauthorized access or hacking accounted for most—95 percent—of the breaches. The percentage of breach investigations due to the theft of PHI continues to dwindle, comprising three percent of breaches in the first half of 2024.
SOURCE: ASCA
Within the US Department of Health and Human Services (HHS), the Office for Civil Rights (OCR) is the enforcement agency responsible for protecting rights related to health information privacy. This includes enforcement actions for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which delineates who can view or receive an individual’s PHI and sets standards for security of PHI when being stored or transferred electronically.
ASCs can take important steps to help prevent breaches and limit their liability. They can review and update policies and procedures frequently to help prevent unauthorized access, improper disposal, loss and theft of PHI. ASCs also can visit the OCR website to review enforcement actions and consider how they can avoid the mistakes made by others.
Many recent enforcement actions have been through the HIPAA Right of Access Initiative. Since the previous update in February, OCR has announced three more settlements in its HIPAA Right of Access Initiative, bringing the total to 49 enforcement actions since 2019. The recent investigations found varying degrees of noncompliance with patients’ requests to promptly receive their medical records and resulted in settlements of up to $115,200. Two examples of recent resolution agreements are provided below, along with precautions ASCs can take to avoid similar violations.
What Happened: AMR provides emergency medical services across the United States. OCR began investigating in 2019 after a complaint was filed, alleging that AMR did not provide a patient with their medical records after multiple written requests. In response to OCR’s investigation, AMR amended its internal procedures to better streamline and track fulfilling medical records requests. AMR sent the individual the records in late 2019, over a year after the initial request. Following OCR’s investigation, AMR agreed to a $115,200 settlement.
Takeaway for ASCs: In 2019, OCR introduced a specific provision of the HIPAA Privacy Rule related to health information technology (IT) to help enforce and support individuals’ right to timely access to their health records at a reasonable cost. ASCs should review their policies and training programs to ensure that they are able to meet all HIPAA obligations when a patient requests access to their medical records. As OCR continues to announce more settlements in its HIPAA Right of Access Initiative, ASCs should keep in mind that it remains critical that patients are able to access their own medical information in a timely manner and take charge of their healthcare decisions promptly.
What Happened: OCR began investigating in 2017 after the media reported that HVHS experienced a data security incident. HVHS, which provides care in Pennsylvania, Ohio and West Virginia, was found to be in violation of several provisions of the HIPAA Security Rule. Among these violations was the failure to conduct a risk analysis to determine potential risks and vulnerabilities to PHI; the lack of a contingency plan to respond to an emergency, such as a ransomware attack or fire, that damages systems that house PHI; and the failure to implement policies and procedures to only allow authorized users or programs access to patients’ PHI. As a result of the investigation, HVHS agreed to a $950,000 settlement, a corrective action plan and three years of monitoring by OCR.
Takeaway for ASCs: Hacking and ransomware have quickly become the most pressing cyber threat in healthcare. Since 2018, OCR has seen a 264 percent increase in reported large breaches involving ransomware and a 256 percent increase in reported hacking incidents. ASC staff and patients alike should be confident that electronic PHI (ePHI) is secured and inaccessible to bad actors, both internal and external. While the task of safeguarding PHI in an increasingly targeted sector may feel onerous, OCR has shared several strategies that all healthcare entities covered by HIPAA, including ASCs, can implement now to strengthen their defenses.
- Review all vendor and contractor relationships to ensure business associate agreements are in place, as appropriate, and address breach/security incident obligations.
- Integrate risk analysis and risk management into business processes, conducted regularly and when new technologies and business operations are planned.
- Ensure audit controls are in place to record and examine information system activity.
- Implement a regular review of information system activity.
- Utilize multifactor authentication to ensure only authorized users are accessing ePHI.
- Encrypt ePHI to guard against unauthorized access.
- Incorporate lessons learned from incidents into the overall security management process.
- Provide training specific to organization and job responsibilities and on a regular basis; reinforce staff members’ critical role in protecting privacy and security.
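The two items on audit controls and regular review of information system activity are where an ASC's records system actually produces evidence a reviewer can act on. The script below is an added illustration, not code from ASCA, OCR or any EHR vendor: it parses a small, constructed ePHI access log (the CSV layout, user names, patient IDs, the active-user roster and the five-patients-per-day threshold are all assumptions for the example) and flags three patterns a periodic review would want to see: activity by an account not on the active roster, access outside a user's declared working hours, and a user touching an unusually large number of distinct patient records in one day.

```python
"""Periodic review of a constructed ePHI access-audit log.

The log format, field names, roster and thresholds are assumptions made for
this example; real EHR audit trails differ by product and would be adapted.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp,user,patient_id,action,result
SAMPLE_LOG = """\
2024-03-04T08:12:05,jsmith,P1001,view,ok
2024-03-04T08:15:41,jsmith,P1002,view,ok
2024-03-04T09:02:10,rlee,P2040,update,ok
2024-03-04T02:47:33,rlee,P2041,view,ok
2024-03-04T10:30:00,tgone,P1001,view,ok
2024-03-04T11:00:00,mchen,P3001,view,ok
2024-03-04T11:00:05,mchen,P3002,view,ok
2024-03-04T11:00:09,mchen,P3003,view,ok
2024-03-04T11:00:14,mchen,P3004,view,ok
2024-03-04T11:00:20,mchen,P3005,view,ok
2024-03-04T11:00:26,mchen,P3006,view,ok
2024-03-04T11:01:00,mchen,P3007,export,ok
"""

# Constructed roster of active accounts and their expected working hours (24h clock).
# An account missing here is treated as disabled or unknown.
ACTIVE_USERS = {"jsmith": (7, 18), "rlee": (7, 18), "mchen": (7, 18)}
DISTINCT_PATIENTS_PER_DAY = 5  # assumed review threshold, tune per role


def parse_log(text):
    """Turn the CSV-style audit text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action, result = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "patient": patient,
            "action": action,
            "result": result,
        })
    return events


def review(events, roster=ACTIVE_USERS, threshold=DISTINCT_PATIENTS_PER_DAY):
    """Return a list of (rule, user, detail) findings for a human reviewer."""
    findings = []
    per_user_day = defaultdict(set)
    for ev in events:
        user = ev["user"]
        # Rule 1: activity by an account that is not on the active roster.
        if user not in roster:
            findings.append(("unknown_or_disabled_account", user, ev["patient"]))
            continue
        # Rule 2: access outside the user's declared working hours.
        start, end = roster[user]
        if not (start <= ev["ts"].hour < end):
            findings.append(("off_hours_access", user, ev["ts"].isoformat()))
        per_user_day[(user, ev["ts"].date())].add(ev["patient"])
    # Rule 3: unusually many distinct patient records touched in one day.
    for (user, day), patients in per_user_day.items():
        if len(patients) > threshold:
            findings.append(("high_volume_access", user,
                             f"{len(patients)} patients on {day}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{rule:28} {user:8} {detail}")
```

Run as written, the review reports the 02:47 access by rlee, the activity of the off-roster account tgone, and mchen's seven distinct records in one day. Findings are leads for a reviewer, not conclusions; the value of the control comes from running it on a schedule, keeping the roster current with HR, and recording what was checked and how each finding was resolved.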
ASCA provides several resources to help ASCs remain compliant with HIPAA. The HIPAA Resources page can be found in the Federal Regulations section of ASCA’s main site. It provides background on the act itself, as well as the four key provisions: privacy, security, breach notification and enforcement. ASCA’s facility and corporate members also have free access to the HIPAA Workbook for ASCs, a comprehensive resource for designing, updating and evaluating HIPAA compliance programs.
For more information or for questions and concerns, write Maia Kunkel at mkunkel@ascassociation.org.