HIPAA Biannual Update

Digital Debut

January to June 2022

Since ASCA’s last update in January, healthcare organizations across the country reported 337 breaches of protected health information (PHI) affecting 500 or more individuals each. Consistent with previous reporting periods, the vast majority of these breaches, 95 percent, were caused by unauthorized access or hacking. The share of breach investigations attributed to theft continues to decline steadily, accounting for only 3 percent of breaches in the first six months of 2022, compared with 21 percent in the first half of 2017.

[Figure: OCR Breach Investigations, January–June 2022. Source: ASCA]

Within the US Department of Health & Human Services (HHS), the Office for Civil Rights (OCR) is the enforcement agency responsible for protecting rights related to health information privacy. This includes enforcement actions for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which delineates who may view or receive an individual’s PHI and sets standards for securing PHI when it is stored or transmitted electronically.

ASCs can take important steps to help prevent breaches and limit their liability. They can review and update policies and procedures regularly to help prevent unauthorized access, improper disposal, loss and theft of PHI. ASCs also can visit the OCR website to review published enforcement actions and consider how to avoid the mistakes made by others.

Many recent enforcement actions have come through the HIPAA Right of Access Initiative. Since the previous update in January, OCR has announced 13 more settlements under the initiative, bringing the total to 38 enforcement actions since 2019. These investigations found varying degrees of noncompliance with patients’ requests to receive their medical records promptly and resulted in corrective action plans, monitoring periods of up to several years and settlements ranging from $3,500 to $240,000. Three examples are provided below, along with precautions ASCs can take to avoid similar violations.

Memorial Hermann Health System (MHHS)

What Happened: MHHS is a not-for-profit health system located in Texas. OCR’s investigation began when a complaint was filed alleging that MHHS failed to act in a timely manner on a patient’s request for their complete medical and billing records. OCR found that MHHS ignored five requests from the patient, resulting in a 564-day delay before the patient obtained their records. Following the investigation, MHHS agreed to a corrective action plan and a settlement of $240,000.

Takeaway for ASCs: In 2019, OCR launched its Right of Access Initiative, an enforcement priority focused on the HIPAA Privacy Rule’s right of access provision, which requires covered entities to give individuals timely access to their health records for no more than a reasonable, cost-based fee. In the case of MHHS, the patient ultimately did receive a copy of the requested PHI, but it took five requests, a formal OCR investigation and almost two years.

ASCs should review their policies and training programs to ensure that every HIPAA obligation can be met when a patient requests access to their medical records. As OCR continues to announce settlements under its HIPAA Right of Access Initiative, ASCs should keep in mind that it remains critical for patients to be granted timely access to their own medical information so they can make healthcare decisions promptly.

U. Phillip Igbinadolor, DMD & Associates, PA (UPI)

What Happened: In response to a negative review posted online, UPI, a dental practice in North Carolina, impermissibly disclosed a patient’s PHI on a webpage. UPI then failed to respond to OCR’s data request or to an administrative subpoena, and did not contest the findings listed in OCR’s Notice of Proposed Determination. As a result, OCR imposed a $50,000 civil money penalty on UPI.

Takeaway for ASCs: Receiving a negative review is frustrating, but ASCs should never retaliate, and certainly not by disclosing a patient’s PHI. Doing so can damage your reputation and business and can needlessly lead to OCR investigations and civil money penalties. Healthcare providers large and small must comply with all HIPAA rules and are trusted to keep patients’ PHI confidential. ASCs should ensure that staff members understand that their HIPAA obligations apply both inside the ASC and online.

Oklahoma State University – Center for Health Sciences (OSU-CHS)

What Happened: OSU-CHS, part of a public research university, provides preventive, rehabilitative and diagnostic care. In 2018, OSU-CHS filed a breach report stating that an unauthorized third party had gained access to a web server containing electronic PHI (ePHI). The attacker had installed malware on the server in 2016, compromising the ePHI of more than 250,000 individuals, including their names, Medicaid numbers, addresses and treatment information. OSU-CHS also misreported the date the breach began, initially claiming the ePHI had been exposed a year later than it actually was. OCR’s investigation identified several potential violations, including impermissible uses and disclosures of ePHI, failure to conduct an accurate and thorough risk analysis of its systems, and failure to notify the affected individuals and HHS of the breach in a timely manner. OSU-CHS agreed to a settlement of $875,000 and to a corrective action plan that includes two years of monitoring.

Takeaway for ASCs: Cyberattacks continue to rise. With hacking and IT incidents now making up the majority of new OCR breach investigations, ASCs must prioritize the security of patients’ PHI. In this case, the failure to do so, combined with the misreporting of when the breach began, had the potential to understate the true extent of the damage. Reviewing the HIPAA Privacy, Security and Breach Notification Rules will help ASCs understand the steps needed to protect patients’ PHI from bad actors. Regularly inventorying where ePHI resides in the facility’s information systems and conducting an accurate, thorough risk analysis of those systems will help ensure that information is kept safe and that any breach is detected and reported promptly.

ASCA provides several resources to help ASCs remain compliant with HIPAA. The HIPAA Resources page can be found in the Federal Regulations section of ASCA’s main site. It provides background on the act itself, as well as the four key provisions: privacy, security, breach notification and enforcement. ASCA’s facility and corporate members also have free access to the HIPAA Workbook for ASCs, a comprehensive resource for designing, updating and evaluating HIPAA compliance programs.

For more information or for questions and concerns, write Alex Taira, ASCA’s regulatory policy and research manager.