HIPAA Biannual Update

Digital Debut

January to July 2018

The Office for Civil Rights (OCR), within the US Department of Health and Human Services (HHS), is the enforcement agency responsible for protecting rights related to health information privacy. This includes enforcement actions for violations of the Health Insurance Portability and Accountability Act (HIPAA), which delineates who can view or receive an individual’s protected health information (PHI) and sets standards for the security of PHI when it is stored or transferred electronically.

Since our last update in January, health care organizations across the country posted 165 breaches of PHI affecting 500 or more individuals. Most of the breaches (78 percent) were caused by unauthorized access or hacking. The percentage of breach investigations due to theft increased slightly (from 12 percent to 15 percent), but the overall number of breach investigations decreased slightly (from 180 investigations in the second half of 2017 to 165).


ASCs can take important steps to help prevent these sorts of breaches and limit their liability. ASCs are encouraged to review and update policies and procedures frequently to prevent unauthorized access, improper disposal, and loss and theft of PHI. ASCs also can consult the OCR website to study recent enforcement actions and consider how they can avoid the mistakes made by others.

Below are selected enforcement actions that highlight a few precautions ASCs can take.

Fresenius Medical Care North America (FMCNA)

What Happened: Five separate security breaches at various FMCNA facility locations occurred in a six-month span between February and July 2012. Due to failure to conduct an accurate risk analysis, there were not adequate policies and procedures in place to address several security vulnerabilities. FMCNA paid a $3.5 million settlement.

Take Away for ASCs: OCR Director Roger Severino pointed out the lack of any “enterprise-wide risk analysis,” highlighting the importance of developing a centralized information security plan that can be implemented across multiple facilities. Each of the FMCNA-covered entities had slightly different infractions—from impermissible disclosures to inadequate tracking of hardware and electronic media—but in all cases, there was a failure of alignment with defined policies and procedures to address security incidents. Together, several smaller incidents over the course of a few months resulted in millions in settlement charges.

Filefax Inc.

What Happened: Filefax, a company in Northbrook, Illinois, claimed to provide storage, maintenance and delivery services for medical records. An OCR investigation, however, revealed that Filefax had left PHI of 2,150 individuals in an unlocked truck at a shredding and recycling facility. Filefax paid a $100,000 settlement and, subsequently, closed.

Take Away for ASCs: It is imperative that ASCs consider the entire continuum of any PHI they handle, including proper vetting of any outside entities that might handle PHI. In this instance, there were numerous impermissible access points, such as transporting PHI in an unlocked truck and granting an unauthorized person permission to remove PHI from Filefax. Also worth noting: Filefax’s closing during the course of the investigation did nothing to alter the result, as entities remain responsible for their HIPAA obligations regardless of operating status.

The University of Texas MD Anderson Cancer Center

What Happened: MD Anderson is an academic institution and cancer treatment and research center in Houston. Three separate data breaches occurred in 2012 and 2013, resulting in the loss of a laptop and two unencrypted USB drives containing PHI for more than 33,500 individuals. The required settlement of $4.35 million was the fourth largest amount ever awarded in a settlement for HIPAA violations.

Take Away for ASCs: The foundation for this settlement goes all the way back to MD Anderson’s device encryption policies. OCR found that MD Anderson had written specific encryption policies in 2006, identifying unencrypted devices as a possible security vulnerability. Despite this, it failed to adopt any enterprise-wide solution until 2011 and, even then, the solution was rolled out sporadically. The ramifications for not encrypting devices are extremely serious since, as seen here, the loss of a small number of unencrypted devices can mean exposure of PHI for thousands of individuals.

ASCA provides several resources to help ASCs remain compliant with HIPAA. The page dedicated to HIPAA Resources can be found in the Federal Regulations section of the main site. You can find background on the act itself, as well as the four key provisions: privacy, security, breach notification and enforcement. ASCA facility and corporate members also have free access to the HIPAA Workbook for ASCs, a comprehensive resource for designing, updating and evaluating their HIPAA compliance program.

For more information or for questions and concerns, write Alex Taira.