Check Request Status610-994-7500

Test Blog

As of September 30, 2013, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has received over 141,754 complaints. Over 24,500 of these led to OCR investigations, resulting in required changes to privacy practices, corrective actions or technical assistance. Another 15,746 of these complaints led to OCR intervention and provision of technical assistance without the need for investigation.

Forty three of these breach and compliance investigations resulted in corrective measures, including three civil money penalties (CMPs) totaling over $7 million in fines.

My colleague Sara Goldstein, Esq., Vice President and General Counsel for MRO, and I recently gave a webinar, Lessons Learned from OCR Enforcement Actions, the first in an ongoing series of MRO-hosted privacy and security webinars. Here are some highlights.

Conduct Risk Analysis

Make sure your organization conducts regular and thorough risk analyses and assessments. Knowing where all Protected Health Information (PHI) is stored is a key part of developing a successful Information Governance (IG) strategy.

Follow through on findings from risk analyses and implement security measures that sufficiently reduce your organization’s risk of losing or compromising its PHI.

The Minimum Necessary Rule

Under the HIPAA Privacy Rule’s minimum necessary restrictions, Covered Entities (CEs) and Business Associates (BAs) must make reasonable efforts to use, disclose and request only the minimum amount of PHI needed to accomplish the intended purpose of the use and disclosure. A CE may not use or disclose the entire medical record for a particular purpose, unless it can specifically justify the whole record as the amount reasonably needed for the purpose.

For example, Triple-S Management Corporation paid $3.5 million after the OCR determined they disclosed more PHI than necessary to accomplish the purpose for which they hired an outside vendor.

Following the Minimum Necessary Rule is crucial to preventing breach. Consider partnering with a disclosure management services provider. If Release of Information (ROI) is conducted in-house, proper employee training is critical.

Physical and Technical Safeguards

Use the HIPAA Administrative Simplification Table of Contents as your guide to ensuring that your HIPAA Policies and Procedures address all of the appropriate safeguards. This makes conducting risk analyses and potential audits easier because you can crosswalk your policies and procedures to the regulations.

Educate Workforce

Educate your workforce on Policies and Procedures and enforce these standards. Train workforce members who use or disclose PHI should be provided on an ongoing basis. This is an essential step in preventing breach, as many breaches occur during the normal ROI process due to unintentional employee actions.

Encrypt, Encrypt, Encrypt!

BlueCross BlueShield of Tennessee made a $1.5 million resolution payment in 2012 after 57 unencrypted computer hard drives were stolen from a leased facility containing PHI of over one million individuals, as the CE didn’t have adequate facility access controls.

Encryption is a saving grace, and electronic PHI (ePHI) should always be encrypted prior to release to avoid breach.

To learn more, fill out the form to request a recording of MRO’s Privacy and Security Webinar Series, Part 1: Lessons Learned from OCR Enforcement Actions.

Receive a Recording of MRO’s Privacy and Security Webinar Series, Part 1

Read More

HITECH Answers
HCCA Wrap Up
Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, Vice President of Privacy, Compliance and HIM Policy for MRO, shares insights from attending the Health Care Compliance Association’s Compliance Institute, including updates on the OCR’s HIPAA audits and patient access guidelines.

Read More

Lessons Learned from OCR Enforcement Actions

As of September 30, 2013, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has received over 141,754 complaints. Over 24,500 of these led to OCR investigations, resulting in required changes to privacy practices, corrective actions or technical assistance. Another 15,746 of these complaints led to OCR intervention and provision of technical assistance without the need for investigation.

Forty three of these breach and compliance investigations resulted in corrective measures, including three civil money penalties (CMPs) totaling over $7 million in fines.

My colleague Sara Goldstein, Esq., Vice President and General Counsel for MRO, and I recently gave a webinar, Lessons Learned from OCR Enforcement Actions, the first in an ongoing series of MRO-hosted privacy and security webinars. Here are some highlights.

Conduct Risk Analysis

Make sure your organization conducts regular and thorough risk analyses and assessments. Knowing where all Protected Health Information (PHI) is stored is a key part of developing a successful Information Governance (IG) strategy.

Follow through on findings from risk analyses and implement security measures that sufficiently reduce your organization’s risk of losing or compromising its PHI.

The Minimum Necessary Rule

Under the HIPAA Privacy Rule’s minimum necessary restrictions, Covered Entities (CEs) and Business Associates (BAs) must make reasonable efforts to use, disclose and request only the minimum amount of PHI needed to accomplish the intended purpose of the use and disclosure. A CE may not use or disclose the entire medical record for a particular purpose, unless it can specifically justify the whole record as the amount reasonably needed for the purpose.

For example, Triple-S Management Corporation paid $3.5 million after the OCR determined they disclosed more PHI than necessary to accomplish the purpose for which they hired an outside vendor.

Following the Minimum Necessary Rule is crucial to preventing breach. Consider partnering with a disclosure management services provider. If Release of Information (ROI) is conducted in-house, proper employee training is critical.

Physical and Technical Safeguards

Use the HIPAA Administrative Simplification Table of Contents as your guide to ensuring that your HIPAA Policies and Procedures address all of the appropriate safeguards. This makes conducting risk analyses and potential audits easier because you can crosswalk your policies and procedures to the regulations.

Educate Workforce

Educate your workforce on Policies and Procedures and enforce these standards. Train workforce members who use or disclose PHI should be provided on an ongoing basis. This is an essential step in preventing breach, as many breaches occur during the normal ROI process due to unintentional employee actions.

Encrypt, Encrypt, Encrypt!

BlueCross BlueShield of Tennessee made a $1.5 million resolution payment in 2012 after 57 unencrypted computer hard drives were stolen from a leased facility containing PHI of over one million individuals, as the CE didn’t have adequate facility access controls.

Encryption is a saving grace, and electronic PHI (ePHI) should always be encrypted prior to release to avoid breach.

To learn more, fill out the form to request a recording of MRO’s Privacy and Security Webinar Series, Part 1: Lessons Learned from OCR Enforcement Actions.

Receive a Recording of MRO’s Privacy and Security Webinar Series, Part 1

Read More

Insights from MRO’s Legal Expert: Best Practices for Incident Response Plans

Data breaches cost companies an average of $221 per compromised record. Heavily-regulated industries, like healthcare, tend to have per capita data breach costs substantially higher than the overall mean. In fact, according to an American National Standards Institute (ANSI) survey of institutions who experienced a reported breach, healthcare breaches can cost $8,000 to $300,000, in addition to any U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) penalty or settlement.

Healthcare data contains a wide range of identifying information, including social security numbers, birthdates and home addresses. This makes health information very valuable, necessitating effective breach prevention and incident response plans. Here are five best practices.

Create a Patient Data Protection Committee

Everyone involved in protecting Protected Health Information (PHI) at a healthcare organization must communicate with each other regularly. Creating a patient data protection committee will facilitate this communication. This committee should conduct some privacy functions for the organization, like overseeing patient privacy and security programs, performing quarterly risk analyses and assessments, and reviewing policies and procedures annually.

Provide On-Going Education and Training

Many breaches are caused by unintentional employee actions during the normal Release of Information (ROI) process. Unfamiliarity with proper policies and procedures for the use and disclosure of health information is frequently to blame. With this in mind, fostering a culture of compliance is key to stopping these breaches.

As part of this culture of compliance, workforce members should undergo formal training at least once a year.

Encrypt

Utilizing technology to strengthen compliance is a must. Electronic PHI (ePHI) should always be encrypted before distribution, fortifying the data against breach.

Test the Effectiveness of Compliance Program

Keep your compliance program current by performing regular effectiveness tests. Mock breach exercises and the use of fake phishing emails are great ways to keep employees up to date on compliance.

Assess BA Compliance

It is important that Business Associates (BAs) are compliant. Conducting regular due diligence and periodic vendor audits will ensure BA compliance. Make sure Business Associate Agreements (BAAs) are in place.

This blog’s author, Sara Goldstein, Esq., will give presentations on the topic of breach management and incident response at upcoming NCHIMA, MDHIMA, and FHIMA annual meetings.

This blog post is made available by MRO’s general counsel for educational purposes only, as well as to give general information and a general understanding of the law, not to provide specific legal advice. This blog does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed attorney in your state.

Sign Up for Future Blog Posts

Read More

Field Report: HCCA Compliance Institute and HIPAA Summit

I recently attended the Health Care Compliance Association’s (HCCA) Compliance Institute and the annual HIPAA Summit, both in the Washington, D.C. area, where representatives from the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) delivered remarks on what to expect from their office in 2017. I reported on my experiences at these events in an article for RACmonitor; here are some highlights.

New Director of the OCR

Attendees at the HIPAA Summit had the great honor of hearing the first public remarks from the newly appointed Director of the OCR, Roger Severino, in his new capacity. Prior to his appointment, Severino had a long and distinguished public service career.

In his remarks at the Summit, Severino emphasized the important role of health information privacy and security to the overall functioning of the healthcare system. This focus will lead to increased patient confidence in the system, which, according to the new director, is paramount for the system to function.

OCR Priorities for 2017

Following Severino’s remarks, OCR Deputy Director Deven McGraw shared the OCR’s outlook for 2017. McGraw and her team plan to work with Severino over the coming weeks to identify priorities for policy and guidance.

Update on HIPAA Audit Program

Speaking on Phase 2 of the HIPAA Audit Program, McGraw reiterated that the audits are a tool for learning, not a tool for enforcement, and should eventually yield best practices. She stated that the OCR hopes to develop a continuous compliance monitoring program moving forward, as opposed to the sort of periodic audits enacted currently.

OCR Enforcement

Iliana Peters, Attorney and Senior Advisor at the OCR, spoke on OCR enforcement at both the Compliance Institute and the HIPAA Summit. She highlighted lessons learned from 2016 resolution agreements and civil money penalties, including the need for regular and thorough risk analyses, encryption, access and audit controls, and timely breach notification.

For more information on the OCR, join MRO for the first installment of our free privacy and security webinar series, “Lessons Learned from OCR Enforcement Actions,” Monday, April 17, 1pm Eastern.

Sign Up for Future Blog Posts

Read More