Lessons Learned from OCR Enforcement Actions
As of September 30, 2013, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has received over 141,754 complaints. Over 24,500 of these led to OCR investigations, resulting in required changes to privacy practices, corrective actions or technical assistance. Another 15,746 of these complaints led to OCR intervention and provision of technical assistance without the need for investigation.
Forty three of these breach and compliance investigations resulted in corrective measures, including three civil money penalties (CMPs) totaling over $7 million in fines.
My colleague Sara Goldstein, Esq., Vice President and General Counsel for MRO, and I recently gave a webinar, Lessons Learned from OCR Enforcement Actions, the first in an ongoing series of MRO-hosted privacy and security webinars. Here are some highlights.
Conduct Risk Analysis
Make sure your organization conducts regular and thorough risk analyses and assessments. Knowing where all Protected Health Information (PHI) is stored is a key part of developing a successful Information Governance (IG) strategy.
Follow through on findings from risk analyses and implement security measures that sufficiently reduce your organization’s risk of losing or compromising its PHI.
The Minimum Necessary Rule
Under the HIPAA Privacy Rule’s minimum necessary restrictions, Covered Entities (CEs) and Business Associates (BAs) must make reasonable efforts to use, disclose and request only the minimum amount of PHI needed to accomplish the intended purpose of the use and disclosure. A CE may not use or disclose the entire medical record for a particular purpose, unless it can specifically justify the whole record as the amount reasonably needed for the purpose.
For example, Triple-S Management Corporation paid $3.5 million after the OCR determined they disclosed more PHI than necessary to accomplish the purpose for which they hired an outside vendor.
Following the Minimum Necessary Rule is crucial to preventing breach. Consider partnering with a disclosure management services provider. If Release of Information (ROI) is conducted in-house, proper employee training is critical.
Physical and Technical Safeguards
Use the HIPAA Administrative Simplification Table of Contents as your guide to ensuring that your HIPAA Policies and Procedures address all of the appropriate safeguards. This makes conducting risk analyses and potential audits easier because you can crosswalk your policies and procedures to the regulations.
Educate your workforce on Policies and Procedures and enforce these standards. Train workforce members who use or disclose PHI should be provided on an ongoing basis. This is an essential step in preventing breach, as many breaches occur during the normal ROI process due to unintentional employee actions.
Encrypt, Encrypt, Encrypt!
BlueCross BlueShield of Tennessee made a $1.5 million resolution payment in 2012 after 57 unencrypted computer hard drives were stolen from a leased facility containing PHI of over one million individuals, as the CE didn’t have adequate facility access controls.
Encryption is a saving grace, and electronic PHI (ePHI) should always be encrypted prior to release to avoid breach.
To learn more, fill out the form to request a recording of MRO’s Privacy and Security Webinar Series, Part 1: Lessons Learned from OCR Enforcement Actions.