Attorneys Stress Increasing Importance of Pre-Breach HIPAA, HITECH Compliance

Attorneys Stress Increasing Importance of Pre-Breach HIPAA, HITECH Compliance

If the federal government’s recent activity is any indication, organizations and companies that handle protected health information must be even more vigilant in complying with the HIPAA and HITECH Act before a data breach occurs.

“The federal government has already this year begun enforcing HIPAA to an extent that it never has since HIPAA came into existence in 1996,” said Eric Fader of Edwards Wildman Palmer LLP.

Some of the more recent enforcement actions included a $1.5 million settlement with BlueCross BlueShield of Tennessee related to the loss of unencrypted hard drives from a storage facility in March 2012. This was the first enforcement settlement against a health-care insurer. Also, in May, a small, five-person cardiology practice in Phoenix was fined $100,000 for failure to have proper HIPAA and HITECH procedures in place.

In June, the Alaska Department of Health and Social Services was fined $1.7 million for numerous HIPAA violations that were uncovered in the investigation following the loss of a USB drive containing patient information.

“These recent developments are really the beginning of HIPAA enforcement on a lot of fronts that people have been waiting for for years,” said Fader.

Fader said that, despite the fact that the Acts have been in existence for a while, there are still companies and individuals that are not aware of their requirements.

“I think there are many, many people and entities that have been brought under HIPAA by the HITECH Act who don’t understand that it applies to them and don’t understand how draconian some of these civil and criminal penalties can be,” he said.

Fader says that he continues to see companies and even attorneys who come into possession of protected health information, such as individually identifiable combinations of somebody’s name and another item of data—even just the fact that that someone has seen a physician—and are unaware that they are likely to be considered a business associate under HIPAA and need to have an appropriate agreement in place.

“There’s still protected health information being shared between doctors and their lawyers, between insurance companies and their brokers, between a lot of different parties—without really respecting the requirements of HIPAA and the HITECH Act,” said Fader.

He also recommends that companies make sure that they are as careful as possible about securing their information.

“With an increasing number of people using tablets and smartphones where you can download emails and with devices being stolen or left on buses, or people’s cars being stolen or broken into—if you’re going to be walking around with a mobile device on which you have any type of patient information, that thing had better be encrypted and you’d better know what HIPAA is, because the government is starting to nail people to the wall for violations,” said Fader.

Civil Rights

“Lately the Office for Civil Rights [OCR] is becoming very sophisticated and very aggressive in the kinds of information that it requests of entities that experience breaches,” said Katherine M. Keefe of Dilworth Paxson, LLP.

Keefe said the letters that are sent to companies that experience breaches include “all manner of questions regarding the entity’s fundamental compliance with HIPAA. And organizations that haven’t paid attention to that stand to lose a lot in the realm of being investigated after a breach.”

Lynn Sessions of Baker Hostetler agreed and also stressed that companies need to make sure that their breach response plan is up to date before the OCR gets involved.

“We’ve got clients who had that plan on the shelf from 2009, never looked at it, dust it off, have not been doing the risk assessments, and the OCR is not real happy about that. And so, the original request [from the OCR] is actually pretty friendly and pretty basic and says ‘give me your risk assessment, give me your compliance with the privacy rule, give me your compliance with the security rule.’ But beyond that, we’re not seeing in most instances that our clients are necessarily doing the annual risk assessments and looking and seeing how their organizations are changing as they’re going into the advent of electronic health records, patient portals, other vulnerabilities that they have,” she said.

Fader said the recent trend toward increased government enforcement is likely to increase when the omnibus HIPAA and HITECH rule is released this year. He also warned that after the omnibus rule comes out, the government may be less likely to grant leniency for violations.

“There are going to be higher expectations on the part of the enforcement authorities once it’s explained to people exactly what these laws mean and exactly how they’re expected to comply,” said Fader.