March 19, 2014 — This Second Opinion originally ran on the Texas Dentists for Medicaid Reform (TDMR) website. DrBicuspid.com appreciates them allowing us to reprint this column in its entirety. For more information, please visit the TDMR website.
It is safe to say that covered entities and business associates alike have experienced three phases of HIPAA enforcement.
The first two phases
Originally, during the early days of HIPAA, there was little or no enforcement. In fact, a covered entity had to do something so outrageously egregious that the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) was forced to act.
During these periods, small-business healthcare providers, such as dentists, had very little to worry about in terms of being subjected to an audit. Maybe the OCR followed the pattern of many federal prosecutors and thought that busting a couple of solo practitioners or medical groups with a single-digit or low double-digit number of physicians just didn’t get the same press as bringing down a national chain or large healthcare provider. In fact, before the HITECH Act, HIPAA did not require healthcare providers to notify anyone in the event of a breach.
The latest phase
Now, enter the third phase, where anything goes, at least when it comes to small-business healthcare providers.
In December 2013, Adult & Pediatric Dermatology (APDerm), a 12-physician organization, in Concord, MA, agreed to pay $150,000 to HHS for potential HIPAA Privacy, Security, and Breach Notification Rules violations.
Specifically, APDerm reported a stolen unencrypted thumb drive containing 2,200 patient records. The records contained procedure information and photos of patients’ cancers and procedures. However, the records did not include any financial data or Social Security numbers.
In addition to the payment, HHS required APDerm to implement a corrective action plan to correct its HIPAA deficiencies. This included developing a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities. This case marked the first time that HHS settled with a covered entity for not having HIPAA policies and procedures in place to address the HITECH Act.
Specifically, the practice lacked the following:
- A written and regularly updated risk analysis
- A formal risk and security plan
- An adequate breach response plan
- HIPAA training for its employees
In an earlier case from April 2012, Phoenix Cardiac Surgery of Arizona agreed to pay $100,000 to settle its case with HHS and take corrective action to implement policies and procedures to safeguard the protected health information of its patients.
Initially, the case began with a report that the physician practice had a publicly accessible Internet-based calendar that it used to post clinical and surgical appointments. However, after further investigation, OCR found that the practice had implemented few HIPAA policies and procedures, as well as limited safeguards to protect patients’ electronic protected health information.
In this case, OCR’s investigation revealed the practice had failed to do the following:
- Implement adequate policies and procedures to appropriately safeguard patient information
- Document that it trained any employees on its HIPAA policies and procedures
- Identify a security official and conduct a risk analysis
- Obtain business associate agreements in instances where services included patients’ electronic health information storage and access
New OCR survey for audit program
On February 24, 2014, HHS OCR announced that it will survey up to 1,200 covered entities and business associates to determine suitability for its HIPAA Audit Program. The last time OCR reviewed covered entities under its audit program, it reviewed the privacy and security controls of a dental practice.
At the conference where this was announced, OCR Deputy Director Susan McAndrews stated that determining whether organizations conduct timely and thorough HIPAA security risk assessments will likely be an area of focus. She further said that risk assessments were a common weak spot found in the pilot audit program, and risk assessment deficiencies also were found in previous breach investigations.
What the OCR hopes to glean through its survey, or how these surveys will assist it in selecting the next round of audits, is anyone’s guess. What we do know is that small-business healthcare providers are now fair game.
Also, it appears that the OCR may have realized what many compliance experts have always known: that a large proportion of small-business healthcare providers lack the resources, expertise, or even the motivation to ensure adequate controls are in place to protect patient data.
In any event, it’s time for small-business healthcare providers to ratchet up their HIPAA compliance activities, which include the following:
- Conducting annual risk assessments
- Having ongoing awareness education besides the mandatory yearly training
- Designating someone knowledgeable and interested in HIPAA as the practice’s HIPAA privacy and security officer
HIPAA does not require the designated person to be an employee. This allows healthcare businesses to hire someone externally to provide qualified HIPAA training services. Sometimes these consultants can be obtained at very reasonable monthly rates.
One thing we know for sure is that small-business healthcare providers are now on OCR’s radar and appear to be easy targets. They need to take action and ensure they are in compliance or risk serious consequences.
Gregory Ewing, JD, MPH, is president of Texas Dentists for Medicaid Reform. He also practices with the Asbahi Law Group of Washington, DC.
Copyright © 2014 Texas Dentists for Medicaid Reform
Article source: DrBicuspid.com.