Though the Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996, it wasn’t until 2003 that the first national data privacy and security rules were issued by the U.S. Department of Health and Human Services (HHS). These include the Privacy Rule, Security Rule and Enforcement Rule.
- Privacy Rule—describes individual rights regarding protected health information (PHI), defines covered entities (CEs) and business associates (BAs) and explains how they can use and disclose PHI.
- Security Rule—sets standards for safeguarding electronic PHI.
- Enforcement Rule—delineates compliance, investigations and potential penalties for HIPAA violations and assigns responsibility for enforcing the regulations to the Office for Civil Rights (OCR).
The HIPAA Omnibus Rule, effective March 23, 2013, amended the Enforcement Rule to ensure CE liability for the acts of BAs who are agents of the CE in accordance with the federal common law of agency. To enforce HIPAA compliance rules, OCR has indicated a shift toward more focused audits based on data patterns and trends. This month’s blog takes a look at recent OCR efforts, affirms the importance of BA risk assessments, and provides eight steps to ensure CEs and BAs meet HIPAA compliance.
Enforcement of HIPAA Privacy and Security Rules Increasing, Along with Associated Penalties
The OCR has stepped up enforcement of all rules and penalties. Complaints and reports of breaches initiate an investigation and any potential breaches must be reported promptly. Fines are assessed for lack of timely breach notification. Further, failure to notify affected individuals of the breach incurs an additional violation per day of delay.
Penalties are tiered based on the type and frequency of the violation. There are four HIPAA violation penalty tiers, each defined by level of culpability.
Importance of Risk Assessments to Comply with HIPAA Rules and Regulations
From January 2, 2015 through February 2018, OCR investigated 31 organizations for breaches and assessed a total of $52.7 million in penalties. Fourteen organizations (45 percent) were cited for inappropriate risk management—either failure to conduct a thorough risk assessment, or failure to act following assessment and risk identification.
The next highest citation (29 percent) related to Business Associate Agreements (BAAs)—either failure to establish a BAA, or failure to review and update the current BAA to comply with HIPAA rules. Several organizations on the list were cited and fined for both reasons.
Can You Pass Scrutiny? Eight Steps to Ensure HIPAA Compliance
Consider the following steps to ensure your organization and all BAs are in compliance with HIPAA rules:
- Assess and monitor BA security and compliance programs—require each BA to perform a privacy and security risk analysis on a regular basis and report results.
- Maintain a current BAA with all BAs. Each BA employee who handles PHI must have a signed BAA on file.
- Perform a Security Risk Assessment (SRA) on a regular basis and take corrective action. Any changes to PHI access triggers a new SRA. If a risk is identified, take corrective action immediately.
- Implement technical safeguards focused on endpoint security software, user monitoring software, user controls, access controls and audit controls.
- Ensure administrative safeguards through annual HIPAA training, employee testing and signatures on HIPAA acknowledgement agreements.
- Follow all security safeguards and requirements outlined in the list below.
- Verify that you and your BAs have privacy safeguards in place—a designated privacy officer and job description, privacy risk management plan, HIPAA privacy plan, privacy breach and incident response plan, privacy plan for laptops and equipment, ePHI policy to ensure transmission is secure and compliant, and off-boarding policies and procedures for terminating access to PHI when a workforce member terminates employment.
- Guarantee physical safeguards to secure remote offices, employee equipment, phone conversations, and electronic documents and data displayed on an employee’s workstation screen. Each employee should sign an acknowledgement statement to verify HIPAA compliance.
Further, it is prudent to have up-to-date photos of workspaces used by employees and BAs who work remotely. Best practice is to visit remote locations in person to verify compliance. OCR audits require proof that offsite and remote workspaces meet HIPAA compliance requirements.
Finally, exercise extreme diligence with privacy and security rules if your organization uses offshore vendors to perform work and access PHI. Legal teams should develop offshore vendor contracts that: Hold the domestic BA entity responsible for any breaches and any fines related to offshore breaches