Three years have passed since the Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted, adding HIPAA Breach Notification requirements to a long list of privacy-related obligations imposed on health care entities. To date, nine separate entities have incurred more than $12 Million in fines and penalties from breaches and other HIPAA violations.
Many of these fines could have been avoided if the company (or “entity”) had established policies and procedures to ensure it met all regulatory requirements, or if the company’s workforce had followed such policies. Where computer theft or loss was involved, the costly breach notifications and fines could have been avoided if the data on the device had been properly encrypted.
Here is a summary of federal enforcement actions occurring since HITECH became law:

| Breach Incident/violation | Entity | Type of entity |
| --- | --- | --- |
| Improper disposal of PHI | Rite Aid Pharmacy | Large pharmacy retail chain |
| Use of PHI for marketing purposes without an authorization | Management Services Organization Washington, Inc. | Healthcare management company |
| Denied patients access to their medical records | Cignet Health, Inc. | Multi-site healthcare facility |
| Lost fee tickets/billing forms on subway train | Massachusetts General Physicians Organization | Hospital and physician organization |
| Impermissible access to patient records | University of California Los Angeles Health System | Academic medical center |
| Stolen hard drives | Blue Cross Blue Shield of Tennessee | Large health insurance carrier |
| Posted surgery appointments on publicly available Internet-based calendars | Phoenix Cardiac Surgery, P.C. | Cardiac surgery practice group |
| Stolen flash drive | Alaska Dept of Health and Social Services | State health agency |
| Stolen laptop computer | Massachusetts Eye and Ear Associates, Inc. | Ophthalmology practice group |
The Office of Civil Rights (OCR), under the Department of Health and Human Services, is charged with enforcing all HIPAA regulations, including the recent HITECH Act. There are several reasons to believe that enforcement of HITECH is not going away any time soon:
1. With each passing year, the number of facilities receiving enforcement actions has increased, due to a HITECH provision that allows fines and penalties collected under HITECH to be used by OCR to expand its enforcement efforts. Thus, with each fine levied there is the opportunity for OCR to hire more staff and/or expand the scope of its investigations and audits.
2. OCR has awarded a $9 Million contract to KPMG to help audit HIPAA Privacy and Security compliance by covered entities and their business associates. Those audits are ongoing, and early results indicate that this model is an effective means for OCR to monitor privacy compliance across a wide range of entities.
3. Under HITECH, State Attorneys General are given specific authority to bring civil actions for HIPAA violations and to obtain damages on behalf of state residents when violations have occurred. OCR has already introduced a HIPAA enforcement training program specifically for State Attorneys General.
Nonetheless, there is much that you can do to help avoid similar enforcement actions:
1. Learn and follow the HIPAA policies and procedures specific to your organization.
2. Know and respect the privacy rights of patients served by your organization.
3. Protect the privacy and security of all patient information entrusted to you. Take special care to encrypt all portable electronic devices that might contain sensitive or protected health information.
4. Report suspected violations or breaches immediately by calling your privacy official.
To learn more about the HIPAA enforcement process or what you can do to avoid HIPAA breaches, contact the University of Louisville Privacy Office at (502) 852-3803 or firstname.lastname@example.org.