Mikael Grondahl

HIPAA: The Importance of Your Privacy – Part 2

We previously discussed the importance of your privacy, and the fact that we don’t want our personal health information floating around across the internet or exposed to strangers in other ways.

It’s obviously not anyone’s business when I had my latest flu vaccine shot, or any other procedure, except for my doctor or other involved medical staff.

Here’s an overview of HIPAA, a couple of examples of violations that have occurred recently, and the fines and penalties related to not following HIPAA law.

I believe that by looking at what’s really at stake here, most companies will probably start being a bit more careful about securing personal health information, making sure devices are encrypted, and making sure procedures are being followed.

HIPAA stands for the Health Insurance Portability and Accountability Act and was enacted as a law in 1996 to protect patient confidentiality and provide security measures for confidential health care information.

HIPAA protects the privacy of health information, sets national standards for securing electronically stored health information, and establishes a procedure for notifying patients in the event of unauthorized disclosure of health information, according to the U.S. Department of Health and Human Services.

HIPAA requires covered entities to notify affected individuals when their health information has been disclosed without authorization. Covered entities must also notify the secretary of HHS of any breaches of patient health information. If the privacy breach affects more than 500 individuals, the covered entity must notify the media.

All entities that store or use the medical records of individuals, including clinics, hospitals, health insurance companies, health clearinghouses, and contractors of any of these entities, are subject to HIPAA regulations, and are required to ensure that patient information is always hidden from public view.

HIPAA law requires that agencies prevent misuse of patient records by increasing the efficiency of data management systems, by implementing safeguards such as key card systems to track the individuals who have access to protected health information, by securing electronic transaction systems to ensure any information sent electronically is equally protected, and by requiring special authorization to be on file to share patient information with others outside of the medical practice.

Employers, law enforcement and schools are some of the entities that do not have to follow HIPAA laws. Individuals can obtain copies of their medical records and must give permission to the HIPAA-covered entities before those entities can share health information.

Who makes sure HIPAA regulations are followed?
The Office for Civil Rights of the U.S. Department of Health & Human Services (HHS) enforces HIPAA and is responsible for investigating complaints. Fines for HIPAA violations range from $100 to $50,000 per violation, up to $1.5 million for violations of a single provision. The U.S. Department of Justice may seek criminal penalties for egregious violations.

What are the 10 Most Common HIPAA Violations?

  1. Keeping Unsecured Records
  2. Unencrypted Data
  3. Hacking
  4. Loss or Theft of Devices
  5. Lack of Employee Training
  6. Sharing Protected Health Information
  7. Employee Dishonesty
  8. Improper Disposal of Records
  9. Unauthorized Release of Information
  10. 3rd Party Disclosure of Protected Health Information

What are the fines and penalties?
HIPAA violations are expensive. The penalties for noncompliance are based on the level of negligence and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision. Violations can also carry criminal charges that can result in jail time.

The fines use an increasing scale, depending on the number of patients affected and the amount of neglect, i.e. the severity.

The scale starts with a breach where you didn’t know, and by exercising reasonable diligence would not have known, that you violated a provision (Didn’t Know), and ends with a breach that is due to negligence and is not corrected within 30 days (Willful Neglect).

The fines and charges are broken down into 2 major categories: “Reasonable Cause” and “Willful Neglect”.

  • Reasonable Cause ranges from $100 to $50,000 per incident and does not involve any jail time.
  • Willful Neglect ranges from $10,000 to $50,000 per incident and can result in criminal charges.

HIPAA violation categories and their respective penalty amounts are outlined in the chart below:

| Violation                        | Amount per violation | Violations of an identical provision in a calendar year |
|----------------------------------|----------------------|---------------------------------------------------------|
| Did Not Know                     | $100 – $50,000       | $1,500,000                                              |
| Reasonable Cause                 | $1,000 – $50,000     | $1,500,000                                              |
| Willful Neglect — Corrected      | $10,000 – $50,000    | $1,500,000                                              |
| Willful Neglect — Not Corrected  | $50,000              | $1,500,000                                              |

Source: HHS, FederalRegister.gov

What sort of penalties are we talking about? Check out this list of settlements and fines levied in years past:

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html

HHS’ Office for Civil Rights is becoming more aggressive in enforcing HIPAA regulations. As HIPAA audits ramp up, hospitals and health systems are bolstering safeguards and security practices to avoid multimillion-dollar fines. Below are two examples from 2018.

  • February 1, 2018 – Fresenius Medical Care North America

(Failure to encrypt electronic devices, including laptop computers and USB thumb drives)

Five breaches add up to millions in settlement costs for entity that failed to heed HIPAA’s risk analysis and risk management rules

Fresenius Medical Care North America (FMCNA) has agreed to pay $3.5 million to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), and to adopt a comprehensive corrective action plan, in order to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. FMCNA is a provider of products and services for people with chronic kidney failure, with over 60,000 employees, that serves over 170,000 patients. FMCNA’s network comprises dialysis facilities, outpatient cardiac and vascular labs, and urgent care centers, as well as hospitalist and post-acute providers.

https://www.hhs.gov/sites/default/files/fresenius-racap.pdf

  • June 18, 2018 – The University of Texas MD Anderson Cancer Center

(Failure to encrypt electronic devices, including laptop computers and USB thumb drives)

Judge rules in favor of OCR and requires a Texas cancer center to pay $4.3 million in penalties for HIPAA violations

A U.S. Department of Health and Human Services Administrative Law Judge (ALJ) has ruled that The University of Texas MD Anderson Cancer Center (MD Anderson) violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and granted summary judgment to the Office for Civil Rights (OCR) on all issues, requiring MD Anderson to pay $4,348,000 in civil money penalties (CMPs) imposed by OCR.

https://www.hhs.gov/sites/default/files/alj-cr5111.pdf

So, out of the 10 most common HIPAA violations, both Fresenius Medical Care North America and The University of Texas MD Anderson Cancer Center violated the regulations concerning:

  • #2. Unencrypted Data
  • #4. Loss or Theft of Devices
  • #5. Lack of Employee Training (probably)

It cost both of these companies a good amount of money in fines, and it will probably cost them even more through the bad press and publicity that follow these violations. HIPAA is there to protect us, as patients, customers, clients or whatever we want to call ourselves. With proper training and safeguards, neither of these companies should have violated HIPAA laws and regulations, and, most importantly, their clients’ health information would not have been exposed.

How many other companies out there are just waiting to get fined? My guess is a lot of them, and for such simple things as not encrypting their devices and not providing proper employee training.