HIPAA Enforcement Update: Implications for Oncology Practices
In the past year, the healthcare sector has seen a dramatic rise in the Health Insurance Portability and Accountability Act (HIPAA) enforcement, settlement agreements, and the resumption of the Office of Civil Rights audit protocol. The Office of Civil Rights was appointed as the enforcement arm for the HIPAA rules in 2009. The number of healthcare records that were breached in 2015 (113 million) was nearly triple the number of records breached between 2009 and 2014 (41 million); this, in addition to the unprecedented number of ransomware attacks the industry is facing this year, shines a spotlight on healthcare and the security of the information we house.
The Office of Civil Rights has entered into 10 resolution agreements with healthcare entities governed by the HIPAA rules in 2016 alone, which is astounding compared with the previous 6 years.1 For example, in 2014 and 2015 there were 6 resolution agreements in each year between the Office of Civil Rights and entities that found themselves in breach of the HIPAA rules and led to an investigation; with just a little more than half of 2016 gone, that number is already nearly double.1 The Table lists this year’s resolution agreements with HIPAA and the settlement amounts.1
The numbers of resolution agreements, as well as the settlement amounts, speak volumes of the significance of entities complying with the HIPAA rules. More than 50% of the resolved investigations in 2016 involved a lack of security as it relates to patient information, and organization-wide risk analysis being conducted as is required by the HIPAA rules.1 In fact, in the majority of the cases, had the entity performed a thorough risk analysis and rectified any identified risks, the outcome of these investigations could have been considerably better.
Office of Civil Rights Kicks Off Next Phase of HIPAA Audit
The Office of Civil Rights recently kicked off the next phase of their auditing protocol. On July 11, 2016, the Office of Civil Rights notified the current pool of auditees of their selection and submission requirements of HIPAA documentation.2 The good news is that if you did not receive a notification that you were selected and of your submission requirements, you can breathe easy for a few months; however, that does not mean that you will never be selected for auditing purposes by the Office of Civil Rights.
This audit protocol is expected to develop into a continuous cycle of proactive auditing versus reactive investigations when breach notification occurs. The goal is to confront potential problems before they transpire. By the end of 2016, the Office of Civil Rights expects to have notified the business associates who are selected for audit of their requirements for document submission, and to kick off the onsite audit portion of their audit protocol.2
Ransomware on the Rise
The cyber landscape has not improved for the healthcare sector. In 2015, we saw several well-publicized hacking attacks against major health insurers, resulting in the loss of approximately 100 million patient records in just 3 major incidents. Although we are not seeing hacking attacks of that magnitude in 2016, we are observing an unprecedented number of ransomware attacks against large and small healthcare organizations.3-5
For example, hospitals in California, Texas, Kansas, Kentucky, Maryland, and Washington, DC, have been victims of ransomware attacks. In at least 2 cases, the hospitals had paid ransoms to regain access to their information—Hollywood Presbyterian Medical Center paid $17,000 (with an initial demand of $3.4 million), and Kansas Heart Hospital in Wichita paid a ransom, for which they have declined to disclose the amount.3,5
Do You Have a Complete Compliance Program?
As we consider the reality of HIPAA and the cybersecurity landscape for healthcare entities, it is clear that we must ensure we are meeting our responsibilities to protect the patient information we create, maintain, and store. One of the most important aspects of this is to make sure that you have a complete HIPAA compliance program in place. A complete program will involve third-party vendors to help establish policy and procedure, and information technology support to ensure that your technical environment is secure.
Looking ahead to the very real possibility of being audited or investigated by the Office of Civil Rights makes today a great day to examine what your organization has in place:
- Do you have documented policies and procedures?
- Are these policies and procedures communicated to employees?
- Are they enforceable by rule?
- When was the last time you completed a HIPAA security risk assessment?
- When was the last time you completed a HIPAA risk analysis?
- Do you know the status of your network environment?
- US Department of Health & Human Services. Resolution agreements: resolution agreements and civil money penalties. www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html. Accessed August 16, 2016.
- US Department of Health & Human Services. HIPAA privacy, security, and breach notification audit program. www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit. Accessed August 16, 2016.
- Lee S; for Newsweek. Ransomware wreaking havoc in American and Canadian hospitals. March 23, 2016. www.newsweek.com/ransomware-wreaking-havoc-american-and-canadian-hospitals-439714. Accessed August 16, 2016.
- Zetter K; for Wired. Why hospitals are the perfect targets for ransomware. March 30, 2016. www.wired.com/2016/03/ransomware-why-hospitals-are-the-perfect-targets. Accessed August 16, 2016.
- Siwicki B; for Healthcare IT News. Ransomware attackers collect ransom from Kansas hospital, don’t unlock all the data, then demand more money. May 23, 2016. www.healthcareitnews.com/news/kansas-hospital-hit-ransomware-pays-then-attackers-de mand-second-ransom. Accessed August 16, 2016.