Legal Updates: Healthcare Data Privacy and Security under HIPAA

Steven M. Harris, Esq.  |  Issue: May 2014  |  May 1, 2014
A recent costly settlement is the latest reminder of the importance of compliance with the Health Insurance Portability and Accountability Act (HIPAA). Recently, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) and a medical practice (the Group) entered into a resolution agreement that serves as an expensive reminder of potential HIPAA exposure for healthcare providers’ failure to maintain written policies and procedures. The settlement, which requires the Group to pay $150,000 and implement a corrective action plan, is based on OCR’s findings that the Group failed (i) to perform risk analysis (required under the HIPAA Security Rule) and (ii) to have written policies and procedures, and train members of its workforce (required under the Breach Notification Rule).

Landscape of Healthcare Data Breaches

In recent years, the number of reports of healthcare data breaches has skyrocketed. In 2013, the Identity Theft Resource Center (ITRC) identified 267 data breaches within the medical/healthcare industry, constituting 43% of all data breaches tracked by ITRC; in 2012, the ITRC identified 163 medical/healthcare data breaches, which comprised only 34.7% of all data breaches.
Pursuant to the Breach Notification Rule, HIPAA-covered entities (healthcare providers, health plans and healthcare clearinghouses) must notify individuals and OCR (and in some cases the media) of breaches of protected health information (PHI). The Breach Notification Rule further requires business associates to notify covered entities of such breaches. Since reporting began in 2009, OCR has received reports of more than 700 breaches involving 500 or more individuals and 64,000 reports of breaches involving fewer than 500 individuals.

Since 2008, OCR has obtained corrective action from covered entities in more than 13,000 cases and has entered into resolution agreements in 16 cases involving HIPAA noncompliance by covered entities.

The Breach, Investigation & Resolution Agreement

The Group is a 12-physician medical practice with six offices. OCR’s investigation and the settlement arose out of the theft of an unencrypted thumb drive containing electronic PHI (ePHI) of approximately 2,200 people from the vehicle of one of the Group’s staff members.

After the Group notified the affected individuals, the media and OCR, OCR investigated the Group’s compliance with the HIPAA Security, Privacy and Breach Notification Rules (the HIPAA Rules). Although the mere occurrence of a breach did not itself trigger sanctions, the settlement resulted from OCR’s findings that:

  • The Group violated the Security Rule by failing to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI;
  • The Group violated the administrative requirements of the Breach Notification Rule by failing to maintain written policies and procedures, and to train members of its workforce regarding breach notification; and
  • The Group impermissibly disclosed ePHI by failing to reasonably safeguard the unencrypted thumb drive, which allowed the thief to gain unauthorized access to ePHI.

Subsequent to OCR’s investigation, OCR entered into a resolution agreement with the Group, under which the Group agreed to:

  • Pay a $150,000 fine;
  • Perform a comprehensive, organization-wide risk analysis of all ePHI security risks and vulnerabilities covering the Group’s electronic media and systems;
  • Address and mitigate any security risks and vulnerabilities uncovered in the risk analysis by developing a risk management plan and, if necessary, revising its policies and procedures;
  • Provide the risk analysis, risk management plan and revised policies and procedures to OCR to review and revise, and implement any of OCR’s revisions; and
  • Comply with reporting requirements.

What Does This Mean?

OCR’s press release notes conspicuously that this is the first settlement with a covered entity for failing to have breach notification policies. Despite the Group’s timely notification to the affected individuals, the media and OCR, the Group was sanctioned for violating the Breach Notification Rule by failing to maintain written breach notification policies and procedures.

Although the Security Rule does not mandate encryption, if a breach occurs, a failure to encrypt is likely to invite scrutiny from OCR, other regulators and plaintiffs’ attorneys. Moreover, even if ePHI is lost or stolen, breach-reporting obligations may be excused if the ePHI was encrypted in accordance with National Institute of Standards and Technology (NIST) standards.

Risk analysis is a recurring theme in OCR’s resolution agreements and Security Rule guidance. In August 2013, OCR expressed a similar focus on risk analysis when settling with Affinity Health Plan Inc. for returning used photocopy machines without erasing PHI from the copier hard drives. In its press release, OCR stated, “covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.”

This settlement is a reminder of the importance of taking appropriate steps to protect the privacy and security of PHI. Parties will pay a high price for failing to do so. Beyond the monetary fine, addressing the breach and the resulting investigation brings other heavy costs: legal and consulting fees can be substantial; the attention of staff members and leadership is diverted; and a corrective action plan can be significantly more expensive and time consuming to implement than effective policies and procedures would have been in the first place. Moreover, the adverse impact of a breach on one’s reputation and relationships is difficult to quantify. Thus, even when covered entities diligently pursue HIPAA compliance, they should still consider cyber insurance or other means to offset the potentially immense costs of a breach or investigation.

Action Steps

To avoid potentially significant costs and liabilities for HIPAA noncompliance and to minimize the likelihood and consequences of a data breach, proactive steps should be taken to ensure that systems, policies and procedures comply with the HIPAA Rules and applicable state law. Accordingly, consider:

  • Reviewing written HIPAA privacy, security and breach notification policies and procedures, and updating them if necessary;
  • Identifying and reviewing all business associate relationships and business associate agreements;
  • Assessing potential risks and vulnerabilities to the confidentiality, integrity and availability of all ePHI through the performance of risk analysis;
  • Engaging in risk management to identify and take action on security gaps and promptly correcting identified HIPAA violations;
  • Documenting HIPAA-related determinations and actions;
  • Training workforce members to comply with the HIPAA Rules and to promptly identify, investigate and respond to possible data breaches;
  • Encrypting ePHI to the extent feasible;
  • Avoiding unnecessary disclosures of PHI; and
  • Obtaining cyber insurance.

HIPAA compliance is imperative, and taking proactive measures can help you avoid a bigger issue down the road.


Steven M. Harris, Esq.

Steven M. Harris, Esq., is a nationally recognized health care attorney and a member of the law firm McDonald Hopkins LLC. He may be reached at [email protected].