With each new iteration of HIPAA, it seems that HHS’ reach grows wider and its power stronger. It’s no surprise that the new omnibus HIPAA Rule imposes significantly stronger enforcement of HIPAA, given the increase in the numbers and severity of privacy / security breaches over the last few years.
WHERE WE’VE BEEN:
Before I get into the detail of HHS’ new enforcement powers under the omnibus HIPAA Rule, humor me with this brief wake-up call on the healthcare industry’s already abysmal record of privacy / security breaches:
As of December 31, 2012, HHS/OCR has investigated and resolved more than 18,122 cases by requiring covered entities or their business associates to make changes to their HIPAA compliance practices.
According to Redspin’s February 2013 report on 2012 breaches, the number of large breaches (over 500 patients impacted) increased in 2012 over 2011 by 21.5%; the good news is that there was a 77% decrease in the number of patient records affected.
Breaches have been reported in at least 48 of 50 states, plus the District of Columbia and Puerto Rico.
A late December 2012 study by the Ponemon Institute indicated that 94% of healthcare organizations have had at least one major breach (affecting 500+ patients) over the past two years, and 45% had more than five incidents.
The average cost for a breach among the organizations was a whopping $2.4 million over a two-year period. This has increased by $400,000 since 2010.
The Ponemon study showed a significant spike in legal defense costs, with breaches involving business associates being the most costly.
The average number of lost or stolen records per breach has been 2,769. HHS data shows that just the top ten data breaches in 2012 resulted in nearly two million compromised patient records.
The top five incidents contributed to nearly two-thirds of the total number of patient records exposed.
In 2012, the root causes among breaches ranged widely, including malicious hacks, lost back-up disks, and an email containing hundreds of thousands of patient records.
Business Associates have accounted for 57% of all patient records breached.
HHS / OCR has stepped up its enforcement activities in 2012, with an increasing focus on business associate violations, and violations through loss of laptops, smartphones and other mobile devices.
Settlements in 2012 show that no entity is excluded from OCR’s investigative eye. Breaches were investigated in large and small hospital organizations, state departments of health, physicians’ groups, insurers, hospices, home health organizations, and business associates.
WHERE WE’RE GOING:
Unfortunately, the number of breaches that will be reported in the future is likely to increase. As Steve Fox wrote in his recent guest post on HITpoint, the new Rule tightens the definition of a breach to include any incident where there is a probability that PHI has been compromised. In the past, an incident didn’t qualify as a breach unless there was also a risk of harm to an individual. Under the omnibus Rule, HHS also has expanded its ability to enforce HIPAA to a longer chain of regulated entities, has defined stricter enforcement criteria, and has increased penalties for violations.
Business associates, like covered entities, are directly subject to financial penalties. In the past, business associates did not have direct financial liability. Penalties that result from actions of a business associate’s subcontractor will be attributed to the business associate.
HHS says it will investigate any complaint when a preliminary review or independent HHS inquiry indicates a possible violation due to willful neglect. However, if there are no indications of willful neglect, HHS will rely on informal, voluntary actions to seek compliance.
The amount of civil money penalties will be determined depending on the following factors:
The nature and extent of the violation
The nature and extent of harm
The entity’s history of prior compliance
The financial condition of the entity
The omnibus Rule has formally adopted the HIPAA penalty structure created within the HITECH Act of 2009:
WHAT TO DO?
Healthcare organizations have been required to conduct periodic security risk analyses since 2005, which many actually do. But in a time of constant flux — Meaningful Use / MIPS and ICD-10 initiatives leading the wave — organizational efforts to prevent compromise of patient information must be ongoing. Frequent vulnerability scanning, privacy/security training of new employees (and regular refresher training), and encryption of all data devices are essential preventative measures.
And what about those business associates? Healthcare organizations must insist that their BAs conduct regular, documented third-party security assessments as a requirement in their partner contracts. Further, since business associates’ sub-contractors that “touch” patient information will now be counted as BAs, contracts should address them as well.
Make sure your business associates are prepared for the new requirements. Download our infographic that discusses the impact of omnibus HIPAA on business associates.