Author: Christine Zoccola
Every January, we reflect on the changes we need to make and resolve to follow through with these changes. This year, employers who maintain health plans should consider setting a new year’s resolution to update their HIPAA privacy and security policies and procedures.
Many employers enacted HIPAA policies and procedures shortly after the passage of HIPAA in 2003 and have not revised their HIPAA plan to reflect subsequent changes in the law. As outlined below, with the changes in the law and the increased enforcement activity from the Office of Civil Rights (the “OCR”), now is the time to consider updating existing HIPAA plans.
The Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 made sweeping changes to the HIPAA privacy and security regulations. Among other things, HITECH imposed new notification requirements in the event of a breach of protected health information; applied privacy and security provisions and penalties to business associates; created stricter disclosure requirements; and strengthened enforcement procedures and penalties. Additionally, HITECH mandated the OCR of the Department of Health and Human Services (“HHS”) to conduct audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and with the breach notification standards. A pilot audit program began in November 2011 and continued through December 2012, marking the end of the previously casual HIPAA compliance enforcement period. During the pilot audit program, OCR targeted a wide range of covered entities, including individual and organizational providers and health plans of all sizes and functions. The audit program is expected to be expanded into this year and next.
In addition to compliance audits, there has been an increase in HIPAA enforcement from OCR. In 2011, the OCR imposed a civil money penalty (“CMP”) of $4.3 million on Cignet Health of Prince George’s County, Maryland, representing the first CMP issued by the OCR for a covered entity’s violation of the HIPAA Privacy Rule. Since that case, there have been many other cases resulting in CMPs or large settlement fines imposed for violations of HIPAA. In 2012, there were a number of highly publicized enforcement actions taken by OCR, including the first enforcement action resulting from a breach report required by the HITECH Act breach notification rule. In a September 2012 press release announcing settlement of this case, OCR Director Leon Rodriguez stated that “compliance with HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom.”
The OCR’s commitment to HIPAA compliance appears to remain strong in the new year. On January 2nd, HHS issued a press release announcing the first HIPAA breach notification settlement involving fewer than 500 patients. The investigation of this particular case followed a breach report submitted by the covered entity reporting the theft of a laptop computer containing electronic protected health information of 441 patients. Over the course of the investigation, OCR discovered, among other things, that the covered entity did not have in place policies or procedures to address mobile device security as required by the Security Rules. OCR Director Leon Rodriguez stated that “this action sends a strong message to the health care industry, that regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” It is clear that regardless of the type or size of the covered entity, OCR is serious about HIPAA enforcement.
Based on recent enforcement activity, it is important to ensure that your HIPAA plan is complete, well documented, effective, and up to date. Now is the time to review privacy and security policies and procedures to ensure they comply with the constantly evolving HIPAA/HITECH laws and corresponding regulations.
Please consult with your attorney on these issues or contact Jim Hamilton or Christine Zoccola at Bose McKinney & Evans for additional information.