The doctor-patient relationship has always involved a certain level of privacy. But over the years, the stakes for healthcare providers who violate patient privacy have risen sharply. Barely two months into 2017, we are already seeing increased breach and enforcement activity.
According to a newly released report from Protenus, produced in conjunction with databreaches.net, January saw 31 healthcare data breaches disclosed, resulting in the exposure of 388,307 patient and health plan member records.
The largest healthcare data breach reported last month involved CoPilot Provider Support Services, Inc. and impacted 220,000 individuals. However, the breach actually occurred in October 2015, and CoPilot discovered the incident two months later, in December 2015. The Department of Health and Human Services’ Office for Civil Rights was not notified of the breach until January 2017, well outside the 60-day deadline for reporting breaches.
According to the report, the average number of days between the breach occurring and the incident being reported to OCR was 174 days. It took an average of 123.5 days for healthcare organizations to discover a breach had occurred.
Healthcare entities that mishandle data breaches are finding themselves paying significant penalties. Case in point: the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), recently announced the first HIPAA settlement based on the untimely reporting of a breach of unsecured protected health information.
Presence Health, one of the largest healthcare networks serving Illinois, agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000 and implementing a corrective action plan. You can read the resolution agreement here.
According to OCR, Presence Health discovered that paper-based operating room schedules that contained the personal health information of more than 800 patients had gone missing from one of its surgery centers. Presence Health, however, failed to notify those affected by the breach and OCR until more than 100 days after making the discovery.
But that’s not all. OCR went on to state that Presence Health, in 2015 and 2016, also failed to provide timely written breach notifications to those whose personal health information had been compromised.
In an unrelated case, on Feb. 1 OCR announced that Children’s Medical Center of Dallas would pay a $3.2 million fine for failing to comply with HIPAA regulations on numerous occasions dating as far back as 2009.
“OCR’s investigation revealed Children’s noncompliance with HIPAA Rules, specifically, a failure to implement risk management plans, contrary to prior external recommendations to do so, and a failure to deploy encryption or an equivalent alternative measure on all of its laptops, work stations, mobile devices and removable storage media until April 9, 2013,” a news release states.
Last year, healthcare data breaches rose to record levels with 16,471,765 records exposed, according to a report in HIPAA Journal, and OCR figures show that since 2009, 166 million healthcare records have been stolen or exposed.
In addition, in 2016 OCR collected approximately $23 million in fines, more than three times the previous annual record of $7.4 million set in 2014.
It’s no wonder that so many Americans are concerned about the security of their health information. A Xerox eHealth Survey released earlier this month found nearly half of those questioned are concerned about having their personal healthcare information stolen.
It is more important than ever before that healthcare providers find better methods of securing and sharing healthcare data.
Providers who find themselves the target of a HIPAA audit or compliance review will be required to show that they have the necessary documentation in place to safeguard protected health information and show how all required security safeguards are being addressed.
Having a compliance program in place is the first step in protecting yourself and your practice. The Health Law Offices of Anthony C. Vitale’s highly skilled team of experienced professionals can help you to create a compliance program designed to meet your unique needs. Give us a call at 305-358-4500 or send an email to firstname.lastname@example.org and let’s discuss how we might be able to assist you.