August 17, 2018

Bah, Humbug! HIPAA Compliance Isn’t Getting Any Easier

As we look back on 2017, one message is clear: don’t be a Scrooge when it comes to HIPAA compliance. With ever-evolving security threats and unrelenting enforcement, regulated entities must maintain a spirit of compliance that lasts the whole year through. It is in that spirit, and with apologies to Charles Dickens, that our HIPAA year in review is brought to you by the ghosts of HIPAA Past, HIPAA Present and HIPAA Yet to Come.

The Ghost of HIPAA Past

2017 continued to be haunted by large-scale data breaches. As reported by our Privacy & Security colleagues, Equifax announced one of the largest breaches in US history in September, involving highly sensitive information such as Social Security numbers and birth dates. The Equifax breach didn’t involve health information, but in July, OCR sent a clear message regarding the importance of health information security and ratcheted up the fear factor associated with its HIPAA Breach Reporting Tool (HBRT), commonly referred to as the HIPAA “Wall of Shame.” The updates make it easier to search and view information about reported data breaches and make it harder for offenders to hide in the aftermath of a breach.

It was similarly terrifying that 2017 required guidance on HIPAA and natural disasters. In the aftermath of several large-scale natural disasters, OCR issued guidance reminding health care providers how health information may be used and shared in a crisis, consistent with HIPAA standards.

The Ghost of HIPAA Present

Aggressive HIPAA enforcement remained an ever-present reality in 2017 and there were a number of notable settlements imposed on regulated entities large and small:

  • OCR settled its first enforcement action for a health care provider’s failure to timely report a breach to OCR, affected individuals, and the media. It cost the health care company $475,000.

  • In April, OCR announced a modest $31,000 settlement with a small health care provider for failing to produce a business associate agreement (BAA) with one of its business associates, and, just four days later, a separate $2.5 million settlement with a larger health care company for failing to implement sufficient HIPAA policies and procedures.

  • Memorial Hermann, a large health system, settled potential HIPAA violations with OCR for $2.4 million after publicly disclosing a patient’s name in the title of a press release regarding an incident at one of its clinics.

The Ghost of HIPAA Yet to Come

Of course, the Ghost of HIPAA Yet to Come is the scariest one of all. Iliana Peters, formerly OCR’s Senior Advisor for HIPAA Compliance and Enforcement and presently OCR’s Acting Deputy Director for Health Information Privacy, provided insight into HIPAA enforcement trends and OCR’s current and future agenda at the 2017 Health Care Compliance Association’s annual “Compliance Institute.” One of the highlights of Ms. Peters’ presentation was the anticipated implementation of HITECH Act provisions requiring a percentage of civil monetary penalties or settlements collected by OCR to be shared with individuals affected by a HIPAA violation. Given OCR’s willingness to impose seven-figure fines, this development is likely to incentivize data breach victims and others aggrieved by the privacy or security failures of a covered entity or business associate to come forward, and to increase the stakes for non-compliance. Ms. Peters’ presentation also referenced implementation of controversial updates to the HIPAA accounting-of-disclosures rules, which were passed as part of HITECH but have yet to be implemented.

It’s not all doom and gloom on the horizon, however. Earlier this week, OCR released a new set of tools and initiatives to help fight the nation’s current opioid crisis and implement the 21st Century Cures Act. These tools support critical federal policy goals with the potential to have a significant, positive impact on health care. OCR has promised additional guidance in the coming months. So as 2017 winds down, there is reason to be hopeful for regulated entities that are willing to take advantage of available guidance and to learn from the mistakes of the past. Everything that we learned in 2017 can be used to support HIPAA compliance in the months and years ahead. So on that positive note, we wish everyone happy holidays and a 2018 that is free from the specter of non-compliance.

©1994-2018 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

About the Authors

Dianne Borque, Mintz Levin
Of Counsel

Dianne advises a variety of health care clients on a broad range of issues, including licensure, regulatory, contractual, and risk management matters, and patient care. A large part of her practice involves counseling researchers and research sponsors in matters related to FDA and OHRP regulated clinical research, including patient consent, access to and use of tissue and associated patient information, and the Institutional Review Board process.

She also counsels health care clients and other business entities on the requirements of the HIPAA Privacy Rule and Security Standards,...

(617) 348-1614
Sarah Beth S. Kuyers, Mintz Levin
Associate

Sarah Beth’s practice focuses on advising health care providers, PBMs, and laboratories on a variety of regulatory issues.

Prior to joining Mintz Levin, Sarah Beth worked as a law clerk with the health staff of the US Senate Committee on Finance, where she researched policy, regulations, and legislation regarding commercial insurance reform, health IT, Medicare, Medicaid, and the Affordable Care Act. She also drafted legislation.

In addition, Sarah Beth worked as a law clerk for a legal practice in Washington, DC. Her experience also includes legal internships with a large nonprofit health care system and with the International Trade Administration of the US Department of Commerce.

202.434.7453
Ellen L. Janos, Mintz Levin
Member

Ellen specializes in providing regulatory and strategic advice to health care clients of all types, including hospitals, long-term care facilities, hospices, retail pharmacies, PBMs, and pharmaceutical manufacturers.

She also represents companies doing business with, and investing in, health care providers. She represents clients in Medicare, Medicaid, and third-party payor audits and investigations; in the development of corporate compliance programs, HIPAA, privacy and security compliance initiatives; and in the negotiation and implementation of Corporate Integrity Agreements. She...

617-348-1662