HIPAA Enforcement Goes Beyond OCR

HIPAA Enforcement Blind Spots

By Mike Semel
Blog: 4Medapproved.com/HITSecurity
Twitter: @SemelConsulting

HIPAA enforcement has increased in recent years, but the US Department of Health and Human Services Office for Civil Rights (OCR) still only fines a few organizations out of the thousands of investigations it conducts. Many believe that OCR won’t ever catch them, which is probably true. However, HIPAA enforcement can cost you a fortune if you think you are immune to other threats. You need to watch your blind spots.

HIPAA and HITECH are federal laws enforced by OCR, but there are many other ways that HIPAA enforcement can occur.

While the HITECH Act gave state attorneys general the HIPAA enforcement authority for HIPAA’s civil penalties, 46 states have their own data breach laws. Some of these laws include health information and can be enforced separately from HIPAA at the state level. Recently a $ 6.8 million HIPAA enforcement penalty was assessed by the Puerto Rico insurance agency for a HIPAA data breach. HIPAA enforcement through class action lawsuits is taking place even though HIPAA does not allow for individuals to sue for HIPAA violations. The Federal Trade Commission has issued penalties for data breaches and non-compliance with HIPAA. You can even be penalized by multiple agencies for the same offense.

State Laws
California reduced the HIPAA Data Breach law’s 60-day notification requirement to just 5 days. California, Massachusetts, and Texas expanded HIPAA to include anyone that stores protected data, not just organizations that qualify as HIPAA Covered Entities and Business Associates. State HIPAA enforcement investigations and penalties can take place separately from federal investigations.

State Board and Agency Requirements
A surprisingly large $ 6.8 million HIPAA enforcement fine was levied against an insurer by the Commonwealth of Puerto Rico’s insurance agency. To be accredited to sell insurance in Puerto Rico, the insurer, Triple-S Salud, signed a contract that required them to be compliant with HIPAA. In 2013, they sent a mailing out to over 13,000 members that mistakenly included protected information.

According to an interview with Information Security Media Group, Ricardo Rivera Cardona, the top official at ASES, the Puerto Rican government agency that issued the HIPAA fine, said “We are sending a message that we are here to enforce. There are no exceptions, no matter how big or small an institution is. ASES will make sure patients have access to medical services, and that their patient information is also protected. We are adamant about this.”

Rivera Cardona told Information Security Media Group that the penalty for the breach was $ 500 per record, plus $ 100,000 because Triple-S Salud did not cooperate with ASES’ investigation into the incident, including “not supplying information requested [by ASES] and providing misleading information.”

Lawsuits
Attorneys have figured out how to get around HIPAA’s lack of a private individual’s right of action. Even though HIPAA does not allow an individual to sue a Covered Entity or Business Associate because of a data breach, state data breach laws do allow individuals to file lawsuits based on HIPAA and collect damages even when no HIPAA enforcement has taken place.

An Indiana jury awarded $ 1.44 million against Walgreens in a lawsuit for a HIPAA violation where the plaintiff said that HIPAA had created a standard of care that a Walgreen’s pharmacist violated. While no HIPAA enforcement penalty was assessed, the court allowed the case to continue. The jury found that the pharmacist was personally liable, and that Walgreen’s was also liable because the violation occurred during the performance of the pharmacist’s employment.

In Missouri case a court allowed a HIPAA lawsuit to proceed because “a federal statute which does not provide a private cause of action may be a legitimate element of a state law claim.”

Minnesota settled a lawsuit against Accretive Health Care for a HIPAA data breach caused when an unencrypted laptop was stolen. Accretive agreed to pay a $ 2.5 million penalty and stop doing business in Minnesota for two years.

FTC
Owners of health care businesses and their business associates need to beware of the Federal Trade Commission (FTC).

In a ruling against LabMD, Inc., the FTC recently asserted its rights to enforce HIPAA as part of its responsibilities to protect consumers. The FTC also penalized Accretive Health Care for the Minnesota data breach.

An FTC HIPAA enforcement ruling can follow you for a long time. In a case settlement with Goldenshores Technologies, the company was put on a 20-year compliance schedule and the business owner “for a period of ten (10) years after the date of issuance of this order, shall notify the Commission of the discontinuance of his current business or employment, or of his affiliation with any new business or employment.”

Complying with HIPAA is the right thing to do for your medical practice, your business, and — most important– your patients and customers.

This article was originally published on 4Medapproved’s HIT Security blog and is republished here with permission.