The OCR’s Notorious Wall of Shame

Originally published by HealthMark Group on January 13, 2022
2022 Alliance sponsor feature article courtesy of HealthMark Group

Avoiding HIPAA Breaches and the “Wall of Shame”

Developments in healthcare technology, aimed at increasing efficiency and access, are arriving at an ever-faster rate. That may offer more effective processes and support better care coordination, but it also leaves many practitioners finding it exceedingly difficult to remain compliant with the security measures required by the Health Insurance Portability and Accountability Act (“HIPAA”). Whether dealing with staffing shortages, clinic expansion, or a lack of training, avoiding breaches of protected health information (“PHI”) is both a top priority and an ongoing challenge.

When a breach of unsecured PHI does occur, HIPAA’s Breach Notification Rule requires that it be reported to the U.S. Department of Health & Human Services Office for Civil Rights (“OCR”). Affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered, regardless of its size. Breaches affecting 500 or more individuals must also be reported to the OCR within that same 60-day window, and a breach involving more than 500 residents of one state must be reported to prominent media outlets serving that state; smaller breaches are logged and submitted to the OCR within 60 days after the end of the calendar year in which they were discovered. The OCR posts breaches affecting 500 or more individuals on its public breach portal, which has become known as the OCR “Wall of Shame”. Established under the Breach Notification Rule and the HITECH Act, the Wall of Shame lists the reporting entity’s name, the number of individuals affected, the type of breach, the location of the breached information and whether the case is still under investigation, for breaches reported within the last 24 months (older entries move to an archive). To state the obvious, you do not want to be placed on this list.

Recent Statistics

  • In 2021, 607 breaches affecting nearly 45 million individuals were reported to the OCR and are now visible on the Wall of Shame (a 20% increase in breaches compared to 2019, only two years prior) [1]
  • Breaches have increased 84% in the last five years, with 329 reported in 2016 [2]
  • The average cost per record breached hit $499 in 2020 and is on an upward trend, totaling $13.2 billion for the year [3]
  • Unauthorized access/disclosure accounts for 34% of reported breaches every year, up 162% over the past three years [4]
  • Hospitals typically account for 30% of all large data breaches [4]

Potential Financial Consequences

Most often, the OCR resolves cases through voluntary compliance or by accepting a covered entity’s corrective action plan to address the breach and adjust policies and procedures so that the violation does not recur. For severe cases, the HIPAA Enforcement Rule (finalized in 2006) allows the OCR to impose civil money penalties on covered entities that fail to comply with the HIPAA Rules. Penalties fall into four tiers based on the entity’s level of culpability [5]:

  • Tier 1, $100 – $50,000 per violation: The covered entity did not know of the violation and, by exercising reasonable diligence, would not have known.
  • Tier 2, $1,000 – $50,000 per violation: Reasonable cause; the covered entity knew, or should have known, of the violation, but it did not amount to willful neglect.
  • Tier 3, $10,000 – $50,000 per violation: Willful neglect, where the violation was corrected within 30 days of the date the entity knew or should have known of it.
  • Tier 4, at least $50,000 per violation: Willful neglect, where the violation was not corrected within that 30-day period.

Each tier is also subject to an annual cap for violations of an identical provision. The statutory cap is $1.5 million per calendar year; since 2019 the OCR has exercised enforcement discretion to apply lower annual caps to the three lower tiers, and all of the dollar figures are periodically adjusted for inflation, so current amounts are somewhat higher than those listed.

While less common, criminal penalties also exist alongside civil fines for certain violations, such as knowingly obtaining or disclosing PHI with malicious intent or for commercial gain (for example, selling patient data).

How HealthMark Can Help

With management of PHI at the core of HealthMark’s business, it remains the highest priority to keep data secure and compliant. Our team responsible for the handling of medical records is required to undergo Certified Release of Information Specialist (“CRIS”) training and certification to demonstrate understanding of patient privacy rights and HIPAA requirements. Guidelines around HIPAA, the Privacy Rule, Information Blocking, etc. are constantly evolving, making regulatory education one more thing for practices to manage. Our goal as a partner is not only to offer services that ease administrative loads, but to also do the work for clients by combing through often convoluted details and staying abreast of the most important changes that are occurring. By doing so, we can share with clients what they need to know and when, which allows our clients to focus more of their limited resources on their primary goal of patient care.


The HIPAA Privacy Rule’s Right of Access

2020 Alliance sponsor feature article courtesy of Total Medical Compliance

One of the key goals of the Health Insurance Portability & Accountability Act of 1996 (HIPAA) is to ensure patients have the ability to access their protected health information (PHI) in a timely manner and in the format most convenient for them. Some providers have implemented electronic health record systems that offer patients the ability to view and download their health records at any time. However, patients do not always take advantage of that option. Some would rather have a hard copy of their records, or certain records might not be stored electronically. In these cases, a patient will submit a request for a copy of their health records.

HIPAA requires a provider to respond to a request from a patient for their health records (with some exceptions, such as psychotherapy notes) as quickly as possible. The provider has up to 30 days from receipt of the request to respond, but the U.S. Department of Health & Human Services (HHS) strongly encourages providers to respond sooner, especially if the information is already in electronic format. A single extension of up to 30 additional days is permitted, but the patient must be given written notice of the extension, along with the reason for it, within the first 30 days. Some state laws require requests to be addressed in a shorter period of time.

A provider cannot refuse a patient’s request to send health records to them via unencrypted email if the patient has been informed of and has accepted the risk associated with the unencrypted transmission of their health record. The provider’s access request form should include an area where the patient can acknowledge that they accept the risk of having their records sent via unencrypted email.

Last year (2019), HHS launched an initiative to “vigorously enforce the rights of patients to get access to their medical records promptly, without being overcharged, and in the readily producible format of their choice.” Since then, the HHS Office for Civil Rights (OCR) has settled two cases regarding a patient’s right to access health records. The most recent one was in December 2019; a penalty of $85,000 and a one-year corrective action plan were imposed by the OCR. The first enforcement action was in September 2019 under the same terms, and the OCR’s announcement of that settlement emphasized, “This right to patient records extends to parents who seek medical information about their minor children.” It is hard to say whether that will be the OCR’s standard enforcement arrangement, but history shows that penalties have generally been decided on a case-by-case basis.

A reasonable, cost-based fee can be assessed, but HHS encourages providers to give records (especially if in electronic format) to patients at no cost when possible. It is important to note, though, that a patient does not lose their right to access their health record even if they have an outstanding balance with a provider. The fundamental point is clear: a patient’s access to their health record may not be obstructed or delayed by a provider, so it is important to be diligent and address a patient’s request as soon as possible.

Cyber Security and HIPAA

2017 Alliance Sponsor feature article by MedMal Direct

Cyber threats have become a serious issue in healthcare IT over the past few years. Every day there are attempts to break into supposedly secure computer environments, either to hold the owner’s information for ransom or simply to steal it and sell it to someone else. Medical records go for about $60 per record (that is what the buyer pays the hacker), whereas simple credit card records go for about $10 per record. The reason medical records are so valuable is simple: the information does not change. A person cannot turn off their medical record or change their birth date, but a compromised credit card can be cancelled and rendered useless.

HHS and the OCR have provided guidance on breaches and breach response, and the Breach Notification Rule requires covered entities to have a written breach notification and response policy and procedure in place. That policy must address the following:

  1. Definitions
  2. Notifications in the event of a breach
  3. Discovery
  4. Content of Notifications
  5. Methods of Notification
  6. Arrangements with Business Associates in the event of a breach by BA
  7. Law Enforcement Delays
  8. Administrative Requirements

In the event of a suspected breach, it is imperative that the organization conduct an assessment to establish exactly what happened. Some organizations are capable of conducting the initial assessment themselves; others may need an outside consultant to assist. The Breach Notification Rule (45 CFR Part 164, Subpart D) presumes that any impermissible use or disclosure of unsecured PHI is a reportable breach unless a documented risk assessment shows a low probability that the PHI was compromised, weighing at least four factors: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. That assessment, and the investigation, mitigation and remediation steps that follow, must be documented.
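The notification clocks that the policy elements above have to encode, as an added Python example that is not from MedMal Direct or HHS. It goes beyond the text by also covering breaches of fewer than 500 individuals (logged and submitted to HHS within 60 days after the end of the calendar year of discovery), the media threshold (more than 500 residents of one state) and a law-enforcement hold, all taken from 45 CFR 164.404 through 164.412. The function name, the hold parameter and the sample dates are the example’s own; the hold is modelled as simply pushing the 60-day clocks back by the written delay period.

```python
from datetime import date, timedelta

# Outside limit for individual, HHS and media notice: 60 calendar days after
# discovery (45 CFR 164.404, 164.406, 164.408). Discovery is the first day the
# breach is known, or by reasonable diligence would have been known.
OUTSIDE_LIMIT = timedelta(days=60)
LARGE_BREACH = 500       # HHS notice within 60 days at or above this many individuals
MEDIA_THRESHOLD = 500    # media notice when MORE than this many residents of one state


def notification_deadlines(discovered, individuals_affected,
                           max_residents_in_one_state=None,
                           law_enforcement_delay_days=0):
    """Latest permissible notification dates for a breach of unsecured PHI.

    `discovered` is a date or an ISO date string. Returns a dict with
    'individuals' and 'hhs' dates, plus 'media' when a prominent-media notice
    is required. "Without unreasonable delay" still applies: these are the
    outside limits, not targets.
    """
    if isinstance(discovered, str):
        discovered = date.fromisoformat(discovered)
    if max_residents_in_one_state is None:
        # Single-state breach assumed unless the caller says otherwise.
        max_residents_in_one_state = individuals_affected

    # 164.412: notice is held for the period a law-enforcement official specifies
    # in writing. An oral request supports at most a 30-day hold unless it is
    # followed by a written statement; pass the written period here. (Example
    # simplification: the hold is added to the outside limit.)
    hold = timedelta(days=law_enforcement_delay_days)
    clock_start = discovered + hold

    deadlines = {"individuals": clock_start + OUTSIDE_LIMIT}

    if individuals_affected >= LARGE_BREACH:
        deadlines["hhs"] = clock_start + OUTSIDE_LIMIT
    else:
        # Smaller breaches go on an annual log submitted within 60 days after
        # the end of the calendar year in which the breach was discovered.
        deadlines["hhs"] = date(discovered.year, 12, 31) + OUTSIDE_LIMIT

    if max_residents_in_one_state > MEDIA_THRESHOLD:
        deadlines["media"] = clock_start + OUTSIDE_LIMIT

    return deadlines


if __name__ == "__main__":
    # Constructed scenarios, not real incidents.
    scenarios = {
        "1,200 patients, one state":      dict(individuals_affected=1200),
        "120 patients":                   dict(individuals_affected=120),
        "1,200 patients, 300 per state":  dict(individuals_affected=1200,
                                               max_residents_in_one_state=300),
        "1,200 patients, 30-day LE hold": dict(individuals_affected=1200,
                                               law_enforcement_delay_days=30),
    }
    for label, kwargs in scenarios.items():
        print(label, notification_deadlines("2021-03-15", **kwargs))
```

Note the two different thresholds: HHS is told within 60 days at exactly 500 individuals, but a media notice is only triggered by more than 500 residents of a single state, so a 1,200-person breach spread thinly across several states may need no media notice at all.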

Organizations must also develop clear privacy and security policies to reduce the risk of a true breach in the first place, including how the organization secures its data at rest and in transit. The Security Rule itself is technology-neutral and does not prescribe products; for encryption, HHS’s guidance on rendering PHI “unusable, unreadable, or indecipherable” points to NIST publications (for example, NIST SP 800-111 for data at rest), and the OCR relies on NIST as the authority for the standards an organization must meet. PHI encrypted consistently with that guidance is treated as secured, so its loss or theft is not a reportable breach. That safe harbor is lost if the decryption key is compromised along with the data, for instance a key stored on the same lost laptop.

A covered entity can purchase insurance to protect itself in the event of a breach. This ‘risk transfer’ shifts the financial burden of a breach from the CE to the insurance carrier, which under most policies also takes on the cost of the investigation, notification, remediation, and fines or penalties to the extent they are insurable by law (see your policy for exact details on coverages, sub-limits and exclusions). The compliance obligations themselves, including the notification deadlines, remain with the covered entity.

Guidance on policy and procedure is available to insureds through MedMal Direct’s Risk Management Department and increased limits for cyber liability coverage can be purchased at the request of the insured.

OCR FAQs on Section 1557 clarify member questions on language assistance requirements

Originally published in the July 12, 2017 issue of MGMA’s Washington Connection
Reprinted with permission from MGMA

The Office for Civil Rights (OCR) has released FAQs on its final rule implementing Section 1557 of the Affordable Care Act that offer much-needed clarification for covered medical group practices on the language access requirements for individuals with limited English proficiency (LEP). Section 1557 builds on longstanding civil rights laws and adds nondiscrimination requirements for covered group practices, including posting taglines alerting LEP individuals to the availability of language assistance services. Notably, the FAQs clarify that the phone number displayed on each tagline should be your group practice’s own phone number.

For more information about how to comply with Section 1557, download MGMA’s member resource entitled, “Section 1557: What Your Practice Needs to Know.”

Physician Practices Beware: Scam Email Disguised as Communication from Office of Civil Rights

By Joy Hord, Parker Poe
Reprinted with permission from Parker Poe

Receiving an email that your practice has been identified for participating in the HIPAA Privacy, Security, and Breach Rules Audit Program is enough to raise anyone’s blood pressure. The likely response is to open the email immediately, determine the scope of the audit, and mobilize a team to prepare for the response.

Opening the email, however, may not lead the recipient to information about a governmental HIPAA audit. Instead, some providers are finding that the link directs to a non-governmental company’s marketing page for a cybersecurity service. The Office for Civil Rights (OCR) of the Department of Health and Human Services (the entity responsible for HIPAA audits and enforcement) has published alerts regarding the scam emails.

Although nothing in the most recent alerts suggests that the current scam emails deliver malware, covered entities and business associates must remain on guard about the risks of opening a communication that appears to come from the OCR; the same lure could just as easily carry a malicious attachment or a credential-harvesting link. Providers who question whether an email is an official OCR communication regarding a HIPAA audit may contact the OCR at the address listed in its alert; official communications from the OCR originate from that same address. Check the full sender address rather than the display name, and inspect where a link actually points before clicking it.
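The sender and link checks the alert implies, as an added Python example that is not from Parker Poe or the OCR. It parses a message with the standard library, assumes that genuine OCR mail comes from an address under hhs.gov (the page says official mail originates from one OCR address but does not spell it out), and flags a sender outside that domain, a Reply-To that differs from the sender, and any body link to another host. Both sample messages, their addresses and their URLs are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: genuine OCR correspondence comes from an address under hhs.gov.
# The page says official mail originates from one OCR address but omits it.
TRUSTED_DOMAIN = "hhs.gov"

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample modelled on the scam described above (not a real message).
SCAM_EMAIL = """\
From: "HHS Office for Civil Rights" <audit-notice@hhs-gov-audit.example>
Reply-To: support@hipaa-audit-services.example
To: administrator@clinic.example
Subject: Notice of selection for HIPAA Privacy, Security and Breach Rules Audit
Content-Type: text/plain

Your practice has been selected for the HIPAA audit program.
Review the audit scope and required documents here:
https://hipaa-audit-services.example/ocr-audit/start
"""

# Constructed sample of what a legitimate notice would look like under the assumption.
GENUINE_STYLE_EMAIL = """\
From: OCR Audit Team <audit@hhs.gov>
To: administrator@clinic.example
Subject: HIPAA audit document request
Content-Type: text/plain

Please upload the requested documents at https://www.hhs.gov/hipaa/ within 10 business days.
"""


def _domain(header_value):
    """Bare, lower-cased domain of an address header ('' if absent or unparseable)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower().rstrip(".")


def _is_trusted(host):
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def _text_body(msg):
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(part.get_payload() for part in msg.walk()
                     if part.get_content_type() == "text/plain")


def check_audit_email(raw_message):
    """Return a list of findings for a message claiming to be an OCR audit notice.

    An empty list means no indicator fired; it does not prove the mail is genuine.
    """
    msg = message_from_string(raw_message)
    findings = []

    from_dom = _domain(msg.get("From"))
    if not _is_trusted(from_dom):
        note = " (lookalike: contains 'hhs')" if "hhs" in from_dom else ""
        findings.append(f"sender domain {from_dom!r} is not under {TRUSTED_DOMAIN}{note}")

    # A Reply-To pointing somewhere other than the sender's domain means replies
    # are being harvested by a third party.
    if msg.get("Reply-To"):
        reply_dom = _domain(msg.get("Reply-To"))
        if reply_dom != from_dom:
            findings.append(f"Reply-To domain {reply_dom!r} differs from sender domain {from_dom!r}")

    # Every link in a real audit notice should point back to hhs.gov; the scam
    # described on the page sent recipients to a vendor's marketing site.
    for url in URL_RE.findall(_text_body(msg)):
        host = (urlparse(url).hostname or "").lower()
        if not _is_trusted(host):
            findings.append(f"link to untrusted host {host!r}: {url}")

    return findings


if __name__ == "__main__":
    for label, raw in (("scam", SCAM_EMAIL), ("genuine-style", GENUINE_STYLE_EMAIL)):
        print(label, check_audit_email(raw) or "no indicators")
```

The display name is deliberately ignored: the scam message calls itself “HHS Office for Civil Rights”, and only the address after the angle brackets is checked. A clean result is a reason to proceed carefully, not proof of authenticity; confirming with the OCR at the address in its alert is still the definitive check.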

Parker Poe has developed a number of tools to assist our clients to perform self-audits regarding compliance with the privacy, security and breach notification rules under HIPAA. We also advise clients routinely regarding responses to HIPAA audits. More information regarding our team can be found here.

About the Author
Joy Hord focuses her practice on regulatory and compliance matters specifically related to the health care industry. Her clients include hospitals, physicians, pharmacies and other health care providers. Ms. Hord also has significant experience representing health care professionals and organizations with business law and transactional issues, such as mergers, acquisitions and joint ventures. Ms. Hord leads Parker Poe’s Health Care Practice, which includes attorneys from the firm’s North Carolina and South Carolina offices.

December 16th Lunch & Learn Webinar: Legal Hot Topics

NCMGMA-NCMS Webinar Series


December 16, 2015 | 12:00 PM – 1:00 PM
Sponsored by Medical Mutual


North Carolina Medical Group Management Association, in cooperation with the North Carolina Medical Society Foundation, invites you to join our December webinar focusing on several healthcare law hot topics, scheduled for Wednesday, December 16th from 12:00 pm – 1:00 pm.

Hot Topics to include:

  • Tort Reform Worked! Update on the effect of a cap on plaintiffs’ non-economic damages in medical malpractice cases in North Carolina, with bonus information on the ACA’s potential limiting effect on plaintiffs’ future economic damages projections.
  • Privacy and Security in the age of imminent Phase 2 HIPAA Audits by the Office of Civil Rights (“OCR”) within the U.S. Department of Health and Human Services, as well as recent enforcement action by the OCR.
  • Update on supervision of physician assistants, including the changes to the NC Medical Board’s (“NCMB”) regulations and reference to the audit form the NCMB uses for site visits to evaluate that supervision.
  • Sunshine Act – Discussion on open payments data as well as utilization data that now is available to the public online.
  • Serenity Now! Introduction to a simple online resilience tool that can benefit nearly everyone.

Who Should Attend?
This webinar is ideal for practice managers, administrators and physicians.


Jason Newton
Senior Vice President & Associate General Counsel
Medical Mutual
After a 14+ year career as a lawyer in private practice defending healthcare providers, Jason Newton joined Medical Mutual in 2013. Over his career, Jason has provided educational programs on a variety of medical/legal issues to nearly 2,000 lawyers, paralegals, graduate students, litigation/risk management industry professionals, physicians, healthcare providers, and medical practice managers in multiple states. He has written and presented on topics including liability for independent contractors, liability from staff actions/omissions in the medical practice, use of social media by healthcare professionals and patients, use of digital evidence and audit trails in litigation, peer review processes and protection, the advantages and pitfalls of electronic medical records in litigation, tort reform, and lessons learned from case studies of medical malpractice suits.


This webinar is complimentary for members and $50 for non-members. Space is limited so make sure to register early! After you register, you will receive an emailed confirmation with webinar and phone-in instructions.


Continuing education credit may be granted through your professional organization (MGMA, PAHCOM, AHIMA, etc.). Please self-submit to those organizations.


For questions or more information please contact the NCMGMA offices at