By Margaret Alston, Senior Privacy Consultant
Among fanfare for the 20th birthday of the Health Insurance Portability and Accountability Act (HIPAA), we have also seen the largest HIPAA settlement ($5.55 million) – laid at the feet of Advocate Health Care. This last case was on the heels of two July 2016 settlements: $2.75 million with the University of Mississippi Medical Center, and $2.7 million with Oregon Health & Science University. With mandatory breach notification required for the past 7 years, HIPAA compliance risk exposure has increased and HIPAA enforcement is on the rise.
The Federal Trade Commission is paying attention to security as well. In addition to enforcement actions that point to security promises, the FTC has published security guidance – lessons learned from enforcement actions, if you will. Moreover, even without regulator oversight, the possibility of a data breach brings with it a complex set of state laws and costs associated with notification and possible litigation.
Another trend is the increased responsibility of vendors to health organizations. As enforcement rises and the sophistication of health care organizations about HIPAA increases, these “covered entities” under HIPAA expect more from their vendors, most of whom qualify as Business Associates under HIPAA. In turn, Business Associates are required to sign up for HIPAA obligations in a Business Associate Agreement, and then live up to those responsibilities, with both direct regulatory compliance risk and liability to the covered entities they support. While early in the life of HIPAA, before the amendments under HITECH in 2009, healthcare organizations may have been more concerned with their own HIPAA compliance than with their vendors’ compliance, now vendors are asked more in-depth questions about how they comply.
With this in mind, the HIPAA anniversary is a great reminder that the security risk assessments and the strong privacy and security programs that HIPAA requires are more important to today’s healthcare businesses and their vendors – not less. In fact, as part of its settlement, Advocate Health Care has agreed to conduct a complete risk assessment and present security plans to HHS for approval. It makes sense, then, that organizations that handle sensitive personal information – such as Protected Health Information (PHI) – would take the same measures on their own.
A first step can be a HIPAA Health Check: a high-level gap analysis comparing current practices and documentation against HIPAA privacy, security and breach notification requirements. The purpose of this Health Check is to identify areas in which major program components are either not adequately documented, or may not exist at all. From this high-level gap analysis, an organization can consider how to prioritize and address the gaps in a reasonable and thoughtful way.
With over 10 significant settlements year to date and the commencement of the Phase 2 HIPAA Audit program review of both covered entities and business associates, our 20th year of HIPAA brings with it increasing security and privacy focus and expectations. Fortunately, there are also more resources available to organizations that wish to double down on their compliance and security stance.