Lessons Learned from Recent HIPAA Settlements

Published on: November 9, 2016

If you have been overwhelmed by the number of HIPAA settlement announcements recently, you are not alone. Over the past sixteen months, the Office for Civil Rights (OCR) has announced seventeen HIPAA settlements. Many of the settlements identified more than one potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The settlements involved covered entities of different sizes and types, including hospitals, universities, physical therapists and business associates. With settlement amounts ranging from $25,000 to $5.55 million, a privacy or security incident can affect a covered entity's bottom line and reputation, and can take valuable time away from other activities.

What can health centers learn from these recent settlements? For this week's blog, we analyzed the HIPAA settlements since July 2015 and identified the following key takeaways:

  • If a computer, laptop or other mobile device allows access to ePHI, the ePHI must be protected if and when the device falls into the wrong hands: While the use of computers, laptops and other mobile devices has made it easier to access and share patients' electronic protected health information (ePHI), these devices also provide new opportunities for ePHI to be intentionally or unintentionally compromised. Among the recent settlements, several covered entities reported that devices containing ePHI were stolen from an employee or from a business associate's employee.
  • If ePHI is stored on the internet, consider who is storing it and who has access: Internet-based services can provide health centers with low-cost or free data storage options. In several recent settlements, however, covered entities disclosed ePHI to an internet-based service without a business associate agreement in place. Recent settlements also highlighted instances where ePHI was accessible to the public through internet-based services.
  • If PHI is used for marketing or publicity, HIPAA-compliant authorization forms must be used: Patient stories can be a powerful tool in marketing your health center. In two recent HIPAA settlements, covered entities used ePHI for publicity and marketing purposes without obtaining appropriate authorization from the patients.
  • If an employee is terminated, their access to PHI must also be terminated: In one recent settlement, a covered entity's former employees accessed a database containing ePHI because their access rights were not revoked when they left employment. In another settlement, a covered entity's former employee had ongoing access to ePHI that was stored on their personal laptop and on a USB flash drive.
  • If a business associate will be receiving PHI, an up-to-date business associate agreement is essential: Business associates provide important services on behalf of covered entities, such as claims processing, data analysis and processing, practice management and billing. Several recent settlements highlighted instances in which covered entities disclosed PHI without an up-to-date business associate agreement in place.

The corrective action plan for each settlement contains specific compliance requirements for that covered entity. Typically, the corrective action plan is in place for 2-3 years. For health centers, the corrective action plans provide insight into the policies and procedures, training and internal monitoring that they should have in place to protect themselves from an OCR investigation, audit or settlement.

To learn more about the recent HIPAA settlements, the compliance requirements included in the corrective action plans, and how to incorporate the lessons learned into your health center's compliance work plan, join our webinar, Behind the HIPAA Headlines, on Thursday, November 10th.

For more information about HIPAA, please contact an attorney at Feldesman Tucker Leifer Fidell LLP at (202) 466-8960.