OCR Cracking Down on HIPAA Violations

January 5, 2017

The Health Insurance Portability and Accountability Act (HIPAA) has a primary goal of protecting the confidentiality and security of healthcare information, and has established standards for electronic data interchange (EDI). HIPAA is celebrating its twenty-first anniversary this year, after its enactment on August 21, 1996. HIPAA was groundbreaking at the time, with standards in place to ensure the protection of patient information – but as technology advances, it is becoming increasingly difficult to maintain these standards of protection.

The Office of Civil Rights (OCR), the federal agency that enforces HIPAA, announced that it will be focusing on two key initiatives in FY17. The first will be to increase the number of audits performed. The second, and equally important, endeavor will be to integrate modern technology and HIPAA in order to investigate breaches and improve cybersecurity. In recent times there have been numerous settlements for HIPAA violations, and with the OCR’s intention to crack down, it’s imperative to stay compliant in the New Year.

A few trends have been observed from these HIPAA violations.

One is that many of the settlements from 2016 have been due to breach notifications from stolen electronic devices, such as tablets and laptops. The laptops were unsecured or unencrypted, which allowed the information within to be compromised with little to no effort from attackers. UMass Amherst was recently obligated to pay a $650,000 HIPAA fine for not having a firewall in place. UMass Amherst was also ordered to disclose the names of patients, their addresses, SS#s, DOB, health insurance information, diagnoses, and the procedure codes that were infiltrated.

This suggests that many HIPAA violations are preventable, and not the sophisticated infiltration schemes that you may think. As with cybersecurity incidents, HIPAA violations are most often at the hands of internal personnel who fail to follow compliance regulations.

Social media use has become more robust in the workplace, and along with it instances of HIPAA violations. The sharing of photographs, or any form of PHI, without written consent from the patient is a major violation that calls for reporting. Even if an individual outwardly shares their own healthcare information online, it is not compliant to share their experience. The taking and sharing of photographs in the office can be an accidental violation if patient information is revealed, even in the background, on a desk, wall, or computer monitor. If you have any doubt about the status of an image taken for distribution, check with your compliance officer before publishing.

Taking cues from these HIPAA settlements will allow you to set up internal policies that help ensure everyone in your practice, office, or firm has an understanding of HIPAA breaches and their consequences.

Have a happy, HIPAA-compliant 2017.
