By way of background, the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) requires the Department of Health and Human Services to periodically audit covered entities and business associates for their compliance with the requirements of HIPAA. During these audits, covered entities are often asked to produce policies and procedures as well as evidence that they have been conducting accurate and thorough assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all electronically-protected health information (PHI) that they create, receive, maintain or transmit.To assist these entities in maintaining compliance, the Office of Civil Rights (OCR) has provided many different self-assessment tools, many of which can be found here.
Since the onset of COVID however, many covered entities have been faced with other significant challenges including strict adherence to vaccine and quarantine requirements as well as significant reductions in workforce and discretionary income often needed to conduct such intensive HIPAA self-assessments. In addition, many such covered entities benefited from the government’s relaxation of enforcement discretion for telehealth remote communications, use and disclosure of PHI for health oversite activities and online and web-based office visits. This discretion furthered lured covered entities into a false sense of security.
Most recently, on April 11, 2023, OCR announced its plan to allow the Notifications of Enforcement Discretion issued under HIPAA and the HITECH Act during the COVID-19 Public Health Emergency to expire on May 11, 2023. As a result, covered entities will now need to once again dust off their HIPAA policies and procedures and take immediate steps to prepare the necessary assessments of their HIPAA vulnerabilities and implement corrective actions. For some, picking up where they left off pre-COVID will be easy while others may struggle and be susceptible to enforcement actions, levies fines or the imposition of civil money penalties or referrals to the Department of Justice (DOJ) depending on the severity of the violation.
Since the compliance date of the Privacy Rule in April 2003, OCR has received over 325,577 HIPAA complaints, initiated over 1,161 compliance reviews and settled or imposed civil money penalties totaling $134,828,772.00 on entities including national pharmacy chains, major medical centers, group health plans, hospital chains, and small physician provider offices. The failure to perform an organization-wide risk analysis is one of the most common HIPAA violations to result in a financial penalty. During the COVID pandemic, OCR imposed a $6.85 million HIPAA penalty on Premera Blue Cross to resolve HIPAA violations discovered during the investigation of a data breach involving the electronic protected health information of 10.4 million individuals as well as a $5.1 million dollar penalty on Excellus Health Plan to settle a HIPAA violation case stemming from a data breach that affected 9.3 million individuals. In each instance, OCR determined the entities had failed to conduct an accurate and thorough organization-wide risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI) of its members.
Most recently on April 4, 2023, the DOJ entered into a settlement agreement with a web-hosting company for $300,000 involving alleged violations of the False Claims Act (FCA) as a result of cybersecurity failures and breach of HIPAA-protected health information. In this case, the DOJ alleged that the company failed to adequately maintain audit logs showing who accessed certain individual applicants’ personal information. It was also alleged that no systems were in place to properly monitor compliance or conduct internal assessments into system vulnerabilities.
These most recent enforcement activities along with the clear signaling from the government that things are going back to normal mean that covered entities need to immediately reimplement their HIPAA self-assessment audits. If the risk analyses are not performed regularly, organizations will not be able to determine whether any vulnerabilities to the confidentiality and integrity of PHI exist and the door wide open for violations to occur.
If you have questions regarding this blog post or would like to speak with counsel, you may contact us at (404) 685-1662 (Atlanta) or (706) 722-7886 (Augusta), or by email, info@littlehealthlaw.com. You may also learn more about our law firm by visiting www.littlehealthlaw.com.
*Disclaimer: Thoughts shared here do not constitute legal advice.