In 2016, the Office for Civil Rights (“OCR”) imposed civil monetary penalties (“CMPs”) totaling over $22.8 million on 12 entities, including one business associate. The most frequent violations of the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act regulations (“HIPAA Laws”) are not hacking! They are:
- Lost or stolen laptops, mobile devices, paper medical records and thumb drives;
- No security risk assessment, or an assessment that is not enterprise-wide;
- No Business Associate Agreement, or an outdated one; and
- Improper disclosure of PHI.
Effective September 6, 2016, the CMPs for violations of the HIPAA Laws were increased:
Level of Violation                    CMP per Violation
Did not know                          $100 - $55,010
Reasonable cause                      $1,100 - $55,010
Willful neglect (corrected)           $11,002 - $55,010
Willful neglect (not corrected)       $55,010
The OCR announced in August that it also will begin investigating breaches of protected health information that affect fewer than 500 individuals (“small breaches”). The factors to be considered in deciding whether a small breach will be investigated include:
- Size of the breach;
- Whether there was theft or improper disposal of unencrypted PHI;
- Whether the breach involved an unwanted intrusion into the IT system (e.g., hacking);
- Amount, nature, and sensitivity of the PHI;
- Whether multiple breaches have been reported from the same entity; and
- Whether similar entities have reported small breaches.
So covered entities and business associates now have even more reason to take steps to minimize the risk of a CMP, which is typically accompanied by an extensive corrective action plan (“CAP”) required by the OCR. How can you avoid being the next recipient of a CMP and CAP? First, if the level of violation is “did not know” or “reasonable cause,” the OCR will not impose a CMP if the violation is corrected within 30 days of discovery. Timely reporting of violations is therefore critical, followed by a robust investigation and responsive action. Require employees to notify the designated person within 24 hours of a breach being known or suspected. Because this frequently requires employees to self-report their own mistakes, there must be a culture that fosters self-reporting without repercussions.
Second, the OCR has encouraged covered entities and business associates that experience a violation of the HIPAA Laws to perform a root cause analysis of why the violation occurred. The Joint Commission and the National Patient Safety Foundation have excellent tools for root cause analyses and action plans.1 If the violation is “willful neglect,” the HIPAA Laws require the OCR to impose a CMP, but if the violation is corrected within 30 days of discovery, the potential CMP is much lower. Having well-defined strategies in place before a violation occurs makes timely resolution of the violation, and avoidance of a CMP and CAP, more likely. Detailed documentation must clearly reflect when the violation was discovered, how it was investigated, and what actions were taken to minimize and correct it.
1. The Joint Commission Root Cause Analysis and Action Plan Framework Template (https://www.jointcommission.org/framework_for_conducting_a_root_cause_analysis_and_action_plan); National Patient Safety Foundation RCA2 (www.npsf.org/?page=RCA2).