Yesterday, Law360 reported on some interesting comments made by Jerome B. Meites, a chief regional civil rights counsel at HHS (speaking on his own behalf), at the American Bar Association conference in Chicago on Physician Legal Issues. [1] According to the report, Meites told "attendees that the past 12 months of enforcement will likely pale in comparison to the next 12 months." Meites further said that, "Knowing what's in the pipeline, I suspect that that number will be low compared to what's coming up."

Meites also addressed the risk of portable media devices, stating that "Portable media is the bane of existence for covered entities. It causes an enormous number of the complaints that OCR deals with." These comments regarding portable media (e.g., phones, USB drives, and laptops) are not surprising considering that, of the 18 published actions, 7 involved the loss of unencrypted devices. Additionally, according to OCR's most recent report to Congress [2]:
The 222 reports submitted to OCR for breaches occurring in 2012 described the following locations of the PHI (in order of frequency):
(1) laptop computer (60 reports affecting 654,158 individuals);
(2) paper (50 reports affecting 386,065 individuals);
(3) network server (30 reports affecting 986,607 individuals);
(4) desktop computer (27 reports affecting 253,720 individuals);
(5) other (22 reports affecting 166,411 individuals);
(6) other portable electronic device (20 reports affecting 463,702 individuals);
(7) e-mail (8 reports affecting 241,108 individuals); and
(8) electronic medical record (5 reports affecting 121,964 individuals).
Similarly, many of the most notable class actions and other enforcement actions also involved the loss or theft of laptops. The action against Accretive Health by both the Minnesota Attorney General and the FTC stemmed from the theft of an unencrypted laptop and the class action settlement by AvMed Health Plans involved the theft of two unencrypted laptops from its corporate office (recall that in this case, several of the plaintiffs were victims of identity theft).

According to the report, Meites also "noted that failure to perform a comprehensive risk analysis, as required under HIPAA, has factored into most of the relatively few cases in which breaches actually resulted in financial settlements and not just corrective actions."
"You really have to think carefully about what a risk analysis involves, and it can't just be the obvious," Meites said. "Everywhere in your system where [patient information] is used, you have to think about how to protect it."
Providers and business associates should remember that a Risk Analysis is not a check-the-box exercise. That is, completing the HIT Security Risk Assessment Tool provided by the National Learning Consortium is unlikely to be sufficient to meet the obligation to perform a thorough Risk Analysis. Similarly, as OCR has made clear in numerous settlements, the Risk Analysis process is an ongoing effort, and a Risk Analysis must be undertaken whenever there is a change in the environment:
  • move to a new office space -- settlement with Blue Cross and Blue Shield of Tennessee
  • update to website that handles PHI -- settlement with WellPoint
  • change in server configuration -- settlement with Skagit County, Washington and New York and Presbyterian Hospital

(Brief summary of the OCR settlements.)

For those providers that have attested to Meaningful Use, completing a proper Risk Analysis is that much more important, because MU incentive dollars could be clawed back on a theory of fraud if the provider failed to comply with the requirements of the program.

---------------------------------------
[1] Jeff Overley, Big Year Ahead For HIPAA Fines, HHS Atty Says, Law360.com, June 12, 2014, https://www.law360.com/health/articles/547721?nl_pk=e15b4a14-9a51-44fe-8fba-30fc49555202&utm_source=newsletter&utm_medium=email&utm_campaign=health

[2] HHS, OCR, Report to Congress on Breach Notification Program: 2011 - 2012 Report to Congress on the Breach Notification Program, https://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachreptmain.html
---------------------------------------

Posted by Tatiana Melnik on June 13, 2014