HIPAA Breach Violations Now Come with Harsher Penalties
By Sam Khan, Deputy Editor

Internal auditors can play a key role in ensuring that universities comply with the new Health Insurance Portability and Accountability Act (HIPAA) rules. For those universities that handle protected health information (PHI), the cost of noncompliance now comes with harsher penalties.
With the most recent modifications to the HIPAA rules in effect, also known as the final omnibus rule, the government’s enforcement capabilities have been strengthened by allowing for more severe penalties around breaches of unsecured PHI. The final omnibus rule was issued in January 2013; however, enforcement did not begin until Sept. 23, 2013.

Leon Rodriguez, director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), stated in a press release, “The final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.” He added that the changes “not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a healthcare provider or one of their business associates.”

The final rule expands many of the requirements to business associates of entities that receive PHI, such as contractors and subcontractors. With business associates now accountable for complying with the HIPAA Security Rule, Rodriguez expects that the money collected related to HIPAA violations will increase significantly. Some of the largest breaches reported to HHS have involved business associates.

For many years HIPAA’s enforcement capability was considered weak, which resulted in few prosecutions. It was not until 2006 that HHS issued the enforcement rule, which established monetary civil penalties for violating HIPAA rules and procedures. The rule also set parameters for investigations and hearings for HIPAA violations. Later, in 2009, HHS implemented a section of the Health Information Technology for Economic and Clinical Health (HITECH) Act that required HIPAA covered entities and their business associates to provide notification following a breach of unsecured PHI.

ABOUT THE AUTHOR
Sam Khan is the Deputy Editor of College & University Auditor. He works for the Oregon University System as a staff auditor. He has a Bachelor of Science Degree in Journalism from the University of Oregon and a Post-Baccalaureate Accounting Certificate from Oregon State University. He recently passed the Certified Information Systems Auditor exam. He can be reached at sam_khan@ous.edu
Before the final rule was issued in 2013, the maximum penalty for each violation was $100 with an aggregate penalty of $25,000 per year for each violation. To date, using this structure, HHS has collected $15.3 million relating to HIPAA violations and settlements. The final rule increases fines for civil penalties and now includes a tiered penalty structure. Penalties for noncompliance are based on the level of negligence with a maximum penalty of $1.5 million per violation. Penalties per violation range from:
• $100 to $50,000 – when the covered entity or business associate is unaware of the violation and would not have known of the violation by exercising reasonable due diligence.
• $1,000 to $50,000 – when reasonable cause leads to a violation.
• $10,000 to $50,000 – when a violation of willful neglect is corrected within 30 days of discovery.
• $50,000 to $1.5 million – when a violation of willful neglect is not correctly addressed within the required time frame.
• If multiple HIPAA violations occur, penalties could surpass $1.5 million.
21 COLLEGE & UNIVERSITY AUDITOR
The final rule also strengthens the HITECH Act breach notification requirements by clarifying when breaches of unsecured health information must be reported to HHS. According to HHS, “Breach notification is necessary in all situations except those in which the covered entity or business associate, as applicable, demonstrates that there is a low probability that PHI has been compromised.” Under the final rule, a breach is defined as “an acquisition, access, use or disclosure of PHI in a manner not permitted … [and] is presumed to be a breach, unless the covered entity can demonstrate that there is a low probability that the PHI has been compromised.”
To demonstrate that there is a low probability that a breach compromised PHI, a covered entity or business associate must perform a risk assessment that addresses the following minimum standards:
• The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
• The unauthorized person who used the PHI or to whom the disclosure was made.
• Whether the PHI was actually acquired or viewed.
• The extent to which the risk to the PHI has been mitigated.
THE CASE AT IDAHO STATE
Failure to secure electronic protected health information (ePHI) can result from varying reasons: a lack of encryption, failure to update related HIPAA policies, failure to perform an annual risk assessment, or as with the following case, a disabled firewall. In May 2013, HHS released settlement information in which Idaho State University (ISU) agreed to pay HHS $400,000 for HIPAA Security Rule violations. The settlement, which used the old penalty structure, involved the breach of unsecured ePHI of approximately 17,500 patients at ISU’s Pocatello Family Medicine Clinic. ISU operates 29 outpatient clinics and is responsible for providing health information technology systems security at those clinics. Between four and eight of those ISU clinics are subject to the HIPAA Privacy and Security Rules, including the clinic where the breach occurred.
The OCR opened an investigation after ISU notified HHS of the breach in which ePHI was unsecured for at least 10 months, due to the disabling of firewall protections at servers maintained by ISU. OCR’s investigation indicated that ISU’s risk analyses and assessments of its clinics were incomplete and inadequately identified potential risks or vulnerabilities and that ISU also failed to assess the likelihood of potential risks occurring.
OCR concluded that ISU did not apply proper security measures and policies to address risks to ePHI and did not have procedures for routine review of their information system in place, which could have detected the firewall breach much sooner. “Risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program,” said OCR Director Leon Rodriguez. “Proper security measures and policies help mitigate potential risk to patient information.” ISU has agreed to a comprehensive corrective action plan to address the issues uncovered by the investigation and its failure to ensure uniform implementation of required HIPAA Security Rule protections at each of its covered clinics.
BREACH REPORTS
HHS maintains a list of breaches of unsecured PHI affecting 500 or more individuals on its website: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html The full dataset can be downloaded and includes brief summaries of the breach cases that OCR has investigated and closed, as well as the names of private practice providers who have reported breaches to HHS. The following university-related breaches have been reported during 2013:

| Covered Entity | Individuals Affected | Date of Breach | Type of Breach | Location | Date Reported |
|---|---|---|---|---|---|
| University Of Michigan Health System | 3,999 | 11/14/2012 | Theft | Laptop | 1/17/2013 |
| The University of Texas MD Anderson Cancer Center | 29,021 | 4/30/2012 | Theft | Laptop | 2/7/2013 |
| University of Connecticut Health Center | 1,382 | 06/07/2010 – 12/07/2012 | Unauthorized Access/Disclosure | Network Server | 3/27/2013 |
| The Brookdale University Hospital and Medical Center | 28,187 | 9/21/2012 | Unauthorized Access/Disclosure | Other Portable Electronic Device | 3/27/2013 |
| The Brookdale University Hospital and Medical Center | 2,261 | 8/11/2012 | Unauthorized Access/Disclosure | Paper | 3/27/2013 |
| Oregon Health & Science University | 1,076 | 2/22/2013 | Theft | Laptop | 4/23/2013 |
| University of Florida | 14,519 | 03/01/2009 – 10/25/2012 | Theft, Unauthorized Access/Disclosure | Desktop Computer, Electronic Medical Record | 4/23/2013 |
| Oregon Health & Science University | 1,114 | 2/22/2013 | Theft | Laptop | 4/23/2013 |
| University of Mississippi Medical Center | 10,000 | 11/01/2012 – 01/19/2013 | Loss | Laptop | 4/23/2013 |
| Indiana University Health Arnett | 10,350 | 4/9/2013 | Theft | Laptop | 5/17/2013 |
| University of Florida | 5,875 | 02/01/2012 – 04/11/2013 | Theft, Unauthorized Access/Disclosure | Electronic Medical Record | 6/5/2013 |
| University of Rochester Medical Center & Affiliates | 537 | 2/15/2013 | Loss | Other Portable Electronic Device | 6/5/2013 |
| Louisiana State University Health Care Services Division | 6,994 | 12/1/2011 | Unauthorized Access/Disclosure | Desktop Computer | 8/9/2013 |
HOW DOES HIPAA APPLY TO UNIVERSITY CLINICS?
University hospitals have dedicated staff to adhere to all parts of the HIPAA rules, but that is not always the case with small university health clinics. The final omnibus rule has not changed the fact that some university health clinics do not need to comply with all parts of the HIPAA rules. An auditor should check with the institution's legal counsel to determine which rules apply. According to HHS, when a university provides healthcare to students in the normal course of business, such as through a health clinic, it is a “healthcare provider” as defined by HIPAA. If a university also conducts any covered transactions electronically in connection with that healthcare, it is then a covered entity under HIPAA. As a covered entity, the university must comply with the HIPAA Administrative Simplification Rules for Transactions, and also with code sets and identifiers with respect to its transactions.
However, many universities, even those that are HIPAA covered entities, are not required to comply with the HIPAA Privacy Rule because the only health records maintained by the university are “education records” or “treatment records” of eligible students under the Family Educational Rights and Privacy Act (FERPA), both of which are excluded from coverage under the HIPAA Privacy Rule. In addition, the exception for records covered by FERPA applies both to the HIPAA Privacy Rule and the HIPAA Security Rule, because the Security Rule applies to a subset of information covered by the Privacy Rule.

THE DISTINCTION BETWEEN THE HIPAA PRIVACY RULE AND HIPAA SECURITY RULE
According to HHS, the Privacy Rule establishes a national standard to protect individuals’ medical records and other PHI and applies to health plans, healthcare clearinghouses, and those healthcare providers that conduct certain health care transactions electronically. The Privacy Rule requires appropriate safeguards to protect the privacy of PHI, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

The Security Rule is a subset of the Privacy Rule. It establishes a national standard to protect individuals’ ePHI that is created, received, used or maintained by a covered entity. The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical and physical safeguards for protecting ePHI. Specifically, covered entities must:
• Ensure the confidentiality, integrity and availability of all ePHI they create, receive, maintain or transmit;
• Identify and protect against reasonably anticipated threats to the security or integrity of the information;
• Protect against reasonably anticipated, impermissible uses or disclosures; and
• Ensure compliance by their workforce.
Auditors may want to review contracts with cloud service providers to ensure they meet the standards of the Security Rule. Recently, the Oregon Health & Science University (OHSU) notified 3,044 patients that their PHI had been compromised after several residents and physicians-in-training inappropriately used Google cloud services to maintain a spreadsheet of patient data.
CONCLUSION
In light of recent changes to HIPAA, internal auditors can play a key role in ensuring that their institution complies with the final omnibus rule. An auditor should consult with their institution's legal counsel to determine how the rule changes might impact the institution and whether it would be necessary to audit controls to ensure compliance.

RESOURCES FOR FURTHER INFORMATION
Federal Register, Vol. 78, No. 17, Friday, January 25, 2013, Part II. Department of Health and Human Services, Office of the Secretary. 45 CFR Parts 160 and 164. Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule. http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf

NIST Special Publication 800-66 Revision 1. An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf