Building a HIPAA Toolbox: Part 1
Demonstrate voluntary compliance in five preventive steps.
As of June 2013, the Office for Civil Rights (OCR) has announced more than $10 million in penalties and settlements related to alleged HIPAA violations. OCR—responsible for enforcing HIPAA regulations—had more than 500 investigations still open at the end of 2013, all based on breach notifications alone. With the expanded enforcement under the omnibus HIPAA regulations that became effective September 2013, investigations, penalties, and settlements are expected to rise.
Although the large settlement agreements announced by OCR attract attention, more significant are the thousands of investigations resolved by OCR where a penalty was not assessed because the covered entity was found to have: 1) addressed the underlying cause of the breach or violation; and 2) mitigated any potential harm to affected individuals. Even when OCR finds that a covered entity or business associate was non-compliant with HIPAA, the investigation may be concluded through voluntary compliance, rather than financial penalty. There are a few proactive steps a covered entity or business associate (you) can take to improve your ability to demonstrate voluntary compliance in an investigation.
- Prevention Goes a Long Way
It may seem simplistic to say that you can manage the risk of a breach by complying with obligations under HIPAA; however, robust compliance plans not only reduce the risk of a breach, they position your organization to respond if one arises.
When a breach occurs, it does not necessarily mean you will be subject to penalties. The majority of settlement agreements announced by OCR involve non-compliance beyond the breach itself. Many of these organizations faced allegations that risk assessments were not performed; employees were not trained; policies and procedures were ineffective, insufficient, or missing; encryption was not implemented; and/or safeguards were incomplete. In the event a breach occurs despite compliance efforts, your compliance program can demonstrate voluntary compliance with the majority of HIPAA requirements, and narrow the scope of the investigation to the implication of the breach itself.
- Identify Potential Breaches in a Timely Manner
Of the 101 entities that were audited for breach notification compliance in 2013, 31 were found to have an element of non-compliance related to the notification rule. Of the 31 entities with deficiencies, 23 had findings regarding the timeliness of notification.
The breach notification rule requires that you provide necessary notification without unreasonable delay, and in no case later than 60 calendar days from the date a breach is known to the entity, or would have been known through exercise of reasonable diligence. By incorporating the “would have been known” component in the timing requirements for breach notification, HIPAA imposes an obligation for you to implement effective policies for detecting potential breaches. Timely identification is accomplished primarily through active monitoring, mandatory reporting, and periodic audits.
- Have a Breach Response Plan
Breach discovery triggers a period of heightened scrutiny for your organization. Even when notification is provided within the 60-day period, a primary question plaguing most organizations is, “What took so long?” The resolution is to improve your ability to respond appropriately, which you can do by developing a plan for the time of crisis.
A breach response plan or policy usually involves describing the identification and investigation process, sending notification requirements applicable to the organization, and describing expectations to mitigate harm and prevent future incidents. The plan lays out the structure. Additionally, consider how your plan will be implemented:
- Who will comprise the internal team to manage the breach response?
- At what point is legal counsel involved?
- What insurance, forensics, credit monitoring, or other consultants does your organization have available?
Knowing the answers to these questions in advance of a breach enables a timely, effective response.
- Protect Individuals and Mitigate Harm
The fifth most common issue subject to corrective action by OCR in 2011, 2012, and 2013 was mitigation. Actual implemented mitigation strategies are highly dependent on the facts of a particular breach. For instance, a misdirected fax may focus on confining unauthorized disclosure, such as recovery or destruction of the document, or execution of confidentiality agreements with the unauthorized recipient. A breach related to a lost, unencrypted laptop, on the other hand, cannot be easily confined, and mitigation will likely focus on protecting affected individuals against potential harm, beginning with patient notification and identity theft and credit monitoring protection. Identifying potential mitigation strategies to incorporate in your breach response plan provides your team with the necessary tools to respond to a breach appropriately.
- Learn From Your Mistakes
The most important component of a breach response, and frequently the focus of a related investigation, is the steps an organization takes after the dust settles. A review of the OCR settlement agreements includes corrective action plans that detail your expectations to prevent a repeat breach.
In the event of a breach, the facts, vulnerabilities, and other information gathered during the internal investigation process should be factored into your risk analysis and risk management processes. Every breach or similar violation presents an opportunity for your organization to grow and to improve information protection. Ask yourself:
- Have the vulnerabilities that allowed the breach been resolved?
- Have applicable workforce members been sanctioned, terminated, or re-trained?
- Were new technologies or other safeguards implemented?
- Were policies and procedures revised?
- Did you document or summarize what steps were taken in response?
Demonstrate an appropriate response to the situation and your organization’s commitment to comprehensive HIPAA compliance by implementing these preventive measures and documenting them.
Stacy Harper, JD, MHSA, CPC, is healthcare attorney with Lathrop & Gage, LLP. She serves on the National Advisory Board for AAPC. Harper works with healthcare providers around the country to navigate regulatory requirements such as HIPAA, data privacy and security, Stark law, anti-kickback, state licensure, and Medicare conditions of payment and participation. She is a member of the Kansas City, Missouri local chapter.