Anesthesia Coding Alert

Take note of the areas HHS will be watching.

Are you guilty of one of the top-six HIPAA compliance issues that tend to trigger investigations and enforcement actions by the HHS Office for Civil Rights (OCR)? If so, you’d better prepare for a visit from the feds.

HIPAA Complaints Keep OCR Busy

Since 2003, OCR has received more than 134,246 HIPAA-related complaints, and investigated and resolved more than 24,241 cases (as of May 31, 2016). According to figures compiled by associates at the law firm Davis Wright Tremaine LLP (DWT), there have been 36 OCR enforcement actions, comprised of 34 settlements and two civil monetary penalty (CMP) actions.

Settlement amounts and CMPs total more than $40 million, with an average settlement amount of more than $1 million. And 23 out of the 36 OCR enforcement actions arose from breach reports to HHS. At least 25 of the 36 involved electronic protected health information (ePHI).

OCR also typically hands down Corrective Action Plans (CAPs) following an investigation, especially one arising from a breach. The average minimum length of a CAP is approximately two years, according to DWT.

What’s more: State attorney generals (AGs) are also getting in on the HIPAA enforcement action, with 11 actions by state AGs in less than seven years — five actions in Massachusetts, two in Connecticut, and one each in Indiana, Minnesota, New York, and Vermont. The average penalty amount from a state AG enforcement action is $347,909.

What to Expect from an OCR Investigation

Trend: Since 2008, the number of OCR enforcement actions resolved each year has risen steadily, according to DWT. In 2015, OCR resolved six complaints total, but as of June 10, 2016, OCR has already resolved the same amount, signaling that 2016 may be a record-breaking year in terms of number of enforcement actions and settlements.

“These investigations and compliance reviews take personnel out of their ‘day jobs,’ having to intensively focus on the OCR requests,” laments Rebecca Williams, RN, JD, chair of the Health Information Practice at DWT in Seattle. “Sometimes OCR will come on-site for interviews and further investigation. And, of course, these tend to be stressful situations.”

“An OCR investigation is an all-hands-on-deck experience,” agrees Adam Greene, a Washington, D.C.-based partner attorney with DWT who specializes in HIPAA compliance matters, formerly a regulator at HHS playing a key role in administering and enforcing the HIPAA Rules.

“The initial data request may ask for a large amount of information, which takes significant resources to put together,” Greene says. “And some investigations will stretch for a number of years, with each data request once again requiring significant resources to respond.”

Beware of the Top 6 Trends

According to Williams, some top issues that have been trending for enforcement actions include:

1. Lost or stolen portable media that was not encrypted, particularly thefts of laptops left in unattended vehicles;
2. Disposal of PHI, such as leaving PHI in dumpsters or on the hard drives of printers and scanners;
3. Incomplete or totally absent risk analyses;
4. Hacking and malware;
5. Accessibility of PHI through Internet services; and
6. Failure of covered entities (CEs) to have business associate (BA) agreements (BAAs) in place.

Bottom line: CEs and BAs “should understand that OCR is still resolving most cases through voluntary corrective action, but is more willing than ever before to seek significant financial enforcement where there are systemic or egregious compliance failures,” Greene warns. “For example, a lack of a BAA where one is clearly required, or a failure to include a large amount of ePHI in periodic risk assessments, are more likely than ever before to lead to sizable financial settlements.”

Resource: To view the DWT data and new infographic, visit www.privsecblog.com/2016/06/articles/healthcare/hipaa-enforcement-actions-by-the-numbers/.