Part B Insider (Multispecialty) Coding Alert

Published on Mon Aug 18, 2014 PDF

HHS collected millions in HIPAA penalties in recent years.

HIPAA breaches caused by laptop thefts are on the rise, new HHS reports show. Are you doing all you can to avoid risk in this area?

Two recent reports to Congress from the HHS Office for Civil Rights, mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, cover calendar years 2011 and 2012.

A breach notification report provides an overview of the breach notification requirements, while a report on the HIPAA rules summarizes complaints HHS has received of alleged violations of HITECH and the HIPAA Privacy and Security Rules, according to OCR.

During 2011 and 2012, the reports state that HHS entered into seven resolution agreements/corrective action plans totaling more than $8 million in settlements, reports Milwaukee, Wis.-based attorney Meghan O’Connor in a blog posting for von Briesen & Roper. These settlements resulted from breaches reported to HHS, which spurred investigations. OCR received 236 reports in 2011 and 222 reports in 2012 of breaches involving 500 or more individuals.

“The compliance report reviews HHS compliance and enforcement activities, as well as complaints received by HHS with respect to the HIPAA Privacy, Security, and Breach Notification Rules,” O’Connor says. From 2003 to 2012, OCR investigated 27,466 complaints and resolved 18,559 of these cases by requiring corrective actions and/or providing technical assistance.

Avoid Top 4 Causes Of HIPAA Breaches

O’Connor points out that, according to the breach report, the primary reported causes of larger breaches included:

• Theft;
• Unauthorized access, use, or disclosure;
• Improper disposal; and
• Hacking/IT incident.

“Based on the types of breach reports submitted, HHS advises that entities subject to HIPAA should ensure completing of risk evaluations, secure portable electronic devices, provide for proper disposal of PHI, implement physical access controls, and provide trainings to members of the workforce,” states a blog posting by health law attorney Leah Roffman for Cooley. “These are important steps to take to limit the likelihood of a breach.” 

Note: The breach notifications report is at www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachreptmain.html. The report on the HIPAA rules is at www.hhs.gov/ocr/privacy/hipaa/enforcement/compliancereptmain.html.