
Are you doing enough to prevent breaches of protected health information?

HIPAA violations can have serious legal consequences.

Case in point: A federal grand jury has indicted a former employee at the University of Pittsburgh Medical Center for allegedly stealing patient data. The defendant disclosed to other people the names, birth dates and Social Security numbers of patients – information later used to file false tax returns. The law carries a maximum sentence of 80 years in prison, a fine of more than $4.7 million, or both.

In another case, a former researcher at the UCLA School of Medicine has been sentenced to four months in federal prison for HIPAA violations. Upon learning that he was being dismissed from his job, the UCLA employee accessed the medical records of his superior and coworkers, as well as more than 320 patient records (many of them celebrities) during the following four weeks. Charges were filed in 2009 and the defendant pleaded guilty in early 2010 to four misdemeanor counts of illegally reading private and confidential medical records.

These cases demonstrate not only the long reach of HIPAA enforcement but also the importance of strengthening security and other safeguards to prevent these types of medical data breaches.

What is a breach?

A breach occurs when 1) there has been “unauthorized” access, use or disclosure of “unsecured” PHI that violates the HIPAA Privacy Rule, and 2) the disclosure “compromises the security or privacy” of the PHI, which means that it “poses a significant risk of financial, reputational or other harm to the individual.”

What is “unsecured” PHI?

The rules define “unsecured” PHI as any information that has not been rendered unusable, unreadable or indecipherable to unauthorized individuals through the application of a technology such as encryption or destruction.

Encryption - Proper encryption should use an algorithmic process to transform data into a form that is meaningless without a confidential process or key (which also must be protected).

Destruction - Hard copy PHI, such as paper or film, needs to be thoroughly shredded or destroyed so that it cannot be read or reconstructed.

How do I protect my business?

To steer clear of HIPAA violations and breaches, you should:

Establish breach notification procedures and update policies - Develop guidelines for determining when a breach has occurred, who will prepare individual notifications, and when a breach will trigger a requirement for notice to the media or immediate notice to HHS. Amend your HIPAA privacy and security policies, too, to cover the security breach notification rules.

Maintain a breach incident log - Set up a system to log security breaches affecting fewer than 500 individuals; this log must be filed with HHS within 60 days after the end of the year.

Revise business associate agreements - Discuss with your business associates (and put in writing) when they should notify you of a breach by their organization, what information should be reported, and which party will issue the required notifications.

Train employees on proper procedures - Employees should understand when they have encountered a breach and how to report it. A successful training program will provide formal instruction on HIPAA-related policies and procedures, as well as build awareness through workplace postings and other employee materials.
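The “unsecured” PHI test above (encrypted, with the key itself protected) and the notification steps (individual notice, immediate HHS and media notice at 500 or more individuals, the annual log for smaller breaches) can be written down as a small triage routine. The following Python is an added example, not code from the original post or from HHS: the thresholds and 60-day windows are taken from this page, the sample incidents are constructed, and whether an incident “poses a significant risk of harm” is modelled as a judgement the assessor supplies rather than something the code decides.

```python
# Added example: breach triage under the HIPAA breach notification rules described
# on this page. Thresholds/deadlines come from the page; incidents are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

HHS_IMMEDIATE_THRESHOLD = 500     # 500 or more individuals: notify HHS (and media) promptly
NOTIFICATION_WINDOW_DAYS = 60     # reporting window used by the rule


@dataclass
class Incident:
    description: str
    discovered: date
    individuals_affected: int
    encrypted: bool            # was the PHI encrypted?
    key_protected: bool        # was the key kept away from the lost/stolen data?
    significant_risk: bool     # assessor's judgement: significant risk of harm?


@dataclass
class Obligations:
    is_breach: bool
    notify_individuals: bool = False
    hhs_report: Optional[str] = None   # "immediate" or "annual_log"
    notify_media: bool = False
    deadline: Optional[date] = None


def is_unsecured(inc: Incident) -> bool:
    """PHI counts as 'unsecured' unless it was encrypted AND the key stayed protected."""
    return not (inc.encrypted and inc.key_protected)


def annual_log_deadline(discovered: date) -> date:
    """Smaller breaches are logged and filed within 60 days after the end of the year."""
    return date(discovered.year, 12, 31) + timedelta(days=NOTIFICATION_WINDOW_DAYS)


def triage(inc: Incident) -> Obligations:
    """Apply the two-prong breach test, then pick the notification path by headcount."""
    if not (is_unsecured(inc) and inc.significant_risk):
        # Encrypted PHI with a protected key (or no significant risk) is not a
        # breach of unsecured PHI, so no notification duty arises.
        return Obligations(is_breach=False)
    if inc.individuals_affected >= HHS_IMMEDIATE_THRESHOLD:
        return Obligations(True, notify_individuals=True, hhs_report="immediate",
                           notify_media=True,
                           deadline=inc.discovered + timedelta(days=NOTIFICATION_WINDOW_DAYS))
    return Obligations(True, notify_individuals=True, hhs_report="annual_log",
                       deadline=annual_log_deadline(inc.discovered))


def annual_log(incidents: List[Incident], year: int) -> List[Incident]:
    """Entries for the year's log: breaches under 500 individuals discovered that year."""
    return [i for i in incidents
            if i.discovered.year == year and triage(i).hhs_report == "annual_log"]


# Constructed sample incidents (not the cases reported on this page).
SAMPLE_INCIDENTS = [
    Incident("Stolen unencrypted laptop with plan enrollment data", date(2009, 10, 1),
             12000, encrypted=False, key_protected=False, significant_risk=True),
    Incident("Staff member copied patient PHI to personal computer", date(2009, 11, 15),
             40, encrypted=False, key_protected=False, significant_risk=True),
    Incident("Lost encrypted backup drive, key held on separate server", date(2009, 11, 20),
             3000, encrypted=True, key_protected=True, significant_risk=True),
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.description, "->", triage(inc))
    print("2009 annual log:", [i.description for i in annual_log(SAMPLE_INCIDENTS, 2009)])
```

The routine mirrors the lost-laptop and staff-download scenarios discussed elsewhere on this page: the first sample lands on the immediate HHS and media path with a deadline 60 days after discovery, the second goes on the annual log due 60 days after year end, and the third is not a breach of unsecured PHI at all because the key never travelled with the drive.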

Life's a "breach" if you mishandle protected health information

In late August 2009, the Department of Health and Human Services (HHS) issued new regulations requiring entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when their protected health information (PHI) is compromised. Specifically, the HITECH Act requires businesses to report breaches affecting 500 or more individuals to HHS within 60 days of discovering the breach. It also requires that HHS post on its website a list of these reported breaches.

The “Breach Notification Rule” is now in full effect. Last week, HHS posted a list of breaches of unsecured PHI that affected 500 or more people. As summarized in the report, 27 of the breaches resulted from thefts of paper or electronic records. Other breaches were described as “Hacking/IT Incident,” “Loss,” “Incorrect Mailing,” “Unauthorized Access,” “Misdirected Email,” and “Phishing Scam.” The breach affecting the largest number of individuals was reported by Blue Cross Blue Shield of Tennessee. There, a theft of hard drives resulted in breaches of unsecured PHI affecting half a million individuals.

Does the new rule apply to you?

It does if you’re a HIPAA-covered entity or business associate, including most health care providers, health plans and health care clearinghouses. Employers who act as sponsors of group health plans may also be covered entities, depending upon their level of involvement.

What is a breach?

A breach occurs when 1) there has been “unauthorized” access, use or disclosure of “unsecured” PHI that violates the rule and 2) the disclosure “compromises the security or privacy” of the PHI, which means that it “poses a significant risk of financial, reputational or other harm to the individual.”

“Unsecured” PHI is any information that has not been rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology such as encryption or destruction.

Encryption - Proper encryption should use an algorithmic process to transform data into a form that is meaningless without a confidential process or key (which also must be protected).

Destruction - Hard copy PHI, such as paper or film, needs to be thoroughly shredded or destroyed so that it cannot be read or reconstructed.

Beyond enhancing your data security efforts, you have a responsibility to:

=> notify individuals when their health information has been compromised
=> update your HIPAA policies and procedures
=> educate employees on new procedures

Cover all the bases with our HIPAA Forms CD-ROM and Poster Bundle. It includes all the HIPAA compliance materials you need - from an Employee Information Poster and HIPAA Privacy and Security Policy to a Breach Incident Log and other essential forms - to stay in compliance.

For additional direction with your compliance questions, go to HIPAA FAQs.

Looks like we made it - Saying goodbye to 2009 and hello to 2010

So here we are, ushering in 2010 … a fresh, unspoiled year … a blank slate waiting to be filled with new experiences and opportunities. The year ahead feels like that shining, new employee you just hired, coming to you with impeccable credentials and a winning personality. Will the new year, like that new employee, be everything you hoped for?

In addition to wishing you a "Happy New Year" in this first blog post of 2010, I feel like I should express my congratulations, too. Congratulations on enduring a year that was anything but dull, thanks to a lingering recession, the swearing in of a new, Democratic president and heightened labor law enforcement under the Obama administration. Many of you successfully kept your businesses afloat with fewer employees, fewer resources and budgets that were cut to the bone.

Lest you forget your strength and resilience during such trying times, let us take a quick walk down memory lane to revisit the changes that hit employers the hardest in 2009 (and that were covered in HR Forum):

=> New Family and Medical Leave Act (FMLA) rules become effective in January, with expanded military coverage and revised guidelines on determining FMLA eligibility and handling leave requests.

=> In his first piece of legislation as President, Barack Obama signs the Lilly Ledbetter Fair Pay Act into law in late January, an equal-pay bill designed to make it easier for employees to sue for pay discrimination.

=> In response to the nation’s dire economic situation, President Obama signs a $787 billion stimulus package that includes a COBRA subsidy for laid-off workers, hiring incentives via tax credits for certain types of workers and other new HR requirements.

=> Just as most businesses are preparing to update their employment verification practices to incorporate newly updated I-9 Forms, the Department of Homeland Security (DHS) pushes back the scheduled update by two months (to April 3).

=> In late April, Secretary of Homeland Security Janet Napolitano urges employers to aggressively prepare for another outbreak of swine flu to prevent it from becoming a full-fledged pandemic.

=> The U.S. Immigration and Customs Enforcement (ICE) launches a bold initiative in early July as part of its stepped-up enforcement, alerting 652 businesses nationwide that ICE agents will be inspecting their hiring records.

=> Beginning September 8, all federal contractors and subcontractors are required to use E-Verify, a free, web-based system that compares employee information from the Form I-9 against federal databases to verify a worker’s employment eligibility.

=> Also in September, all businesses covered by HIPAA – or that offer products or services that interact with protected health information – must notify individuals when their health information has been breached, and must update their HIPAA policies and procedures.

=> In October, OSHA announces a national emphasis program (NEP) on recordkeeping to assess the accuracy of injury and illness data recorded by employers, largely due to unusually low incidence rates in traditionally high-rate industries.

=> The provisions of the Genetic Information Nondiscrimination Act (GINA) go into effect in November; they include an updated EEOC “Equal Employment Opportunity is the Law” poster – the fifth federal-level posting change in five years.

Awareness and action in 2010

While the new year is starting on a high note – with many experts indicating that the recession is lifting – we can most likely expect a similar level of labor law reform and increased enforcement under the Obama administration in 2010. Check back here often for insights on the latest legal and HR issues affecting your business, including solutions to help you meet every challenge like a seasoned pro.

New HIPAA Breach Notification Rules kick in today

With medical data breaches on the rise, the federal government is taking action to help stem the problem. The Department of Health and Human Services (HHS) recently issued new regulations requiring health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when their protected health information (PHI) is breached. The HHS regulations came two days after the Federal Trade Commission (FTC) issued regulations outlining similar requirements for personal health record (PHR) vendors, PHR-related entities and third-party service providers.

“This new federal law ensures that covered entities and business associates are accountable to the Department and to individuals for proper safeguarding of the private information entrusted to their care. These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information,” said Robinsue Frohboese, Acting Director and Principal Deputy Director of OCR. (HHS Press Release)

Under the new rules, businesses must immediately notify individuals of a breach, as well as the HHS (or the FTC) and the media when a breach affects more than 500 individuals. This new notice requirement is designed to help consumers make informed decisions when their health information is released to unauthorized users, while also prompting companies to enhance security. Businesses are also required to update their HIPAA policies and train employees on new procedures.

What is a breach?

A breach occurs when 1) there has been “unauthorized” access, use or disclosure of PHI, which violates the HIPAA Privacy Rule and 2) the disclosure “compromises the security or privacy” of the PHI, which means that it “poses a significant risk of financial, reputational or other harm to the individual.”

Let’s say, for example, your company sponsors a group health insurance plan and a laptop containing enrollment information constituting PHI is lost or stolen. You most likely would be required to notify the affected individuals. Or perhaps you operate a HIPAA-covered medical practice and a staff member impermissibly downloads patients’ PHI to his personal computer. Again, you would need to notify the affected patients.

The effective date of the new HIPAA Breach Notification Rules is today, September 23, 2009. However, HHS has stated it will not impose penalties until February 22, 2010.