The Health Insurance Portability and Accountability Act (HIPAA) is returning to the spotlight in 2018. According to the U.S. Department of Health and Human Services (HHS), Fresenius Medical Care North America (FMCNA) has agreed to pay $3.5 million to HHS and the Office of Civil Rights (OCR) to settle potential HIPAA violations. In addition, FMCNA has agreed to implement a wide-ranging corrective action plan. This all stems from FMCNA filing five separate breach reports in less than six months. HIPAA compliance was not completely ignored in this case, but FMCNA failed to conduct the accurate and thorough risk analysis of potential vulnerabilities that HIPAA requires.
There are other documented examples of HIPAA violations, and every one of them has had a negative impact on the organization involved. This is why it is vital for healthcare organizations to track any potential changes to HIPAA compliance requirements and to ensure that all employees are trained on and aware of those changes. Doing so reduces the risk of HIPAA violations and the penalties that follow them.
We saw a significant increase in HIPAA enforcement activity by OCR in 2016, along with a rise in settlements reached with covered entities. In 2017 it was more of the same, with settlements again above normal levels. That history sets certain expectations for 2018. At the 2018 Health Information and Management Systems Society (HIMSS) conference, OCR Director Roger Severino spoke about HIPAA compliance and policy updates. He also emphasized that OCR will continue to pursue settlements for extreme violations of HIPAA regulations.
OCR wants to request information on how a percentage of the settlements and civil monetary fines it collects could be distributed to the victims of healthcare data breaches caused by HIPAA violations. The office is also considering changing the regulation that requires covered entities to retain signed forms from patients acknowledging that they have received a copy of the covered entity's notice of privacy practices. In practice, these forms are often signed by patients who only want to schedule a visit with their physician and are, at times, never read.
Severino also stated that OCR may alter HIPAA regulations in 2018 relating to good-faith disclosures of protected health information (PHI). The aim is to officially clarify that disclosing PHI in specific situations is permitted without first obtaining consent from patients.
OCR does not necessarily want to penalize healthcare organizations for violating regulations and would like to reduce the number of settlements. However, organizations must enhance their compliance procedures, and the way to do that is to address HIPAA compliance directly. Working through a compliance checklist goes a long way toward effectively protecting against the security breaches that lead to HIPAA violations.
It starts with conducting self-audits. In fact, HIPAA requires healthcare organizations to conduct internal audits annually in order to evaluate technical, administrative and physical gaps in HIPAA compliance. Once those gaps are revealed, remediation plans must be put in place to address any potential HIPAA violations.
Employee training on policies and procedures is crucial to avoiding HIPAA violations, especially when the HIPAA requirements themselves change. Documentation is another vital step: every effort made to become HIPAA compliant should be documented.
It is also important to document all vendors who may have access to PHI and then execute business associate agreements with them to ensure that PHI is securely managed and processed.