HHS Moves into Audit Phase of HIPAA Compliance
April 2007
Health and Human Services (HHS) has just begun to move into its audit phase for determining covered entities' compliance with HIPAA's requirements. For the four years since HIPAA's privacy rules first became effective, HHS has not audited covered entities. Instead, HHS has given covered entities a four-year period to become familiar with HIPAA's day-to-day requirements and has limited its compliance efforts to investigating complaints filed against specific covered entities.
HHS began its first audit of a covered entity, Piedmont Hospital in Atlanta, earlier this year. HHS has hired additional agents to enforce HIPAA, and we expect the number of audits to continue to grow now that covered entities have been given a sufficient chance to put HIPAA's requirements in place and have learned how to comply with HIPAA on a daily basis.
What will HHS auditors want to see? Auditors will first want to make sure that you have all the legal documents in place. This will include your HIPAA privacy and security policies and procedures, your plan amendments, your business associate contracts, your HIPAA security risk analysis, your HIPAA employer certification and any records you have created to document HIPAA-related events (e.g., HIPAA training records, sanctions of workforce members, actions taken to mitigate a violation). Auditors will also want proof that your organization has actually implemented the HIPAA privacy and security safeguards described in your HIPAA documents. The penalties for noncompliance with HIPAA's privacy and security rules include civil penalties of up to $100 per violation, capped at $25,000 per year for violations of an identical requirement, and criminal penalties of up to $250,000 and 10 years of imprisonment.
With HIPAA's fourth anniversary quickly approaching, it is a good time to reevaluate your current HIPAA privacy and security programs. Frequent audits of your HIPAA compliance program greatly help to minimize the risk of civil or criminal penalties for HIPAA violations. Frequent audits also demonstrate to HHS your commitment to the privacy and security of protected health information. Please feel free to contact us if you would like our HIPAA team to assist you in evaluating whether your HIPAA compliance program meets the requirements of the regulations.
Upcoming Privacy Rule Deadline for Small Health Plans – April 14, 2007
Please be aware of an upcoming requirement under the HIPAA privacy rules for small group health plans (plans with less than $5 million in annual receipts) relating to your Notice of Privacy Practices. A special rule requires you to notify individuals covered by your self-insured health plans of the availability of the Notice of Privacy Practices, and how to obtain it, at least once every three years. When we assisted our clients in implementing a HIPAA Privacy Compliance Program, we discussed adding a paragraph to your annual open enrollment materials informing participants that they can obtain a copy of the Notice of Privacy Practices from the benefits or HR office, which satisfies this requirement. If you have not yet added this paragraph to your annual open enrollment materials, you need to take steps now to alert participants to the availability of the Notice and how to obtain a copy. The deadline to meet this requirement is April 14, 2007. Large group health plans should have met this requirement as of April 14, 2006.
HIPAA's Ongoing Training Requirement for Security Rule Compliance
Please recall that HIPAA's security rules require you to provide periodic training to your covered workforce members. HIPAA security training is not a one-time event! You may provide ongoing HIPAA training in a variety of ways, including emails on security topics, break room postings, newsletters, payroll stuffers or informal lunch-time discussions. Obviously, live training will be the most effective method, since you have employees' full attention and they can ask questions about everyday compliance with HIPAA. One of the specialties of Bracewell's HIPAA group is providing ongoing HIPAA privacy and security training. We would be happy to assist you with providing HIPAA training to your employees to satisfy HIPAA's security rule requirements.
HIPAA and State Security Breach Reporting Laws
After all the training you have conducted and all the excellent safeguards you have in place, what if you discover a privacy or security violation in which an individual’s private health information has been compromised?
HIPAA itself does not directly require you to disclose the violation to the affected individual. Under HIPAA, whether to disclose the breach to the individual is a business decision for your organization. However, HIPAA does require you to mitigate any damage caused by the breach and to take the measures necessary to prevent a recurrence. You must also document the breach and the measures you took to correct it. If an affected individual ever requested an Accounting of Disclosures under HIPAA's privacy rules, you would be required to report the wrongful disclosure to that individual (this is the way HIPAA could indirectly require you to report the violation to the individual).
Please be aware of the new state breach notification statutes! Although HIPAA may not directly require it, you may be required to report certain security breaches under these new state statutes, which are rapidly multiplying. A by-product of the dramatic increase in identity theft, the state notification statutes generally require organizations to inform individuals when their personal information is obtained by an unauthorized person. California was the first state to enact such a law, which took effect in 2003, and as of January 2007, 34 other states have followed suit.
Many state breach notification laws follow the California statute, with minor variations. The California statute provides that "any state agency, person or business that owns or licenses computerized data (including personal information) must disclose any security breach of data to any resident of California whose unencrypted personal information was, or is believed to have been, acquired by an unauthorized person."
Texas' security breach notification statute took effect on September 1, 2005 and is very similar to the California statute. The Texas statute requires every business operating in Texas to protect the sensitive personal information of Texas residents. Additionally, if the business stores computerized data containing sensitive personal information, the business must disclose any breach of system security to Texas residents whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Penalties can range from $2,000 to $50,000 per violation.
Please be aware of the scope of these state statutes! For most of these statutes, it does not matter where your business is located. Instead, the reporting requirement under a given statute is triggered when the personal information of a resident of that state is believed to have been accessed by an unauthorized person. Under many state statutes, if notifying individuals directly would cost an organization more than a certain amount (usually around $250,000), the business may instead notify individuals of the breach through the media. This is why we are hearing of so many reputable businesses reporting data security breaches; without these state statutes in place, we would never be aware of the sheer number of breaches that occur on a daily basis. The number of records exposed in reported breaches since 2003 is now over 100 million, and those are just the breaches that have been reported by the media. These are very serious statutes with serious business consequences. Please contact us if you would like more information about state breach notification statutes and your obligations under them.
Update on Complaints Against Covered Entities
As of March 31, 2006, the Office for Civil Rights ("OCR") within HHS had received approximately 18,912 complaints against covered entities. OCR has resolved around 72% of these complaints and has referred 304 cases to the Department of Justice for criminal prosecution.
The most frequent violations discovered by OCR are:
- Wrongful uses and disclosures of protected health information ("PHI");
- Lack of adequate safeguards to protect PHI;
- Refusal to provide access to an individual’s medical records;
- Failure to comply with the minimum necessary rules; and
- Failure to obtain a HIPAA authorization when required.
HIPAA Criminal Prosecutions
The first HIPAA criminal conviction occurred in 2004. U.S. v. Gibson involved a cancer center employee who stole patient data to fraudulently obtain credit cards. This employee could easily have been prosecuted under a state identity theft statute, but the U.S. Attorney's Office instead chose to prosecute him under HIPAA. HIPAA attorneys speculate that the cancer center was not fined or prosecuted under HIPAA because it had reasonable and appropriate policies and safeguards in place and was not aware of the employee's actions. Gibson just finished his 16-month sentence in a federal prison.
Liz Ramirez of Alamo, Texas was the next person to be convicted under HIPAA. Ramirez was an employee at a doctor's office and sold the medical records of an FBI agent to an undercover agent for $500, believing that the agent was a drug dealer. Ramirez was sentenced on August 23, 2006 to 6 months in prison, 4 months of home confinement and 2 years of supervised release.
Fernando Ferrer was the first person to be found guilty of HIPAA violations by a jury (the others pleaded guilty and did not have a jury trial). Ferrer's cousin Isis worked at a health clinic as a patient scheduler. Isis stole 1,100 patient files and sold the information to Ferrer, who then filed fraudulent Medicare claims totaling $2.8 million. The crime was discovered when Isis bragged to colleagues about what she had pulled off. Isis is currently being prosecuted. The health clinic was not charged because it reported the theft to the U.S. Attorney's Office, took proactive measures to inform affected patients of the theft, helped patients protect their identities, conducted a follow-up security audit and provided updated training to employees.
Prosecutors are charging employees of covered entities under two different theories: 1) aiding and abetting, and 2) committing a crime within the scope of employment, since the employee is acting as an agent of the employer/covered entity.
HIPAA's Final Enforcement Rule
HHS has issued final regulations for HIPAA's enforcement rule, which became effective March 16, 2006. These final regulations address how HHS will impose civil penalties for violations of HIPAA. The final regulations contain several significant changes from the proposed regulations.
First, HHS modified the method for calculating the number of violations. Under the proposed regulations, HHS stated that it would look at three primary factors in determining violations: 1) the number of times a covered entity engaged in a particular conduct, 2) the number of individuals affected and 3) the duration of the violation. The final regulations give HHS much more discretion in determining the scope of a violation. HHS states that the number of violations of an identical provision will be determined based on the covered entity's obligation to act or not to act. For a continuing violation, HHS may determine that a separate violation of the rule occurs on each day for the duration of the violation. HHS may impose penalties of up to $100 per violation, and therefore up to $100 per day for a continuing violation.
The following example demonstrates the effect of this modification. A covered entity has 30 days to respond to an individual's request to copy his or her medical records. If the covered entity misses the 30-day deadline and instead provides the copies on day 40, a violation of HIPAA occurs. Under the proposed regulations, a single violation occurred, affecting one individual and corrected within a reasonable time, so the covered entity could be subject to a $100 penalty. Under the final regulations, HHS would assert that a separate violation of the rule occurred on each of the 10 days the copies were late; thus the penalty would be $1,000 instead of $100.
Second, HHS may use statistical sampling to determine the penalty to impose when a large number of identical violations have occurred. Statistical sampling could help or hurt your organization, depending on the characteristics of the sample HHS takes. The regulations provide the following example. A health care provider has 3,000 patients, and 210 (7%) of those patients failed to receive a Notice of Privacy Practices. During an audit, HHS reviews a random sample of 100 patients and determines that 15% of those patients failed to receive the Notice of Privacy Practices. The penalty will be based on the 15% sample result rather than on the actual proportion of patients who failed to receive the Notice (7%).
If a civil penalty is imposed against a covered entity, the covered entity may request a formal hearing and may appeal the decision of that hearing.
What's the Future for HIPAA Enforcement?
With the final HIPAA Enforcement Regulations in place, we are expecting to see significantly increased enforcement of the privacy and security rules by HHS. So far, HHS has not imposed any civil penalties and has instead pursued a voluntary correction policy during the initial learning phase of HIPAA, in which a covered entity was given the chance to correct a violation without receiving an automatic penalty. However, now that the HIPAA privacy rules have been in place for almost four years, we expect HHS to take a more aggressive stance in issuing penalties for violations, especially for chronic failure to comply with HIPAA's requirements.
Based on reports of recent investigations of covered entities, organizations report that HHS has become more probing, more sophisticated and more intense in its investigation efforts. Individuals are also becoming more sophisticated about their rights under HIPAA. Instead of reporting an alleged violation only to the covered entity's privacy officer, individuals are now also reporting such violations to HHS. Please note that HHS investigates every complaint it receives against a covered entity! The best protection is to conduct frequent audits of both your HIPAA privacy and security programs.
Please note that if HHS audits or investigates your organization, HHS will send an initial letter informing you of that fact. There has been no consistency in the department to which HHS sends these letters. Sometimes the letters are sent to a specific department within an organization; sometimes to the main mailing address; and sometimes to departments that have no connection to protected health information. Please ensure that the employees who handle your incoming mail are on the lookout for mailings from HHS. It is critical that your organization does not get off on the wrong foot with HHS by appearing unresponsive to initial inquiries!
How Does HIPAA Privacy/Security Interact with Identity Theft Issues?
Identity theft is currently the most prevalent financial crime in the United States and is becoming more common each day. The reputations of many businesses have been severely damaged over the past few years by thefts of individually identifiable information. We all recall the ChoicePoint fiasco, in which over 145,000 individuals' sensitive information was wrongfully obtained. Last year, the Department of Veterans Affairs reported that 26.5 million records were stolen, and it seems a daily occurrence that we hear of yet another security breach in which sensitive data has been stolen from prominent companies we trust to protect that data. Health data is an especially popular target among identity thieves, since it contains Social Security numbers along with other very marketable data.
Many covered entities are quickly discovering that when an identity thief strikes, not only is the covered entity the victim of a crime, but it may also have liability for the theft under HIPAA if adequate safeguards were not in place to prevent the incident! For example, computers stolen from Christus St. Joseph, a hospital in downtown Houston, resulted in the loss of over 16,000 files containing patients' medical records and Social Security numbers. An MD Anderson auditor's laptop containing 4,000 patient files was recently stolen. And the theft of a Humana employee's laptop, left in his car, resulted in the loss of 17,000 unencrypted patient files. The list goes on and on.
With the advent of camera phones, video phones and extremely small flash drives that commonly store at least one gigabyte of data, sensitive information held by your health plans can be stolen in a matter of seconds. Phishing and other social engineering tactics are unfortunately becoming commonplace as easy methods of obtaining sensitive medical data and Social Security numbers.
As mentioned earlier, a breach in security can have a disastrous impact on your organization. An effective HIPAA Privacy/Security program greatly bolsters your efforts to guard against identity theft and other types of theft or wrongful use of data. A well-run HIPAA program could potentially serve as a defense against a negligence action or any other type of suit for the failure to reasonably safeguard sensitive information resulting in identity theft. Additionally, your employees may be more motivated to pay close attention during HIPAA training if they know that they are also key players in guarding against identity theft attempts.
HIPAA Compliance Tips
Remember that HIPAA compliance efforts do not stop once you have a HIPAA compliance program in place. HIPAA is an ongoing process and requires constant diligence to prevent violations from occurring. It is important to conduct frequent audits of your HIPAA program and document your results to show to HHS upon audit or an investigation. Below are some tips for complying with HIPAA on a daily basis.
1) Continue HIPAA Privacy and Security Training Efforts
A covered entity’s greatest risk for civil and criminal penalties stems from its employees’ misuse of PHI. Ongoing training efforts are the best way to minimize the risk that your employees will wrongfully use or disclose PHI. Ongoing training programs also demonstrate a true commitment to safeguarding the privacy and security of individuals’ sensitive medical information. HHS will take this into account upon an audit or investigation. Additionally, HIPAA’s security rules require you to provide periodic training updates to your affected employees. Consider the following for your ongoing training efforts:
- Live Training – periodically providing your employees with live HIPAA training will allow difficult questions and issues to finally be answered;
- Email Reminders – short emails may address a specific aspect of HIPAA and are quick and easy to send to affected employees;
- Bulletin Board Reminders – posting a short reminder or a HIPAA tip on an employee bulletin board reinforces the importance of HIPAA;
- Short Lunch-Time Discussions – informal discussions over lunch not only allow your employees to discuss tricky HIPAA issues that have arisen but also allow for enriching the working relationships of your employees.
Always remember to document any type of HIPAA training that you provide to your employees!
2) Remind All Employees of the Importance of Reporting HIPAA Violations to the Privacy Officer and/or the Security Officer
You will recall that individuals who believe their privacy rights have been violated are not required to report the alleged violation to your privacy officer. An individual may go directly to HHS to report a HIPAA violation, bypassing your privacy officer. Obviously, it is not a welcome event to have HHS at your doorstep to investigate a complaint without any prior notice of a problem! Therefore, it is critical that your employees are aware of the need to report privacy and security events to your privacy or security officer, so that you have a chance to take care of any problem before it escalates into a governmental investigation. Also, make sure your employees know who the privacy officer and security officer are! This training can be incorporated into the training updates you provide to your employees.
3) Conduct a Walk-Through of Areas Where PHI is Stored
A great way to catch potential HIPAA violations early is to conduct a walk-through audit of areas containing PHI (such as your benefits office or accounting office) to observe whether PHI is properly safeguarded. Remember to document the date of the tour, your findings and any corrective measures you determined were necessary. Look for the following during the walk-through:
- Loud conversations involving PHI that could be overheard by an unauthorized individual;
- PHI left on unattended desks or other work areas that could be read by unauthorized individuals;
- Files containing PHI that are not secured after hours;
- Unattended computers containing PHI where the employee has neither logged off nor enabled a password-protected screen saver;
- Faxes containing PHI left in a general work area;
- Computer screens that are positioned in a way that could allow an unauthorized individual to view the contents of the screen; and
- Computer passwords visibly posted near a workstation.
4) Keep Good Records!
A repeated theme of HIPAA is the need to document your actions! Creation of a paper trail is not only required by HIPAA but also is critical to survive any potential audit or investigation by HHS. Here are some of the actions you should document:
- Revisions to your policies and procedures;
- HIPAA authorizations to use or disclose protected health information and any revocations thereof;
- Requests for individual access to protected health information, any accountings of disclosures, any individual restrictions on uses and disclosures, amendments made to PHI and all records related to such requests;
- Agreements with business associates governing the use or disclosure of protected health information, and records of actions taken to enforce business associates' compliance with those contract provisions;
- Notice of Privacy Practices and any changes made to this document;
- Instances in which PHI is de-identified;
- Records of disciplinary action taken against workforce members for violations of the privacy or security policies and procedures;
- Records of steps taken to mitigate violations of the privacy or security rule; and
- Complaints received from individuals and associated correspondence.