An Expert's View of HIPAA
HIPAA: Those 5 little letters can cause sweaty palms for almost anyone in the health care sector. That probably stems from the fact that, although we all know about the Health Insurance Portability and Accountability Act, most of us do not understand it.
Many doctors do not understand just how financially serious a HIPAA violation can be. Can you explain the structure of the law regarding fines?
In addition to financial penalties, covered entities are required to adopt a corrective action plan to bring policies and procedures up to the standards demanded by HIPAA. The US Department of Health & Human Services (HHS) may assess civil penalties when it discovers a HIPAA violation, and each year HHS adjusts the penalty amounts for inflation. Here are the civil monetary penalty amounts for 2020. The penalty amount enforced by the Office for Civil Rights (OCR) depends on the facts involved. The 4 categories of the penalty structure are:
Tier 1: A violation that the covered entity was unaware of and could not realistically have avoided, had a reasonable amount of care been taken to abide by HIPAA rules—the penalty amount is between $119 and $59,522 for each violation;
Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA rules)—the penalty amount is between $11,912 and $59,522 for each violation;
Tier 3: A violation suffered as a direct result of willful neglect of HIPAA rules, for example, sharing protected health information (PHI) through office gossip, in cases where an attempt has been made to correct the violation—the penalty amount is between $11,904 and $59,522 for each violation; and
Tier 4: A violation of HIPAA rules constituting willful neglect, for example, an unauthorized release of information, where no attempt has been made to correct the violation—the amount is $59,522 per violation, with an annual cap of $1,785,651 for all violations of an identical requirement.
Should we expect the number of dental offices audited this year to increase?
Recent enforcement trends by HHS and OCR show that smaller practices and solo practitioners are coming under enforcement scrutiny by OCR.
One potential reason is that OCR focused on larger organizations that suffered breaches, because larger fines could be imposed. This would prompt other organizations to prioritize HIPAA compliance as an enterprise risk, meaning that it was a financial and reputational risk for the organizations. However, applying hefty fines to larger organizations has not had the punitive effect that OCR expected it to have in encouraging all entities, including smaller organizations, to prioritize HIPAA compliance.
HIPAA has been around for over 20 years, and the healthcare industry is still perplexed about what it takes to achieve compliance. This may be the result of HIPAA not being enforced uniformly across organizations. However, recent enforcement action by OCR shows that OCR is enforcing HIPAA requirements across all covered entity types, and not just focusing on larger organizations. This could be intended to trigger enforcement awareness across all types of organizations to protect the security of patients' data. Dental practices are covered entities, and considering recent OCR enforcement action against smaller organizations, they should be vigilant about complying with HIPAA.
Has there been a lessening of HIPAA rules because of COVID-19?
No. At the onset of the pandemic, OCR issued notifications of enforcement discretion, because the United States declared the pandemic a public health emergency. The notifications of enforcement discretion should be narrowly applied, because they were issued to enable covered entities and their business associates to continue their treatment and health care operation efforts during this public health emergency.
What are the top items that dental offices are not addressing as far as HIPAA regulations?
The top issues that dental offices are not addressing under HIPAA are:
Not implementing a security management process, including performing a comprehensive and/or enterprise-wide HIPAA risk analysis and having a risk management plan;
Not having access or identity management access controls to ensure that only those employees who need access to PHI for their responsibilities have access, especially for their electronic health or medical records systems;
Not having processes for ongoing monitoring and auditing of these electronic health records/electronic medical record systems;
Not having technical controls for their desktops, laptops, and mobile devices, including encryption and password management processes;
Not having policies and processes for individuals to exercise their rights to their data, and especially the right of access; and
Vendor management (i.e., not ensuring that they have subcontractor business associate agreements [BAAs] with their vendors, or not ensuring that vendors are reporting their privacy and security incidents).
What advice would you give for a dental office to be compliant with HIPAA?
HIPAA compliance is an ongoing activity that takes money, time, and resources, but the benefits of complying with HIPAA outweigh the risks. The initial steps in achieving HIPAA compliance are: performing the risk analysis/risk assessment; conducting an inventory of third parties contracted to perform health care operations and of the data and e-PHI they receive, create, maintain, or transmit; making sure that the dental office has BAAs with its vendors or third parties, as well as reviewing those third parties' agreements with their own subcontractors for subcontractor BAAs; and ensuring that the dental practice develops and implements appropriate policies and procedures relating to minimum necessary requests, uses, disclosures, and transfers of PHI, verification, permitted uses and disclosures, and individual rights.