Healthcare employers that have been resting on their laurels and viewing their HIPAA (Health Insurance Portability and Accountability Act of 1996) and HITECH (Health Information Technology for Economic and Clinical Health Act) compliance efforts through rose-colored glasses should clean those glasses now and prepare for increased enforcement by the Office for Civil Rights (“OCR”). Speaking at the recent National HIPAA Summit, OCR Director Leon Rodriguez announced that the OCR intends to follow the Office of Inspector General’s (“OIG”) vigilant enforcement model for HIPAA violations. The OCR intends to focus its enforcement efforts on both “common-sense” patient confidentiality violations and breach violations. In addition, the OCR continues to work on its audits of covered entities.

First OCR HITECH Breach Settlement

Making history as the OCR’s first settlement for a HITECH Breach Notification Rule violation, Blue Cross Blue Shield (BCBS) of Tennessee recently settled with the OCR for approximately $1.5 million. BCBS had reported that 57 unencrypted hard drives containing protected health information (PHI) were stolen from a leased facility. The ground-breaking settlement illustrates the OCR’s increased focus on penalizing non-compliant healthcare entities. Further, it indicates the OCR has worked the kinks out of its HITECH breach investigation process and is not afraid to levy hefty fines on healthcare organizations it deems sub-par in their patient privacy and security compliance efforts.

Fines Levied Only a Small Fraction of HIPAA Violation Cost

BCBS reportedly spent about $18.5 million investigating and responding to the breach. Besides the obvious cost of managing its response to the government’s investigation, this hefty price tag included paying for the following:

  • notifying affected patients that their information had been compromised;
  • hiring a data recovery specialist to analyze the extent of the breach;
  • reviewing and improving the organization’s overall HIPAA compliance; and
  • approximately 500 BCBS employees to assist with the investigation.

Phoenix Physician Group Targeted Through Settlement

In addition, last month, Phoenix Cardiac Surgery, a physician group, reached a $100,000 settlement with the OCR for failure to properly safeguard its patient information. The investigation began with a complaint that the group was posting its patients’ appointments on a publicly accessible Internet-based calendar. Through its extensive investigation, the OCR found a general failure by the physician group to safeguard its PHI: the group had few written policies and few other safeguards in place.

Many physicians and physician groups have long believed they are immune from government scrutiny of their general compliance, including patient confidentiality. The recent settlements should prompt physicians and their groups, along with other healthcare entities, to embrace the applicable regulatory requirements and better safeguard protected health information before it is too late.

What Employers Need to Know to Avoid Becoming HIPAA Violation Targets

Both the OCR’s recent enforcement announcement and its settlements serve as wake-up calls to healthcare employers: complacency about patient privacy and security compliance is no longer an option. Increased government scrutiny is certainly here to stay. To avoid becoming a target on the OCR’s investigative radar, healthcare facilities and companies should adopt the following practices:

  • routinely review their privacy and security policies to evaluate whether PHI is adequately protected under the letter of both state and federal laws and regulations;
  • train staff and other healthcare providers annually on these requirements; and
  • perform routine risk assessments to identify any potential gaps in their HIPAA-related compliance.

By adopting these focused compliance efforts, a healthcare entity will not necessarily escape the OCR’s probing gaze, but it will reduce the likelihood that a violation is found and lessen the monetary damage if non-compliance is detected.