HIPAA Compliance and the High Stakes of Securing Patient Data

Earlier this month, Facebook CEO and founder Mark Zuckerberg was grilled in back-to-back congressional hearings about whether his company is doing enough to protect its users’ data. For many, the hearings—and the data disclosures that prompted them—were an eye-opening event, bringing to the forefront the dangers of data insecurity. In the health care world, data security has long been a top-of-mind issue. But instead of congressional hearings, administrative scrutiny occurs in a different form: the audit.

Indeed, while Congress debates what, if any, regulation is needed to protect users’ privacy on social media, health care providers have lived under the Health Insurance Portability and Accountability Act (HIPAA) for more than 2 decades, and the Health Information Technology for Economic and Clinical Health (HITECH) Act for nearly a decade. The latter of the 2 authorized the US Department of Health and Human Services’ Office of Civil Rights (OCR) to conduct audits to ensure compliance with health privacy regulations.

Rachel V Rose, a Houston-based attorney whose practice focuses on health care and corporate law, said there are generally 2 pathways to a HIPAA audit: a complaint by a consumer, or a random audit as part of OCR’s audit program. The vast majority of audits happen as a result of patient complaints. Since 2003, nearly 26,000 investigations sparked by patient complaint have led to corrective actions. Meanwhile, the second phase of OCR’s random audit program started in 2016 and results were released last year. The random program included 166 audits.

Rose said health care organizations must think ahead in order to avoid HIPAA violations. “While an OCR Pilot Program Audit cannot be avoided if one's name comes up from the random sample, an organization can avoid adverse audit findings,” she told MD Magazine. “Being proactive is crucial and the best way to avoid fines is through compliance.”

When she advises clients, Rose asks them these questions: Are you undergoing annual risk assessments by third parties? Do you have an adequate Business Associate Agreement in place with all required entities? Do you have annual trainings and are their policies and procedures adequate? Is your data encrypted, both at rest and in transit? Do you have current HIPAA releases signed and kept inpatient medical records?

According to Health Information Privacy/Security Alert, an industry newsletter that tracks enforcement, the most commonly investigated areas were impermissible use of patient data, lack of data security safeguards, lack of patient access to data, lack of administrative safeguards, and excessive use (more than the minimum necessary) of patient data. Private practices were at the top of the list of provider types required to take corrective action, followed by general hospitals.

When an audit happens, the practice itself isn’t the only entity that could go under the microscope. Rose noted that vendors of the practice could also be subject to the audit. That’s why she is careful to ensure practices have solid Business Associate Agreements.

An Ounce of Prevention

“Once an entity is selected, as part of the audit, it is asked to list the covered entities and business associates with whom it has a contractual relationship,” she said. “This can lead to other entities being audited.”Jen Stone, a security analyst at HIPAA consultancy SecurityMetrics, said vigilance is required because HIPAA compliance isn’t always black or white. “[HHS’s published audit information] is fairly comprehensive but it is regulation-based, not standards-based. This means that a lot of the regulation is up for interpretation,” she said. “One word of caution—too many organizations believe that the inherent vagueness of the HIPAA audit protocol means they can do less, accept the risk, etc. It doesn’t mean that at all.”

Stone said practices need to work closely with security professionals who can ensure the practice’s procedures and systems meet standards that comply with the regulations. She said outside help is often necessary due to the highly technical nature of systems that store and transmit protected health information (PHI). “While many practices can implement physical security procedures, digital security is a widely comprehensive topic that generally requires the assistance of a third party,” she said.

The first step is cataloging all of the places PHI can be found and then determining the best security measures for each, Stone said. “Then you need professionals who know how to put those standards in place,” she added. “For example—how are the firewalls supposed to be configured? What are the right patching protocols? What other kinds of security controls do I need to put in place (intrusion detection, file integrity monitoring, data leakage prevention, malware prevention, access control systems)?”

Of course, even when an organization does everything right, that doesn’t shield it from the possibility of an audit. However, Rose said in some particular instances “doing everything right” can help. “HIPAA has ‘safe harbors’ meaning that as long as all of the Standard, Required and Addressable items in the [Code of Federal Regulations] are met and companies have done everything possible, then there may be the ability to avoid a fine or adverse actions,” she said.

Protecting Patients

But Rose warned that safe harbors aren’t applicable in every scenario. “This provision must be read in conjunction with the penalty provisions,” she said. “If an employee or independent contractor acts willfully and knowingly, then the safe harbor may be off the table, at least for the individual.”With all of the focus on rules, compliance and penalties, Rose said the goals of HIPAA ought to be shared by patients and practices alike. “The laws were enacted to protect the physician-patient relationship and to ensure that a patient's medical records were not disposed of or released improperly,” she said. “Who does not want that?”

Robert Gellman, a privacy and information policy consultant who wrote the “Patient’s Guide to HIPAA” for the World Policy Forum, agrees. He said while HIPAA isn’t a favorite buzzword around the health care industry, some of its “red tape” reputation is undeserved.

“There is also evidence that some difficulties arise because some health care providers impose their own policies that are stricter than HIPAA,” he said. “When this happens, HIPAA is blamed when HIPAA is not at fault. I'm not arguing that HIPAA is perfect, but it did get a lot of the basics of patient/system interaction right.”

Still, HIPAA has important shortcomings, Gellman said—a lot of them. One area of concern, he said, has to do with how patients’ PHI is accessed by third parties. He noted that national security provisions of the privacy regulations allow for law enforcement to access a patient’s health information without a warrant and without even a written request. Moreover, when disclosures of patient health data are made, the patient doesn’t always have an easy way to find out.

“With modern computer systems, all uses and disclosures can be readily tracked and often are tracked,” he said. “But the rule allows only limited access to accounting records by patients. Similarly, rights of access and correction to basic health records are not as broad as they should be.”

Gellman said other facets of the law aren’t robust enough to be meaningful. “You have the right to request restrictions on uses and disclosures, but the right is so weak as to be meaningless,” he said. “You can also control some disclosures if you pay out of pocket, but the health care system is so convoluted that it is almost impossible to exercise this right effectively.”

One of the biggest problems, as Gellman sees it, isn’t about what is covered by HIPAA, but rather about who. Or, more precisely, who is not covered by it. Gyms and fitness clubs, nutritional counselors, alternative medicine practitioners, online search engines, and a host of other entities that may at some point have access to patient health information are not required to comply with HIPAA, Gellman said

One exemption strikes him as particularly egregious. “I think it is terrible that HHS wrote the HIPAA rule so that NIH is not covered by it,” he said. “This point illustrates the conflict of interest that HHS has, writing a rule that affects many HHS components and operations.”

Levying Penalties

Gellman noted that the All of Us Research Program, an effort to compile a database of health data from at least 1 million Americans, is not covered by HIPAA, nor by the Privacy Act of 1974, meaning that “the records that NIH collects have no statutory privacy protections.”If HIPAA is a headache for health care providers, the worst fear of many is a heavy fine. However, OCR most often resolves HIPAA violations with corrective action. Only 53 entities have been assessed monetary penalties, totaling $75 million in fines, Rose said. Whether a fine is levied, and how much it will cost often varies. “Sometimes OCR fines entities to make a policy statement and other times, it is the egregiousness and the length of time or the severity of the breach that is considered,” she said.

Of course, even if a health care organization isn’t given a monetary penalty, the costs of a data breach can still range in the hundreds of thousands of dollars. Stone pointed to an analysis by her consultancy, which noted that internal investigations and fixes, notifications to government agencies and patients, legal fees, and compensation such as credit monitoring for affected patients, mean that a data breach is a costly endeavor regardless of any fine imposed by OCR.

Going forward, Stone said it’s not yet known whether OCR will resume random audits. “They haven’t announced plans for further random audits, but that doesn’t mean there won’t be any,” she said. “Because it’s a government program, the focus on random audits could change if our government’s approach to protecting private health information changes. Audits take time and money, so funding plays a role in this.”

Regardless of the future of random audits, the issue of health care data privacy will remain a major part of any health care organization’s business operations. Rose said health data is big business on the black market, so there’s a high incentive to compromise the data security systems of health care providers. Health care organizations have no choice but to step up.

“Technology is part of life and cybersecurity carries costs with it,” Rose said.