Publication

OCR Reports On Continuing Complaint Issues

Richard P. Kusserow | July 2017

At the 2017 HCCA Compliance Institute, OCR reported that it is expecting about 17,000 HIPAA complaints this year. To date, OCR has received over 150,000 HIPAA complaints that led to 25,000 cases having been resolved, either with corrective action steps and/or technical assistance. OCR reported settlement results are based on due diligence and the events leading up to breach.  As such, dollar amounts can vary on several factors, but on average settlements start at $50,000 per infraction and go up from there. The amount of the infraction is influenced by multiple factors, including: size of organization, level of negligence leading up to the breach, and how the organization reacted after the breach was discovered.

Breach Sources

  •  Paper/Film
30%
  • Network Server
16%
  • Portable Electronic Devices & Laptops
24%
  • Desktop Computers
11%
  • Email
9%
  • Other
10%

 

Continuing Enforcement Issues

OCR reported on the major areas where it found violations. It also called on the provider community to benefit from lessons learned through audits and investigations to safeguard against HIPAA violations or penalties, particularly with regard to the following:

  1. Privacy and Security Risk Analysis. OCR has found that organizations underestimate the proliferation of ePHI within their environments. Many providers either fail to conduct a security risk analysis of their environment, or conduct reviews that are incomplete or inaccurate. Conducting reviews that identify all potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI is a regulatory requirement. This includes identifying all risk of ePHI created, maintained, received or transmitted by the organization. It is important to ensure that all potential locations of ePHI are included in the Risk Analysis, including: (a) EHR; (b) billing systems; (c) documents and spreadsheets; (d) database systems and web servers; (e) fax servers; (f) backup servers; (g) cloud-based servers; (h) medical devices messaging apps, such as email, texting, and FTP; and (i) media.
  2. Identified Risk Remediation. Failure to act in a timely manner to address identified risks continues to be a problem area. Regulatory requirements mandate implementation of security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. OCR continues to find instances of breaches where a risk analysis had previously identified the potential for a reportable breach, but steps to remediate the risk were not acted upon properly. In some cases, encryption was included as part of the remediation plan, but was not implemented within a reasonable timeframe.
  3. Business Associate Agreements (BAAs). Absence of BAAs continues to be an enforcement area for OCR, with many healthcare organizations being sloppy about determining which entities are business associates. OCR provided common examples of parties not recognized as business associates, including (a) a collection agency providing debt collections services to a health care provider, which involves access to PHI; (b) an independent medical transcriptionist providing transcription services to a physician; and (c) a subcontractor providing remote backup services of PHI data for an IT contractor of a health care provider.
  4. Absence of ongoing auditing. It is necessary to verify appropriate policies and procedures are in place and being followed to protect ePHI. In addition, the regulations call for periodic review of information system activity records, such as auditing logs, access reports, and security incident tracking reports. This concept tracks to OIG compliance guidance that calls for ongoing monitoring by all program managers, followed by ongoing auditing conducted by external parties to verify that monitoring of risks is taking place, and validating that it is achieving desired outcomes.
  5. Patching of Software. The use of un-patched or un-supported software on systems which access ePHI is a significant risk area that OCR often encounters in audits and investigations. This area warrants more attention than many healthcare entities are currently giving it.
  6. Insider threat. Regulations call for policies and procedures ensuring that members of the workforce have appropriate access to ePHI; and preventing those who do not have access to ePHI from obtaining it. Screening procedures, including background and OIG LEIE checks, should be part of the on-boarding process.
  7. Disposal of PHI. There must be policies and procedures implemented to ensure proper and secure disposal of PHI when no longer needed. This includes ensuring that electronic media have been cleared, purged, or destroyed so that contents cannot be retrieved. Electronic devices should be disposed of in a timely manner to avoid accidental or improper disposal.

About the Author

Richard P. Kusserow established Strategic Management Services, LLC, after retiring from being the DHHS Inspector General, and has assisted over 2,000 health care organizations and entities in developing, implementing and assessing compliance programs.