After 10 years, HIPAA has bite

Still lacking in some areas, say privacy advocates
By Erin McCann
12:00 AM

Healthcare privacy and security 10 years ago was, according to many industry officials, nascent and altogether lacked any teeth.

In addition to poor enforcement activity, patient privacy advocates pointed to the 600,000 businesses and business associates that had the legal right to access patients’ medical data without consent.

“How can anything possibly be private with this type of loophole?” said Deborah Peel, MD, founder of Patient Privacy Rights and one of the earliest and most outspoken critics of HIPAA, when the initial rule was released.

Between 2003 and 2005, despite thousands of filed HIPAA violation complaints, only a single criminal action was taken by the Department of Health and Human Services’ Office for Civil Rights, according to a 2013 AHIMA report.

One of the biggest breaches recorded during that time period was at Providence Health System in 2005.

Unencrypted backup media and laptop computers at the health system went missing, according to reports. The devices contained protected health information, Social Security numbers and financial data for some 386,000 patients.

Years later, Providence Health System agreed to pay HHS $100,000 to settle alleged violations of HIPAA Privacy and Security Rules.

By early 2008, OCR drew even more criticism over its supposed lack of enforcement: more than 33,000 HIPAA violation complaints had been submitted to OCR by then, yet only 24 percent of those were actually investigated, and no monetary penalties were issued.

Even the Office of Inspector General found deficiencies in the Centers for Medicare and Medicaid Services and OCR’s enforcement activities, claiming they took “limited action to ensure that covered entities adequately implement the HIPAA Security Rule.”

Enter the 2009 Health Information Technology for Economic and Clinical Health Act, or HITECH, which privacy advocates said was far from perfect with regard to protecting patients’ health information, but which gave HIPAA a little more bite.

Now, covered entities could face up to $1.5 million per incident for gross HIPAA violations; breach notification requirements were beefed up, and HHS would now be required to conduct periodic audits on CEs.

These new controls gave OCR’s enforcement activity a little boost.

“After years of voluntary compliance and corrective action plans, OCR is imposing significant monetary penalties for HIPAA violations,” Marcy Wilder, health privacy attorney and director of Hogan Lovells’ privacy and information management practice, told AHIMA.

One example, from March 2013, involves Idaho State University’s Pocatello Family Medicine Clinic, where two years ago clinic officials notified the Department of Health and Human Services of a breach involving electronic protected health information for some 17,500 patients.

Following an investigation, OCR determined that the PHI of those 17,500 patients was left unsecured for 10 months because an ISU firewall had been disabled. Furthermore, the ISU clinic had failed to conduct a risk analysis of the confidentiality of its ePHI for more than five years. As a result, this May, ISU agreed to pay $400,000 to HHS to settle HIPAA breach allegations.

Then, months later in July, following an investigation stemming from a 2009 incident, OCR ordered managed care behemoth WellPoint to hand over $1.7 million after leaving the protected health information of 612,402 individuals accessible over the Internet.

According to the report, WellPoint had established no safeguards verifying the identity of any person or entity seeking access to the electronic protected health information, and it failed to perform a technical evaluation following an IT system software upgrade.

As for what the healthcare industry forks over annually for these breaches, it’s a pretty penny, say officials at the Ponemon Institute, who estimate the costs at nearly $7 billion per year. That's more money than the healthcare industry spends on cancer research annually.

What’s more, nearly half of all hospitals have seen more than five data breaches at their organization, compared with the 29 percent that had more than five data breaches in 2010.

Then, in September 2013, HIPAA privacy and security requirements got even tougher, say industry officials, after the release of the Omnibus Final Rule. Among the most significant changes in the final rule was that business associates were now directly accountable for violating specific privacy and security rules. Current OCR Director Leon Rodriguez said this should come as no surprise to industry officials.

“We have been clear for a very, very long time now with the business associates about the fact that they will become directly accountable under the regulations, that they should begin taking all the necessary steps to amend, if necessary, their policies and procedures and practices to come fully into compliance with these obligations,” he told Healthcare IT News back in August.

Some, however, still didn’t think the rule went far enough.

Patient Privacy Rights’ Deborah Peel, for instance, said the final rule proved deficient in one area, specifically.

Peel pointed to the provision covering patients who pay for services out of pocket, who can request that their health information not be shared with other groups. “HHS did not require segmentation technologies so that (patient health information) can be protected and selectively shared. Instead, the information should be ‘flagged’ so only the ‘minimum necessary’ information is disclosed,” she said to amednews.

For the most part, though, the final rule was seen as an improvement for patient privacy, far beyond what the landscape looked like 10 years ago.

“I would say for the most part, and certainly within the traditional covered entity community, I think this rule is very much welcome,” added Rodriguez.