In the recent HIPAA conference organized by the Office for Civil Rights (OCR) and National Institute of Standards and Technology (NIST), OCR Director Roger Severino and Serena Mosley-Day, Senior Advisor Compliance and Enforcement for OCR, both talked about the focus of OCR and enforcement actions taken over the past few months.
Future billing is PHI
One of the first items of concern that Director Severino highlighted was Surprise Billing, where he referred to high unexpected costs presented to patients without giving them any advance notice of what that cost is likely to be. He said that future billing information is considered Protected Health Information (PHI) and patients have the right to know what their expected out-of-pocket costs will be for items or services before they receive care. Just like a bank provides a good faith estimate to a real estate buyer prior to closing on the transaction, covered entities should also be responsible for providing accurate estimates to patients for health care.
Patient’s Right of Access
Director Severino indicated that OCR has recently placed focus on patient’s right of access to information, because they have seen that there is significant deficiency in this area. Per HIPAA, patients have the right to request any or all of their health information and providers must give them the information requested within 30 days and may charge a reasonable fee to do so.
As recently as September 2019, the first enforcement action on patient right of access was settled with Bayfront Health St. Petersburg. In 2017, a mother had requested fetal records of her unborn child, and was denied these records. She went on to hire an attorney and eventually, after about 14 months, received the full records she had asked for. OCR investigated this and levied a penalty of $85,000. This shows that the number of patients impacted for right of access is not a driving factor for enforcement. Even a single patient’s complaint is taken seriously enough by OCR.
Hacking/ IT Incidents
The future focus of OCR will most likely be on hacking and IT security breaches. Over the last years, hacking/IT incidents have grown to become 61% of the total number of breaches. Of breaches affecting 500 or more individuals, the number of hacking/IT incidents has increased from 39 reported in 2014 to 149 reported in 2018. Email and network server issues contribute to about 65% of breaches, and this number has also increased significantly over the years. They have seen the number of breaches increase due to email phishing attacks as well as network server hacks. It is likely that we will continue to see more healthcare data breaches due to compromise of email and network servers.
Cybersecurity concerns and trends
Director Severino and Serena Mosley-Day highlighted some cybersecurity concerns and trends that OCR has seen in the recent past, and has urged providers to take these concerns seriously in their own healthcare entities. The issues they highlighted at the conference were:
- Ransomware – OCR assumes a breach in the case of a ransomware attack. Be sure to follow breach notification protocol any time you experience a ransomware attack.
- Phishing attacks – Phishing attacks have become much more sophisticated, therefore be sure to conduct regular phishing tests on your employees in addition to training them.
- Remote Desktop Protocol Vulnerabilities – be sure to apply manufacturer-issued patches as soon as possible.
- Weak authentication – they continue to see problems such as single factor authentication and poor password rules.
- Access controls – there have been recent investigations where they found that covered entities have not enforced proper access control for current employees and those who have left the workforce. Shared passwords are a no-no - a huge effort will be needed to change passwords every time an employee leaves the department or the company. Director Severino highlighted that there is a huge technical component to access control, but if you don’t have the human side covered, then you are at tremendous risk.
Recurring compliance issues
Some recurring compliance issues that OCR has seen in their recent investigations are:
- Right of Access not honored
- Lack of Business Associate Agreements
- Failure to conduct a comprehensive Risk Analysis
- Impermissible Disclosures
- Failure to manage identified risk, e.g. encryption, lack of transmission security
- Lack of appropriate auditing
- Insider threats
As a covered entity or business associate under HIPAA, do pay heed to these recurring compliance issues and ensure that your entity is taking the necessary steps and following the needed administrative, technical and physical safeguards listed in the HIPAA Security Rule.