At the recent HIPAA conference organized by the Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST), OCR Director Roger Severino and Serena Mosley-Day, Senior Advisor for Compliance and Enforcement at OCR, both spoke about OCR's current areas of focus and the enforcement actions taken over the past few months.
One of the first items of concern that Director Severino highlighted was Surprise Billing, where he referred to high unexpected costs presented to patients without giving them any advance notice of what that cost is likely to be. He said that future billing information is considered Protected Health Information (PHI) and patients have the right to know what their expected out-of-pocket costs will be for items or services before they receive care. Just like a bank provides a good faith estimate to a real estate buyer prior to closing on the transaction, covered entities should also be responsible for providing accurate estimates to patients for health care.
Director Severino indicated that OCR has recently placed its focus on patients' right of access to their information, because OCR has seen significant deficiencies in this area. Under HIPAA, patients have the right to request any or all of their health information; providers must give them the requested information within 30 days and may charge a reasonable fee to do so.
As recently as September 2019, the first enforcement action on patients' right of access was settled with Bayfront Health St. Petersburg. In 2017, a mother had requested the fetal records of her unborn child and was denied them. She went on to hire an attorney and eventually, after about 14 months, received the full records she had asked for. OCR investigated and levied a penalty of $85,000. This shows that the number of patients affected is not the driving factor in right-of-access enforcement: even a single patient's complaint is taken seriously by OCR.
OCR's future focus will most likely be on hacking and IT security breaches. Over the last few years, hacking/IT incidents have grown to 61% of the total number of breaches. Among breaches affecting 500 or more individuals, the number of hacking/IT incidents increased from 39 reported in 2014 to 149 reported in 2018. Email and network server issues account for about 65% of breaches, and that share has also risen significantly over the years. OCR has seen the number of breaches grow due to both email phishing attacks and network server hacks, and it is likely that healthcare data breaches resulting from compromised email and network servers will continue to increase.
Director Severino and Serena Mosley-Day highlighted some cybersecurity concerns and trends that OCR has seen in the recent past, and urged providers to take these concerns seriously in their own healthcare entities. The issues they highlighted at the conference were:
Some recurring compliance issues that OCR has seen in their recent investigations are:
As a covered entity or business associate under HIPAA, pay heed to these recurring compliance issues and ensure that your entity is taking the necessary steps and applying the administrative, technical and physical safeguards required by the HIPAA Security Rule.