Perhaps we have adjusted our expectations. 2015 sent shockwaves through health plan sponsors and health care providers with massive data breaches, such as the one at Anthem Blue Cross Blue Shield, and the rise of ransomware attacks, such as the one that temporarily shut down the information systems at Hollywood Presbyterian Medical Center. 2016 brought a new government audit program that awakened many covered entities and business associates to the need to review their HIPAA compliance measures and their readiness to respond to an audit request.
2017 did not serve up seismic HIPAA events – it mostly provided a continuation of what we have seen in the past. This may be calming, but it still leaves plenty to be concerned about.
The HIPAA audit program continued through 2017, with the Office for Civil Rights (OCR) of the Department of Health and Human Services issuing an initial report of its audit findings citing widespread compliance gaps.
The news was particularly bad with regard to HIPAA’s security rules, where none of the 63 covered entities audited was found to be in full compliance with both the Risk Assessment and Risk Management requirements. The audited entities received ratings on a scale of 1 to 5, with a rating of 1 or 2 indicating that the entity was either fully or substantially in compliance with the selected audit control. None of the entities received the top compliance rating for the Risk Management control, and only three entities received a rating of 2 in this category. The remainder of the entities’ efforts to comply with the standard were deemed, at best, inadequate. Similarly, just 8 of the 63 entities received a rating of 1 or 2 for compliance with the Risk Assessment control.
The current phase of audits is scheduled to conclude with an intense, comprehensive on-site review of a small group of covered entities and business associates. The initial findings reported by OCR suggest that there will be more phases of audits to come.
OCR continued its stepped-up enforcement of HIPAA rules, announcing 10 settlements in 2017. The settlements revealed a variety of compliance problems, including:
- the failure to enter into a signed business associate agreement with a business associate;
- the failure to timely report a breach of unsecured protected health information; and
- the lack of a security management process to safeguard electronic protected health information.
Four of the settlements included financial payments in excess of $2 million, and one of those exceeded $5 million. While other settlements may have involved smaller payments, they all imposed substantial, ongoing compliance burdens under OCR oversight and substantial reputational harm.
None of these actions has grabbed the headlines like some of the news from prior years, but that, in and of itself, creates a risk of complacency at a time when the threats to the privacy and security of protected health information are greater than ever and government enforcement of HIPAA’s requirements continues at its highest level. Health care providers and health plans would be well advised to use this period of relative quiet to improve their compliance with HIPAA, their preparedness for a HIPAA audit, and, most importantly, the privacy and security of the information that they use and disclose.