Skip to Main Content
Services Talent Knowledge
Site Search
Menu

Alert

Our attorneys stay on top of changes in legislation, agency regulations, case law, and industry trends—then craft timely legal alerts to keep clients up to date on legal developments important to their business.

August 3, 2011

HIPAA Update

A series of recent events should remind all health care providers of the importance of reinvigorating their HIPAA compliance programs. Many providers would admit that since the implementation of the privacy rules in 2003 and security rules in 2005, the focus on HIPAA has lessened. After years of virtually no penalties being levied under the rules, regulators have started to step up enforcement with significant penalties and increased prosecutions, at a time when the rules are evolving because of changes made under the American Recovery and Reinvestment Act of 2009. This Alert provides an update on developments regarding the HIPAA privacy and security rules.

Criticism of the Enforcement of Security Regulations

A report of the United States Department of Health and Human Services Office of the Inspector General (OIG) accused the United States Department of Health and Human Services Office of Civil Rights (OCR) and its predecessor the Centers for Medicare and Medicaid Services (CMS) for a lack of rigor in enforcing the security regulations. In July 2009, OCR took over as the enforcer of the HIPAA security rules from CMS. At the time, CMS had failed to levy a single penalty against a violator of the security rules. It had also not audited a provider, although it had the power to do so. The OIG took it upon itself to perform its own security audits of hospitals in seven states. The OIG identified 151 vulnerabilities in systems and controls intended to protect electronic health information, 124 of which were categorized "high impact." Among the issues found by the OIG were:

  • Inadequate Password Settings 
  • Computers That Did Not Log Users Off After Inactivity 
  • Unencrypted Laptops 
  • Outdated Anti-Virus Software 
  • Uninstalled Critical Patches 
  • Operating Systems No Longer Supported By Manufacturer 
  • Unreviewed Audit Logs 
  • Inappropriate Sharing of Administrator Accounts 
  • Unchanged Default User Identification and Passwords 
  • Lack of E-mail Encryption 
  • Unsecured Data Center Access 
  • No Computer Equipment Inventory List so Electronic PHI Could Not Be Tracked 
  • No Written Plan for Media Disposal 
  • No Password Protection for Computers on Portable Carts 
  • Unencrypted Backup Tapes 
  • Incomplete or No Risk Analysis 
  • Delayed Termination of Employee Network Access 
  • Incomplete Disaster Recovery Plans and Contingency Plans 
  • Unsafe Backup Tape Storage 
  • Unrestricted Internet Access

Training of State Attorneys General on HIPAA Enforcement

The American Recovery and Reinvestment Act of 2009 gave State Attorneys General the ability to enforce the HIPAA regulations. OCR held four training sessions across the country and paid for two individuals from the Attorney General's Office of each state to attend. OCR also intends to have web-based training. State Attorneys General are expected to be more aggressive with enforcement, as the aggrieved parties will be citizens of their state in most instances. In addition, Breach Notification Laws mandate the reporting of breaches in certain cases, making it easy for regulators to know where investigations should best take place.

Penalties Lodged Against Providers

OCR imposed a $4.3 million fine on a medical group in Maryland and came to a $1 million dollar settlement with a Massachusetts hospital. The $4.3 million fine was related to a failure to release medical records to patients and a refusal to cooperate with OCR's investigation. The settlement came in response to an employee leaving documents on a train and included an extensive, three-year corrective action plan.

Proposed Changes to the Right to Accounting Rules

Proposed changes to HIPAA's accounting of disclosure rules have been released. While it is uncertain what the final rules will include, most agree that these changes will require providers and other covered entities to carefully review their electronic records systems to ensure the capability to comply with the rules when they become final and effective. The proposed rule scales back the number of years for which an accounting must be provided (from six years to three years), scales back the number of days available to respond to a request (from 60 days to 30 days), and introduces the concept of a request for an "access report." An access report is a report that indicates who has accessed electronic protected health information about an individual.

Conclusion

Providers and other covered entities, as well as their Business Associates, should ensure that they have adequate HIPAA compliance programs in place that adequately address risk areas. Hiscock & Barclay, LLP has experience in assisting providers with HIPAA compliance and other privacy-related efforts, including the provision of training, and with responding to regulatory reviews and investigations.

Should you need assistance in these matters, in the development or update of a HIPAA compliance program, or in understanding any changes to the HIPAA rules, please contact Melissa M. Zambri, Partner in the Firm's Health Care and Human Services Practice Area at (518) 429-4229 or at mzambri@hblaw.com.

Subscribe

Click here to sign up for alerts, blog posts, and firm news.

Subscribe

Sign up to receive our latest news

Practice Areas

Featured Industries

New & Emerging Industry Practice Areas

Other

Featured Media

Alerts

Sweeping Anti-Sexual Harassment Bill Signed Into Law

Alerts

Forum Selection Clauses in IP Licensing: New Impact on IP

Alerts

NYS Court of Appeals Issues Decision on Out-of-State Risk Retention Groups

This site uses cookies to give you the best experience possible on our site and in some cases direct advertisements to you based upon your use of our site.

By clicking [I agree], you are agreeing to our use of cookies. For information on what cookies we use and how to manage our use of cookies, please visit our Privacy Statement.

I AgreeOpt-Out