2014 HIPAA roundup & year end review
There has been no shortage of HIPAA-related controversy this year, so with 2015 just around the corner, we thought we’d round up the news highlights from the past 12 months.
Increase in complaints
The number of HIPAA violation complaints received by the Department of Health and Human Services continued to increase during 2014.
By May 2014, complaints were already up by 45.7% compared to the number received during May 2013, equating to an increase of over 2,100 complaints year on year.
Reasons cited for the increase in HIPAA violation complaints include better consumer awareness, the rise of the home health care industry, and the growing use of portable devices by healthcare professionals.
HIPAA violations
Alongside the rise in HIPAA complaints, HIPAA violations were also reported to be on the rise throughout 2014, with some significant breaches reported and a record-breaking $4.8 million HIPAA settlement resulting from a joint breach involving New York-Presbyterian Hospital and Columbia University.
During 2014, nearly 150 breaches involving 500 or more individuals were published on the HHS.gov website, with the largest affecting a staggering 4,500,000 individuals.
The majority of breaches that have occurred throughout 2014 are due to theft, highlighting the need to ensure all devices are encrypted. In fact, one of the most significant fines this year was the result of an unencrypted laptop being stolen.
Notable fines for HIPAA violations this year include those for the joint breach at New York-Presbyterian Hospital (fined $3.3 million) and Columbia University (fined $1.5 million), and for Concentra (fined $1.725 million).
5-year Health IT Plan
Federal regulators have issued a 5-year health IT plan to tackle a number of issues across the industry.
The five main goals of the new federal strategic plan include:
- expanding adoption of health IT
- advancing secure and interoperable health information exchange
- strengthening healthcare delivery
- advancing the health and well-being of individuals and communities
- advancing research, scientific knowledge and innovation
Goal 2 in the plan – “Advance Secure and Interoperable Health Information” – focuses on making improvements to protect the privacy and security of health information.
In the next 3 years, the objective is to improve education and training, and to push compliance when managing electronic health information.
To achieve this, part of the strategy will focus on advancing technical and electronic methods to accurately identify, proof, match, and authenticate information across data sources. The development and implementation of policies, practices, and education that protect health information from breach will be supported, while addressing cybersecurity risks and developing technologies.
The second part of this strategy is to continue development, administration, and enforcement of federal privacy and security regulations and standards for HIPAA-covered entities and business associates, and to continue enforcement of applicable federal privacy and security requirements for entities not covered by HIPAA.
Phase 2 HIPAA audits delayed
Phase 2 HIPAA audits were expected to commence in the fall of 2014; however, they have now been delayed until some time in 2015 due to slow web portal development.
The pre-audit survey has now been delayed until OCR can receive information submitted by entities via the new web portal. There is still no date confirmed for when the pre-audit is expected to start.
While OCR initially stated that more desk audits would be completed, the new web portal will allow them to streamline the process and save time when analysis of the data begins. On-site desk audits are still likely, but the submission of information via the web portal will enable OCR to conduct this phase of the audit far more efficiently.
Ebola privacy guidelines reminder
The Ebola outbreak in West Africa was first reported back in March 2014, and has rapidly become the deadliest occurrence of the disease since its discovery in 1976.
The current epidemic sweeping across the region has now killed more than all other known Ebola outbreaks combined, with over 15,000 reported cases.
HIPAA came under scrutiny following the Ebola pandemic, as the challenge to protect an individual’s PHI while also protecting the safety of other patients and the wider community resulted in confusion over what can and cannot be disclosed.
Federal regulators released a special bulletin reminding covered entities and business associates about the sharing of patient information during a crisis or emergency situation. The full bulletin, released in November, can be found on the HHS website.
OCR stated: “The HIPAA Privacy Rule protects the privacy of patients’ health information but is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes.”