There is growing demand for more accountability and penalties for noncompliance with the Health Insurance Portability and Accountability Act (HIPAA), as well as for data breaches involving protected health information (PHI).
More providers enforcing policies
In the past year, there have been numerous reports about HIPAA covered entities (CEs) applying their own organizational sanctions against personnel who violate their information security and privacy policies in ways that also violate the HIPAA requirements. This is good; policies are not effective if they are not enforced and sanctions are not consistently applied.
For example, consider the Catskill Regional Medical Center in Harris, N.Y., which apparently takes the HIPAA requirements seriously and put controls in place to catch employees who are looking through patient files when they have no job need to do so.
In February, an employee was fired for looking through 431 files of patients whom she knew or with whom she worked. Some good security practices were likely in place to be able to catch this employee:
- The employee was caught as a result of an audit. This means there were access logs of some type(s) in place to document whenever someone accessed patient files. Does your organization log whenever someone accesses the personally identifiable information (PII) within your
- The snooped-upon patients were notified. Not only is this a good breach response practice, but it's also required by at least 46 U.S. data breach notification laws.
- The hospital actively enforced the sanctions for noncompliance with its own internal policies as well as with federal laws. Does your organization consistently enforce sanctions for policy and
- The hospital likely had ongoing awareness communications and regular training in place to be able to fire the employee. Do you have effective training in place?
This is also a good example of the insider threat. In this case, it was reported that the motivation for the person to snoop was merely curiosity; she had access so she took advantage of that access, even though she had no business need to look at the records. Do you wonder how many of the physical, hard-copy records she snooped through, too? It's harder to log access to papers as opposed to digital files.
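The audit described above (access logs reviewed against who actually had a job need to open each record, then the affected patients identified for notification) can be illustrated in code. The following is an added example, not code from the article or from the hospital it describes; the log format, the user and patient identifiers, the assignment table and the threshold are all constructed here as assumptions.

```python
"""Audit PHI access logs for users opening records of patients they are not
assigned to, and list the patients affected for breach notification.
Added example; the log format, names and assignment table are constructed."""
from collections import defaultdict

# Constructed sample access log: timestamp, user, patient_id, action.
ACCESS_LOG = """\
2009-02-03T08:12:00 nurse_a P1001 VIEW
2009-02-03T08:15:00 nurse_a P1002 VIEW
2009-02-03T08:20:00 nurse_a P1003 VIEW
2009-02-03T08:21:00 nurse_b P1002 VIEW
2009-02-03T09:01:00 nurse_a P1004 VIEW
2009-02-03T09:02:00 nurse_a P1005 VIEW
2009-02-03T09:30:00 nurse_b P1001 VIEW
"""

# Constructed treatment-relationship table: the patients each user is
# assigned to and therefore has a job need to access.
ASSIGNMENTS = {
    "nurse_a": {"P1001", "P1002"},
    "nurse_b": {"P1001", "P1002"},
}


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        events.append({"ts": ts, "user": user, "patient": patient, "action": action})
    return events


def unassigned_accesses(events, assignments):
    """Map each user to the sorted list of distinct patient records they
    accessed without an assignment (no documented job need)."""
    flagged = defaultdict(set)
    for e in events:
        if e["patient"] not in assignments.get(e["user"], set()):
            flagged[e["user"]].add(e["patient"])
    return {user: sorted(patients) for user, patients in flagged.items()}


def snooping_suspects(events, assignments, threshold=3):
    """Users whose count of distinct unassigned records meets the threshold.
    The threshold separates an occasional mis-click from a browsing pattern."""
    flagged = unassigned_accesses(events, assignments)
    return sorted(u for u, p in flagged.items() if len(p) >= threshold)


def patients_to_notify(events, assignments, user):
    """Distinct patients whose records a given user accessed without
    assignment; this is the notification list for that user's snooping."""
    return unassigned_accesses(events, assignments).get(user, [])


if __name__ == "__main__":
    events = parse_log(ACCESS_LOG)
    for user in snooping_suspects(events, ASSIGNMENTS):
        print(user, "accessed without assignment:",
              ", ".join(patients_to_notify(events, ASSIGNMENTS, user)))
```

The check is only as good as the assignment data: the log records that a record was opened, but the treatment-relationship table is what turns an access into an unauthorized one, so that table has to be maintained with the same care as the log itself.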
More HIPAA HHS audits resulting in more sanctions
There is also much more push from the government for more active HIPAA enforcement to help reduce PHI breaches. This was made crystal clear on Feb. 18, when, as part of the U.S. stimulus package, President Barack Obama signed into law the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which significantly expands the reach of the HIPAA Privacy Rule and Security Rule, along with the corresponding penalties.
One significant resulting change is that HIPAA will now basically apply to CE business associates (BAs) directly. BAs were already required to follow the security that the CEs put into their contracts. I've done more than 150 BA security program reviews, which included review of the contracts, and the security requirement details within these contracts typically have been missing at worst and vague and incomplete at best. Add to this that the risk to the BA for noncompliance was basically just for a contractual breach for failure to comply, and you are left with little motivation for the BAs to invest the time, personnel and resources necessary for effective safeguards.
That has now changed. The HITECH Act includes a statutory obligation for BAs to comply with HIPAA, and BAs now face noncompliance enforcement actions from the Department of Health and Human Services (HHS), in addition to also possibly receiving civil and criminal penalties for noncompliance and for PHI breaches occurring from compliance failures.
The HITECH Act also increases the penalties for HIPAA violations. The HITECH Act authorizes state attorneys general to bring civil action in federal district court against individuals who violate HIPAA. The original HIPAA rules authorized the HHS Secretary to conduct compliance reviews but did not include specific requirements for them. The HITECH Act now requires ongoing audits to ensure Privacy Rule and Security Rule compliance.
Another important change that the HITECH Act brings to HIPAA is PHI breach notification, which was not part of the original HIPAA rules. This is significant to CEs and BAs, even though there are at least 46 state-level breach notice laws. To date, few CEs have had privacy breach response and notice plans in place.
Increasing criminal prosecutions and convictions after HIPAA violations
As the HIPAA criminal convictions and sanctions table shows, more criminal convictions are starting to occur. What the table does not show is that there are many more active prosecutions of HIPAA criminal activities that have not yet been resolved. In April 2008, a Department of Justice spokesperson reported that the department has filed more than 200 criminal cases since 2003 under a statute that includes HIPAA, but that not all cases are necessarily HIPAA-related, according to The Wall Street Journal.
HIPAA originally provided for criminal penalties of fines of up to $250,000 and up to 10 years in prison for disclosing or obtaining PHI with the intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm. In July 2005, the Justice Department ruled that only a CE could be criminally liable and prosecuted under HIPAA. The HITECH Act has changed this by allowing criminal penalties for wrongful disclosure of PHI to apply to individuals who obtain or disclose PHI maintained by a CE, whether or not the individuals are employees of a CE.
The HITECH Act also permits the HHS Office for Civil Rights (OCR) to pursue an investigation and apply civil monetary penalties against individuals for criminal violations of the HIPAA Privacy Rule and Security Rule if the Justice Department did not prosecute the individuals. Additionally, the HITECH Act changes HIPAA to require formal investigations of complaints and to impose civil monetary penalties for violations resulting from willful neglect. Any civil monetary penalties collected must then be transferred to OCR to use for HIPAA enforcement activities, and the HHS must establish a process to distribute a percentage of the collected HIPAA penalties to harmed individuals.
This is the second in a two-part series. Learn more in "HIPAA enforcement getting stronger."
Rebecca Herold, CISM, CISSP, CISA, CIPP, FLMI, is an information privacy, security and compliance consultant, author, instructor and management tools creator with her own company, Rebecca Herold & Associates LLC. Herold has provided information security, privacy and compliance services to organizations in a wide range of industries throughout the world for more than 17 years. She was named one of the Top 59 Influencers in IT Security for 2007 by IT Security magazine. Herold is an adjunct professor for the Norwich University Master of Science in Information Assurance (MSIA) program.
This was first published in March 2009