With 2017 just beginning, covered entities, such as health plans and most health care providers, under the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) need to be aware of current trends in the realm of protected health information (PHI). In a Health Care Compliance Association webinar titled “What’s New on the HIPAA Front?” Vaniecy Nwigwe and Debbie Campos of HHS Office for Civil Rights (OCR) presented an overview discussion of PHI designation and authorization, PHI breaches, enforcement matters, and marketing.
The HIPAA Privacy Rule generally requires covered entities, i.e. health plans and most health care providers, to provide individuals, upon request, with access to the PHI about them in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice, as described in 45 C.F.R. Sec. 164.524(c)(3).
PHI designations. Designation occurs when an individual directs the covered entity to transmit the PHI about the individual directly to another person or entity designated by the individual. Conversely, authorization occurs when an individual gives permission to another person to direct the covered entity to transmit the PHI to another person (or entity) designated by the authorized individual (or entity).
The same requirements for providing the PHI to the individual, such as the fee limitations and requirements for providing the PHI in the form and format and manner requested by the individual, apply when an individual directs that the PHI be sent to another person.
According to the speakers, this distinction matters because of fees. The fee limitations only apply to individuals who direct a covered entity to send PHI to another person or entity. Under the Privacy Rule, a covered entity is prohibited from charging an individual who has requested a copy of her PHI more than a reasonable, cost-based fee for the copy that covers only certain labor, supply, and postage costs that may apply in fulfilling the request.
Breaches. From September 2009 through November 2016, approximately 1,738 instances involving a breach of PHI affecting 500 or more individuals were reported. Of that, 60 percent of the breaches initiated through theft or loss. In addition, there were over 58,000 reports of breaches of PHI affecting less than 500 individuals during calendar year 2016 alone.
Enforcement. Highlighting some of HHS’ enforcement actions, the speakers noted that over 125,445 complaints had been received as of December 31, 2015, and over 30,000 cases have bene resolved with corrective action or technical assistance. HHS expects to receive 22,000 complaints in 2017.
In one prime example of a major breach, the speakers noted that nonprofit health system, St. Joseph Health’s ePHI was publically accessible on the internet from February 1, 2011, to February 13, 2012, affecting the records of over 31,800 individuals. St. Joseph Health agreed to adopt a comprehensive corrective action plan and pay $2.4 million to settle allegations that the health system violated the HIPAA Privacy and Security rules (see Health system slammed over searchable internet server, October 19, 2016). St. Joseph Health also agreed to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on the revised policies and procedures.
HIPAA settlement. On January 18, 2017, the OCR announced a HIPAA settlement based on the impermissible disclosure of unsecured (ePHI). MAPFRE Life Insurance Company of Puerto Rico (MAPFRE) has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.2 million and implementing a corrective action plan. On September 29, 2011, MAPFRE filed a breach report with OCR indicating that a USB data storage device (described as a “pen drive”) containing ePHI was stolen from its IT department, where the device was left without safeguards overnight. According to the report, the USB data storage device included complete names, dates of birth and Social Security numbers, affecting 2,209 individuals.
MAPFRE informed OCR that it was able to identify the breached ePHI by reconstituting the data on the computer on which the USB data storage device was attached. OCR’s investigation revealed MAPFRE’s noncompliance with the HIPAA Rules, specifically a failure to conduct its risk analysis and implement risk management plans, contrary to its prior representations, and a failure to deploy encryption or an equivalent alternative measure on its laptops and removable storage media until September 1, 2014. MAPFRE also failed to implement or delayed implementing other corrective measures it informed OCR it would undertake.
Marketing. Generally, a communication about a product or service that encourages recipients of the communication to purchase or use the product or service is considered marketing. In the case of covered entities, if the communication rises to this level, the covered entity must obtain an individual’s authorization to do so. Another form of marketing communication is an arrangement between a covered entity and any other entity whereby the covered entity discloses PHI to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service.
SOURCE: Health Care Compliance Association webinar, What’s New on the HIPAA Front? and HHS press release, January 18, 2017.
Visit our News Library to read more news stories.