Report: HIPAA complaints on the rise

The Department of Health and Human Services recently released its "Annual Report to Congress on HIPAA Privacy, Security and Breach Notification Rule Compliance."

In the report, the HHS detailed the number of complaints received for the calendar years 2011-12, the number of complaints resolved, the number of subpoenas or inquiries issued and more.

The HITECH Act requires HHS to conduct the report, which found that during 2011 and 2012, the U.S. Office for Civil Rights (OCR) received 19,476 complaints, which was a significant increase over each respective year prior. The 9,022 complaints received in 2011 was the largest number of complaints received in any calendar year to that point.

During 2012, the OCR opened at least 235 compliance reviews addressing allegations of violations of the HIPAA Rules that did not arise from complaints. Of these, 222 compliance reviews were opened as a result of a breach report affecting 500 or more individuals.

Several particular cases were pointed out in the report, none of which were dentist related. One case, however, involved the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. (MEEI). On September 13, 2012, the Department reached an agreement with MEEI to settle potential violations of the HIPAA Security Rule. According to the report, "MEEI agreed to pay $1,500,000 and to take corrective action to properly safeguard the ePHI of its patients."

The violation stemmed from the theft of an unencrypted laptop containing the electronic protected health information (ePHI) on MEEI's patients. The information contained on the laptop included patient prescriptions and clinical information.

Although the HIPAA Security Rule has been in effect since 2005, the OCR's investigation indicated that MEEI failed to take necessary steps to comply with certain requirements of the rule, including:

  • Conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices;
  • Implementing security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained and transmitted using portable devices;
  • Adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices; and
  • Adopting and implementing policies and procedures to address security incident identification, reporting and response.

OCR instructed MEEI to do the following, in addition to the fine:

  • Develop, retain and revisit its HIPAA Privacy and Security policies and procedures as necessary;
  • Conduct and document a risk analysis that complies with the HIPAA Security Rule;
  • Develop a risk management plan, as required by the HIPAA Security Rule, to address the risks identified by the risk analysis;
  • Identify a security official who is responsible for the development and implementation of the policies and procedures and the HIPAA Security Rule;
  • Train workforce members on the requirements of the HIPAA Rules; and
  • Engage a qualified, independent third-party monitor to, among other duties, conduct compliance reviews, and render reports to the OCR for a period of three years.

These are the types of situations CDA tries to help dentists avoid by staying current on all of the latest requirements under HIPAA. Members can visit cda.org/privacy-HIPAA for resources and information about how to stay compliant.

In addition to investigating complaints, the OCR also conducts HIPAA audits. Unlike complaint investigations or compliance reviews, audits are reviews of covered entities and business associates that are initiated not because of any particular event or incident indicating possible noncompliance on the part of the covered entity or business associate, but rather based on application of a set of objective selection criteria.

The entire audit protocol is organized around modules, representing separate elements of privacy, security and breach notification.

Phase 1 of the audits was conducted between 2011 and 2012 by consulting firm KPMG. In Phase 2, the OCR will be conducting the audits, starting in 2014 and continuing into 2015.

According to the report, "the majority of entities audited, particularly small entities, continued to show deficiencies with regard to all three of the HIPAA Rules -- Privacy, Security and Breach Notification."

The audit program is intended to be primarily for information gathering, but the OCR will assess whether to open a separate compliance review in cases where an audit indicates serious compliance issues. Therefore, it is important that dental practices have a current HIPAA risk analysis in place; that their Notice of Privacy Practices are current and acknowledgement of receipt forms are maintained. They should also have policies and procedures in place to identify and respond to breaches.

The ADA offers a HIPAA Compliance Kit with sample policies, procedures and forms. Office breach policies and procedures should also note California requirements that are different from HIPAA requirements. Resources available on cda.org/practicesupport include "Data Breach Notification Requirements," "Sample Notice of Privacy Practices" and "Access to Patient Records FAQ."

For more HIPAA resources, visit cda.org/practicesupport.