The HIPAA environment has changed.
Gone are the days of the completely underfunded, reactionary and at times, anemic Office of Civil Rights (OCR). Gone are the relatively small, innocuous and non-impactful breaches.
Here to stay is the increasingly funded, proactive and robust OCR. Here are the multi-million record breaches, international black market sales and routine fraud using PHI—welcome to the new normal.
The new normal of HIPAA is much less Mayberry and a lot more GMen. The OCR employs and contracts with auditors, accountants, social engineers and security experts. Depending upon the type of audit (proactive or reactive), OCR will dig deep, fast, and not always tell you what is happening until after it’s over.
The big driving force behind these changes are the volume and scope of breaches.
How many of you out there received a letter from Anthem regarding the loss of your PHI in February? Anyone out there receive a letter from Premara?
These two breaches impacted ~90 million US citizens, or roughly 1 out of 3 adults. Interestingly enough, both of these companies fall under the corporate umbrella of Blue Cross Blue Shield (BCBS). Unfortunately for consumers, this is not the first time BCBS has been involved in a breach. In 2009, about 230,000 individuals had their information stolen from an unencrypted server.
At the end of 2014, the OCR sent out notifications that its audit program was going to shift gears dramatically.
In 2015, the OCR plans on auditing 10 percent of every covered entity in the United States and 5 percent of every business associate. To support that effort, most of these entities received notice of their pending audit in December of 2014. In addition to this 10/5 audit plan, the OCR is also pursuing individual entities who merit additional attention.
For example, in 2014, the OCR reached out to BCBS and offered to perform a security audit – BCBS refused. After the breach in February of 2015, the OCR again offered to audit the security protocols and procedures of BCBS, who then refused to cooperate. Now, the audit will be formal, with courts involved, and likely much more invasive.
The potential fines and punishments levied against BCBS should be severe.
If the landscape of HIPAA has changed, the enforcement arena has been terraformed into an entirely new planet.
First, the normal HIPAA fines still apply. Roughly speaking, there is a cap of $1.5 million for the violation of any one particular code section of HIPAA. This means that if it is determined that Anthem breached the code section of HIPAA dealing with encryption, then for this one incident (no matter how many records impacted) Anthem will not pay more than $1.5 million. This amount does not take into account the administrative costs (average of $100 per person for notification and credit monitoring) and legal fees from third-party suits.
Next, two new enforcement trends are picking up steam in the US right now: criminal penalties and personal rights of action.
Amazingly enough, California has now sentenced several people to jail time for HIPAA violations. In one particular instance, the violator did not disclose, share, or otherwise disseminate the medical records they viewed, rather they logged into an EMR from their home and viewed medical records, after they had been fired. It bears mentioning that the criminal penalty of jail time has been upheld on appeal.
The other emerging trend is the personal right of action. The personal right of action means that if a data controller is responsible for the breach of someone’s PHI or violation of HIPAA, that individual can be sued personally by the impacted parties.
Right now, about 20 percent of states have some form of a personal right of action. While a lawsuit against a data controller could take several forms, the bottom line is that individuals who handle, maintain, care, or distribute PHI now have much more to worry about. Even some employers may indemnify their employees, some will not.
The New Normal
The bottom line is that everything you know about HIPAA before 2015 needs to be reevaluated, tested and documented.
The sheer volume of people impacted by breaches is staggering. If the past is any indication, prepare for a big swing to the new normal. We are already seeing an uptick in audits, not to mention more serious enforcement mechanisms.
Now is the time to get ready. Gather your core decision makers around the table and get serious about HIPAA – prepare now or pay later.
About the Author: W. Hudson Harris is a JD, MBA, MA, & Esq. who began his IT career in 1997 in network administration; moved on to tech support for Microsoft and finally University IT. Hudson obtained his masters degrees and law degree, ultimately opening his own law practice in San Diego in 2010. Hudson published his first book as an executive editor, Tax Free Trade Zones of the World and in the United States in 2012. Since then, he has been published several times in trade journals. Currently, he serves as Privacy Officer and Associate General Counsel. He now writes on Technology and HIPAA centered issues at legallevity.com and @legallevity.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.