A version of this article was published in The Daily Record on February 26, 2015 and in the Idaho Business Review on April 28, 2015.
In December, the Office for Civil Rights of the Federal Department of Health and Human Services (OCR), the agency charged with enforcing the Health Insurance Portability and Accountability Act of 1996 (commonly known as HIPAA), imposed another major penalty for alleged HIPAA violations, this time fining a dermatology practice (APDerm) $150,000.
A. The Case
According to OCR, this case arose in 2011 when an unencrypted flash drive - one containing surgical records of about 2,200 skin cancer patients - was stolen from the vehicle of an APDerm employee. OCR investigated, finding that APDerm violated HIPAA when it failed to do any of the following:
1. Formally assess the security risks to its electronically stored patient records, as required by HIPAA,
2. Use written policies and procedures for handling and storing electronic records to mitigate such risks,
3. Train employees in such policies and procedures, and
4. Alert patients about the loss of their records.
B. Déjà Vu All Over Again
The APDerm case is typical of OCR HIPAA enforcement since 2009.
First, the large fine comes in a case involving the loss of an unencrypted, portable electronic device containing records for numerous patients. As previously noted in TOPICS, in 2011 OCR imposed a $1,000,000 fine on Massachusetts General Hospital when a hospital employee left an unencrypted laptop containing 192 patient records on a subway in Boston. Similarly, in 2012 OCR imposed a $50,000 fine on Hospice of Northern Idaho when a laptop containing 441 patient records was stolen from a hospice employee's vehicle. And in April 2014, OCR imposed a $1,975,220 fine on Concentra Health Services when an unencrypted laptop was stolen from a physical therapy office in its system.
Second, as the above cases show, OCR's 2002-2008 approach to HIPAA enforcement - where OCR typically sought only corrective action plans and remedial training in response to HIPAA violations - has become more punitive. Although OCR still seeks corrective action, it has used the increased personnel and greater financial penalty authority derived from the 2009 stimulus package to collect large fines. OCR has clearly signaled that it expects all health care providers under HIPAA to have become compliant with the now decade-old HIPAA privacy and security rules, whether the provider is a health system, a hospital, or even a small health care facility or physician group practice (such as APDerm).
Finally, OCR purports to punish not the loss of the device itself, but the failure to take HIPAA-required precautions against loss. In the cases mentioned above - including APDerm - OCR has emphasized that an ounce of prevention is worth a pound of cure.
C. Getting Out of the Crosshairs
In that light, there are some reasonable steps health care providers should take now to protect themselves from HIPAA enforcement.
First, providers should minimize the use of unencrypted, portable devices for storing patient data. Although smartphones, laptops, and flash drives are convenient, they are much easier to lose than a bulky desktop or a room full of boxed paper records. Commercial off-the-shelf encryption software is now cheaper than ever, and, provided the passphrase or decryption key is not stored with the device, it is as close to bulletproof HIPAA protection as one can get. Alternatively, providers should require their clinicians and employees to use portable devices sparingly, while frequently sweeping data off the devices into more secure storage.
Second, providers should document a formal risk assessment for their electronic records. Providers typically do this type of assessment informally anyway; the assessment involves asking common sense questions such as "how are we backing up patient data in case there is a power outage?" or "how are we controlling patient data when it goes offsite?"
Finally, providers should document their policies and procedures for protecting data. OCR said it punished APDerm because APDerm had no documentation to show that it paid attention to HIPAA compliance at all. Left unsaid is that HIPAA compliance is more about formalizing and documenting what a provider already does out of common sense, than it is about following arcane rules. For instance, a physician group may have told employees not to share patient information in gossip online or in social media, but does the group have a written policy on social media?
As the APDerm case shows, HIPAA enforcement has become harsher and less forgiving, even for non-institutional providers such as physician groups. To get out of the crosshairs, providers should reach for the common sense solutions close at hand to improve their HIPAA compliance.