HIPAA Tip #3: The OCR Is No Longer the Only HIPAA Enforcer

Beyond the OCR, New HIPAA Enforcers Are Now Active

Most developers know by now that the Office for Civil Rights (the OCR) is the official HIPAA enforcement agency. Most “HIPAA 101” courses teach that this agency, a section of the U.S. Dept. of Health and Human Services (HHS), is officially tasked with enforcement of the HIPAA Regulations. The OCR is also the “interpreter” charged with explaining and clarifying the Regulations for the healthcare community and all others who deal with, or who are affected by HIPAA. But the HIPAA enforcement landscape is changing, and developers need to understand how.

HIPAA Enforcement — Once Upon a Time

Once upon a time, HIPAA enforcement was a gentle giant. Enforcement authorities took an “education and outreach” approach to violations of the HIPAA Rules. In earlier days, even when patient data had actually been compromised, offenders paid no penalties and signed an agreement, called a “Corrective Action Plan” or CAP, promising to fix the problems that led to the violation.

For years, and in spite of tens of thousands of submitted reports of violations, the OCR didn’t hand out a single monetary penalty until 2011. Today, HIPAA enforcement is dramatically different.

HIPAA Enforcement Has Awakened — with a Vengeance

Once upon a time is no longer. Today, HIPAA enforcement is making headlines on a regular basis. And there are significant new players on the enforcement scene, in addition to the official ‘HIPAA Cops’ at the OCR.

HIPAA enforcement has awakened, in part, because of the immense new threats to data of all kinds, including the personal health data protected by HIPAA. Breaches of consumer records have become front-page news. Recent examples include retailers Target and Home Depot, health insurer Anthem, financial giant JPMorgan, and even auctioneer eBay.

The threats to personal health data, called “Protected Health Information” (PHI) under HIPAA, have never been greater than they are now. Cyber threats, including so-called “malware” and attacks of various types, are also on a strong upward trend in sophistication and stealth — making them harder to prevent, defend against and recover from. Hacks and data breaches in all industries, including healthcare, are currently at an all-time high, with nearly one billion records of various types compromised in a wide variety of breaches over the past few years.

Stolen Health Data Is Cash to Criminals

Greed is driving much of the increase in hacking, as massive quantities of stolen data of all types are bought, sold, and traded on underground black markets. Stolen data is cash to criminals, and personal health data is especially valuable. Collections of health data are not mere ‘libraries’ or ‘warehouses’ to cyber crooks. To criminals, quite literally, they are bank vaults filled with cash.

Developers, when you’re designing healthcare apps and including mechanisms to safeguard the PHI you’re entrusted with, understand that you’re protecting cash. If your apps or systems are hacked, at stake is the cash value (to criminals) of the data you’re protecting, and the cash you’ll lose in data recovery and breach notification expenses — not to mention your reputation. Failing to properly protect PHI, as well as failing to fully comply with HIPAA, can be very costly indeed. Some recent penalties for major HIPAA violations are in the multi-millions of dollars.

According to experts at the Institute for Critical Infrastructure Technology, the rise in successful hacks has recently pushed the price of stolen data down. But stolen data is still a goldmine. Complete identity-theft kits with comprehensive health insurance credentials can be worth hundreds of dollars, up to $500 each, on the black market, and health insurance credentials alone can fetch $20–50 each. In comparison, stolen consumer payment cards typically sell for $1 to $2 each.

Developers, make no mistake: criminals want your patient data, and they’ll go to amazing lengths to get it.

HIPAA Compliance Helps Protect the Privacy and Security of PHI

Most developers know that HIPAA protects the privacy of individually identifiable health data. But HIPAA also sets standards for the security of digital health data. Every computer, network and storage device in your organization, and all health data in Electronic Health Record (EHR) systems and elsewhere, must all be configured and protected to the HIPAA Security Rule’s standards.

Full HIPAA compliance means that your electronic systems, networks and data all meet specific, baseline security standards that reduce your chances of being hacked and breached. Getting fully compliant with HIPAA’s Privacy and Security Rules also helps developers avoid enforcement actions. And HIPAA enforcement isn’t what it used to be.

Two NEW Kinds of HIPAA Cops Are Enforcing the Law

Understanding HIPAA enforcement is more important now than ever because there are new ‘HIPAA Cops’ on the scene that most healthcare organizations are not aware of. In addition to the established HIPAA enforcement agency, the OCR, two new types of HIPAA enforcement powers are active now.

First, the changes to HIPAA in the HITECH Act and the HIPAA Omnibus Rule gave State Attorneys General the power to bring civil, HIPAA-based suits in federal courts on behalf of state residents. The ramifications here are huge, with fifty completely independent, powerful new players who can each initiate new HIPAA enforcement actions. And State AGs are already flexing their enforcement muscles.

An example: On June 15th this year (2017), New York’s Attorney General Eric T. Schneiderman announced a punitive settlement with CoPilot Provider Support Services, a NY-based corporation that provides a variety of IT support services to healthcare organizations. For over a year, CoPilot had failed to disclose or report a breach that exposed over 221,000 patient records. CoPilot claimed it was not subject to the HIPAA Rules, and rather than challenge CoPilot on that basis, AG Schneiderman prosecuted the case under New York State law GBL §899-aa, which mirrors many of HIPAA’s data breach notification requirements. And this legal action by a State AG is not the only example.

The other new HIPAA enforcement player on the scene is the Federal Trade Commission. Beginning in 2014, the FTC has taken on the role of a HIPAA enforcement ‘authority’ on its own initiative. While the FTC lacks a legal mandate to enforce the HIPAA Regulations directly, it has been taking a parallel legal track by investigating the business practices of HIPAA-regulated (and other) entities that have suffered significant data breaches.

Also in 2014, a federal court upheld the FTC’s power to sue companies that fail to protect customer data. And the FTC has sued dozens of companies in recent years for failing to take reasonable steps to protect consumer data. In addition to increased OCR enforcement, developers can expect HIPAA-related enforcement activity from State AGs and the FTC to increase sharply in coming years. Long-term, more cybercrime = more breaches = more enforcement activity.

While HIPAA enforcement is scaling up, its resources are also limited. The most egregious and ‘willful’ HIPAA violators will generally be targeted first. Developers should work to avoid being so vulnerable.

Resolve to Protect PHI Better

Developers, resolve to improve the safeguards you build to protect the valuable health data you’re entrusted with. Understand that full compliance with HIPAA includes your company, your people (including sub-contractors), and your business processes, in addition to your apps. Comply fully with HIPAA and reduce your risk of data breaches, bad publicity, angry constituents, lawsuits and HIPAA enforcement against you.

When it comes to full compliance and avoiding HIPAA enforcement actions, an ounce of prevention today is worth far more than a pound of cure tomorrow.