Healthcare businesses and associated entities store and process sensitive medical and patient information that is critical not only to the quality of their treatment services but also to the very health of their patients. However, medical data is also a lucrative target for many criminals because it sells at a premium on dark-web markets and can be used for further criminal activity. To protect this information, healthcare businesses and hospitals must ensure HIPAA compliance. Complying with HIPAA is also required to minimize the potential for hefty fines that could endanger the bottom line of these entities.
Healthcare governance, risk, and compliance (GRC) professionals can learn a great deal by examining the annual reports issued by the HHS Office for Civil Rights (OCR).
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a set of rules and standards established in 1996 that healthcare companies must follow to demonstrate their commitment to patient privacy and security.
Why is HIPAA Compliance Important for Healthcare Companies?
First and foremost, HIPAA is about respecting your patients’ privacy. They trust you with their most personal health details, and it’s your responsibility to keep that information confidential. HIPAA compliance helps ensure that only authorized individuals who need it for legitimate healthcare purposes access patient data.
Secondly, HIPAA compliance helps you avoid legal troubles. Non-compliance with HIPAA regulations can result in hefty fines, legal actions, and damage to your company’s reputation. Following the rules and implementing the necessary safeguards reduces the risk of facing these consequences.
Thirdly, HIPAA compliance is about data security. It requires measures to protect electronic health records (EHRs) from unauthorized access or breaches. This could mean using secure computer systems, encrypting patient data, and implementing access controls to limit who can view or edit the information. Having proper policies and procedures in place is crucial to this goal. This includes training your staff on privacy and security practices, ensuring they understand their responsibilities, and implementing protocols for handling patient information securely. Regular audits and assessments can help you identify any gaps in compliance and address them promptly.
The State of HIPAA Compliance
The HHS Office for Civil Rights (OCR) has been enforcing HIPAA compliance more aggressively in recent years to ensure all healthcare entities establish the controls required for the protection of medical data. 2022 was a record year, with 22 penalties imposed to resolve violations of the HIPAA Rules, although this fell to 13 in 2023.
It’s clear that the HIPAA Right of Access enforcement initiative, launched by the HHS OCR, is working. In 2022, 17 of the 22 financial penalties resolved violations of the HIPAA Right of Access—the failure to provide individuals with timely access to their medical records—compared to just 4 out of 13 in 2023.
The remaining penalties imposed by the OCR in 2023 included failures related to the HIPAA Security Rule, such as inadequate risk analysis, technical and administrative safeguards, reviews of information system activity, and verification of identity. Additionally, other penalties were related to violations of the HIPAA Privacy Rule, including disclosures of PHI in response to online reviews, disclosures of PHI to reporters, and a lack of policies, procedures, and training to prevent HIPAA violations by employees.
Increased workloads and stagnating budgets have plagued the OCR in recent years. This has had a significant impact on its HIPAA enforcement capabilities. OCR’s budget is primarily funded by its enforcement actions, which presents a problem. A reinterpretation of the language of the HITECH Act has significantly reduced the maximum penalties for HIPAA violations in three of the four penalty tiers, causing the average HIPAA penalty to fall from $2.8 million in 2018 to just $321,269 in 2023. While the OCR has appealed to Congress to increase the maximum penalties for HIPAA violations and its overall budget, there are no indications that this will happen soon.
The OCR investigates all large data breaches of 500 or more records. In its annual report to Congress, the OCR explained that it has experienced a 100% increase in large breach reports since 2017. Security incidents have significantly contributed to this rise, increasing steadily from 149 in 2017 to 596 in 2023. The OCR reports that 79.7% of data breaches in 2023 were caused by hacking, compared to 41.6% in 2017. This is a trend that will continue in 2024 as well, as the recent breach of Change Healthcare proved.
To address these issues, the OCR has restructured and created a new enforcement division that will, if all goes well, allow the OCR to investigate data breaches faster, clear the current backlog of investigations, and impose more financial penalties. HIPAA Journal expects to see the results from this initiative throughout 2024.
Changes to HIPAA in 2024
The OCR is considering multiple proposed modifications to the HIPAA Privacy Rule. They include:
- Permitting disclosures of PHI when needed to help individuals with substance use disorder, serious mental illness, and emergency circumstances.
- Permitting disclosures of PHI for individual-level care coordination and case management (to avoid confusion about whether consent is required).
- Creating an exception to the Minimum Necessary Standard for disclosures of PHI for individual-level care coordination and case management.
- Strengthening individuals’ access rights to inspect and obtain copies of PHI and reducing the time allowed to respond to access requests to 15 days.
- Addressing the form of PHI access, including individuals’ personal health applications and transfers of PHI to third parties via a Patient Access API.
- Reducing the requirements for verifying the identity of an individual exercising their access rights so the individual does not experience an “unreasonable burden.”
Similarly, OCR Director Melanie Fontes Rainer recently confirmed that OCR’s HIPAA Right of Access enforcement initiative will continue. In 2024, OCR will also make two further areas enforcement priorities: HIPAA compliance concerning reproductive healthcare information, and HIPAA Security Rule compliance to protect against the increasing number of hacking incidents.
Finally, the FTC announced modifications to the Health Breach Notification Rule (HBNR) that augment its scope and application. The revised rule will become effective on July 29, 2024. In terms of applicability, the new HBNR is applicable to a “vendor of personal health records,” an entity not covered by HIPAA that offers or maintains an electronic record of “PHR identifiable health information,” that has the “technical capacity to draw information from multiple sources,” and that is managed, shared, and controlled by or primarily for the individual.
In addition, the final rule would redefine “breach of security” so that notification requirements are triggered upon a data breach or an “unauthorized disclosure” of PHR identifiable health information rather than an “unauthorized acquisition” of that information.
With an ever-growing threat landscape, increased data security in a healthcare environment is more necessary than ever. For a more in-depth assessment of your compliance standing and needs, connect with an Elevate consulting specialist about our HIPAA HITECH services.
To read the full 2024 HIPAA report, visit the HIPAA Journal.