Like other sectors, the healthcare sector has faced numerous challenges, from government regulation and fraud to data breaches and inflation, and other factors that influence the management of healthcare. The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Clinton in 1996 (Nahra, 2002). The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law in 2009 by President Obama as an integral part of the American Recovery and Reinvestment Act. With the increased use of technology not only in the health sector but in the economy in general, the potential for fraud or compromise of critical information demanded the establishment of security and privacy standards, and HIPAA was enacted to mitigate such concerns. The Department of Health and Human Services (HHS) was given the critical role of implementing and enforcing the regulations under the Act. Consequently, the Privacy Rule, the Electronic Transactions and Code Sets Rule, and the Security Rule were established. The HITECH Act revised HIPAA and amended the enforcement regulations relating to civil monetary penalties. The new law gave HHS more control over enforcement of and compliance with the HIPAA regulations, and new, stiffer penalties were introduced. The HITECH Act created new privacy provisions, breach notification requirements, disclosure restrictions, and controls on the use of PHI for marketing. The Act also strengthened the minimum necessary standard that applies when transmitting sensitive patient information in the course of patient care.

HIPAA is separated into Title I and Title II. Title I protects health insurance coverage for individuals and their covered dependents so that they can continue to receive health insurance benefits when they change employers or lose their jobs.
It differs from the Consolidated Omnibus Budget Reconciliation Act (COBRA) in that it addresses employees' portability of coverage between employers. HIPAA Title I requirements apply to coverage under a person's health plan but may exclude dental or vision plans that are not part of the comprehensive care package. Title II (Administrative Simplification) focuses on standardizing healthcare-related electronic transactions and systems and on protecting individually identifiable health information. Title II regulations include the aforementioned Privacy Rule, designed to protect patients' control over access to their personal information, and the Security Rule, which prescribes administrative, physical and technical safeguards for electronic PHI.
A limitation of Title I is that it does not require employers to provide health insurance to their employees, a loophole that employers can exploit. HITECH allows HHS to create programs aimed at enhancing and improving healthcare while promoting the use of electronic health records. The Act provides monetary incentives to encourage healthcare institutions to transition from paper records to electronic health record management.
Despite the good intentions of these Acts to improve the healthcare system, they have been a major source of financial burden. The burden results not only from the need for expensive IT systems and infrastructure, but also from the fines and legal fees that follow violations. A large number of HIPAA and HITECH violations have been reported in the past three years, ranging from failures of breach notification to outright violations of the Privacy and Security Rules.
Purpose of the study
The purpose of this case study analysis is to explore the HIPAA and HITECH violation cases reported in the past three years in order to identify the major causes of breaches. Identifying the major causes of HIPAA violations will enable organizations to learn from the affected institutions, improve their HIPAA policies and procedures, and be prepared to respond to possible breaches or violations. The study also aims to identify why HIPAA compliance is becoming hard for most organizations by examining the various facets of HIPAA compliance.
Impediments to HIPAA/HITECH Compliance
Although the HIPAA Privacy and Security Rules have affected health organizations since 2001, recent developments have heightened the compliance challenge for most healthcare organizations. The HIPAA compliance landscape has changed considerably since the passage of HITECH. HITECH changed which organizations are treated as regulated entities and the scope of compliance. Similarly, the regulators charged with enforcing the new regulations have instituted aggressive audits of health institutions. Under HIPAA, the government introduced privacy principles and security guidelines for all health organizations: the Privacy Rule introduced the concept of protected health information (PHI), and the Security Rule introduced electronic PHI (ePHI). HITECH introduced landmark provisions to HIPAA that affect healthcare organizations. The role of covered entities in assessing risk was expanded, and penalties for non-compliance were raised to up to $50,000 per violation, capped at $1.5 million per year for violations of an identical provision. These provisions aim at stricter data protection to improve patient privacy and data security.
According to Shuren and Livsey (2011), HITECH expanded the scope of the Act so that business associates must also comply. Business associates need to understand the HITECH Act's breach notification requirements and how to encrypt relevant data. The HIPAA Security Rule requires a healthcare organization to build its information security program around four general requirements: ensuring the confidentiality, integrity and availability of ePHI; protecting against reasonably anticipated threats; protecting against reasonably anticipated impermissible uses or disclosures; and ensuring workforce compliance. The Rule is organized into standards, and each standard is made up of implementation specifications grouped into administrative, physical and technical safeguards. Every standard must be implemented. Specifications marked "required" must be implemented as written; specifications marked "addressable" are not optional, but the organization may implement them, adopt an equivalent alternative measure, or document why the specification is not reasonable and appropriate in its environment.
In June 2005, the Department of Justice published an opinion memorandum outlining the scope of criminal enforcement under the Administrative Simplification provisions of HIPAA. The Department concluded that covered entities, and certain directors, officers and employees acting on their behalf, may be prosecuted under 42 U.S.C. § 1320d-6, and that the "knowingly" element of the offense requires only knowledge of the facts constituting the offense, not knowledge that the conduct violated HIPAA. The following sections outline enforcement cases instituted since the enactment of HITECH in 2009.
In the first HIPAA privacy case to go to trial, the jury found an individual guilty of wrongfully obtaining PHI with the intent to sell it or use it for personal gain (Balser Group, 2013). In United States v. Ferrer, Ferrer had paid a co-defendant for the information with the intent of committing Medicare fraud. He was sentenced to 87 months in prison, three years of supervised release, and a fine of $2.5 million.
In 2011, OCR announced its first landmark penalties for non-compliance with HIPAA's privacy and security requirements. That year OCR imposed a $4.3 million civil money penalty on Cignet Health of Prince George's County for failing to provide 41 individuals with access to their medical records and failing to cooperate with OCR's investigation. Also at the beginning of 2011, OCR received $1 million from the General Hospital Corporation and Massachusetts General Physicians Organization for their failure to implement reasonable safeguards to protect PHI. The incident leading to the Massachusetts General settlement occurred when an employee left documents containing PHI on a subway train (Downing & McMillan, 2013).
The HITECH Act authorizes state attorneys general to file civil suits in federal court against covered entities or business associates when a violation threatens or harms one or more of the state's residents. Under this provision, the Office of the Attorney General for the State of Connecticut filed suit against Health Net of the Northeast, Inc. over a possible breach of PHI. A disk drive containing the PHI of over 1.5 million past and present Health Net members was found to be missing, and Health Net failed to inform the affected individuals of the possible breach until roughly six months after the date of the reported violation. The Attorney General settled with Health Net through a Stipulated Judgment, Civ. No. 3:10CV57 (PCD), that imposed a $250,000 payment and a Corrective Action Plan (CAP). Under the CAP, Health Net was required to complete the identification of all affected individuals, notify them of the breach, and offer no-cost credit monitoring services. The CAP also required Health Net to provide status reports to the Office of the Attorney General.
Another landmark case early in the life of the breach regulations involved a university health system that failed to provide or document appropriate training, sanctions and security measures to minimize the risk of unauthorized access to PHI. An employee of the system had reviewed patients' PHI without a permissible reason, even though the data was not further used or distributed. The health system agreed to an $865,500 settlement and a three-year CAP.

In the first enforcement action resulting from a breach report required by HITECH, OCR announced in March 2012 that BlueCross BlueShield of Tennessee (BCBST) had agreed to pay $1,500,000 to settle probable violations of the Privacy and Security Rules. BCBST had notified HHS, as required by the HITECH breach notification regulation, that 57 unencrypted hard drives had been stolen from a leased facility; the drives contained the PHI of over 1 million individuals. OCR's investigation found that BCBST had failed to implement the administrative safeguards needed to adequately protect the information held at the leased facility, and that its implementation of physical safeguards had been inadequate. In addition to the payment, BCBST was required to revise its privacy and security policies and procedures and submit them to HHS for approval, and under the CAP it agreed to train employees who handle PHI.

A few months after this first enforcement action, HHS reported that the Alaska Department of Health and Social Services had agreed to pay $1.7 million to settle possible violations of the HIPAA Security Rule. OCR's investigation revealed that the department had failed to protect the electronic PHI of its Medicaid beneficiaries. The breach report that triggered the investigation concerned a portable storage device containing PHI that was stolen from an employee's car.
The first case involving a business associate was reported in 2012 and involved the Minnesota Attorney General and Accretive Health, Inc. The Minnesota Attorney General's office instituted a civil proceeding against Accretive Health for violating HIPAA and the privacy and security terms of its business associate agreements. According to the lawsuit, Accretive Health had committed numerous HIPAA violations that came to light during the investigation following the theft of an unencrypted, password-protected laptop containing the PHI of over 23,500 hospital patients from an Accretive employee's car. The lawsuit culminated in a $2.5 million settlement to compensate those affected by the breach and a ban on Accretive operating in Minnesota for at least two years.
In another landmark settlement, HHS signalled that all entities, regardless of size, must address security. In early 2013, HHS reached a $50,000 settlement with a small Idaho hospice over the theft of a laptop that held PHI for fewer than 500 patients. The hospice had notified HHS of the theft, and HHS investigated. According to the HHS investigation, the hospice had not conducted a risk analysis of the confidentiality risks posed by its portable devices.
In June 2013, Shasta Regional Medical Center (SRMC) agreed to pay $275,000 to settle a potential violation of the HIPAA Privacy Rule following an HHS investigation. SRMC also agreed to a comprehensive CAP to update its policies and procedures for safeguarding PHI from impermissible uses and disclosures. The settlement arose after two senior SRMC leaders met with the media to discuss medical services provided to a patient without the patient's valid written authorization. In the following month (July 2013), WellPoint, a managed care company, agreed to pay $1.7 million to settle potential violations of the HIPAA Privacy and Security Rules (Butler, 2014). According to OCR's investigation, WellPoint had failed to implement appropriate administrative and technical safeguards. It was the first case involving PHI exposed online: WellPoint had failed to implement policies and procedures for authorizing access to ePHI maintained in its web-hosted application database, as the Security Rule requires, and had failed to perform an adequate technical evaluation in response to a software upgrade.
Two more HIPAA cases were settled in 2013, involving Affinity Health Plan and Adult and Pediatric Dermatology, P.C. of Concord, Massachusetts. Affinity Health Plan, Inc. agreed to pay $1,215,780 for the disclosure of the PHI of up to 344,579 individuals. According to OCR's investigation, Affinity had failed to include the ePHI stored on its photocopiers' hard drives in its risk analysis and returned the leased copiers without erasing the drives. Adult and Pediatric Dermatology agreed to pay $150,000 and implement a CAP. The covered entity was found to have failed to protect unsecured ePHI (Murray, Calhoun, & Philipsen, 2011) after an unencrypted thumb drive containing ePHI was stolen from an employee's car. According to OCR, the practice had failed to conduct the risk analysis needed to identify possible risks and vulnerabilities, and had not adequately implemented the administrative requirements of the Breach Notification Rule. By 2014, five further cases had been settled. There is no private right of action under HIPAA; however, several state courts have ruled that HIPAA's nondiscrimination and other portability provisions may be enforced under ERISA Section 502. Werdehausen v. Benicorp Ins. Co. is an example of a case showing the possibility of privately initiated proceedings.
Compliance dilemma and common themes in HIPAA and HITECH violations
Numerous technical, administrative and legal challenges remain for covered entities and business associates in implementing the HIPAA Omnibus Final Rule. A survey by Ipswitch of healthcare administrators indicates that HIPAA is the most demanding information technology regulation to implement. According to Shoniregun, Kudakwashe and Mtenzi (2010), a significant challenge arising from HIPAA is integrating and enabling interoperability between proprietary claims systems and legacy software and the new HIPAA standards. Implementing HIPAA also requires constant upgrades and improvement. The foremost barrier to HIPAA compliance is the comprehension and interpretation of the legal requirements; successfully integrating new policies and procedures and resolving issues that arise with third parties are also impeding HIPAA success.
An analysis of the reported cases indicates that all organizations are vulnerable to HIPAA violations. However, a large proportion of the reported cases involve the theft of portable devices or storage media in the hands of employees. Such violations stem from a lack of both administrative and physical safeguards. Implementing and evaluating administrative safeguards for assessing potential risks and responding correctly appears to be a major challenge for most organizations. Brost (2013) described the devices most vulnerable from a compliance standpoint: devices without unique logins or access logs, information that is uncoordinated across departments, and devices not identified in the risk assessment. Physical safeguards, including controlled access, are therefore critical to improving compliance.
In most Corrective Action Plans, organizations committed to employee training to raise their compliance levels. Darril (2014) notes that effective employee training is the foundation of successful HIPAA compliance. Training can improve employees' response to breaches and their observance of the regulations. For example, training employees on how to transport portable devices containing PHI may help reduce the theft of devices from employees. The difficulty of comprehending and interpreting the law has been deemed the hardest aspect of implementing HIPAA precautionary measures. Shoniregun et al. (2012) noted that HIPAA implementation will continue to face a myriad of barriers until security education and training are widely accepted as core aspects of securing e-health information.
The Centers for Medicare & Medicaid Services (CMS) analyzed the issues influencing HIPAA compliance. According to its 2008 report, the major areas in which organizations struggle are workstation security, security training, risk assessment, encryption and workforce clearance. Three years after the report, the same themes appear in most HIPAA violation cases. Poor risk assessment has been noted in most OCR investigations: most organizations were faulted for not conducting comprehensive risk assessments to identify potential risks. Workforce clearance and access to PHI have contributed to a number of cases; however, most of these cases involved not outsiders but members of the organization's own workforce.
References
Brost, D. (2013). Identifying the most vulnerable devices to HIPAA compliance. Health Management Technology, 34(2), 28.
Butler, M. (2014). Top HITECH-HIPAA compliance obstacles emerge. Journal of AHIMA, 85(4), 20-25. ISSN 1060-5487.
Downing, K., & McMillan, M. (2013). OCR releases results of HIPAA compliance audit pilot. Journal of AHIMA, 84(10), 60-62. Retrieved from http://search.proquest.com/docview/1438037426?accountid=11809
HIPAA compliance audits begin with a pilot program. (2012). Healthcare Risk Management, 1-2.
Murray, T. L., Calhoun, M., & Philipsen, N. C. (2011). Privacy, confidentiality, HIPAA, and HITECH: Implications for the health care practitioner. Journal for Nurse Practitioners, 7(9), 747-752. doi:10.1016/j.nurpra.2011.07.005
Nahra, K. (2002). HIPAA privacy challenges for employers and their health plans. IT Health Care Strategist, 4(7), 9-10.
Radware Network (2010). Attack mitigation system & HIPAA HITECH compliance. Retrieved October 29, 2014, from www.locked.com/sites/default/files/AMS%20Hipaa%20Hi%20-Tech%20Compliance.pdf
Shuren, A., & Livsey, K. (2001). Complying with the Health Insurance Portability and Accountability Act: Privacy standards. AAOHN Journal, 49(11), 501-507.
Walters-Salas, T. (2012). Social media and HIPAA compliance. Bariatric Nursing & Surgical Patient Care, 7(2), 85-86. doi:10.1089/bar.2012.9984