HIPAA enforcement reached an all-time high in 2018, with financial settlements ranging from $100,000 to $16,000,000. The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) is responsible for providing oversight and ensuring HIPAA compliance. Last year alone, OCR resolved a total of 25,089 complaints of HIPAA violations and required at least 632 entities to adhere to Corrective Action Plans which document how those entities will attain and maintain compliance with all applicable components of the HIPAA regulations. While last year’s numbers set records and gained significant attention, those numbers are only expected to increase.
As compliance professionals and media outlets focus on the latest hacking incident or security breach, some may wonder how breaches of health care data are impacting the great state of Alabama. While Alabama has a population of fewer than 5 million people, it is no stranger to OCR investigations. In fact, a look back at the last 15 years of OCR HIPAA enforcement data reflects that the same vulnerabilities that plague states with much larger populations also align with the issues that burden Alabama covered entities. Alabama, Florida, Minnesota, New Jersey and Ohio are identical with regard to OCR complaint resolution percentages. In these states, OCR concluded that 28% of the complaints received required corrective action on the part of the HIPAA covered entity. Only 6% of complaints in these states were determined not to be violations, and 66% of complaints were resolved after the intake and review process.
Several breaches impacting the PHI of 500+ individuals have been reported within the state of Alabama. The most recent was the 2018 breach of FastHealth Corporation, a HIPAA Business Associate which contracted with covered entities to perform website and operational services. An unauthorized third party accessed FastHealth’s web server and acquired information from their databases, impacting 1,345 Alabamians. This breach followed a previous breach by the same organization occurring in June 2017 that likewise involved their network server and affected 9,289 individuals.
While large breaches generally receive the most publicity and attention, smaller breaches can be equally devastating. For instance, breaches involving mental health or communicable disease information can be harmful to the patient whose information was breached, even if only one individual is affected. Pursuant to state statutes, breaching this type of information can open an entity up to civil liability, even if few individuals are affected.
Alabama Breach Notification Statute – A Wake-Up Call
When Alabama passed the Alabama Data Breach Notification Act of 2018, many health care providers were pleased to note that there was a specific exemption for entities that were required to adhere to HIPAA. However, a careful review of the exemption language is warranted. Pursuant to Section 11, an entity that is subject to HIPAA regulations and complies with those standards is exempt so long as it does the following:
- Maintain procedures pursuant to those laws, rules, regulations, procedures, or guidance.
- Provide notice to affected individuals pursuant to those laws, rules, regulations, procedures, or guidance.
- Timely provide a copy of the notice to the Attorney General when the number of individuals the entity notified exceeds 1,000.
Thus, to be exempt from the Alabama statute, HIPAA covered entities must do more than simply assert exemption status due to HIPAA regulations. The entity must also demonstrate that it is in compliance with HIPAA.
New Day for Breach Notification Rule Adherence
According to Linda Sanches, Senior Advisor for HIT & Privacy at OCR, it is going to be tougher for entities to conceal breaches. It has come to the attention of OCR that there are HIPAA covered entities that do not report their breaches and have found success staying “under the radar of HIPAA enforcement.” However, Ms. Sanches announced at the 2019 Health Care Compliance Conference that OCR was not only considering more severe action against entities that did not follow the regulations, but that in the future OCR would also be monitoring news reports, interviewing former and disgruntled employees, and devoting more resources to seeking out entities that disregarded the regulations.
Alabama covered entities face the same federal regulatory authority as those in any other state, regardless of size, population or economy. Thus, it is important for health care providers to understand the requirements and to ensure that their entity and their workforce are aware of the regulations and how those regulations impact their organization. The most recent national trends on the location and type of breaches from 2018 can be reviewed in the charts below.
Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of The Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala. Attorney Dunson is also Of Counsel with the law firm of Balch & Bingham, LLP. The Dunson Group, LLC, is an official partner with the Medical Association.