A HIPAA Trifecta: OCR Audit Results, HHS Proposed Privacy Rule Changes & Indictments for Stealing PHI

As 2020 comes to a close, three items related to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”) emerged.

First, the highly anticipated Department of Health and Human Services Office for Civil Rights’ (“HHS OCR”) 2016-2017 HIPAA Audits Industry Report (Dec. 2020) was released. OCR’s periodic audits are required under the HITECH Act in order to ascertain compliance with the Privacy, Security, and Breach Notification Rules (“HIPAA Rules”).

Second, HHS published proposed changes to the HIPAA Privacy Rule, which center around increasing an individual’s rights and access to his/her protected health information (“PHI”), expanding information sharing for purposes of care coordination, providing disclosure flexibility in select situations (i.e., opioid overdose, COVID-19), and reducing administrative burdens on covered entities.

Lastly, a recent indictment highlights the notion that stealing PHI and using it for the purpose of personal gain rises to the level of criminal conduct.

OCR’s Audit Results

The long-awaited results from OCR’s second audit (“Phase 2”) of select covered entities and business associates was presented to Congress in early December 2020. As part of its obligations under Section 13411 of the HITECH Act, HHS is required to “provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act, comply with such requirements.”

Phase 1 of OCR’s pilot program was conducted 2012, with 115 covered entities being assessed. Phase 2, which occurred between 2016-2017, included both business associates and covered entities, most of which were providers. Initially, 166 covered entities were audited, which required them to provide a list of their respective business associates. From there, a pool of business associates was created, and 41 business associates were ultimately chosen. Therefore, the number of entities audited increased by 92.

An individual entity was rated on a scale of 1-5, with No. 1 being compliant and No. 5 being severely out of compliance. Some of the audit findings are eye-opening:

• Only 2% of covered entities fully met the Notice of Privacy Practices requirements, including not having a written notice with the required content;
• Only 11% of covered entities correctly implemented the individual right of access, including inadequate policies and procedures; and
• Only 14% of covered entities and 17% of business associates were adequately fulfilling their requirements to safeguard ePHI and conduct an annual, comprehensive risk analysis.

These outcomes, although for a limited group, should be alarming and signal a call to action. Class action lawsuits, as well as the U.S. Government agencies’ warnings of increased cybersecurity attacks, are just significant consequences that cannot be overlooked. The best place to start is to do the following five items: (1) conduct a comprehensive, annual risk analysis; (2) make sure business associate agreements are executed; (3) encrypt data at rest and in transit; (4) ensure annual HIPAA and cybersecurity training for workforce members; and (5) implement adequate policies and procedures.

HHS Privacy Rule Proposal

As value-based initiatives continue to become more prevalent, in an effort to remove barriers that are perceived to impede care coordination between providers and health plans, on December 10, 2020, HHS announced proposed changes to the HIPAA Privacy Rule. The notice of proposed rule making gives the public 60 days after publication in the Federal Register to comment on the proposed changes.

The three laws implicated are: HIPAA, the HITECH Act, and the 21st Century Cures Act. The key areas to focus on are as follows: reinforcing an individual’s right to access his/her own PHI, including ePHI; improving the sharing of information for purposes of care coordination; facilitating greater family and care giver involvement through appropriate disclosures during crisis situations (i.e., the COVID-19 pandemic, opioid crisis); and reducing administrative burdens on providers.

It is important to note that OCR will continue to protect individual’s health information privacy interests. And, if the past two years are any indication, the trend of penalizing providers who fail to provide patients with their PHI will continue.

Indictment for Stealing PHI

A recent indictment serves as a reminder that breaches involving the wrongful taking and use of PHI can have criminal consequences. On December 7, 2020, the United States Department of Justice for the Eastern District of Texas announced that two individuals pleaded guilty, while another individual awaits additional charges, for allegedly breaching a healthcare provider’s electronic medical records system for the sole purpose of stealing patients’ PHI and personally identifiable information (“PII”) and utilizing it to commit subsequent illegal acts. Specifically, the stolen PHI and PII “was then ‘repackaged’ in the form of false and fraudulent physician orders and subsequently sold to durable medical equipment (DME) providers and contractors.”

Over a period of nearly eight months, the defendants netted in excess of $1.4 million in ill-gotten gains from the sale of the stolen information. Additionally, there were superseding indictments, whereby the defendants allegedly conspired to “pay and receive kickbacks in exchange for orders from physicians that were subsequently used to obtain payments from federal health care programs” in violation of the Anti-Kickback Statute. As a result of selling the physicians’ orders to each other, as well as other DME suppliers, another $2.9 million accrued from the criminal scheme.

This case serves as a reminder that the HIPAA criminal statute, 42 U.S.C.A. §1320d-6 applies when “[a] person who knowingly and in violation of this part – (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individual identifiable health information to another person, shall be punished as provided in subsection (b) of this section.” Overall, the stealing, as well as the illegal sale and use of the PHI rises to the level of a criminal violation under HIPAA.

Conclusion

Healthcare industry participants have a lot on their plates. In light of the government’s announcements of increased cybersecurity attacks targeted towards the U.S. healthcare sector participants, HIPAA compliance cannot be overlooked. The costs of breaches from a reputational, financial, regulatory, and legal standpoint cannot be overlooked.

_{About the Author}

_{Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.}