More than 500 individuals affected; five new enforcement actions published.
The U.S. Department of Health and Human Services Office for Civil Rights (HHS-OCR) released breach data based upon 2020 breaches affecting more than 500 individuals. Additionally, five new enforcement actions were published. Both underscore the continued focus by HHS-OCR on both privacy and security violations of HIPAA and the HITECH Act.
Pursuant to the HITECH Act, section 13402(e)(4), HHS lists breach cases (affecting 500 or more individuals) currently under investigation. Of the nearly 349 data breaches reported thus far in 2020, the following types of incidents are the most prevalent:
The prevalence of hacking/IT and unauthorized access/disclosure incidents should not be surprising, especially because they can often go hand-in-hand. A recent report from CynergisTek found that “only 44% of healthcare organizations, including hospitals, health systems and third-party vendors, are meeting national cybersecurity standards.” (emphasis added). And, “bigger healthcare institutions with larger budgets didn’t necessarily perform better when it comes to security,” and some “performed worse than smaller organizations or those that invested less.” Armed with this knowledge, the best way for any provider to mitigate the risk of a cybersecurity incident and/or privacy violation is to have a third party conduct a comprehensive risk analysis. When I conduct annual risk analyses for my clients, we evaluate technology in relation to the regulations and NIST standards and look for appropriate, but cost-effective ways to mitigate risk and remain compliant.
Another focus of HHS-OCR in Privacy Rule violations continues to be a patient’s right to access his/her health records and designated record set. Recently, HHS announced, OCR Settles Five More Investigations in HIPAA Right of Access Initiative. The five entities ran the gamut in terms of size and types of persons. The five settlements include the following:
There are a couple of items to consider in relation to these five settlements. First, HIPAA does not use the term “mental health records” but instead refers to psychotherapy notes, which have a very different meaning. Some states, including Texas, use the term “mental health records.” Second, substance use disorder records may also implicate violations of 42 CFR Part 2. Finally, some states have laws protecting certain types of information that a parent or legal representative may request regarding a minor. Each individual state law should be checked first before agreeing or not agreeing to provide a minor’s protected health information.
In sum, HHS-OCR remains committed to pursuing HIPAA violations. Covered entities, business associates, and subcontractors alike should pay attention and continually monitor compliance initiatives.
Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.