OCR HIPAA Enforcement Continues During Pandemic
by Kapua Iao
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights’ (OCR) HIPAA enforcement continues during the pandemic.
This year, OCR has already settled with three covered entities (CEs) following investigations into their reported breaches.
Such settlements remind healthcare organizations of the importance of HIPAA compliance and strong cybersecurity even during health crises.
What is HIPAA?
Most commonly associated with HIPAA are Title II and its significant provisions:
- Privacy Rule (2003) – covers PHI protection and compliance standards
- Security Rule (2005) – sets security standards to protect electronic PHI (ePHI)
- Enforcement Rule (2006) – sets HIPAA enforcement standards
- HITECH Act (2009) – promotes the adoption and meaningful use of technology
CEs and their business associates (BAs) are HIPAA compliant if they make a concerted effort to protect PHI from a breach.
And while a breach does not always result in a HIPAA violation penalty, any breach that affects more than 500 people must be reported to OCR for investigation, and it will be published on HHS’ Breach Portal, aka the “wall of shame.”
OCR then decides whether the CE is at fault, as it did in the three cases settled this year.
Recent OCR settlements
| | Case 1 | Case 2 | Case 3 |
|---|---|---|---|
| Date breach filed | 2013 | 2011 | 2017 |
| Date settled in 2020 | March 3 | July 23 | July 27 |
| Misc. penalty | Corrective plan | Corrective plan | Corrective plan |
| # affected individuals | 500 | 1,263 | 20,431 |
| Type of breach | Improper disposal | Phishing | Theft of laptop |
| Why a violation | No risk analysis conducted; failed to implement security measures | No risk analysis conducted; did not adhere to Security Rule; did not provide training until 2016 | Failure to encrypt; lack of media/device controls; absence of a business associate agreement (BAA) |
In general, OCR focused on the lack of security as related to:
- Risk analysis and management
- BAs and BAAs
- Employee awareness training
Each CE could have avoided the violation by implementing security measures, if not from the beginning, then as soon as their problem was discovered.
According to OCR Director Roger Severino, “Providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.”
Accountability and security
Without enforcement, compliance may not be a top priority, especially during a pandemic; accountability ensures strong cybersecurity.
And as stated by HHS in the past, HIPAA and compliance reviews are never suspended.
Paubox Email Suite encrypts all emails sent from a customer’s existing email platform. Emails are delivered directly to a patient’s inbox with no extra steps or passwords required.
Paubox Email Suite is perfect for helping CEs avoid a HIPAA violation when protection is needed the most.