Since the Act was amended in 2009 (by the HITECH Act), the focus of the Health Insurance Portability and Accountability Act has shifted primarily to patient confidentiality, Medical Economics detailed. Patient privacy is a central concern of the Department of Health and Human Services, given the large number of data breaches that have accompanied the widespread adoption of digital platforms, such as electronic health records, in the healthcare sector. The Office for Civil Rights (OCR), a branch of HHS, enforces HIPAA by investigating reported breaches at clinics and hospitals and by conducting routine audits to confirm that providers meet HIPAA's Privacy and Security Rule requirements. According to Dentistry IQ, OCR audits are set to increase this year, after a number of notable violations came to light in 2015.
Two leading hospitals pay substantial financial penalties
Two high-profile HIPAA settlements came at the tail end of last year. In December 2015, both the University of Washington Medicine and the University of Rochester Medical Center settled allegations that they had violated HIPAA and paid substantial financial penalties: the University of Washington Medicine reached a settlement with OCR under which it paid $750,000, while the University of Rochester Medical Center agreed to a substantially smaller, but still notable, $15,000 settlement with the New York Attorney General.
The University of Washington Medicine was investigated by OCR after the facility suffered a significant security breach. The incident began when a staff member opened an email attachment that contained malicious software. As a result, the electronic protected health information of more than 90,000 patients was exposed. Many of the records contained highly sensitive information, such as Social Security numbers, addresses and billing details. OCR's investigation found that UWM had not implemented an organization-wide risk management program: although its policies required its affiliated hospitals and clinics to perform risk assessments, UWM had not ensured that those assessments were actually carried out, as the HIPAA Security Rule requires. The settlement was announced in December 2015.
The University of Rochester Medical Center settled a separate breach of personal health records earlier in December 2015. The case arose after a former nurse practitioner took the personal health information of some 3,403 patients with her when she left the organization for a new job, Health IT Security detailed. Alongside the $15,000 settlement reached with New York's Attorney General Eric Schneiderman, URMC was required to train its staff on HIPAA's requirements and on effective compliance.
Risk of violations lessened if certain steps are followed
Given the rapid expansion of digital technology, especially within the healthcare sector, the risk of data breaches remains. While it is probably impossible to eliminate the risk of a HIPAA violation entirely, there are a number of steps healthcare organizations can take to reduce the probability of an infraction. According to Dentistry IQ, helpful steps include holding regular staff training, writing concise office policies, carrying out periodic risk assessments and appointing a HIPAA security officer to oversee all aspects of compliance.