How Small Practices Can Avoid HIPAA Audits or Penalties

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is kicking off Phase II HIPAA audits, meaning that the clock is ticking for those who are noncompliant.  The cost of noncompliance?: fines up to $1,500,000 or criminal penalties.  If your breach affects 500+ persons, the HITECH Act requires that it be posted publicly on OCR’s website.  Health Information Technology for Economic and Clinical Health (HITECH) Act, section 13402(e)(4).

Costly mistakes are easy to make.

 Case studies in best + worst-case scenarios.

 Last fall, a HIPAA-covered entity (CE), Cancer Care Group, P.C., entered into a settlement agreement with OCR for potential HIPAA violations.  The 13-doctor private practice in Indiana paid a $750,000 fine and agreed to adopt a rigorous corrective action plan.  The alleged violation?  An employee’s laptop was stolen from a car, which contained the unsecured electronic protected health information (ePHI) of about 55,000 current and former patients.  When OCR investigated that breach, it discovered that the practice was noncompliant with many of the requirements of official written privacy policies and security measurements.  See Dep’t Health & Human Svcs., Office of Civil Rights, $750,000 HIPAA settlement emphasizes the importance of risk analysis and device and media control policies, Press Release (Sept. 2, 2015).

Aside from fines, you may be required to take additional steps to ensure future compliance.  In another case last fall, Barrington Orthopedic Specialists, Ltd. reported that an employee’s laptop and EMG machine were stolen from her car.  Both the laptop and machine contained PHI.  The practice notified HHS, the affected individuals, and the media, and it filed a police report.  It then purchased additional EMG machines and stopped transporting them outside the office, it provided employee retraining, and it provided documentation of all details to OCR.  See Barrington Orthopedic Specialists, Ltd., OCR breach notification details (Sept. 24, 2015). While the practice was not fined by OCR, they certainly incurred significant costs as a result of the breach.

These aren’t isolated incidents.

Some other situations within Illinois that have resulted in HIPAA breach notifications:

  • An employee’s laptop stolen from her bag while she was making an admission visit in a patient’s home.  She had changed the security settings on her laptop, causing them to deviate from the hospice center’s encryption requirements.  (Rainbow Hospice and Palliative Care; May 26, 2010)
  • A CE realized that PHI was available on its network server and website. (Chicago Muscoskeletal Institute; Mar. 23, 2012)
  • A person misrepresented himself as an employee of a vendor contracted to dispose of the CE’s x-ray films, obtained access to a storage area, and stole about 1,500 films.  (SwedishAmerican Health System; July 12, 2012)
  • A CE misplaced billing invoices. (VHS Genesis Lab Inc.; April 5, 2010)
  • An electronic system error caused information about patients who were not Illinois residents to be accidentally submitted to the Illinois Department of Healthcare and Family Services as required by law for Medicaid.  (Plexus Group; Mar. 1, 2013)
  • A burglar broke into a CE’s facility and stole a laptop containing ePHI.  (Stoetzel’s Planet Chiropractic; March 25, 2014)
  • The employee of a CE’s business associate (BA) erred in sorting Excel spreadsheet data and accidentally mailed PHI to the wrong patients.  (OptumRx; April 30, 2014)
  • The storage facility where the CE kept its old medical records was sold, and unbeknownst to the CE, the new owner gained possession of the records for 5 days, although there was no indication that the records were compromised.  (Thomas H. Boyd Memorial Hospital; May 21, 2015)
  • A package shipped by a CE to a billing company was lost by the Post Office.  (Arturo D. Tomas, MD, Ltd.; Feb. 9, 2015)
  • A BA’s credit card processing data portal was hacked.  (BlackHawk; Oct. 9, 2013)
  • A CE’s computer settings allowed Google to detect and cache PHI in uploaded files.  City of Chicago; Nov. 29, 2013)

Aside from possible fines, some of the steps taken to satisfy OCR’s investigations have included:

  • Provide fraud and credit monitoring to all affected individuals
  • Retrain staff on technical safeguards
  • Notify media outlet(s) of the breach
  • Install a new security system in the office that requires the input of a code specific to each employee
  • Relocate to a new office facility
  • Create enhanced HIPAA policies and procedures

Perhaps not all of these breach scenarios could have been prevented – but the CEs could have had better policies in place to minimize the risk of breach and to govern their post-breach conduct.  The lesson here is that front-end compliance always trumps later remedial action.  It’s more cost-effective, it satisfies the purpose of the HIPAA requirements, and it significantly minimizes your stress level if you’re audited or you experience a breach.

(In case you’re counting acronyms, we’re at 8: CE, BA, HHS, HIPAA, HITECH, OCR, PHI, ePHI).

Your blind spot.

The security gap.

HIPAA has two general components: privacy and security.  Most of our clients do a great job with patient privacy: they know not to discuss PHI, and they are generally committed to ensuring that their patients’ information remains private.  However, HIPAA does not always place substance above form – and for good reason, if the breach examples provided above are any indication.  HIPAA contains innumerable “shall provisions” concerning security too.  This means that as a provider, you shall create policies and procedures (which often shall be in writing) to address the specific security safeguards in place at your practice.  Many of our clients’ policies fall far short of HHS’ requirements, thus making them vulnerable to a HIPAA audit.

The ‘small practice problem’

In the Phase I audits, small practices had the most violations – likely because they lack the in-house counsel or budgets of large hospitals.  However, investing in a quality HIPAA compliance plan is not discretionary.  You are required to comply with these rules, and they can be complex, onerous, and technical.  Also, HIPAA has changed dramatically in recent years, and the Phase I audits also shed light on possible weaknesses in your policies, so an older Compliance Plan should be immediately updated.  Your attorney should be reviewing your Plan annually and offering regular training to your entire staff about how to properly handle PHI. 

HHS identified the five most commonly investigated HIPAA issues.  They are:

  1. Impermissible uses and disclosures of PHI
  2. Lack of safeguards of PHI
  3. Lack of individuals’ access to their own PHI
  4. Lack of administrative safeguards of electronic PHI
  5. Use or disclosure of more than minimum necessary PHI

The parameters of what entails a permissible use, proper safeguard, or improper disclosure of PHI are specifically set forth by the applicable laws and regulations.  They should be included in your written policies and reviewed in your regular risk assessment analyses (which you’re conducting and documenting, right?).

Some of the questions we ask our clients when preparing their HIPAA Compliance Plans include: Do all providers in your practice have access to the other providers’ patient files?  Do you have a written policy concerning how you would handle a broken laptop?  Or a policy concerning how you protect against hacking, including of your credit card processor?  When was the last time you performed a formal risk analysis, and how did you document it? 

If these questions make your eyes glaze over, or if you’re taking your chances on an audit, reach out to us.  Our initial call won’t cost you anything, and we can discuss the steps required to get your practice up-to-speed, whether you have no HIPAA plan, or whether you just want a compliance check-up.  If you are selected for an audit, the process will likely move quickly, and OCR is encouraging CEs to prepare, for example, lists of their qualifying BAs now.

HIPAA compliance is not only required by law, but it ultimately serves your patients, who are truly entitled to privacy of their medical records, identities, and conditions.

This is not a substitute for legal advice from your attorney.  If you have questions about this or any other matter relating to your practice, e-mail me today at