HIPAA Crackdown on Security Hacks

Image courtesy of Flickr/Perspecsys

Health care security breaches are on the rise with headline-making hacks at insurer Anthem Inc. and NewYork-Presbyterian Hospital, giving employers reason to be concerned.

This year, the Department of Health & Human Services’ Office for Civil Rights is conducting Health Insurance Portability and Accountability Act, or HIPAA, compliance audits, and HR departments need to prepare, according to Gordon Rapkin, CEO of Archive Systems Inc., an HR document manager based in Fairfield, New Jersey. The office hasn’t announced when audits will commence. 

“Employers need to know that they are obligated to protect this information, they must show that they are capable of protecting this information and prove that their employees have been trained to do so,” Rapkin said. “You must be able to prove all that in a very short window of time if you’re unfortunate enough to be selected for an audit.”

Columbia University and NewYork-Presbyterian Hospital were fined a combined $4.8 million for failing to secure the health records of more than 6,000 patients.

In 2011 and 2012, the HHS conducted a pilot phase of the audits selecting 150 “covered entities,” which include providers and health plans, including employers that sponsor them, according to the HHS. Those chosen have 10 business days to provide supporting documents, Rapkin said.

“You don’t want to be in a situation where you are tagged for an audit and can’t respond in a timely fashion,” he said. “That triggers fines, and the fines have been hefty. It’s like a disaster plan. It’s incumbent on organizations to have one in place.”

In 2014, Columbia University and NewYork-Presbyterian Hospital were fined a combined $4.8 million for failing to secure the health records of more than 6,000 patients. In 2013, Anthem Inc. (then known as WellPoint Inc.) was fined $1.7 million when the health records of more than 600,000 patients were made available to unauthorized users.

Rapkin urged employers that have not yet conducted a HIPAA risk assessment to do so as soon as possible.

He said employers should focus on training employees to understand HIPAA policies and procedures and take an inventory of safeguards to protect physical and electronic information. If a breach occurs, employers must be vigilant about notifying individuals whose information was compromised.

“In the past it was easier to sweep things under the rug,” he said. “You can’t hide by saying, ‘Well someone left a laptop at Dunkin’ Donuts, but we don’t know if it’s been breached.’ You must notify any individual affected even if you only have reason to believe that you’ve been breached.”

Initially HIPAA was about health information portability — the ability to take records from one vendor or provider to another, he said. “It advanced to be much more about security as requirements like the HITECH Act came into play.”

The HITECH, or Health Information Technology for Economic and Clinical Health Act of 2009, required that organizations publicly report breaches that involve more than 500 patients, increased fines for violations, mandated that the HHS conduct audits, and extended the rules to third parties that work with health care organizations.