Medicare Compliance & Reimbursement

HIPAA:

Address Risk Factors with These 3 Tips

Ignoring assessments and issues is not an option, OCR punishment suggests.

Organizations big and small find managing HIPAA's complex rules and requirements challenging. One group's recent failure to address risk and implement suggested safeguards highlights the importance of following the rules. And this large-scale healthcare provider's hefty financial penalty suggests the HHS Office for Civil Rights (OCR) won't tolerate negligence no matter the size or scope.

Context: Fresenius Medical Care North America (FMCNA), a provider and supplier of a range of services for people with chronic kidney failure, reported five HIPAA breaches at five different branches in January 2013. The incidents occurred "between February 23, 2012 and July 18, 2012," and exposed the ePHI of "five separate FMCNA-owned covered entities," according to an HHS Office for Civil Rights (OCR) release dated February 1, 2018. The potential violations ran the gamut from impermissible disclosures under the Privacy Rule to failure to implement safeguards required under the Security Rule.

Read the OCR release at: www.hhs.gov/about/news/2018/02/01/five-breaches-add-millions-settlement-costs-entity-failed-heed-hipaa-s-risk-analysis-and-risk.html.

"The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity," said OCR Director Roger Severino in the release. "Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients' health information in accordance with the law."

Result: The five breaches, which happened at FMCNA facilities in Florida, Alabama, Arizona, Georgia, and Illinois, cost the group $3.5 million in penalties paid to OCR. In addition, the feds required Fresenius to institute a "comprehensive corrective action plan, in order to settle potential violations of HIPAA," the release noted.

Quell Violations with This Advice

FMCNA's recent HIPAA issues emphasize the importance of extensive risk assessment and management controls.

Most of the problems identified in the organization's five breaches could have been prevented with better compliance protocols and follow-up. Take a look at the separate breaches and what you can do to fix problems like these before they bring down your practice.

1. Confirm physical safeguards are rock solid. Two FMCNA branches, OCR reported, failed to implement policies and procedures to safeguard their facilities and the equipment inside them from "unauthorized access, tampering, and theft," as the HIPAA Security Rule's physical safeguards (45 CFR 164.310) require.

Tight controls are needed both for the electronics that hold ePHI, such as workstations, laptops, mobile devices, and medical equipment, to prevent unauthorized access, and for the facilities themselves, to stop intruders from damaging or stealing that equipment. Ask yourself these questions about the physical security of your office and equipment:

  • Is there a security system to protect the practice from unlawful entry?
  • Are all devices inventoried?
  • Is there a list of who has access to the building and the health IT?

Tip: "The high impact cases OCR moves forward with are intended to send a message to the industry," explains attorney Kathleen D. Kenney of Polsinelli LLP in Chicago, Illinois. "With that in mind, I advise our clients to use these cases as learning opportunities.

"Ask 'could this happen to my organization?'," Kenney stresses. "And, if the answer is 'yes,' use it as an opportunity to voluntarily take corrective measures."

2. Document the receipt, movement, and removal of practice HIT. One FMCNA site lacked policies and procedures governing the receipt and removal of "hardware and electronic media that contain ePHI" into and out of the facility, and the movement of those items within it, the OCR release noted. Those device and media controls sit in the Security Rule's Physical Safeguards (45 CFR 164.310(d)), but making them work depends on the Administrative Safeguards (45 CFR 164.308) that assign responsibility and tie every control back to your risk analysis. Consider these questions:

  • Have you designated a security official who is responsible for developing and implementing your security policies and procedures, including risk management and HIPAA compliance, as the rule requires?
  • Are your security protocols in line with your risk analysis and practice needs?
  • Do your employees know who the compliance officer and health IT staff are?

Tip: "As devices get smaller and more portable, the potential for lost or stolen or misplaced data increases - and so does the risk for a breach," warns Peter Arbuthnot, regulatory analyst with American HealthTech in Jacksonville, Mississippi. That's why it's essential to clearly state who's in charge of the maintenance, care, and updates of practice technology.

3. Encrypt ePHI and maintain device control. Many large breaches trace back to lost or stolen devices holding unencrypted ePHI, and OCR found that FMCNA had not implemented a mechanism to encrypt and decrypt ePHI. Under the Security Rule, encryption is an "addressable" implementation specification: you either implement it or document why it is not reasonable and appropriate for your practice and what equivalent measure you use instead. For most practices, encrypting ePHI at rest and in transit, requiring strong authentication on mobile devices, and setting rules for remote access is the defensible choice, and it protects both your patients and your livelihood. Check these three questions to see whether you risk exposing ePHI:

  • Is there a plan in place to protect your data if your devices go missing?
  • Are you using multifactor authentication for remote access and full-disk (at-rest) encryption on every device that stores ePHI?
  • Is ePHI encrypted at rest and in transit with industry-accepted algorithms and key lengths, and are the decryption keys stored separately from the data they protect?

Tip: "If you do have a breach in your networks, or if a device containing PHI is stolen, proper encryption can be a lifesaver," points out Brand Barney, HCISPP, CISSP, QSA, security analyst with Security Metrics in Orem, Utah. "If your data is properly encrypted using industry-accepted encryption strengths, you don't have a breach. And it's also a requirement for HIPAA."
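Barney's "you don't have a breach" point rests on the HIPAA Breach Notification Rule: lost PHI counts as "secured," and its loss is not a reportable breach, only when it was encrypted in line with HHS guidance (which points to NIST SP 800-111 for data at rest) and the decryption key was not also compromised. The following example is added here for illustration and is not code from the OCR release, FMCNA, or any vendor named above. It shows in Go what that looks like for a single stored record: AES-256-GCM with a key that never sits on the device (the off-device key store is an assumption), a record identifier bound as authenticated data so one patient's ciphertext cannot be quietly swapped for another's, and checks that a bit-flipped file or a wrong key is rejected. The patient record is constructed sample data.

```go
// Added example (not OCR's, FMCNA's or a vendor's): AES-256-GCM at-rest encryption of ePHI, key kept off-device.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is what a stolen laptop actually carries on disk: nonce plus GCM output (ciphertext and tag). Never the key.
type Record struct{ Nonce, Ciphertext []byte }

// NewKey returns a fresh 256-bit key. Assumption: in production it lives in a
// key management service or hardware-backed store, not beside the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("key must be 32 bytes for AES-256, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one ePHI record; recordID is bound as additional authenticated data.
func Seal(key, recordID, plaintext []byte) (*Record, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 random bytes, fresh per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Record{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, recordID)}, nil
}

// Open decrypts and verifies; any altered nonce/ciphertext/recordID or wrong key yields an error.
func Open(key, recordID []byte, rec *Record) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(rec.Nonce) != gcm.NonceSize() {
		return nil, fmt.Errorf("bad nonce length %d", len(rec.Nonce))
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, recordID)
}

// DemoResult holds the properties a reviewer would check on the stored data.
type DemoResult struct {
	RoundTrip, NoPlaintextOnDisk, TamperDetected, WrongKeyRejected bool
}

// Demo runs the full flow on a constructed sample record.
func Demo() (DemoResult, error) {
	var r DemoResult
	ephi := []byte(`{"patient":"Jane Doe","dx":"N18.6"}`) // constructed sample ePHI
	id := []byte("record-0001")
	key, err := NewKey()
	if err != nil {
		return r, err
	}
	rec, err := Seal(key, id, ephi)
	if err != nil {
		return r, err
	}
	got, err := Open(key, id, rec) // the legitimate key holder reads it back
	r.RoundTrip = err == nil && bytes.Equal(got, ephi)
	r.NoPlaintextOnDisk = !bytes.Contains(rec.Ciphertext, []byte("Jane Doe"))
	tampered := &Record{Nonce: rec.Nonce, Ciphertext: append([]byte(nil), rec.Ciphertext...)}
	tampered.Ciphertext[0] ^= 0x01 // a thief flips one bit of the stored file
	_, err = Open(key, id, tampered)
	r.TamperDetected = err != nil
	otherKey, err := NewKey() // without the real key the file is unreadable
	if err != nil {
		return r, err
	}
	_, err = Open(otherKey, id, rec)
	r.WrongKeyRejected = err != nil
	return r, nil
}

func main() {
	r, err := Demo()
	fmt.Printf("%+v err=%v\n", r, err)
}
```

Run it with `go run` and all four properties should report true. Note what the code does not do: it does not manage the key for you. If the key were written to the same disk as the ciphertext, a stolen laptop would still be a reportable breach, whatever the cipher.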

Resource: For a closer look at the HIPAA Security rule, visit www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html.