Pathology/Lab Coding Alert

HIPAA:

Beware: Your Breach Report May Backfire

Your best defense is a good compliance plan.

If you experience a reportable privacy breach, you could be in big trouble if your underlying HIPAA compliance plan is weak.

In fact, some organizations have been hit with million-dollar fines when the HHS Office for Civil Rights (OCR) investigated a breach notification — and kept looking.

Read on to learn what happened, and how you can avoid the same fate for your lab or pathology practice.

OCR Searches for ‘Widespread Noncompliance’

The OCR recently announced a settlement with Triple-S Management Corporation, formerly American Health Medicare Inc., that imposes a “robust” Corrective Action Plan (CAP) and a whopping $3.5-million payment.

Interestingly, this settlement was “the outgrowth of privacy breaches that [Triple-S] had reported to OCR, which, in turn, triggered further investigations by the agency,” noted partner attorney Laurie Cohen in a recent blog posting for Nixon Peabody LLP. “The OCR investigation uncovered ‘widespread noncompliance’ with the HIPAA Rules.”

The alleged HIPAA violations the OCR uncovered included:

  • Failure to implement appropriate administrative, physical, and technical safeguards to protect its beneficiaries’ PHI;
  • Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement (BAA);
  • Use or disclosure of more PHI than was necessary to carry out mailings;
  • Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; and
  • Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level.

In addition to the hefty $3.5-million payout, the settlement also involves a CAP that requires Triple-S to establish a comprehensive HIPAA compliance program, which includes:

  • A risk analysis and a risk management plan;
  • A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds;
  • Policies and procedures to facilitate compliance with the HIPAA Rules’ requirements; and
  • A training program covering the HIPAA Privacy, Security, and Breach Notification Rules’ requirements, intended for all workforce members and business associates providing services on Triple-S premises.

Takeaway: This case and other recent settlement agreements are “a reminder that when investigating a breach, OCR may look beyond the particular incident and review the covered entity’s or business associate’s overall compliance with HIPAA,” warned attorneys Elizabeth Hodge and Thomas Range of Akerman LLP in an analysis of the case. And the next round of HIPAA audits will begin in early 2016, which will only increase the scrutiny of covered entities’ and business associates’ compliance efforts.

Best bet: Make sure your lab or pathology practice has a strong HIPAA compliance plan in place now — both to minimize the risk of having a reportable breach, and to maximize the chance that you can withstand OCR scrutiny if an investigation occurs.

Link: The OCR’s Resolution Agreement and CAP with Triple-S is available at www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/TRIPLES.html.