7 Critical Lessons You Should Learn 

By Mike Semel, August 17, 2016

4001847 - stack of several million dollar bills isolated on white

The ‘HIPAA Police’ are on a rampage. In 2015 there were just over $ 6 million in penalties. In 2016- with over 4 months still to go- the Office for Civil Rights (OCR) has issued penalties of more than $ 20 million. The fines, known as case resolutions or civil money penalties, will get rolled into funding more enforcement.

The three most recent penalties, in July and August, 2016, were $ 2.7 million,  $ 2.75 million, and $ 5.5 million- more than all of last year. In addition, recently an orthopedic clinic paid $ 750,000 for missing paperwork. The OCR isn’t kidding around.

Time is running out for those who have a cavalier or casual attitude towards HIPAA compliance. For those who are diligent about HIPAA, it’s time to validate your efforts. Rather than risk millions in fines, you should get a second opinion with an independent third party assessment.

Items that were revealed during recent investigations include:

  • Failure to implement and follow HIPAA policies and procedures to protect patient information
  • Knowing about data security vulnerabilities but not fixing them
  • Lack of Business Associate management
  • Use of generic user names and shared passwords
  • Failure to encrypt devices that store ePHI

Here are SEVEN BIG LESSONS to be learned.

LESSON 1 - Consider that the name of the enforcement agency is the Office for CIVIL RIGHTS.

56369778 - 3d illustration of civil rights title on legal documents. legal concept.


They believe that a confidentiality or data breach is a violation of the patients’ CIVIL RIGHTS, not just missing paperwork. If you wonder how far the federal government will go to protect your civil rights, go back to the 1960’s and look at the Civil Rights movement.

Do you want to be fined and become famous for violating someone’s civil rights?

LESSON 2 – Policies & Procedures must be followed, not just documented.

During our audits clients show us policy manuals that have never been shared with their employees.

Some organizations don’t follow the policies they have created. They show us policies that are very specific, like “Passwords must be changed every 60 days.” When we look at their network we see that all passwords are set to never change.

The we-make-HIPAA-easy “HIPAA-in-a-Box” or, now, the “HIPAA-in-the-Cloud” packaged solutions you can buy, can be feel-good placebos that make you believe you have a viable compliance program. The true test is if you really comply with HIPAA, not that you have a book on a shelf or documents stored in a cloud portal.

We were recently shown a HIPAA cloud portal that gives you a compliance score that increases as you save documents. Their example was adding a software inventory. When they uploaded the document the score automatically increased. I asked if it mattered whether the file contained the names of unsupported operating systems and programs, or consumer-grade file sharing applications that are not compliant with HIPAA. They said no, that the client was responsible for knowing the rules.

They reward you with a passing score even if the information you provide doesn’t comply. What good is that?

Are you really feeling good about your compliance program, or is just the placebo effect?

LESSON 3 - You need to get serious about managing your Business Associates.

DoctorShakingHandsThe orthopedic practice paid $ 750,000 for sharing Protected Health Information (PHI) with a vendor without having executed a Business Associate Agreement. Oregon Health & Science University (OHSU) paid $ 2.7 million partly for storing data with a cloud service without a Business Associate Agreement in place.

Some have argued that this is a ‘victimless crime’ and that $ 750,000 - $ 2.7 million is a lot to pay for not having your paperwork in place. The federal government obviously disagrees. They consider this the unauthorized release of protected health information, a Civil Rights violation.

Your list of Business Associates is probably a lot longer than you think.

From the Federal Register

The HIPAA Rules define “business associate” generally to mean a person (or entity) who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of protected health information.

Your attorney is a Business Associate if he/she sees patient records while representing you in matters like malpractice suits, collections, or billing investigations. Your accountant, or revenue cycle financial advisor, is a Business Associate if they see patient billing records during audits or reviews. Your copier and IT vendors are Business Associates. So are billing companies, coding companies, and many others.

Each must sign Business Associate Agreements, and build a complete HIPAA compliance program including HIPAA policies and procedures, HIPAA workforce training, a HIPAA security risk analysis, and a lot more.

You can be liable when your Business Associate screws up. North Memorial Health Care of Minnesota paid $1.55 million after a Business Associate had a breach of their patient records.

OCR’s investigation indicated that North Memorial failed to have in place a business associate agreement, as required under the HIPAA Privacy and Security Rules, so that its business associate could perform certain payment and health care operations activities on its behalf. North Memorial gave its business associate, Accretive Health, Inc., access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients. Accretive also received access to non-electronic protected health information as it performed services on-site at North Memorial.

If your vendors refuse to comply with HIPAA is it worth an extra $ 750,000 - $ 2.7 million to continue to work with them?

LESSON 4 - Cloud services and data centers are Business Associates.

cloud1This seemed clear when the 2013 HIPAA Omnibus Final Rule re‑defined Business Associates to be any person (or entity) that “maintains protected health information on behalf of a covered entity… even if the entity does not actually view the protected health information.”

This includes free e-mail services, cloud storage, cloud backups, hosted voicemail and fax services, file sharing services, hosted electronic medical record services, and the data centers that house them.

Many cloud vendors and data centers are still in denial. They claim they don’t have access to client systems (which is usually wrong;) that data is encrypted; and that they don’t access the data.

None of this matters.

The OCR just issued a $ 2.7 million penalty against OHSU partly for “the storage of the electronic protected health information (ePHI) of over 3,000 individuals on a cloud-based server without a business associate agreement.”

Jocelyn Samuels, Director of the OCR, said, “OHSU should have addressed the lack of a business associate agreement before allowing a vendor to store ePHI.

Data Centers contract directly with health care organizations, and are subcontractors to cloud services and IT vendors. ePHI is stored on servers and storage devices within their facilities, and it doesn’t matter if the racks are locked, or if the data is encrypted.

Cegedim told a client that it was just “simply acting as a landlord leasing space” and refused to sign a Business Associate Agreement even though the servers they housed were full of patient records.

The dirty little secret at data centers that claim they don’t have access to client equipment is that almost all offer technical services through on-site staff so you don’t have to drive across town, or fly across the country, to reboot a server. They have keys and open client racks all the time.

This article talks more about cloud vendors and data centers.

If your cloud vendor or data center won’t sign a Business Associate Agreement, you can’t use them.

LESSON 5 - You need a real Security Risk Analysis that is thorough and accurate.

The University of Washington Medicine (UWM) paid $ 750,000 after a data breach investigation revealed that their management of the risk analysis process was inadequate.

“All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise,” said OCR Director Jocelyn Samuels.  “An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.”

Medical practices want a cheap way out so they purchase a ‘feel good’ do-it-yourself guide or web-based system to guide them through a risk analysis. Larger organizations with their own IT staff think they can audit themselves.

Every one of the hundreds of risk analyses we have done has either revealed information unknown to the client, including unprotected ePHI, or our analysis directly contradicted information we were provided that the client thought was correct. Just like practicing medicine, a risk analysis requires proper training, experience (with IT security,) and the right (technical) tools.

You need a lot of IT knowledge and expertise to validate your compliance with the HIPAA Security Rule. Most medical practices and Business Associates simply do not have the expertise or the tools to do a thorough and accurate HIPAA risk analysis. IT departments that have done their own assessments often missed things that we found later. Some ignored their failure to comply with their own policies and told everyone that things were fine. We heard this from their angry managers.

There are two ways to find out if an outsider will give you a passing or failing grade. Hire an independent consultant, or live on the wild side and wait for the government to audit or investigate you.

LESSON 6 - You have to fix the problems that were discovered during your risk analysis.

20329558 - manage your risk in a dangerous world, company, workplace or enterprise by reducing costs and liability, illustrated by these words on three red dice

A risk analysis is not just a document to be filed away. Policies and procedures are not just documents to be available in case of an audit, they have to be implemented and followed.

This requires action, which can be expensive and inconvenient.

In both the University of Mississippi Medical Center (UMMC) $ 2.75 million and the OHSU $ 2.7 million penalties, the investigations revealed that the organizations were aware of vulnerabilities but failed to correct them.

After the UMMC breach, OCR Director Jocelyn Samuels said, “In addition to identifying risks and vulnerabilities to their ePHI, entities must also implement reasonable and appropriate safeguards to address them within an appropriate time frame,” After the OHSU breach, she said.  “From well-publicized large scale breaches and findings in their own risk analyses, OHSU had every opportunity to address security management processes that were insufficient…,

Management must provide the resources and the willingness to solve compliance problems.

LESSON 7 - As I have preached so many times before, including in a cover story for the Journal of Health Care Compliance, security and compliance are management responsibilities.

At each of the organizations that paid the big fines, ask yourself:

  • How long after being notified that they were being investigated do you think it took senior management to get involved?
  • How much time did senior management take away from their organizations’ mission to deal with lawyers, outside consultants, and the government?
  • Who in the organization approved paying $ 750,000, $ 1.55 million, $ 2.2 million, $ 2.7 million,     $ 2.75 million, or $ 5.5 million?
  • What did it really cost those organizations, when you add in attorney fees, notification costs, lost business, and lawsuits. (The recent Cost of a Data Breach report says a healthcare breach costs       $ 402 per record.)
  • Who had to answer the hard questions from the board of directors?
  • Who did the media want to talk with after the breaches became embarrassingly public?

By delegating compliance, senior executives are just delaying expensive and difficult decisions. There can even be criminal action if an executive violates the law, for example, by telling a compliance officer not to report a data breach. In the 2015 ‘Yates Memo’ the US Department of Justice said that corporate misconduct will be treated as criminal activity.

The OCR director recently said, “This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.”

The OCR already has $ 20 million, and will surely get more this year, for increased enforcement.

Hang on to your hats!