For Covered Entities and Business Associates, There Can Be No Such Thing as “HIPAA Lite”

It has been well over a decade since health care providers (and other HIPAA Covered Entities) started handing out their Notice of Privacy Practices as required by the HIPAA Privacy Rule. Patients have become so accustomed to the Notice that many never read it, even though they sign a statement that they have not only read it but understand it. The question is, when was the last time the provider’s Privacy Officer or the entity’s CEO read the Notice? Do key personnel understand the terms of the Notice? And does the provider comply with its own Notice, maintaining the policies and procedures that are represented in the Notice?

In smaller organizations, the practice manager often fills the role of Privacy Officer and Security Officer. HIPAA is just one of many regulatory burdens on the manager’s plate, and it is probably not the highest priority. The same is true for HIPAA Business Associates, who may or may not understand their substantial obligations under HIPAA and under the Business Associate Agreements they signed. So it is understandable that HIPAA compliance may have morphed into “HIPAA Lite,” with providers and their Business Associates hoping that what they have in place will suffice and that they will fly under the radar of the U.S. Office for Civil Rights (OCR). This was much easier to do in past years, when OCR enforcement focused on advising and assisting with compliance and OCR lacked the resources to do much more.

But times have changed. In recent months, OCR has entered into resolution agreements with both Covered Entities and Business Associates, including the largest financial settlement obtained by OCR from a HIPAA-regulated entity ($5.55 million from Advocate Health Care Network for breaches involving its physician-led medical group). The Advocate settlement noted the extent and duration of noncompliance, in some cases dating back to the inception of the Security Rule in 2005. OCR’s settlement with Catholic Health Care Services, a HIPAA Business Associate to skilled nursing facilities, imposed a $650,000 fine and a two-year corrective action plan focusing on Catholic’s lack of a risk analysis, a risk management plan, and at least fifteen mandated policies.

Expanding the scope of its enforcement efforts, OCR has also announced an initiative to more widely investigate the root causes of smaller breaches, i.e., those in which fewer than 500 persons are affected and which are reported by Covered Entities on an annual basis. These smaller breaches will likely draw OCR’s attention if they involve theft or improper disposal of unencrypted PHI, or unwanted intrusion into an IT system. Once OCR starts investigating one aspect of HIPAA compliance, the door is open for it to look at the organization’s entire HIPAA and data breach compliance efforts.

Increasing your efforts to ensure HIPAA compliance is not easy. Capehart Scatchard is offering a seminar to help Covered Entities and Business Associates be prepared when OCR comes calling.


Denise L. Sanders, Esq.

About the Author

Denise leads Capehart Scatchard’s Privacy & Security Practice and is a Shareholder in the Healthcare Law Group. She has extensive experience representing healthcare providers in complying with HIPAA and HITECH requirements and advising private businesses and governmental entities on cybersecurity issues.

She participates in New Jersey’s Cybersecurity & Communications Integration Cell and has written and presented extensively on these topics.
