Insurers and insurance brokers could face fines over what seem to be strange, or even unfair, health privacy and data security cases, and that’s how the system works.
Stephen Serfass, a partner in the Philadelphia office of Drinker Biddle & Reath, said the covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) health information rules need to learn how the U.S. Department of Health and Human Services Office for Civil Rights sees the rules.
When it comes to deciding how reasonable OCR HIPAA enforcement is, “beauty is in the eye of the beholder,” Serfass said in an interview.
Some decisions to find an entity responsible for a violation “could lead you to scratch your head,” Serfass said.
But Serfass, a member of Drinker Biddle’s privacy and data security group, said some of the head scratchers could be a sign that OCR believes the breach described is a symptom of an entity’s deeper health information protection problems.
“These privacy and data security requirements are meant to be taken very seriously,” Serfass said.
The U.S. Department of Health and Human Services (HHS), the parent of OCR, classifies issuers of major medical insurance and long-term care insurance (LTCI) as covered entities for HIPAA purposes. Any vendors or other entities that share protected health information with covered entities are the entities’ business associates.
For health and LTCI insurers, the list of business associates includes agents and brokers.
A few years ago, OCR organized a wave of audits that focused more on gathering information and educating covered entities than on imposing penalties. OCR is now organizing a second round of audits, the HIPAA Phase 2 audits. The HHS Office of Inspector General has been pushing OCR to be tougher on entities with violations.
OCR seems to be in the early stages of developing the audit target lists, Serfass said.
“A business associate could certainly be the target of an audit,” Serfass said.
Some of the investigations that OCR has already completed may startle laypeople.
In February, OCR announced that it had imposed a $239,800 HIPAA penalty on a home care provider. A former employee had violated company rules by taking records home. Her husband filed a complaint about eight years ago, when he found the records in his home after she left him.
Earlier this week, OCR said Raleigh Orthopedic Clinic P.A. of North Carolina has agreed to pay $750,000 to settle a case involving 17,300 X-ray films. In 2013, the clinic sent the films to a vendor that promised to digitize and then destroy the films. The vendor never digitized the films. Instead, the vendor sent the films, which included the patients’ full names, to a silver recycling company. Neither the vendor nor the recycler ever gave the clinic any legally valid confirmation that the films had been destroyed. Even though the clinic was the victim of a bad vendor and tried to comply with HIPAA, OCR went after the clinic because of the clinic’s failure to get the vendor to execute a business associate agreement, according to OCR.
To avoid running into situations like that, an entity subject to the HIPAA health information rules needs to make championing privacy and data security part of its culture, Serfass said.
The HIPAA health information protection effort has become a big, growing focus of interest for law firms. At Drinker Biddle, for example, about 5 percent of the lawyers have something to do with health information protection, and Serfass estimates that HIPAA-related issues may take up roughly a quarter of their time in a given month.
Serfass said OCR has been doing a good job of updating the health information protection community about the Phase 2 audits.
“OCR seems to be committed to communicating very clearly about what’s happening,” Serfass said.