Chris Reddick (President and CEO at Clarity Ventures) and Ron Halversen (Vice-President of Sales and Marketing at Clarity) discuss the penalties that the Office for Civil Rights can levy.

Part 9 of a 13-part series (Return to Part 8)

CHRIS: If we go to the enforcement process, this is an excellent resource because you can visually see what they do. And one of the things that I want to point out here is, they literally have the option to refer this to the Department of Justice. That alone should be an indication of how serious this is. They do a review, they validate the situation, and determine if there is a criminal violation. So again, there's a potential with HIPAA security that you are criminally negligent. That could get referred to the Department of Justice, and that could be really serious. So just keep that in mind throughout the process. 


CHRIS: Generally speaking, though, if it does go through the OCR, they're going to tend toward conducting an investigation unless they make a determination not to, and then they're just going to provide technical assistance down that resolution path. And I think a lot of these scenarios end up falling into intake and review resolution. Possible HIPAA rule violation, decide not to investigate, and they just make technical assistance available or recommendations. 
 
But that, again, is sort of the point. If you're getting those, you need to take it seriously and understand, yeah, maybe they didn't decide to investigate at that point or refer it to the DOJ even. But you've gotten some grace potentially, so fix it permanently if there are issues they tell you about, take it seriously. 
 
If it does go into investigation, then there are a lot of options here for how they output from that. One of the biggest things is they can obtain voluntary compliance, corrective action, they can charge penalties. And some of the penalties are nuts, per incident or per-patient breach cost or violation. [These] can be dramatic, it can be very substantial. 
 
But one of the things that you can see, like if you have hundreds, thousands, tens of thousands or more patients, if there's a per-patient incident that occurs, this can add up really fast. Some of the EMR/EHR systems have paid literally tens of millions of dollars because of issues and violations. So please take this seriously.  

But you don't want to be just overly scared about it either. And I know that's an oxymoron almost. But the bottom line here is that, if you look at what they're saying here, they're basically going through this progressive process where they're trying to see if something serious happened. And one of the biggest things I can tell you is if there is an investigation or a review, they're probably going to be asking for what your processes were, what are your documentation processes, what did you actually note as risk, and then address?  

This is probably one of the biggest things that I see most folks missing, so just keep that in mind. Ultimately that is going to show goodwill, and at least that you are going to be a good actor in this space. Even if you miss something, generally that's going to put them in a better position to not have to be as aggressive with you. 
 
One of the other things that I would note is the enforcement data page, which is also a little bit more detailed. You can see that the cases they close fall into five different categories. You see this on that visualization, but this page gives some links and provides detailed text around each of these. If you scroll down beyond that, you can see they go into enforcement results by year, enforcement results by state, and top issues in investigated cases. These are just really, really helpful. You can actually see some of the types of HIPAA eCommerce problems that occur.

If you go into the top five issues in investigated cases, this is sort of a repeating situation. Impermissible uses and disclosures, that's the number one issue. Access and safeguards, those are number two and number three; depending on the year, they flip-flop. Then administrative safeguards, and finally it gets into some of these other aspects: HIPAA breach notice to individuals, technical safeguards, and minimum necessary.

But there's a common theme here. It's basically like, “Are we limiting use [access to data], making sure that folks aren't doing things with the data that they shouldn't? Like doing marketing stuff that's going to be impermissible, use and disclosure, for example. Maybe someone internally has access to it that shouldn't. Do we have any safeguards in place and administrative safeguards?”


CHRIS: Then it goes into technical safeguards and minimum necessary [HIPAA security]. So this is a theme that you want to take from the OCR about their investigated cases, and they're saying these are the ones that were closed with corrective action. So from looking at this data, it's pretty clear what they're saying— they even go on to talk about it in different cases. But these are baseline things that anyone can do. Even if they aren't perfect, they can really tighten things down and lock them down.

You almost want to think about it like a government base, for example, where everyone on the government base is willy-nilly talking about the classified information that they're working on. And if whoever is in charge of that base doesn't tell everyone, “Hey you need to stop talking about this. This is classified and it could cause the secrets to get leaked out. And hey, let's compartmentalize some of this information. So it’s less likely to leak out easily.” I mean, these are just basic things that you can do. It's the same concept in general, but with ePHI data.  

So anyway, I think this is really helpful to reinforce, and that's the whole point of it: to reinforce the actual rules and executing on them. Again, if you take a look at the resolution agreements page on the official HIPAA website, you can see some really interesting cases. A lot of folks have problems getting internal buy-in to do the work and put the time in, in order to reach a certain level. This is really ammunition for that scenario.

You have years of data...in the list, there are millions of dollars that were paid in these resolution agreements. Some of them are quite large amounts. And these are settlements, essentially with the OCR, where they're basically ending up charging millions and millions of dollars for HIPAA violations. So isn't it much less expensive—not to mention the credibility hit—isn't it so much less expensive to just fix the issues and operate like a classified government base? To keep the information compartmentalized, minimize the information that's getting out. That's the same type of concept.


CHRIS: There are also details here. We went through some of the case examples and talked about how those are available. There are also examples on the audit program and how it works. There's really a walkthrough of that. You can take a look at the audit program. You'll see that some of this is relatively older, and there was essentially a program to go through, do an audit, and have it go through a certain process.

But in general, I think the biggest thing you want to note here is that the OCR, from their communication and even some of their most recent messaging for settlements, really imply clearly—and they don't always come out and say it—but they really imply clearly that, if you just have some of these baseline pieces in place, there won't be as much negative impact if you do have a breach or you have an issue. 

If you're trying and you're doing your best, you're documenting it, you're training your staff, you're identifying risks, and you're going through the process of complying with HIPAA, it's most likely that you will prevent issues with that. So if there is an issue with your HIPAA-compliant eCommerce platform, the implication is that there's going to be more grace. Again, I'm not the OCR and I wouldn't say they're guaranteeing that in any way, but that does seem to be the implication in general.

RON: On that last one we just looked at on the agreements, there were two that just were settled like three weeks ago. So they're very active. 

Continue to Part 10 to get advice on first steps to HIPAA compliance.