Enforcement Trends: Lessons from the HIPAA Privacy Rule

by Sarah Harvey / February 15th, 2018

Enforcement of the HIPAA Privacy Rule

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy Rule. Enforcement trends are the most direct way that the OCR can tell us what or where they’re looking at. In the most recent enforcement results, the OCR reports that it has received over 171,161 complaints since the HIPAA Privacy Rule took effect in 2003. These complaints have been against all types of covered entities, such as national pharmacies, medical centers, health plans, hospital chains, outpatient facilities, and private practices. 98% of these cases have been resolved through enforcement actions including investigations, fines, and corrective actions that require systemic changes in privacy practices and technical assistance.

From the OCR’s enforcement trends, we can see that the most frequently investigated compliance issues in relation to the HIPAA Privacy Rule are impermissible uses and disclosures of PHI, lack of safeguards of PHI, lack of patient access to PHI, and use or disclosure of more than minimum necessary PHI. We can also see that the most common types of covered entities required to take corrective action are hospitals, private practices, outpatient facilities, pharmacies, and health plans. Let’s take a look at the most frequently investigated HIPAA Privacy Rule compliance issues to see what lessons your organization can learn from enforcement trends.

Impermissible Uses and Disclosures of PHI

To provide the best care possible, health care professionals need information. Treatment, research, quality, payment – it all requires information about patients. But, how do you determine when information sharing is permissible under the HIPAA Privacy Rule and when it is not? In general, HIPAA supports the sharing of PHI when it falls under treatment, health care operations, and payments. For example, a covered entity could disclose PHI to another covered entity or business associate in order to treat or coordinate care for patients, enable case management, for quality assessment or improvement purposes, and for population health purposes. Even with this general definition, there can still be misunderstanding over impermissible uses and disclosures of PHI. The U.S. Department of Health & Human Services’ guidance states, “Confusion about the rules has been cited by many as a potential obstacle to interoperability of digital health information.”

Impermissible uses and disclosures of PHI is an enforcement trend because there’s so many situations where this could apply – employers, family members, other patients, law enforcement, media, etc. To help you understand impermissible uses and disclosures of PHI, let’s consider how the HIPAA Privacy Rule would function within a doctor’s office. The HHS describes this scenario: in a public waiting room, a member of a medical practice discussed HIV testing procedures with a patient. By discussing this in a public area and using a device that displayed PHI, the staff member disclosed PHI to the other individuals in the waiting room. Among other corrective actions, the OCR required this medical practice to revise and implement its policies and procedures regarding safeguards the communication of PHI. How do your organization’s policies and procedures cover impermissible uses and disclosures of PHI? Enforcement trends highlight that it’s vital to include details like these so that you can comply with the HIPAA Privacy Rule in any type of situation.

Lack of Safeguards of PHI

The HIPAA Privacy Rule requires that covered entities apply administrative, technical, and physical safeguards to protect PHI. These safeguards could be things like access controls, physical security measures, or secure disposal policies. Training your employees and implementing these safeguards is vital in protecting your organization from a lack of safeguards of PHI.

To demonstrate the danger of lack of safeguards of PHI, let’s look at this example: an employee of a pharmacy placed a customer’s insurance card in another customer’s prescription bag. Would you think that an insurance card is considered PHI? The pharmacy didn’t, but the OCR explained to the pharmacy that insurance cards do meet the definition of PHI. The pharmacy was required to amend its policies and procedures regarding PHI and re-train staff. From this enforcement trend, we can learn that organizations should evaluate the effectiveness of their safeguards by asking what risks for disclosure exist for each process and determining whether there are sufficient controls in place to prevent those risks from being exploited.

Lack of Patient Access to PHI

The HIPAA Privacy Rule exists so that patients know they have rights, what those rights are, and how those rights are respected; providing patients with easy access to their own PHI is a part of those rights. What if you couldn’t monitor a chronic condition because you didn’t have access to your medical records? What if you couldn’t identify all of your allergies because a covered entity refused to give you access to your medical records? A lack of patient access to PHI can make individuals feel out of control, or that they cannot make the most-informed medical decisions possible. Guidance regarding patient access to PHI states, “With limited exceptions, the HIPAA Privacy Rule provides individuals with a legal, enforceable right to see and receive copies upon request of the information in their medical and other health records maintained by their health care providers and health plans.”

To help you understand a lack of patient access to PHI, consider this scenario at a private practice. A complainant claimed that a private practice denied her access to her PHI because of an outstanding balance, which was confirmed during the OCR’s investigation. Corrective actions for this private practice included technical assistance to explain that, in general, a covered entity cannot deny a patient access to their PHI because of an outstanding balance. The covered entity was also required to provide the complainant with a copy of her medical record. Do your policies and procedures create obstacles to patient access to PHI? If so, you must determine whether they have a legal basis for maintaining those obstacles.

Use or Disclosure of More Than Minimum Necessary PHI

In many frameworks, it’s required that organizations make an effort to use, disclose, and request only the minimum amount of sensitive information needed for an intended purpose or to carry out a function; this is also the case for the HIPAA Privacy Rule. 45 CFR 164.502(b), 164.514(d) states, “PHI should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of PHI.”

The more people who have access to PHI, the more risk there is. At a dentist office, the OCR investigated claims that some medical records were marketing with an “AIDS” label on the outside cover, and records were handled in a way so that other patients and staff without need to know could read the sticker. To resolve this issue, the dentist office was required to immediately remove the “AIDS” labels and amend its policies and procedures to outline that labels such as these should be on the inside cover of medical records. From this enforcement trend, the lesson is to determine if instances of disclosing PHI are necessary to treat, operate, or obtain payment.

If your organization follows the HIPAA Privacy Rule, you must pay attention to enforcement trends. These trends can help you focus on and re-evaluate controls that the OCR may audit. From recent enforcement trends, your organization can evaluate:

  • How do your policies and procedures cover impermissible uses and disclosures of PHI, lack of safeguards of PHI, lack of patient access to PHI, and use or disclosure of more than minimum necessary PHI?
  • How do you evaluate the effectiveness of your safeguards?
  • Do your policies and procedures create obstacles to patient access to PHI?
  • How do you determine if instances of disclosing PHI are necessary to treat, operate, or obtain payment?

Contact us to learn more about enforcement trends and how a HIPAA Privacy Rule Assessment can help ensure your compliance.