HIPAA violations prompt maximum fines

Recently, a HIPAA violation ruling ordered a Texas cancer center to pay $4.3 million in penalties. This was the fourth-largest amount ever awarded, granted in summary judgment to the Office for Civil Rights (OCR) on all issues by a US Department of Health and Human Services Administrative Law Judge (ALJ). OCR’s investigation found that The University of Texas MD Anderson, both an academic institution and a cancer treatment and research center in Houston, had encryption policies in place since 2006 yet failed to act after the medical center’s own risk analysis found a high risk to the security of ePHI. Enterprise-wide encryption was not adopted within the organization until 2011, and MD Anderson still failed to encrypt electronic devices thereafter, over a period spanning months in 2011 and into 2013.

The recent ruling is a clear example of how severe the penalties for HIPAA non-compliance can be. Even entities that claim they are not in violation of HIPAA are subject to OCR’s vigorous efforts to protect health information privacy. It is a myth that organizations that don’t see patients won’t be held to the same strict regulations as others in healthcare. The rules of HIPAA apply to any organization that obtains individuals’ sensitive PHI, and the repercussions can be just as relentless as in the ruling against MD Anderson. The organization was penalized for each day of non-compliance and for each individual record of ePHI that was breached.

MD Anderson disputed the finding that it had violated HIPAA regulations. One of its assertions was that the ePHI was being used for research. The new guidance described below reminds those in healthcare of the extensive nature of privacy regulations and reaffirms the value of a commitment to protecting private health information. HIPAA regulations do allow access to PHI for research and innovation, but it is important to stay informed on the most up-to-date guidance.

New Guidance on Research Authorization by OCR

On June 14, 2018, the US Department of Health and Human Services Office for Civil Rights (OCR) issued a notice titled “New Guidance on HIPAA and Individual Authorization of Uses and Disclosure of PHI for Research.” The notice and new guidance implement the 21st Century Cures Act (the 2016 mandate), which is designed to speed up the drug approval process and improve medical research. The guidance is meant to streamline the process of receiving approval under HIPAA for the use of PHI in medical research.

In the newly updated guidance, OCR addressed three areas of the Cures Act. First, it describes what counts as a sufficient description of future research purposes. Second, it describes the settings under which covered entities are required to remind individuals of their right of revocation. Lastly, it covers the mechanisms used for revocation.

The guidance requires the Secretary of the Department of Health and Human Services (HHS) to clarify circumstances regarding the authorization of Protected Health Information (PHI):

(1) the circumstances under which the authorization for use or disclosure of protected health information, with respect to an individual, for future research purposes contains a sufficient description of the purpose of the use or disclosure, such as if the authorization

  • (A) sufficiently describes the purposes such that it would be reasonable for the individual to expect that the protected health information could be used or disclosed for such future research,
  • (B) either
    • (i) states that the authorization will expire on a particular date or on the occurrence of a particular event or
    • (ii) states that the authorization will remain valid unless and until it is revoked by the individual, and
  • (C) provides instruction to the individual on how to revoke such authorization at any time;

(2) the circumstances under which it is appropriate to provide an individual with an annual notice or reminder that the individual has the right to revoke such authorization; and

(3) appropriate mechanisms by which an individual may revoke an authorization for future research purposes, such as described in paragraph (1)(C).

The mandate is limited to a focus on “situations in which an entity obtains the individual’s HIPAA authorization for uses and disclosure of PHI for research.”

The requirements for authorized use of PHI

An authorization for the use of PHI for research should be communicated in plain language and include a clear description of the following:

  1. A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion,
  2. The names or other specific identification of the persons authorized to disclose and receive the information,
  3. A description of each purpose of the requested use or disclosure,
  4. An expiration date or expiration event that relates to the individual or the purpose of the use or disclosure.

In addition to these specifications, an authorization must clearly state information that satisfactorily notifies the individual of:

  1. The individual’s right to revoke the authorization in writing;
  2. The ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization; and
  3. The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by the HIPAA Privacy Rule.

Future research

The Cures document goes on to give specific instruction on authorization for use or disclosure in future research cases, based on whether the authorization offers a sufficient description for an individual to view the use of the PHI as reasonable. OCR determined that a future research purpose is compliant “if the description sufficiently describes the purposes such that it would be reasonable for the individual to expect that the protected health information could be used or disclosed for such future research.”

The document also provides valuable guidance on the expiration of authorization and on the corresponding right to revoke authorization. Under these guidelines, an individual may revoke authorization in writing at any time, and the authorization must include an expiration date or an expiration event.

To learn more about HIPAA compliance and cybersecurity management, contact Digital Forge at (877) 369-1831 or visit our website to engage with a qualified compliance expert.
