HIPAA Final Rule imposes tougher standards

HIPAA is getting tougher based on a recent Final Rule published by the government. Going forward, just about any impermissible use or disclosure of a patient’s information will be considered a breach and is therefore reportable to the Department of Health and Human Services (DHHS).

The Office for Civil Rights (OCR) will determine if the disclosure was due to “willful neglect” in order to determine if they are obligated to investigate the breach. Each violation carries a penalty of up to $50,000. So, situations such as a fax sent to the wrong number, a patient’s statement stuck to the back of another patient’s statement, or a lost jump drive likely will be considered a breach, and therefore must be reported.

Are these situations considered “willful neglect” requiring a review by OCR?

It is hard to say at this point, but they certainly could be treated as such. One factor that may play into determining willful neglect is the timeliness of mitigating the damages and reporting the breach. By responding quickly we improve our outcome when OCR investigates, including the fine per violation, which is tiered from $100 to $50,000 per violation (to a maximum of $1.5 million annually), depending on the circumstances and efforts to mitigate.

Things to think about in response to the new Final Rule include:

  1. Take time to verify that you are only sending the correct information to the correct party when you fax, mail, email, or share information. Also, take time to verify names, addresses, and content to be certain wrong or excess information is not being sent.
  2. Avoid storing patient information on mobile devices or removable media (laptops, tablets, jump drives, CD/DVDs, smart/cell phones). If you must store patient information on mobile devices or removable media, it must be protected by encryption. Contact the manufacturer or the support service through which the device or media was issued for assistance on encryption.
  3. Do not store patient information on mobile devices or removable media (some cell phones, cameras) that cannot be protected by encryption.
  4. Do not transmit patient information via your personal email account (e.g., Gmail, Yahoo, etc.) or text message.

If you have questions, concerns, or if you need to report an incident, please contact your Privacy, Security, Legal, or Compliance Offices. You may also report an anonymous incident by calling the Compliance Hotline at 1-800-362-2921 for UNC Hospitals and the UNC School of Medicine or 1-877-227-3739 for Rex.

More info about encrypting cell phones