WASHINGTON (Legal Newsline) – Health care providers need to be mindful of two recent major Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlements to avoid being similarly targeted, two industry attorneys say.
"Health care providers need to stay vigilant and proactive in maintaining HIPAA compliance in all facets of operations," Bruce D. Armon and Karilynn Bayus, both of Saul Ewing in Philadelphia, said in a joint email to Legal Newsline.
"Regular internal self-audits of HIPAA compliance and active review of policies and procedures and forms can help ensure good conduct. Mistakes can always occur.
"Creating and maintaining a committed culture of compliance can help mitigate circumstances that can lead to HIPAA investigations and/or payment of fines and entering into a corrective action plan."
Armon is chair of the Health Care Practice and managing partner of the firm's Philadelphia office. Bayus represents and counsels health care entities and providers in transactional, regulatory and administrative matters. Both have blogged about the recent HIPAA settlements with New York Presbyterian Hospital and Raleigh Orthopaedic Clinic, announced last month.
Raleigh Orthopaedic Clinic agreed to a $750,000 settlement of charges that it violated HIPAA rules by failing to execute a business associate agreement before turning over the protected health information of 17,300 people to a potential business partner. Raleigh Orthopaedic operates clinics and an orthopaedic surgery center in greater Raleigh, N.C.
The settlement includes the $750,000 payment "and a robust corrective action plan," according to the announcement on the Health Information Privacy website of the U.S. Department of Health and Human Services' Office for Civil Rights (OCR).
New York Presbyterian Hospital reached a $4.8 million HIPAA settlement over a data breach, according to the Health Information Privacy announcement. That settlement resulted from a 2010 incident in which New York-Presbyterian Hospital and Columbia University Medical Center sustained a breach of their unsecured electronic protected health information, according to the resolution agreement filed in the settlement.
In that breach, an "errantly reconfigured" hospital server left the protected health information of 6,800 patients accessible to internet search engines, the resolution agreement said.
"These two settlements are continuing a pattern in 2016 of significant payments as part of settlement agreements with the federal government for HIPAA compliance issues," Armon and Bayus said. "Providers of all sizes without regard to geography or even the same allegation of HIPAA non-compliance have been affected."
HIPAA was enacted by the U.S. Congress and signed into law by President Bill Clinton on Aug. 21, 1996. Among its purposes were improving the portability and continuity of health insurance coverage and establishing national standards for the privacy and security of health information.
OCR has investigated and resolved almost 25,000 cases that required changes in privacy practices and corrective actions, according to Health Information Privacy statistics.
Those resolutions included technical assistance from OCR and changes to otherwise noncompliant processes. OCR also has collected more than $33 million through settlements.
"The federal government continues to emphasize the importance of HIPAA compliance for so-called covered entities and business associates," Armon and Bayus said. "There have been more payments assessed so far in 2016 as a result of HIPAA compliance settlements than there were in all of 2015 or 2014."