HHS may target HIPAA violations by smaller-scale health care practices; proper encryption provides protection

February 9, 2013

In January, an Idaho hospice agreed to pay $50,000 to settle allegations that it failed to properly safeguard the electronic protected health information (ePHI) of 441 patients. That was the first Health Insurance Portability and Accountability Act (HIPAA) security breach settlement involving fewer than 500 individuals, and it is part of the U.S. Department of Health & Human Services’ (HHS) expanding enforcement of the federal HIPAA Security Rule beyond major health care institutions.

“While the government has yet to announce any HIPAA Security Rule enforcement actions directly against small health care practices, optometrists should take this settlement as a warning that substantial penalties are now a real possibility for any health care office in which electronic patient information is lost or compromised, even if only a limited number of patients are affected,” said Roger Jordan, O.D., chair of the AOA Federal Relations Committee.

He urged practitioners to review the HIPAA Security Rule and, in particular, to secure electronic patient information through encryption, a process that transforms data so that it cannot be read by anyone who does not hold the decryption key.

Properly encrypted data is exempted from the breach reporting requirements: under HHS guidance, ePHI encrypted in a manner consistent with NIST guidance (NIST SP 800-111 for data at rest) is not “unsecured” PHI, so its loss does not trigger breach notification. The exemption holds only if the decryption key was not lost or compromised along with the data.

All EHR systems certified for use in the federal incentive programs must provide encryption capabilities. Certification means the capability is present; the practice still has to enable it and keep the keys separate from the encrypted data.

“Encryption is an easy method for making lost information unusable, unreadable and undecipherable,” said Leon Rodriguez, director of the HHS Office for Civil Rights (OCR).
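The article’s central recommendation is encryption of ePHI, so here, as an added example that is not code from the article, the AOA or HHS, is what “properly encrypted” data looks like in practice: AES-256-GCM authenticated encryption in Go (standard library only), with the key generated separately from the data. The sample patient record and the function names are constructed for illustration. Beyond the article’s point that lost ciphertext is unreadable, the example also shows why authenticated encryption matters: a wrong key or a single altered byte is rejected outright rather than decrypted into garbage.

```go
// Added example, not from the AOA article or from HHS/AOA materials.
// Demonstrates "properly encrypted" ePHI: AES-256-GCM (confidentiality plus
// integrity) with the key generated and held separately from the data.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample record for the demo; not real patient data.
const sampleRecord = "patient=441;dob=1950-01-01;dx=open-angle glaucoma"

// NewKey returns a fresh 256-bit key from the OS CSPRNG. In a real practice the
// key lives in a separate key store (hardware token, OS keychain, EHR key
// manager), never in a file beside the encrypted database on the same laptop.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM. Output layout: nonce || ciphertext || tag.
// A fresh random nonce per message is required; reusing a nonce under one key breaks GCM.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It fails closed: a wrong key or any modified byte
// yields an error, never partially correct plaintext.
func Decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// Demo exercises the three outcomes a practitioner should expect:
// the right key recovers the record, a wrong key is rejected, tampering is rejected.
func Demo() (roundTrip, wrongKeyRejected, tamperRejected bool, err error) {
	key, err := NewKey()
	if err != nil {
		return
	}
	sealed, err := Encrypt(key, []byte(sampleRecord))
	if err != nil {
		return
	}
	pt, err := Decrypt(key, sealed)
	if err != nil {
		return
	}
	roundTrip = string(pt) == sampleRecord

	other, err := NewKey() // a lost laptop without its key is in this position
	if err != nil {
		return
	}
	_, e := Decrypt(other, sealed)
	wrongKeyRejected = e != nil

	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the authentication tag
	_, e = Decrypt(key, sealed)
	tamperRejected = e != nil
	return
}

func main() {
	rt, wk, tp, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("round trip ok: %v, wrong key rejected: %v, tampering rejected: %v\n", rt, wk, tp)
}
```

The safe harbor described above only helps if the key is not lost with the device: a practice that keeps the key in a configuration file next to the encrypted records has, for breach purposes, lost both. Key separation is the part of “properly encrypted” that the algorithm choice alone does not give you.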

The HIPAA Security Rule requires all health care practices that maintain or transmit patient information electronically to establish written policies on safeguarding that information in line with federal requirements.

“This (enforcement) action sends a strong message to the health care industry that, regardless of size, (HIPAA-covered) entities must take action and will be held accountable for safeguarding their patients’ health information,” Rodriguez said.

AOA members can find information on compliance with the HIPAA Security Rule at www.aoa.org/HIPAA.

Practitioners should conduct a “gap analysis” (the Security Rule’s own term is a risk analysis), as outlined in the HIPAA security regulations, to spot potential vulnerabilities in their ePHI security measures, including patient information stored on laptop computers, CDs, cell phones or other mobile devices that could be easily lost or stolen.

For step-by-step instructions on developing practice security policies, conducting gap analysis, and other measures required under the security rule, see the AOA HIPAA Security Manual (www.aoa.org/HIPAA).

Dr. Jordan warned that practitioners who fail to implement HIPAA security policies and conduct a security gap analysis are at risk of penalty.

Protect your patients’ data

A new educational initiative, “Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information,” offers health care providers and organizations practical tips on ways to protect their patients’ health information when using mobile devices such as laptops, tablets, and smartphones.

The initiative was launched by the HHS Office for Civil Rights and the HHS Office of the National Coordinator for Health Information Technology.

More information is available at www.HealthIT.gov/mobiledevices.

Until now, HIPAA Security Rule enforcement has been directed toward large health care-related entities such as hospitals, universities, or insurance companies, and cases in which information on thousands of individuals has been lost or improperly accessed.

Under the HIPAA Security Rule, all health care institutions and practitioners who maintain or transfer patient information electronically must take steps, outlined in the rule (http://tinyurl.com/HIPAA Security), to safeguard that information from loss or unauthorized access.

However, encryption is just one part, albeit a very important one, of a comprehensive HIPAA Security Rule compliance program that virtually all optometric practices should now have in place, Dr. Jordan added.

Breach notices due March 1

Health care practices that experienced breaches of electronic protected health information security during 2012 must file notification reports by March 1.

Health care practitioners are required under HIPAA to report all losses, thefts, or unauthorized access of unsecured ePHI to HHS, in addition to notifying the affected individuals.

Security breaches involving 500 or more individuals must be reported to HHS without unreasonable delay and no later than 60 days after discovery.

Incidents involving fewer than 500 individuals may be logged and reported on an annual basis, no later than 60 days after the end of the calendar year in which they were discovered, which is why breaches discovered in 2012 are due by March 1.

Covered entities must notify the HHS by submitting a breach report form at http://tinyurl.com/HHSOCRreports.
