How to Handle HIPAA Security Incidents, Breaches, Complaints, and Investigations

The Department of Health and Human Services has imposed civil money penalties (fines) as high as $4.8 million for breaches of patient confidentiality under HIPAA, and knowing how to respond to such incidents is crucial to avoiding or minimizing liability. The presenter has successfully defended seven health care providers in investigations by the Office for Civil Rights of DHHS for alleged breaches.

This webinar will cover everything that you need to know about how to handle HIPAA security incidents, breaches, and complaints and the Department of Health and Human Resources Investigations thereof. Not all security incidents are breaches, but all breaches of confidentiality are within the broad ambit of security incidents. Privacy rule violations, such as failing to give a patient a copy of his or her medical records, may also constitute a breach as the $4.2 million fine assessed against Cignet Healthcare of Prince George’s County, Maryland, dramatically proved. Handling an investigation properly is key to determining not only how to handle it to mitigate any harm and to take action to prevent it from happening again but also to determine whether it is reportable to affected individuals and to DHHS.

HIPAA requires a complaint procedure (policy). The webinar will suggest what such a document should contain as it also will for the required report procedure (what is reportable, who reports, to whom, and required/suggested contents of the report) and the required response procedure (what do the responsible officials do after receiving the report or the complaint).

Investigating a possible security incident is key. The webinar will cover how to conduct a thorough investigation of HIPAA security incidents, breaches, and patient complaints.

Finally, the second largest HIPAA civil money penalty or settlement, $4.2 million, was in large part due to the offender’s failure to cooperate with the DHHS investigation. The presenter has successfully defended his clients in seven such investigations and knows how to respond to them to avoid or minimize liability.

As of the so-called HITECH Act, covered entities and their business associates must report certain breaches of HIPAA to DHHS which can result in seven-figure fines, lawsuits, bad publicity, and other sanctions. Remediation costs may be immense, such as the $17 million incurred by Blue Cross/Blue Shield of Tennessee on top of the $1.5 million civil money penalty for not having sufficient security to prevent a burglar from stealing all their computer equipment and media with millions of individuals’ health insurance data. That is not the only method DHHS may learn of a breach, however. Civil money penalties have resulted from complaints by patients, and one even resulted from a newspaper story. Civil money penalties to date range from $50,000 to two in the $4 million range. And a $50,000 or low six-figure fine may doom a small practice. And these fines cannot be discharged in bankruptcy because they are imposed as a punishment rather than compensating the government for that money it had expended. The largest civil money penalty is reserved for breaches that are not handled properly, capped at $1.5 million for identical such breaches in a calendar year. And DHHS considers that, say, if you lose an unencrypted laptop with no other reasonable and appropriate security in its place, it constitutes a separate violation for each patient’s data on the lost laptop. In addition, patients and others who complain to DHHS may receive a portion of any fine, thereby providing an incentive to complain. Also, an audit by DHHS may lead to a civil money penalty.

Nor are these penalties reserved for large practices. Fines have been assessed against two-physician practices and a small hospice in North Dakota. Being not-for-profit provides no immunity, nor does being a government entity. Alaska Medicaid was fined $1.5 million; and a county government (Skagit County in Washington State), $215,000.

Thus, it is crucial to know how to avoid breaches, how to investigate a security incident, how to determine whether it is a breach, when you have to report a security incident to DHHS (and sometimes to state agencies), and how to mitigate (lessen) the harm of a breach. How a so-called covered entity responds to security incidents and breaches receives great scrutiny in DHHS audits and is a factor in determining whether a sanction is warranted and in lessening the fine from what it otherwise might be.

HIPAA requires covered entities to, in addition to its Privacy Officer, have a complaint procedure and a complaint official (who can be the Privacy Officer) in addition to having a report procedure and a response (how do you handle the report) procedure. Failure to have these elements of HIPAA compliance or having inadequate ones constitute a breach of the HIPAA requirements.

Topics which will be covered in the session (bulleted point)

• What is a security incident?
• What is a breach?
• What are the penalties for a breach?
• What types of breaches are likely to result in sanctions?
• What are the HIPAA requirements for handling breaches?
• The Report and Response Procedure.
• Investigating security incidents and patient complaints.
• Taking action on the breach—immediate and subsequent—including mitigation.
• What breaches are reportable to DHHS?
• How to respond to an investigation by DHHS.
• Conclusion and questions and answers.

This webcast will be of a valuable assistance to the below audience.

• HIPAA Security and Privacy Officers
• Healthcare Compliance Officers
• Healthcare Attorneys
• Directors of Health Information Management
• Medical Records Supervisors
• Health Care IT Directors and similar officials
• Office Managers
• Business Associates - those who provide services for covered entities involving health information, such as billing services, transcription services, and the like.