bility for investigating HIPAA violations was given to HHS' Office of Civil Rights (OCR), with set procedures for investigations and hearings. The HITECH Act further modified OCR enforcement power in 2009, increasing the minimum and maximum penalties possible and creating a new tiered penalty system based on violator culpability. Since 2003, the OCR has received more than 186,000 HIPAA complaints and imposed civil penalties totaling $78.8 million. The majority of breach investigations are instigated by unauthorized access or disclosure of PHI, with hacking/IT incidents as the second most frequent cause. The following are selected OCR enforcement actions from recent years that highlight vulnerabilities that ASCs should consider:

Memorial Health System

What happened: The login credentials of a former physician office employee were not terminated, causing impermissible access to the PHI of 115,143 individuals. This information was then disclosed to affiliated staff. The access occurred over the course of a year between April 2011 and April 2012. Memorial Health System (MHS) did have workforce access policies in place but failed to implement procedures for reviewing users' rights of access as required under HIPAA. MHS agreed to a $5.5 million settlement and a robust corrective action plan.

Takeaway for ASCs: As with most health care facilities, ASCs have constantly rotating clinicians and affiliated staff. Access to PHI must be limited strictly to authorized users, and ASCs should implement controls and audits to ensure that authorized user lists are up to date. While a health system with multiple hospitals and ancillary facilities driving revenue can withstand a settlement of this magnitude, a single ASC might not recover from a similar breach.
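One way to implement the periodic access review that the Memorial Health settlement turned on, as an added example that is not code from the article or from ASCA: reconcile the HR workforce roster against the enabled accounts and flag accounts of terminated staff, logins after the termination date, accounts with no roster entry, and dormant accounts. The roster, account list, field names and the 90-day dormancy threshold are constructed assumptions.

```python
from datetime import date

# Constructed sample data (not from the article): an HR workforce roster and an
# account export from the EHR or directory. Dates are ISO strings (YYYY-MM-DD).
ROSTER = [
    {"user": "jdoe", "status": "active", "termination": None},
    {"user": "rlee", "status": "active", "termination": None},
    {"user": "asmith", "status": "terminated", "termination": "2011-03-31"},
]
ACCOUNTS = [
    {"user": "jdoe", "enabled": True, "last_login": "2012-04-10"},
    {"user": "asmith", "enabled": True, "last_login": "2012-04-02"},      # former employee, still logging in
    {"user": "contractor7", "enabled": True, "last_login": "2011-09-01"}, # no roster entry at all
    {"user": "rlee", "enabled": False, "last_login": "2012-01-15"},       # already disabled, no finding
]
REVIEW_DATE = "2012-04-30"   # the date the review is run (constructed)


def review_access(roster, accounts, as_of_iso, dormant_days=90):
    """Return (user, finding) pairs for every enabled account that should not
    be enabled, or that shows activity an access review must explain."""
    as_of = date.fromisoformat(as_of_iso)
    by_user = {r["user"]: r for r in roster}
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue                      # disabled accounts are out of scope
        person = by_user.get(acct["user"])
        last = date.fromisoformat(acct["last_login"])
        if person is None:
            findings.append((acct["user"], "enabled account with no roster entry"))
        elif person["status"] == "terminated":
            term = date.fromisoformat(person["termination"])
            msg = "enabled account of terminated worker"
            if last > term:               # the Memorial Health pattern: use after departure
                msg += f"; last login {last} is after termination {term}"
            findings.append((acct["user"], msg))
        if (as_of - last).days > dormant_days:
            findings.append((acct["user"], f"no login in {dormant_days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in review_access(ROSTER, ACCOUNTS, REVIEW_DATE):
        print(f"{user}: {finding}")
```

Each finding is a ticket for the reviewer: disable the account, or record why it legitimately stays open.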


ASCA's HIPAA Workbook for ASCs assists you in designing, updating and evaluating your facility's HIPAA compliance program. ASCA members can download this valuable workbook for free.

Raleigh Orthopedic Clinic of North Carolina

What happened: To digitize patient records, the Raleigh Orthopedic Clinic gave X-rays and PHI for 17,300 patients to a potential business partner. Before doing so, however, the clinic did not execute a business associate agreement. OCR fined the clinic $750,000 and required it to revise its HIPAA policy, as well as designate a person on its staff as the responsible individual for HIPAA-related issues, particularly business associate agreements.

Takeaway for ASCs: This scenario highlights that HIPAA does not affect only large hospital systems. This relatively small clinic was held to the same standards as a large hospital. The headline stories on HIPAA violations usually involve large actors, but that does not mean smaller health care providers are not violating the regulations. In addition, as ASCs are innovators in the health care market and might be trying to be innovative with their medical records, they should review HIPAA guidelines during these endeavors and changes. Business associate agreements are often overlooked but are vital to protecting your ASC.

The University of Texas MD Anderson Cancer Center

What happened: MD Anderson is an academic institution and cancer treatment and research center in Houston. Three separate data breaches occurred in 2012 and 2013, resulting in the loss of a laptop and two unencrypted USB drives containing PHI for more than 33,500 individuals. The required settlement of $4.35 million was the fourth largest amount ever awarded in a settlement for HIPAA violations.

Takeaway for ASCs: The foundation for this settlement goes all the way back to MD Anderson's device encryption policies. OCR found that MD Anderson had written specific encryption policies in 2006, identifying device encryption as a possible security vulnerability. Despite this, it failed to adopt any enterprise-wide solution until 2011, and even then, the solution was rolled out sporadically. The ramifications for not encrypting devices are extremely serious since, as seen here, loss of a small number of unencrypted devices could mean exposure for thousands of individuals' PHI.

Resources for Compliance

HHS maintains several HIPAA-related resources on its website. Perhaps most helpful is the monthly OCR Cyber Awareness Newsletter, which assists health care entities in understanding vulnerabilities and what security measures can be taken to reduce the chances of a breach. Topics from the 2018 newsletters include phishing, workstation security and guidance on disposing of electronic devices. OCR also provides an abundance of enforcement data, including national and state case volume, examples and resolution agreements. ASCA provides a bi-annual HIPAA update on the ASC Focus website that details enforcement actions during the most recent half year. For more information, write Alex Taira at

Alex Taira is ASCA’s policy analyst. Write him at

