In this era of HIPAA enforcement, it is important to understand the fundamental role of the privacy regulations. Privacy outlines the big picture for compliance. Failing to understand and implement privacy's administrative, technical and physcial safeguards can be a costly miscalculation.

Privacy regulations have been in effect since 2003 and are updated regularly on the Department of Health and Human Services’ (HHS) website.

These regulations list compliance requirements for protected health information (PHI) in all formats (oral, paper or electronic). Security regulations are a subset of privacy limited to PHI in electronic format (ePHI). Privacy encompasses the big picture for compliant access, use, and disclosure of all PHI, including ePHI. Investing the staff, resources and time necessary to meaningfully implement privacy regulations is the entrée to compliance and a prudent business decision.

Prior to 2009, regulated organizations were primarily self-monitoring. The lack of outside accountability precipitated the major investment of staff and resources allocated for HIPAA compliance being directed towards building and supporting electronic health records systems. Fewer resources were dedicated to the less concrete, yet more comprehensive, role of privacy. Responsibility for patients’ and clients’ rights; uses and disclosures of PHI; role-based access issues; business associates; and other privacy issues were disbursed over many departments. This resulted in insufficient compliance, lax oversight and a high occurrence of violations.

HITECH’s enactment in 2009 refocused HIPAA enforcement on the privacy regulations.

HITECH mandates the implementation of complaint and breach report procedures, requires accountability for management of PHI, establishes higher sanctions for violations including a new category for willful neglect, and initiated a random audit program for an expanded list of regulated organizations by HHS’ Office of Civil Rights (OCR).

More federal and state regulatory agencies, including FTC and states’ attorney generals, now coordinate with HHS’ enforcement actions. Their websites regularly post results of enforcement actions as notice and guidance for regulated organizations. Most violations settle with corrective action plans (CAPs); some include fines tipping millions of dollars.

Many CAPs require hiring auditors to monitor and report to HHS on CAP compliance, particularly revising policies and procedures and workforce training programs (basic privacy administrative safeguards) over a period of years. As the following three cases from HHS’ website confirm, HHS is serious about privacy compliance.

Cignet Health failed to respond to requests of 41 patients to access their medical records, a right guaranteed by privacy regulations. These patients filed complaints directly with HHS. OCR investigated and demanded release of the records. Cignet failed to cooperate or engage in any reasonable resolution. OCR then subpoenaed the records; Cignet did not comply. OCR’s subpoena was enforced by the District Court whose Final Determination mandated their release, levied a $1.3M fine for its breach of patients’ privacy rights and an additional $3M fine for willful neglect of privacy regulations and failure to cooperate with OCR. It took a $4.3M fine for Cignet to implement privacy regulations.

CVS Caremark (CVS) incurred a $2.25M fine for disposing PHI on labels of medication vials and old prescriptions with its regular trash. Privacy regulations confirm that CVS is responsible for its PHI from creation until its secure destruction. Unsecured trash containers are an all too common source of confidential information for identity thieves today. This issue was the focus of a local news investigation which reported on CVS’s trash disposal practices. FTC coordinated with OCR’s investigation addressing consumer protection issues. CVS agreed to a CAP which included a $2.25M fine and required it to implement policies and procedures for secure disposal of PHI as well as accountability procedures for staff violations, and workforce retraining programs throughout the corporation. CVS was also required to retain an independent auditor to report back to HHS on its CAP compliance for a three year period. Further, CVS was subject to FTC monitoring for 20 years.

Affinity Health Plan paid a $1.2M fine for failing to erase PHI from photocopier hard drives before returning the photocopiers to its leasing agents. CBS news uncovered the breach as a part of an investigative report wherein it purchased a photocopier previously leased by Affinity and analyzed its hard drive. It contained the PHI of over 300,000 of Affinity’s patients, the type of PHI protected directly by the privacy regulations. Affinity self-reported the breach to HHS, notified its clients, and agreed to a CAP requiring revision of policies and procedures and workforce training programs, completing regular internal risk analyses to identify threats and vulnerabilities to its PHI, and implementing a plan including technical safeguards to purge and dispose of PHI in all formats in a private and secure manner. The CAP also required Affinity to use its best efforts to retrieve all hard drives returned previously to leasing agents.

These are costly errors for regulated organizations’ failure to implement privacy regulations into their compliance plans. Patients and the public are aware and looking for violations. OCR audits are scheduled to start up again in October 2014 but violations can generate an OCR contact at any time. Privacy regulations, at a minimum, require organizations to remain on top of the flow of all PHI, including ePHI, under its control from the time of its creation, throughout its lifespan, to its secure destruction. Don’t miss the big compliance picture by a myopic focus on ePHI.