Questions for Carol Richardson
Date: April 1, 2010
Hopkins Privacy Officer
As the privacy officer in the Johns Hopkins HIPAA Office, Carol Richardson is part of a seven-member staff that makes sure the workforce has the resources it needs to keep patient and health plan member information confidential. Beyond lost trust, the consequences of revealing protected health information (PHI) can include hefty fines, civil penalties and even jail time. Dome sat down with Richardson to talk about the latest changes to HIPAA.
What are the implications of the new regulations covering confidentiality breaches through the Health Information Technology for Economic and Clinical Health Act?
The HITECH Act, issued in February 2009, had many pieces, and one portion relates to privacy. There are regulations yet to be issued regarding certain provisions of the law and this has been the focus of our recent broadcast messages to help raise awareness. The interim final regulations were issued in early fall that clarified breach notification requirements of the act. The act itself identified increased penalties and fines for HIPAA violations.
What do you mean by increased penalties?
Previously, HIPAA violations could have resulted in civil action, mainly against institutions. The HITECH Act not only introduced stiffer civil penalties against institutions, but individuals also can be charged criminally and civilly.
For example, any employee who misuses protected health information may be subject to criminal penalties, which can include jail time of up to 10 years. Civil monetary penalties have significantly increased and carry a maximum penalty of $1.5 million during a calendar year for each type of violation. Plus, state attorneys general can bring legal actions against institutions to collect damages and attorneys’ fees on behalf of individuals harmed by the HIPAA violations.
What else did HITECH change?
Before the HITECH Act, privacy violations were reported to our office and we conducted an investigation and tracked inappropriate disclosures. But when we were required to evaluate issues related to the breach notification requirements, we had to implement another process. Now when a privacy issue is reported to us, we may have at least three different processes to go through regarding that issue. Since Sept. 23, 2009, we’ve evaluated 785 inappropriate uses or disclosures of PHI in regard to the breach requirements.
Can you give a couple of examples of these breaches and what the institution did?
Before the breach notification requirements, we had issues with lost, unencrypted flash drives and laptops containing PHI. One of our larger issues was an identity theft investigation performed in conjunction with Corporate Security. In December 2009, a former employee involved in this identity theft situation was sentenced to 18 months in federal prison and ordered to pay over $200,000 in restitution for her role in the identity theft. Her co-defendant pled guilty early in the year and was sentenced to five years in prison and ordered to pay restitution as well.
While there is a risk of a larger event occurring, since the breach notification requirements, the inappropriate disclosures most commonly reported to our office involve faxes sent to the wrong party.
How has investigating privacy complaints differed since HIPAA started in 2003?
In 2003, privacy complaints were easier to investigate. We typically received the majority of the details, and we knew which system to obtain access logs from if the issue related to electronic access. We have always investigated privacy complaints, whether they involve electronic access, information on paper or verbal sharing.
Over time, our investigations have become more complicated. Sometimes we don’t get all the details or there are many systems for which access logs may need to be reviewed. We may have a lot more work to do on gathering as many details as we can before we work with the applicable human resources contact. Plus, since the breach notification requirements went into effect, we now have to evaluate the same privacy issue in regard to these regulations.
Is this job tough?
Yes, if you start with the premise that the Johns Hopkins HIPAA Office can’t make a Johns Hopkins entity compliant. We’re a resource. We can interpret the regulations, provide forms, develop policies and conduct training. But it’s the daily activities that faculty and staff perform that make Hopkins compliant. And management has to hold people accountable. We all have a stake.