HHS Enforcement of HIPAA Safeguards and Personal Health Information (PHI)
White Paper
OCTOBER 2020

The Department of Health and Human Services Office for Civil Rights (OCR) enforces HIPAA safeguards. Many organizations were found to have given unauthorized personnel access to PHI data, or to systems or devices that hold PHI. Per HHS guidelines, finding PHI, or the unauthorized handling of devices that hold PHI, constitutes a violation.
The basic principles of safeguarding PHI are:
  • Patient Health Information (PHI) must be secure
  • PHI cannot be viewed by unauthorized individuals
  • Documented risk mitigation plans must be followed and managed
  • Employers are responsible for employees and contractors who do not follow policies
Enforcement Examples

The following three cases capture the strict adherence of HHS and the States to best practices in safeguarding PHI:

1. Physical Safeguard Violations result in 3.5 million-dollar fines

HIPAA physical safeguard rules were violated when the:
a) Organization failed to implement policies and procedures to safeguard its facilities and the equipment therein from unauthorized access, tampering, and theft in accordance with 45 C.F.R. 164.310(a)(2)(ii).
b) Organization failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain PHI into and out of a facility, and the movement of these items within the facility, in accordance with 45 C.F.R. 164.310(d)(1).
c) Organization failed to implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI, in accordance with 45 C.F.R. 164.310(b).
d) Organization failed to implement a mechanism to encrypt and decrypt PHI in accordance with 45 C.F.R. 164.310(a)(2)(iv).
e) Organization failed to implement policies and procedures to address security incidents in accordance with 45 C.F.R. 164.308(a)(6)(i).

2. Non-secure Transport Violations result in 100 thousand-dollar fines

a) Organization impermissibly disclosed PHI by leaving the PHI in an unlocked truck in the organization parking lot, or by granting permission to an unauthorized person to remove the PHI from the organization and leaving the PHI unsecured outside the organization facility.

3. Inventory Violations result in 100 thousand-dollar fines

a) Organization needs to evaluate risks to its own systems, apps, and equipment, as well as complete an inventory of all its facilities, electronic equipment categories, data systems, and apps that maintain, store, or transmit PHI. The results are due to OCR within 30 days of the effective date.