The current enforcement landscape

“Knowing what’s in the pipeline, I suspect that that number will be low compared to what’s coming up.” – Department of Health & Human Services OCR Counsel Jerome B. Meites, referring to the $10 million collected in HIPAA settlements from June 2013 to June 2014

The above quote, which has been cited several times in this blog, should give us a sense of where HIPAA enforcement is headed: straight up. A June article in Data Privacy Monitor on a Law360 interview with Meites, a regional attorney for the agency, at an American Bar Association meeting in Chicago. The ramifications for healthcare organizations, including hospitals and ASP’s (application service providers), are substantial since noncompliance is detrimental both financially and reputationally.

To further underscore the amplification of enforcement, he noted that the $10 million – a substantial chunk of which was a single $4.8 million settlement announced by the OCR (Office of Civil Rights, the HHS subagency charged with enforcement activities) in May – would “pale in comparison to the next 12 months.”

Meites said that the crackdown by the OCR was intended to set examples so that healthcare organizations would take the law more seriously. He referenced a statement made by Leon Rodriguez, Director of the Office of Civil Rights, regarding the Final Omnibus Rule that went into effect September 23, 2013.

Rodriguez remarked that the language within the rule represented the broadest adjustments to the privacy and security parameters of HIPAA since it was first enacted. More notably regarding compliance, though, he said that the new regulations don’t just improve data protections “but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections.”

Meites also hinted that the OCR will be going after some whales, commenting that HHS executives believe they can create a healthcare ripple effect via “high-impact cases.”

Data Privacy Monitor hypothesizes that, although Meites didn’t mention this report (which is probably an embarrassing document for the HHS OCR), the recent crackdown could be primarily in response to a November 2013 paper by the Office of the Inspector General (another office within the HHS). The report – which has the damning title, “The Office of Civil Rights Did Not Meet All Federal Requirements in its Oversight and Enforcement of the Health Insurance Portability and Accountability Act Security Rule” – provides a relatively objective perspective that the OCR itself wasn’t compliant with the law, especially the Security Rule (which, like the Privacy Rule, falls under the more far-reaching Title II of the law).

What to do – compliance nuts and bolts

Last August, an excellent article was published by Medical Economics intended to help healthcare organizations protect themselves from hefty fines and loss of credibility. In the report, Jeffrey Bendix, MA, explains that the changes to the Omnibus Rule last year were brought about by the passage of HITECH (the Health Information Technology for Economic and Clinical Health Act of 2009), according to Robert Tennant, MA, policy chief at the MGMA-ACMPE (Medical Group Management Association-American College of Medical Practice Executives). That act incentivized a transition to EMR (electronic medical records), which led the government to reconsider the strengths of data protection.

Health law attorney Kenneth Rashbaum of Rashbaum Associates (New York City) told Bendix that the reason HHS is “adamant about enforcement” has to do with the specific characteristics of computer information. Electronic data is unlike hardcopies in two core ways:

  1. The information is broader in scope.
  2. In a poorly protected environment, loss of information or accidental changes can occur instantaneously and without the organization even noticing.

The OCR enforces the Privacy Rule and Security Rule through two mechanisms:

  • investigation of any complaints made by patients or other concerned parties
  • compliance audits of covered entities and their relationships with business associates.

The agency flexes its muscles and publicly admonishes violators by presenting PHI (protected health information) security incidents involving 500+ patients. If a company is negligent with its security practices and a breach occurs, they could end up on that page, typically referred to as the “Wall of Shame” by security experts and policy specialists, per Tennant and Computerworld.

Keeping your hospital or ASP “off the wall” & within budget

The primary advice from Bendix to keep your firm off the HIPAA Shame Wall is to “be proactive,” echoing Tennant’s encouragement to “be really aggressive.” Obviously, it makes sense not to get into a bad position in the first place so that you can avoid the horror of a federal investigation.

Tennant is quick to argue that you do not need to bring in an outside security consultant for a risk assessment. Instead, take advantage of the free resources provided by HHS and professional associations.

We explore specific advice and resources for DIY HIPAA compliance below, but for now, here is the official OCR Guidance on Risk Analysis.

See the below link for the continuation of this piece.

We believe that protecting information is primarily about having the best possible information yourself. That’s part of our value as a hosting service specializing in HIPAA compliance solutions: reliable information. Check out our handy HIPAA Hosting options to learn more.

>>> Part 2: CYA’s, BAA’s & Cyber Insurance