Proposed rules aimed at strengthening HIPAA privacy and security requirements have put CIOs and security officers at provider organizations on alert. Experts weigh in on how the changes will play out and what it means for provider organizations.
In February 2011, when 900-bed Massachusetts General Hospital in Boston paid the government $1 million to settle potential violations of the HIPAA Privacy Rule [one element in the federal Health Insurance Portability and Accountability Act of 1996], it sent shock waves through the industry.
“People were surprised because this seemed like a run-of-the-mill data breach,” explains Christine Arevalo, director of Healthcare Identity Management at ID Experts, a Portland, Ore.-based consultancy. “There was no willful neglect involved.” Mass General's was the very first fine for the loss of protected health information under the Health Information Technology for Economic and Clinical Health (HITECH) Act, she adds, but there will likely be many more to come.
The U.S. Department of Health & Human Services' (HHS) website listing data breaches affecting 500 or more individuals is known informally as the “Wall of Shame.” (http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html)
Hospital CIOs, chief information security officers, and privacy officers are working diligently to keep their names off that wall. But they are dealing with a regulatory environment that is still in flux. A final rule that will strengthen HIPAA privacy and security safeguards is due out before the end of the year. HHS also has proposed a rule for the accounting of disclosures from electronic records. The biggest shift under way may be a new enforcement regime, as the HHS Office for Civil Rights (OCR) shifts gears from only reacting to data breach reports to beginning random audits of the privacy and security safeguards of large and small providers and their business associates. Another new wrinkle under the HITECH Act is that state attorneys general can file civil lawsuits for HIPAA violations.
Providers are eager to see how many resources OCR will apply to audits, and one hint came in the form of a scathing May 2011 report from the HHS Office of Inspector General (OIG) criticizing OCR for not being proactive enough. The OIG independently audited seven hospitals and found 151 vulnerabilities in the systems and controls intended to protect patient data, of which 124 were categorized as high impact. It recommended that OCR continue to move forward with implementing procedures for conducting compliance reviews to ensure that security rule controls are in place and operating as intended.
“The response from OCR will probably be knee-jerk,” says Chris Apgar, president of consultancy Apgar & Associates in Portland, Ore. “They are likely to take that report seriously. We know they have hired many new investigators and they will feel prodded to do something.”
From OCR's perspective, hospitals have been especially delinquent, Apgar says. The agency has done investigations of breaches and found hospitals that didn't even have notices of their privacy practices posted.
“A common phrase OCR uses is ‘culture of compliance.’ What they mean by that is that the biggest sin is a lack of policies and procedures to document and correct issues,” Apgar says. Beyond that, he adds, providers should focus on training, disaster recovery, and making sure they have a security incident response team in place.
A PROVIDER'S PERSPECTIVE
Terrell Herzig, data security officer at UAB Health System in Birmingham, Ala., says one uncertainty for people in his position involves the proposed rule's data breach notification details. Initially, HHS established a harm standard under which a breach does not occur unless the access, use or disclosure poses “a significant risk of financial, reputational, or other harm to the individual,” and the providers themselves would get to make that determination. When privacy advocates and members of Congress criticized that proposal, HHS pulled it back for further study.
“There is some frustration that if there isn't consideration of the harm standard, it will have an impact on patient confidence in healthcare institutions,” Herzig says. “If you report to them a breach when they really aren't impacted (for instance, if the information breached is just their name), patients will get shell-shocked and anxious.” It may make sense, he adds, to have a third party such as a government agency make the harm determination.
Herzig is also closely watching the new rules around business associates being covered by HIPAA. “We still go into meetings with some vendors who haven't read the HITECH Act,” he says. “We are negotiating contracts and we tell them they have to go back and read it. And they and their subcontractors are really unaware that they will have to comply.”
Herzig says he has a strong seven-person HIPAA compliance team, and is lucky to have his CIO, Joan Hicks, also serving as UAB's privacy officer. “That is unusual,” he says. “She is a busy person, but if a situation comes up, she is right on it.”
Strong documentation is a key to compliance, he says. UAB uses an intranet site to document policies, procedures, and internal controls, including metrics around each one. “It is critical to have that documentation,” Herzig says. “That is the tool you are going to use to communicate in the case that you are audited.”