As high-profile data security breaches have recently been making headlines and HHS Office for Civil Rights (OCR) audits are set to get underway this month, some in the industry question the efficacy of government regulation when it comes to enforcement of the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules. One insider sees litigation, rather than government regulation, as the change agent for privacy and security compliance in the industry.
Those in the healthcare industry have been eagerly awaiting the clarifications expected to come out of the U.S. Department of Health & Human Services' (HHS) final rule, which will strengthen HIPAA privacy and security safeguards. At a Nov. 9 hearing of the Senate Subcommittee on Privacy, Technology, and the Law, Sen. Al Franken (D-Minn.), the subcommittee’s chairman, along with others, called for stricter penalties for health data breaches and stronger enforcement of protections, reported the Minneapolis Star Tribune.
Franken was also reported as saying at the hearing that only one out of 22,500 data breach complaints received by HHS has resulted in civil monetary penalties. When Franken asked Leon Rodriguez, who replaced Georgina Verdugo as director of the OCR in September, when the enforcement rules would be finalized, Rodriguez was unable to offer a timetable. Franken then replied: "OK, well, hurry up."
Mac McMillan, national chair of the HIMSS Privacy and Security Policy Task Force and CynergisTek CEO, estimates that about 17 to 18 million medical records have been exposed in the last two years from close to 350 data breaches. Currently, the HHS breach list, informally known as the “Wall of Shame,” names 108 entities that have experienced data breaches affecting 500 or more individuals. Of the entities involved in recent breaches, McMillan says, only three have been fined. “What’s really going to happen in healthcare is we’re going to see it change by way of civil penalties, civil lawsuits, and civil class action suits,” he says.
Lawsuit Damages Outweigh Civil Fines
To that end, last week, The Sacramento Bee reported that a class-action suit was filed on Nov. 21 on behalf of plaintiff Karen Pardieck in Sacramento Superior Court against Sutter Health. Sutter Physicians Services and Sutter Medical Foundation (SMF)—two affiliates within the Sacramento, Calif.-based Sutter Health network—had announced in October the theft of a company-issued, password-protected, unencrypted desktop computer from SMF’s administrative offices in Sacramento (a login password alone does not protect the data on a stolen machine’s disk, which is why the lack of encryption matters). Although no medical records themselves were on the computer, some medical information, including demographic information, dates of service, and descriptions of medical diagnoses and/or procedures used for business operations, was exposed.
McMillan points out that the damages sought in lawsuits over data breaches far outweigh the civil fines levied for them. That was certainly the case, McMillan says, in the breach that took place in September at Stanford University Hospital (Palo Alto, Calif.), when the names and diagnosis codes of 20,000 emergency room patients were posted on a public website. The maximum federal fine was $1.5 million, whereas the hospital is now embroiled in a $20-million class-action complaint, as reported by the Palo Alto Daily News. “If those lawsuits are going to start being upheld and people start receiving $20 million settlements, you’ll see industry behavior change,” says McMillan. “What I think is going to happen—like we saw in other industries like the credit card and banking space—is that it’s the general public that’s eventually going to fix the problem, and it’s either through litigation or taking their business elsewhere.”
According to the OCR website, an initial wave of about 20 privacy and security compliance audits, set to begin this month, will be used to test the audit protocols. The results of the initial audits will inform how the rest of the audits are conducted, and all 150 pilot audits are to be completed by the end of 2012. McMillan has serious doubts, though, that the OCR will finish its audits by the prescribed date. “It’s tough to have teeth now because you’ve got ICD-10, ACOs, and meaningful use, and you’re going to step up enforcement now,” McMillan says. “There are no easy answers out there for any of it.”
Susan McAndrew, deputy director for health information privacy, OCR, told Healthcare Informatics earlier this year that her office is serious about enforcement. “It is HHS' expectation that covered entities and their business associates take these requirements seriously. HHS will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules,” she said. “While HITECH may be an incentive for covered entities, self-evaluation should be standard practice. To ensure compliance, covered entities and business associates should conduct regular internal audits, hold regular trainings for their employees, and have a prompt action plan in place to respond to incidents.”
A recent study from the Traverse City, Mich.-based Ponemon Institute found that healthcare organizations’ two most significant barriers to achieving effective data protection were dealing with the complexity of compliance and regulatory requirements, followed by lack of leadership around security. Those barriers were identified by the 23 percent of the sample of 718 experienced IT and IT security practitioners who self-reported that their organization had achieved best-practice status in data protection. Respondents from mainstream organizations (those not identifying their organization as having achieved best-practice status) were more likely to see lack of monitoring and enforcement of end users as their biggest challenge.