As high-profile data security breaches have recently been making headlines and HHS Office for Civil Rights (OCR) audits are set to get underway this month, some in the industry question the efficacy of government regulation when it comes to enforcement of the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rule. One insider sees litigation as being the change agent for privacy and security compliance in the industry, rather than governmental regulation.
Those in the healthcare industry have been eagerly awaiting the clarifications expected to come out of the U.S. Department of Health & Human Services' (HHS) final rule, which will strengthen HIPAA privacy and security safeguards. At a Nov. 9 hearing of the Senate Subcommittee on Privacy, Technology, and the Law, Sen. Al Franken (D-Minn.), the subcommittee’s chairman, along with others, called for stricter penalties for health data breaches and stronger enforcement of protections, reported the Minneapolis Star Tribune.
Franken was also reported as saying at the hearing that only one out of 22,500 data breach complaints received by HHS has resulted in civil monetary penalties. When Franken asked Leon Rodriguez, who replaced Georgina Verdugo as director of the OCR in September, when the enforcement rules would be finalized, Rodriguez was unable to offer a timetable. Franken then replied: "OK, well, hurry up."
Mac McMillan, national chair of the HIMSS Privacy and Security Policy Task Force and CynergisTek CEO, estimates that about 17 to 18 million medical records have been exposed in the last two years from close to 350 data breaches. Currently, the HHS website, informally known as the “Wall of Shame,” lists 108 entities that have experienced data breaches affecting 500 or more individuals. Of the recent breaches, says McMillan, only three entities have been fined. “What’s really going to happen in healthcare is we’re going to see it change by way of civil penalties, civil lawsuits, and civil class action suits,” he says.
Legal Penalties Outweigh Civil Fines
To that end, last week, The Sacramento Bee reported that a class-action suit was filed on Nov. 21 on behalf of plaintiff Karen Pardieck in Sacramento Superior Court against Sutter Health. Sutter Physicians Services and Sutter Medical Foundation (SMF)—two affiliates within the Sacramento, Calif.-based Sutter Health network—had announced in October the theft of a company-issued, password-protected but unencrypted desktop computer from SMF’s administrative offices in Sacramento. Although no medical records themselves were on the computer, some medical information, including demographic information, dates of services, and descriptions of medical diagnoses and/or procedures used for business operations, was exposed.
McMillan points out that the penalties sought in lawsuits over data breaches far outweigh the civil fines levied for them. That was certainly the case, McMillan says, in the breach that took place in September at Stanford University Hospital (Palo Alto, Calif.), when the names and diagnosis codes of 20,000 emergency room patients were posted on a public website. The maximum federal fine was $1.5 million, whereas the hospital is now embroiled in a $20-million class-action complaint, as reported by the Palo Alto Daily News. “If those lawsuits are going to start being upheld and people start receiving $20 million settlements, you’ll see industry behavior change,” says McMillan. “What I think is going to happen—like we saw in other industries like the credit card and banking space—is that it’s the general public that’s eventually going to fix the problem, and it’s either through litigation or taking their business elsewhere.”
According to the OCR website, about 20 privacy and security compliance audits will be conducted in an initial wave, set to begin this month, to test the audit protocols. The results of the initial audits will inform how the rest of the audits will be conducted, and all 150 pilot audits are to be completed by the end of 2012. McMillan has serious doubts, though, that the OCR will finish its audits by the prescribed date. “It’s tough to have teeth now because you’ve got ICD-10, ACOs, and meaningful use, and you’re going to step up enforcement now?” McMillan asks. “There are no easy answers out there for any of it.”