HITECH Tidbits: An Editor's Notebook
In a one-on-one interview with HealthcareInfoSecurity.com, Susan McAndrew, OCR's deputy director for privacy, revealed that the random HIPAA compliance audits called for under the HITECH Act will begin later this year, if all goes according to plan. "I'm fairly sure audits will be outsourced," McAndrew explained.
Other OCR officials who spoke at the conference, "Safeguarding Health Information: Building Assurance through HIPAA Security," offered these additional tidbits of information:
Breach rule revisions
A "final-final" version of the HITECH breach notification rule will be issued sometime later this year, said Christina Heide, senior health information policy specialist. Many who have commented on the interim final rule, issued last September, have complained about the "harm threshold," she acknowledged. "So we're looking at all those comments."
Under the interim final breach notification rule, healthcare organizations must determine whether a particular data security breach presents a "significant risk" of harm and thus needs to be reported. This has proven controversial because it means federal regulators are largely leaving it up to healthcare organizations to decide whether they need to give notification of a breach.
Let's hope the final version of the breach notification rule spells out in much more detail how to determine "significant risk." Otherwise, members of Congress may have to step in to force regulators to remove the harm threshold altogether.
The approximately 80 major breaches reported to OCR so far have involved notifying more than 2.4 million individuals, Heide said. But remember: Nearly 1 million of those came from one case, BlueCross BlueShield of Tennessee.
Heide stressed that when organizations notify local media of major breaches, as required under HITECH, those notices must contain all the same content as letters sent to affected individuals.
This is an important reminder, given that many of the media announcements we've seen lack such basic information as the total number of patients notified, even though those numbers are available on the OCR's official breach list.
Under HITECH, organizations must report to OCR within 60 days any breach incident affecting more than 500 individuals. They must report smaller breaches once each year, by about March 1.
OCR already has received more than 6,000 reports of smaller breaches since last September, Heide revealed.
The office has received its share of criticism for lack of high-profile enforcement for cases involving violations of the HIPAA Privacy Rule, which it has enforced since 2003.
But David Holtzman, an OCR attorney, said the office has investigated 10,000 cases that resulted in changes in practices and other corrective action.
Examples of corrective action, according to Holtzman, include such steps as "stronger locks on doors, retraining of staff and encryption" in a case involving a stolen computer.
Until recently, the Centers for Medicare & Medicaid Services enforced the HIPAA Security Rule. But OCR took on that responsibility as a result of the HITECH Act. And it certainly makes sense to have one government agency enforcing both rules, given that privacy and security are so interrelated.
OCR has been quiet about what enforcement action it's taken in the aftermath of the major breaches reported so far.
But Holtzman says that in each case, OCR investigators conduct a compliance review to determine the root cause of the incident, identify gaps in compliance with the HIPAA privacy and security rules that led to the breach, and then look for evidence that the organization has taken action to close those gaps.
Officials at the conference, however, went out of their way to stress that HITECH also carries the threat of beefed-up penalties for HIPAA violations.
For example, in cases involving "willful neglect" that is not corrected, organizations can be fined $50,000 for each violation, and up to $1.5 million for multiple violations of the same provision in the same calendar year.
Several conference attendees were overheard muttering that what the industry really needs is a high-profile case involving a penalty in the millions. Maybe then, hospitals, physicians' offices and others will invest in encryption and security training and take other action that will lead to a significant decline in breaches.