The Security Scrutinizer with Howard Anderson

Insights From HIPAA Summit

HIPAA Lawsuit Training, Audits and More

The most significant news at the National HIPAA Summit last week was the announcement that state attorneys general soon will receive training on how to file federal civil lawsuits for HIPAA violations.

That update came from Susan McAndrew, deputy director for health information privacy at the Department of Health and Human Services' Office for Civil Rights. The HITECH Act enabled attorneys general to file HIPAA lawsuits, and the training is long overdue. McAndrew also revealed that later this year, her office would conduct one or more pilots of methods for conducting HIPAA compliance audits. The HITECH-mandated audit program is overdue as well.

Consultant Phyllis Patrick offered some tips on how to prepare for the inevitable HIPAA audits, including conducting annual self-audits for compliance.

HIPAA Privacy Cases

Valerie Morgan-Alston, the Office for Civil Rights' new director for enforcement, noted that in addition to the recent high-profile HIPAA privacy rule violation settlements with Cignet Health and Massachusetts General Hospital, the office last December settled a case with Management Services Organization Washington. That case, which involved inappropriately providing patient information to a subsidiary for marketing purposes, resulted in a $35,000 settlement plus a corrective action plan.

The new HIPAA enforcement director also offered some compliance tips: "Policies and procedures can't be something just sitting in notebooks on shelves gathering dust. They must be an everyday part of an organization's culture," she said.

"Covered entities must conduct regular internal audits to find noncompliance themselves rather than waiting for complaints or for OCR to come in. Covered entities should be training their employees that compliance is as essential as patient safety. And there should be a prompt action plan in place to respond to (security) incidents that do occur."

In other news, Joy Pritts, chief privacy officer at the Office of the National Coordinator for Health IT, said the office intends to develop standards that would give patients the ability to exclude clinicians from accessing certain portions of their electronic health records.

Another speaker, Dan Steinberg of Booz Allen Hamilton, stressed that encryption alone is an inadequate way to protect patient information. "Encryption must fit as part of a large, more robust security program," he said. He noted, however, that encryption now "is reasonable and appropriate" and should be extensively used by all organizations implementing electronic health records.

And Greg Porter of Allegheny Digital contended that far too many healthcare organizations "focus too heavily on meeting regulatory objectives" and neglect basic risk management steps, such as preparing to detect and respond to malware attacks.

Finally, I'd like to thank the summit organizers for presenting me with the 2011 HIPAA Summit Distinguished Service Award. The award goes to those inside and outside of government who have made an enduring contribution to dialogue about, development of and compliance with the laws relating to healthcare privacy and security in the United States.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
