Insights From HIPAA Summit
HIPAA Lawsuit Training, Audits and MoreThat update came from Susan McAndrew, deputy director for health information privacy at the Department of Health and Human Service's Office for Civil Rights. The HITECH Act enabled attorneys general to file HIPAA lawsuits, and the training is long overdue. McAndrew also revealed that later this year, her office would conduct one or more pilots of methods for conducting HIPAA compliance audits. The HITECH-mandated audit program is overdue as well.
Consultant Phyllis Patrick offered some tips on how to prepare for the inevitable HIPAA audits, including conducting annual self-audits for compliance.
HIPAA Privacy Cases
Valerie Morgan-Alston, the Office for Civil Rights' new director for enforcement, noted that in addition to the recent high-profile HIPAA privacy rule violation settlements with Cignet Health and Massachusetts General Hospital, the office last December settled a case with Management Services Organization Washington. That case, which involved inappropriately providing patient information to a subsidiary for marketing purposes, resulted in a $35,000 settlement plus a corrective action plan.Policies and procedures can't be something just sitting in notebooks on shelves gathering dust. They must be an everyday part of an organization's culture.
The new HIPAA enforcement director also offered some compliance tips: "Policies and procedures can't be something just sitting in notebooks on shelves gathering dust. They must be an everyday part of an organization's culture," she said.
"Covered entities must conduct regular internal audits to find noncompliance themselves rather than waiting for complaints or for OCR to come in. Covered entities should be training their employees that compliance is as essential as patient safety. And there should be a prompt action plan in place to respond to (security) incidents that do occur."
In other news, Joy Pritts, chief privacy officer at the Office of the National Coordinator for Health IT, said the office intends to develop standards that would give patients the ability to exclude clinicians from accessing certain portions of their electronic health records.
Another speaker, Dan Steinberg of Booz Allen Hamilton, stressed that encryption alone is an inadequate way to protect patient information. "Encryption must fit as part of a large, more robust security program," he stressed. He noted, however, that encryption now "is reasonable and appropriate" and should be extensively used by all organizations implementing electronic health records.
And Greg Porter of Allegheny Digital contended that far too many healthcare organizations "focus too heavily on meeting regulatory objectives" and neglect basic risk management steps, such as preparing to detect and respond to malware attacks.
Finally, I'd like to thank the summit organizers for presenting me with the 2011 HIPAA Summit Distinguished Service Award. The award goes to those inside and outside of government who have made an enduring contribution to dialogue about, development of and compliance with the laws relating to healthcare privacy and security in the United States.
