HIPAA Enforcement: A 2011 Priority?
Security Expert Questions Whether Resources Are Available
"You have to really wonder whether there are enough dollars and enough people to see a notable increase in enforcement activity," she says.
In an interview (full transcript below), Roe says:
- A final version of a rule modifying HIPAA privacy, security and enforcement rules will be among the first regulatory initiatives of 2011, along with the final version of the HITECH Act breach notification rule.
- The revised HITECH breach notification rule likely will not eliminate the controversial "harm standard," but instead will refine the standard to better define how to determine whether a breach represents a significant risk of harm and merits reporting.
- Healthcare organizations should go beyond a focus on privacy and security regulatory compliance to demonstrate to their clients that their information will remain secure, especially as electronic health records are more widely used. A key step is staff training.
Roe is principal at The Health Law Consultancy, Chicago. Her nearly two decades of experience includes working on health information technology initiatives, health information privacy, data security and electronic transactions, among other areas. She is a member of the American Health Lawyers Association, the American Bar Association and a fellow with distinction in the Life Management Institute.
HOWARD ANDERSON: The HITECH Act mandated a long list of new federal rules, regulations, and programs designed to protect the privacy and security of healthcare information. Many of those are long overdue. What would you say are the most important rules and regulations that healthcare organizations should be on the lookout for in the year ahead?
KATHY ROE: Well, I think you probably want to start with the one that is assuredly coming down based upon recent comments, as well as the semi-annual agenda HHS recently issued setting forth its anticipated rule-making activity for the next six months. There, and in the recent comments, the focus has been on the final rule to modify the HIPAA privacy, security and enforcement rules to bring those rules into compliance with the obligations under the HITECH Act. The suggestion has been made that this rule may also include the final breach notification rule, which would make sense to sort of bring them all together, but I think there is still a question out there as to whether or not that will be included. But that is probably the other rule that I would be looking for in 2011.
HITECH Breach Notification Rule
ANDERSON: The final version of that breach notification rule was placed on hold earlier this year for revisions. Do you anticipate changes in the harm standard in that rule?
ROE: I definitely think the HHS Office for Civil Rights wanted to take another look at the harm standard, because you've had the comments from members of Congress indicating that HHS enacted the rule in a manner that wasn't consistent with legislative intent, and you also certainly had a number of consumer advocacy organizations coming out with concern, if not complaints, about the harm standard. I'm not sure that OCR will completely reverse itself because there was ample push back from the other side of the fence -- in terms of if you have to give notice for every breach, you're likely giving notice in many instances where there really isn't cause for concern about the information that has been accessed or disclosed in a way that is not compliant with the HIPAA privacy rule.
So I think where OCR may go is trying to refine how you would go about making the business judgment as to whether or not there has been a significant risk of harm, which would keep the federal standard more in line with many state standards for breach notification. And I also think when you consider the number of other legal obligations that health plans and providers will need to be coming into compliance with at the federal level over the next few years, and if the government thinks about those compliance obligations for healthcare organizations and the manpower and the dollars, it may argue for refinement of the breach notification harm standard, but not complete reversal.
ANDERSON: Just to make sure people listening understand the interim final breach notification rule's harm standard, can you explain it?
ROE: Currently, what the rule provides is that if you have a breach of unsecured PHI (protected health information) and the health plan or the healthcare provider that is subject to HIPAA determines that there is significant risk of harm to those individuals who were the subject of the unsecured PHI that was breached, then the healthcare provider or the health plan must give notice to each of those impacted individuals and potentially also to HHS and the media, depending upon the size of the breach. In considering whether there's been a significant risk of harm, the harm can be in the nature of economic harm, physical harm or reputational harm -- anything that would be a source of injury to individuals.
There are a number of factors that you would want to look at in terms of the nature of the PHI that was disclosed -- the circumstances, who received it (was it a covered entity, some other organization that is subject to HIPAA, or is it somebody that is not subject to HIPAA), and come to a conclusion as to whether such harm has occurred that triggers the notice obligation. If the organization concludes that such harm has not occurred after going through the analysis and documenting it, then the organization is not obligated under the law to give notice.
The discussion has been whether HHS, in response to some of the comments it has received, would do away with the significant risk of harm standard and require covered entities to give notice any time there was a breach of unsecured PHI.
ANDERSON: Do you anticipate a ramping up of enforcement efforts in 2011 as state attorneys general get training on how to file civil suits for HIPAA violations as now enabled under the HITECH Act, and as the federal HIPAA compliance audit program begins?
ROE: I guess I have real questions as to how significant an increase there would be in enforcement activities, when I consider the economics that are required for enforcement, particularly at the state level. Ever since HITECH was adopted, there has been discussion in the legal community and among others in the policy community as to whether state attorneys general would pursue actions under HIPAA. Part of the calculation is whether it makes economic sense, and I think the same economic question needs to be raised when you think about it at the federal level. Taking into account the passage of health reform and all that HHS has on its plate to implement reform, as well as to implement HITECH, you just have to really wonder whether there are enough dollars and enough people to see a notable increase in enforcement activity.
ANDERSON: So do you think the HIPAA compliance audit program will begin in 2011? It was originally slated to begin in 2010.
ROE: I don't know. There really hasn't been much discussion of it, and I think probably the current focus would be on bringing to conclusion the final rule modifying the HIPAA privacy, security and enforcement rules. And if that rule-making activity does not include the final breach notification rule, then bringing that rule-making activity to a conclusion ... would be next. I would anticipate seeing movement on those two fronts before you see OCR picking up something new.
ANDERSON: So should healthcare organizations be taking steps to prepare for potential HIPAA compliance audits, or would their time be better spent on just general breach prevention efforts?
ROE: I wouldn't advise dismissing preparation for compliance audits. Regardless of whether the audits begin this year or at some point in the future, those audits can be a tool by which an organization can see how it is positioned in terms of complying with both the HIPAA privacy and the security rules, and I would encourage organizations to think about it from not only, do I satisfy the law, but consider: What do I need to do to be making my patients and my enrollees, my customers feel comfortable that I run a ship that will keep their information secure?
... So if hospitals and other providers that are seeking to qualify for HITECH electronic health record incentives really are interested in getting a return on the investment as well as qualifying for those incentives, those organizations should be looking at their privacy and security efforts as part of that effort so that they not only get the dollars from the government in the form of incentives, but they also increase the confidence of their personnel and increase the confidence of their patients that collecting their information electronically and sharing their information electronically is a good thing for those individuals as well as the healthcare system as a whole. So all of these pieces are sort of interwoven, and that is how I would encourage covered entities to be thinking about those pieces, not as just disparate items of compliance, but how they all work together to accomplish larger goals of making our healthcare system more effective and more efficient.
ANDERSON: Any other final advice on what should be the top investment priorities for security in the year ahead?
ROE: I would encourage covered entities to not only be looking at technology as a means of securing health information, but also looking at the human factor. If you follow the healthcare information breach reporting list on the OCR website, and you look at the details of the reports that have been submitted by covered entities that have experienced a breach, a common thing comes through: So many of the instances really relate to human behavior -- the losses of laptops and the mismanagement of technology so that it's not maintained in such a way that it won't be stolen. It really offers a way for organizations to potentially prevent breaches by focusing on ensuring that their personnel are effectively trained and have guidance and direction as to how to be using health information in a way and how to be maintaining health information in a way, and how to be handling PDAs and laptops and discs and back-up tapes in a way that doesn't put enrollees' and patients' protected health information at risk.
I think there is real opportunity if organizations spend the time to enhance their breach prevention efforts by looking at how they can better equip their personnel and manage the exposure that comes from their personnel's use and disclosure of PHI.