Tips on Preparing for HIPAA Enforcement
Former OCR Official Discusses 2014 Compliance Issues
Organizations need to keep in mind that many HIPAA enforcement actions stem from what started out as relatively minor consumer complaints "that are really customer-service oriented" and focus on how data is being used or disclosed, Holtzman says.
"Many of these [conflicts] could be resolved by the healthcare provider or facility," he says. But if organizations don't respond well to consumers' concerns, individuals may file a complaint with OCR, which could then conduct an investigation resulting in fines as well as federal monitoring of compliance with specific security recommendations, Holtzman says in the second half of a two-part interview with Information Security Media Group.
And if an organization receives an inquiry from OCR, Holtzman urges prompt action. "I was surprised in my experience at OCR by the number of organizations that did not respond in a timely manner to a simple inquiry from OCR advising them that a complaint, investigation or compliance review had been opened," he says.
Policies and Procedures
Holtzman, who recently joined the security consulting firm CynergisTek after serving for eight years as a policy adviser at OCR, also notes: "It's really important that organizations have policies and procedures in place to assure that they are following the requirements of the HIPAA privacy rule."
It's also important for organizations to clearly communicate the details of HIPAA privacy and security rule compliance policies and procedures to the workforce, he notes. Plus, they need to have "an appropriate and broad view and evaluation of the threats and vulnerabilities to their health information, whether it's electronic or printed, and then take appropriate measures to safeguard that information," he adds.
Too often, organizations consider compliance with the HIPAA privacy and security rules as an expense, when they should consider it a worthwhile investment, Holtzman says. That's particularly the case now that the HIPAA Omnibus Rule calls for non-compliance penalties ranging up to $1.5 million per violation.
Other Enforcement Issues
Another enforcement issue that Holtzman says will be "extremely important" in 2014 is the additional federal scrutiny of healthcare providers who receive electronic health records "meaningful use" payments under the HITECH Act.
"I envision that the inspector general's office and HHS are going to more carefully review healthcare providers and facilities to measure the accuracy of [HITECH Act] attestations and to make sure covered entities have, in fact, put the appropriate information security protections in place and have done the HIPAA security risk assessment they attested to, as well as the other meaningful use measures," he says.
Plus, OCR is developing a permanent HIPAA compliance audit program to be launched next year that will include reviews of business associates as well as covered entities, he notes. And, of course, OCR will continue to focus its investigations on larger data breaches, he adds.
In this interview, Holtzman also discusses:
- Advice for covered entities and business associates if faced with an OCR inquiry;
- Why there will be a greater emphasis in 2014 on "cybersecurity ... and raising awareness that health information in the healthcare sector is part of the critical infrastructure;"
- Why issues related to the interoperability of health information and secure data exchange are becoming of greater concern among regulators.
In part one of the interview, Holtzman discusses the importance of safeguarding protected health information as a business asset.
Holtzman, an attorney, joined CynergisTek in November as vice president of privacy and security compliance services. Previously, he was a senior adviser at the HHS Office for Civil Rights, where he played key roles in planning and developing policy and guidance issued under HIPAA and HITECH Act regulations. While at OCR, Holtzman also served as a subject matter expert to other federal agencies in the planning, execution and resolution of complex investigations involving reviews of organizations' compliance with the HITECH Act and the HIPAA privacy and security rules. Before joining OCR, Holtzman served as the privacy and security officer for Kaiser Permanente's Mid-Atlantic region.