Will We Be Fined for a Breach?HIPAA Enforcer Describes Factors to be Weighed
Federal HIPAA enforcers will weigh a number of factors when determining whether to impose a hefty financial penalty in the wake of a major data breach, says Leon Rodriguez, director of the Department of Health and Human Services' Office for Civil Rights.
The office recently reached a settlement calling for a $1.5 million penalty and a corrective action plan in the breach case of BlueCross BlueShield of Tennessee. That incident, which involved the theft of 57 unencrypted computer hard drives, affected about 1 million individuals.
More than 400 major breaches have been reported to federal authorities since the HIPAA breach notification rule went into effect in September 2009 (see: Healthcare Breach Tally: 409 Incidents).
When investigating other breaches, Rodriguez says, "We're going to look at how many records were breached. We're going to look at what were the vulnerabilities that led to that breach. And we're going to look at how decisive were the steps taken by the company to remedy the vulnerabilities once those vulnerabilities were discovered."
Rodriguez says OCR investigators will pose such questions as "Do you have policies and procedures? Do you have a training program? Have you done a risk assessment? Do you have disciplinary policies? Have you evaluated the need for physical, administrative and technical safeguards? And do you live by the product of your evaluation?"
In a presentation at the National HIPAA Summit in Washington, Rodriguez noted: "The question we're asking is: 'Did you do, in good faith, do the very common-sense things that HIPAA requires you to do? And what we find in all of these [major breach cases that have been settled] is that at some point in the process there was, in fact, a failure to do the very basic, common-sense things that HIPAA requires you to do."
If an organization "takes the steps that it needs to take once it discovers a breach ... and does what it needs to do to remedy the problems," OCR will consider that when choosing an enforcement course of action, he adds.
Purpose of Investigations
OCR's breach incident investigations, as well as its ongoing HIPAA compliance audits, are not designed "to go fishing for enforcement cases," Rodriguez stresses. "It's not the purpose. The main purpose of those is, in fact, to explore vulnerabilities and, in a constructive way, find ways to fix those vulnerabilities."
He adds, however, "That does not mean that there will not be enforcement cases flowing either from breach notification or from audits. And we will look at the same factors we look at in our ordinary complaint-driven work ... to determine who should be the subject of monetary enforcement action."
Although OCR faces a proposed $2 million budget cut for fiscal 2013, money recouped through breach-related fines will help fund ongoing enforcement, Rodriguez notes. "We're going to use as much of the money as we can to increase our enforcement capacity, especially in this way: To move us from a complaint-driven enforcement environment to more of an affirmative enforcement environment."
In an interview at the conference, Susan McAndrew, OCR's deputy director of health information privacy, acknowledged that the office likely will announce other post-breach settlements, with financial penalties, along the lines of its recent settlement with BlueCross BlueShield of Tennessee.
Culture of Compliance
Rodriguez notes that most of the major healthcare information breaches have involved the loss or theft of electronic devices or paper records, rather than hacking. "The lesson here is that a culture of compliance matters," he stresses.
"So you have to talk about technical safeguards. You have to talk about physical safeguards. But it also really matters that your employees bring a certain level of understanding of the gravity of what [HIPAA compliance] means to what they do every day. A lot of the failures that we see in many of the breach cases are because [protecting privacy] is not part of the mindset yet."
And one important way to build awareness of the importance of privacy and security, Rodriguez says, "is for people to see enforcement actions" against organizations that fail to take the necessary precautions.