
Office for Civil Rights offers HIPAA enforcement update

Don Fluckinger, News Director

Changes to Health Insurance Portability and Accountability Act (HIPAA) enforcement, spelled out partially in the HITECH Act, are changing the way the federal Office for Civil Rights (OCR) investigates privacy violations and enforces penalties.

David Mayer, the OCR's acting senior adviser for the health information privacy, compliance and enforcement group, outlined the new process for attendees at the recent Healthcare Stimulus Exchange conference in Chicago. He also explained how new HITECH-mandated HIPAA regulations still under construction will define the process further.

Though the HITECH Act expanded and strengthened HIPAA rules, the legislation left it up to Mayer and his colleagues to pen stronger regulations for business associate liability; for the sale of protected health information, marketing and fundraising communications; and for strengthening the patient's rights to access electronic medical records and restrict the disclosure of certain information.

Interim final rules on data breach notification and HIPAA enforcement are in effect already. Those will give way to permanent regulations, which will first appear in a notice of proposed rulemaking that could be out as soon as July 9, Mayer said. The proposed rule will give the health care sector its first look at how OCR will handle HIPAA enforcement in the era of the HITECH Act.

The HITECH Act also empowers state attorneys general to file HIPAA cases against HIPAA-covered entities. The OCR will be training state officials in HIPAA enforcement soon, probably before year's end. "OCR worries that the attorneys general will not get it right," Mayer said.

Amy Leopard, a partner at the Cleveland law firm Walter & Haverfield LLP, and Mayer's co-presenter, said new willful-neglect clauses in the HIPAA rules as updated by the HITECH Act should spur health care providers to pay closer attention to HIPAA, because they are on the hook for institutional shirking of privacy rules, now more than ever. Willful neglect generally can be described as knowing HIPAA rules but not properly training employees -- and now, business associates -- in them.

"It's evolving. It's going to be like this for the next couple of years," Leopard said of the rules still taking shape, as well as of HIPAA enforcement strategies now in their infancy. "What we do know is that the bar is going to continue to be raised."

Put policy, technology together to avoid HIPAA violations

Health care data breaches are not uncommon, and they are garnering attention -- HITECH Act rules force providers to disclose breaches of unsecured protected health information affecting more than 500 individuals.

One key step to avoiding a data breach is to implement data encryption technology, Mayer said.

Encryption not only makes a breach less likely to happen, it also serves as a safe harbor, Leopard noted. Under the HITECH Act, no HIPAA violations occur and no data breach notifications are required when encrypted data is lost, because thieves cannot access the information. Many hospitals, she said, now are requiring all business associates to use encryption, too.

Regularly training employees in an organization's HIPAA policies represents another strong step, Mayer said. He suggested that CIOs, following the lead of privacy policymakers and enforcers, build strong institutional HIPAA compliance. CIOs must understand the actions policymakers are taking, whom they are reporting to, and how quickly they respond to complaints. Automated audit trails help prove institutional due diligence, Mayer said, as long as a human is monitoring them at some point in the workflow.

Entrusting HIPAA compliance either to people or to technology -- but not to both -- can lead to problems, Mayer said. "Your IT people and your privacy people need to work together," he said. "As the world goes electronic, the two sides of the house have to talk to each other. Unless there's some meeting of the minds, the program is not going to be successful."

Ultimately, putting in place a program with clear training policies and administrative procedures can help an entity save face in the case of what Mayer deemed the toughest type of HIPAA violation to prevent and control -- a data breach deliberately caused by a rogue employee.

"It makes a huge difference in the kind of corrective action we will require, if in fact all of those things are in place and this truly was a rogue employee," Mayer said.

Let us know what you think about the story; email Don Fluckinger, Features Writer.
