Changes to Health Information Portability and Accountability Act (HIPAA) enforcement, spelled out partially in the HITECH Act, are changing the way the federal Office for Civil Rights (OCR) investigates privacy violations and enforces penalties.
David Mayer, the OCR's acting senior adviser for the health information privacy, compliance and enforcement group, outlined the new process for attendees at the recent Healthcare Stimulus Exchange conference in Chicago. He also explained how new HITECH-mandated HIPAA regulations still under construction will define the process further.
Though the HITECH Act expanded and strengthened HIPAA rules, the legislation left it up to Mayer and his colleagues to pen stronger regulations for business associate liability; for the sale of protected health information, marketing and fundraising communications; and for strengthening the patient's rights to access electronic medical records and restrict the disclosure of certain information.
Interim final rules on data breach notification and HIPAA enforcement are in effect already. Those will give way to permanent regulations, which will first appear in a notice of proposed rulemaking that could be out as soon as July 9, Mayer said. The proposed rule will give the health care sector its first look at how OCR will handle HIPAA enforcement in the era of the HITECH Act.
The HITECH Act also empowers state attorneys general to file HIPAA cases against HIPAA-covered entities. The OCR will be training state officials in HIPAA enforcement soon, probably before year's end. "OCR worries that the attorneys general will not get it right," Mayer said.
Amy Leopard, a partner at the Cleveland law firm Walter & Haverfield LLP, and Mayer's co-presenter, said new willful-neglect clauses in the HIPAA rules as updated by the HITECH Act should spur health care providers to pay closer attention to HIPAA, because they are on the hook for institutional shirking of privacy rules, now more than ever. Willful neglect generally can be described as knowing HIPAA rules but not properly training employees -- and now, business associates -- in them.
"It's evolving. It's going to be like this for the next couple of years," Leopard said about the evolving rules, as well as HIPAA enforcement strategies now in their infancy. "What we do know is that the bar is going to continue to be raised."
Put policy, technology together to avoid HIPAA violations
Health care data breaches are not uncommon, and they are garnering attention -- HITECH Act rules force providers to disclose breaches of unsecured protected health information affecting more than 500 individuals.
One key step to avoiding a data breach is to implement data encryption technology, Mayer said.
Encryption not only makes a breach less likely to happen, it also serves as a safe harbor, Leopard noted. Under the HITECH Act, no HIPAA violations occur and no data breach notifications are required when encrypted data is lost, because thieves cannot access the information. Many hospitals, she said, now are requiring all business associates to use encryption, too.
Entrusting HIPAA compliance either to people or to technology -- but not to both -- can lead to problems, Mayer said. "Your IT people and your privacy people need to work together," he said. "As the world goes electronic, the two sides of the house have to talk to each other. Unless there's some meeting of the minds, the program is not going to be successful."
Ultimately, putting in place a program with clear training policies and administrative procedures can help an entity save face in the case of what Mayer deemed the toughest type of HIPAA violation to prevent and control -- a data breach deliberately caused by a rogue employee.
"It makes a huge difference in the kind of corrective action we will require, if in fact all of those things are in place and this truly was a rogue employee," Mayer said.
Let us know what you think about the story; email Don Fluckinger, Features Writer.