As first reported in our story on the HIPAA omnibus rule earlier this week, if patients ask to have their health data sent via unencrypted email, it’s not the health care provider’s fault if that data is hacked once it leaves the facility. Provided, of course, the provider explains to the patient that unencrypted email is less safe, and the patient says “So what? Send it anyway.”
“We do not expect covered entities to educate individuals about encryption technology and information security,” U.S. Health and Human Services Office for Civil Rights (OCR) authors wrote by way of explanation in the regulation. “If individuals are notified of the risks, and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request [or once it’s delivered].”
The 563-page omnibus rule will certainly put health care providers on edge, and we’ll surely be interviewing sources for the next five years complaining of its onerous, business-paralyzing compliance tentacles. Partly it’s fear of the unknown: once OCR creates an enforcement pattern and guidance arises around avoiding the same mistakes, some people will relax and get to business. Partly it’s because of the toxic political environment in which anti-government sentiment will poison all ideas from D.C., good and bad.
But read through the comments and OCR’s responses to them, and you’ll see one theme throughout: providers are to protect patients’ data and make sure it’s available to the patient when they ask for it. If you peel away the layers of dos and don’ts and sometimes prescriptive wordings without a lot of technical guidance, you’ll see the overarching idea that the patient comes first. And no, it appears that regulators don’t expect physicians to teach patients the ins and outs of IT technicalities in which they aren’t experts, either.
Good luck, health IT leaders. You and your OCR-estimated 200,000-500,000 business associates have until mid-September to comply, and after that, it’s go time. Double good luck to the first wave of providers who will get visits from OCR now that its audit program is coming out of pilot and going live. In an email, the agency indicated to SearchHealthIT that 115 providers were audited in the 2012 pilot. A report will be issued later this year based on those proceedings. After that, they said, “OCR is looking to stand up a permanent audit program.”