Archive for December, 2010
By the time the New Year arrives, HITECH will have been signed into law for approximately 23 months. Some regulations, such as the breach notification interim final rule, have been in effect, but we wait on others like modifications to the HIPAA privacy, security, and enforcement rules.
So as the New Year arrives, it’s time to analyze what we’ve gotten out of HITECH. What is its effect on the healthcare industry right now? Cui bono? Patients, providers, or the government regulators?
The answer? It’s probably too early to tell.
Perhaps the biggest question over the past two years has been what kind of enforcer the Office for Civil Rights (OCR) will be under HITECH and HIPAA. Will it be the Federal Trade Commission shark type (20-year probation periods, etc.)? Or will it maintain its “soft” image as a proactive enforcer that issues guidance and best practices?
After all, since the HIPAA Privacy Rule came into force April 14, 2003, the Department of Health and Human Services (HHS, and OCR’s boss) has yet to levy any civil penalties against any covered entities (and now business associates).
Yes, there was the $2.25 million settlement with CVS in February 2009 and the $1 million settlement with Rite Aid for privacy violations in July 2010. OCR says it is required to use those funds under HITECH for enforcement efforts.
But those investigations began before HITECH, and, technically, they weren’t fines, but rather agreements that included corrective action plans.
It’s difficult to forecast OCR’s enforcement methods for a couple of reasons: Some final rules await, and the enforcer’s “periodic audit plans,” as required by HITECH, have yet to be released.
“I do not think OCR will jump on the bandwagon with heavy fines, for two reasons,” says Jeff Drummond, health law partner in the Dallas office of Jackson Walker, LLP. “First, it’s not in their nature. They want to fix problems prospectively, not punish bad guys. And they know that most of whom they deal with aren’t intentional violators. Secondly, when they do come across a true bad actor, they’ll hand it over to the tough guys: the Department of Justice. I expect OCR to remain ‘civil,’ and to let the DOJ deliver ‘justice.’”
Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, agrees that OCR has been soft in enforcing civil and criminal penalties. However, he says it may be premature to make a call on OCR’s enforcements patterns.
“A fair amount of activity is occurring at HHS, and the department is under a lot of pressure to meet the HITECH Act rule writing/enforcement deadlines,” Apgar says. “So the fact that the HITECH Act has not changed any enforcement practices resulting in civil penalties is not necessarily surprising. The question, though, is will the HITECH Act really have an impact in increasing HIPAA Privacy and Security Rule compliance? We wait and see.”
The Ponemon Institute did not wait to see how providers feel about HITECH and HIPAA compliance. The organization surveyed 65 hospitals and published a November 2010 report that found that 71 percent of hospitals say federal regulations like HITECH have not improved the safety of patient records.
The same percentage of respondents say they have inadequate resources to prevent and quickly detect patient data loss.
Maybe they’re right about HITECH. There is hardly any tangible evidence that HITECH has significantly changed the landscape of protecting patients’ privacy. But it has given organizations plenty of reasons to be vigilant in their HIPAA compliance efforts.
For starters, bad publicity. Just look at OCR’s breach notification website, which lists the more than 200 entities that have reported a breach of unsecured PHI affecting 500 or more individuals. That information was not public prior to HITECH.
And state attorneys general have the power to sue over HIPAA violations; Connecticut wasted no time in 2010 when its attorney general, Richard Blumenthal, went after insurer Health Net for failing to secure the private medical records of 1.5 million policyholders and for the insurer’s delay in reporting the breach. The verdict? A $250,000 fine on the company for HIPAA and HITECH violations and a requirement to adopt rigorous security and notification measures.
And just months after, the Connecticut Insurance Department issued a bulletin that calls for state insurers to notify affected individuals and the state’s insurance commissioner of a breach of patient information no later than five calendar days after its discovery.
Now there’s some tangible evidence that HITECH is working.
Though OCR officials would not connect Connecticut’s breach bulletin to HITECH, they did praise HITECH for the “heightened vigilance” it has brought to HIPAA compliance.
“The HITECH provisions have helped strengthen OCR’s efforts to encourage healthcare providers, health plans and other healthcare entities required to comply with HIPAA to ensure that their compliance programs are effectively designed to prevent, detect and quickly correct violations of the HIPAA rules,” an OCR official tells HealthLeaders Media. “Such heightened vigilance will give consumers greater confidence in the privacy and security of their health information and in the industry’s use of health information technology.”
As the industry moves closer to total EHRs across the board, privacy and security naturally take a front-row seat.
The healthcare industry has a tall order in assuring patients that their records are fully secure in an electronic environment. And with that assurance comes tough enforcement.
Is OCR our savior?
Many didn’t think so in the beginning, Drummond says.
“When HIPAA was first passed and enforcement was given to OCR, it raised eyebrows among many health lawyers,” Drummond says. “OIG was a known bulldog, but OCR was generally perceived as being much more conciliatory. Folks expected OCR to take a softer approach to obtaining compliance, working with covered entities to fix problems rather than coming in with guns blazing, subpoenas flying, and heavy fines assessed. And that’s pretty much what we’ve seen.”
Heavy fines or not, Drummond says OCR has the “right approach.”
“The vast majority of participants in the healthcare field are meticulously cautious about dealing with patient privacy, always have been, and would be with or without HIPAA,” he says. “In the vast majority of cases, if there’s a breach, it’s an accident or a mistake, and shouldn’t result in a huge fine. Of course, there are bad apples in every barrel, but in healthcare, there is a pretty good culture of privacy.”
Share these tips about passwords with your staff:
Selecting a strong computer password—one that is easy for you to remember but difficult for someone else to guess—is an essential step in securing your organization’s information. Generally, you should select a password that:
- Includes both letters and numbers
- Consists of at least six characters (your organization may require seven or eight)
- Incorporates upper- and lowercase letters, if your system supports them
- Includes special keyboard characters (such as #), if your system permits
- Isn’t a personal name, special date, fictional character, or real word
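The five rules above can be applied mechanically before a password is accepted. The following checker is an added example written for this post; it is not code from the original post or from the HIPAA and HITECH Toolkit. The six-character minimum follows the post and is a parameter so an organization can raise it to seven or eight, the word list is a small constructed stand-in for a real dictionary and staff-name list, and the date heuristic is an assumption about what “special date” looks like in practice.

```python
import re
import string

# Constructed, illustrative word list standing in for a real dictionary and
# name list. A deployment would load a full dictionary plus staff/patient
# names here instead of this handful of entries.
COMMON_WORDS = {
    "password", "welcome", "hospital", "clinic", "summer", "winter",  # real words
    "batman", "gandalf",                                              # fictional characters
    "john", "mary", "nicastro",                                       # personal names
}

# Heuristic (assumption) for "special date": a bare year, a slash- or
# dash-separated date, or an all-digit MMDDYY / YYYYMMDD style string.
DATE_RE = re.compile(r"^(\d{4}|\d{1,2}[/-]\d{1,2}[/-]\d{2,4}|\d{6}|\d{8})$")


def strip_to_word(pw: str) -> str:
    """Lowercase the password and drop digits/punctuation, so that a
    decorated dictionary word such as 'Password1!' is still caught as
    'password'."""
    return "".join(ch for ch in pw.lower() if ch.isalpha())


def check_password(pw: str, min_length: int = 6, words=COMMON_WORDS) -> list:
    """Return the list of policy rules the candidate password fails.
    An empty list means the password satisfies every rule."""
    failures = []

    # Rule: at least six characters (organization may require seven or eight).
    if len(pw) < min_length:
        failures.append(f"shorter than {min_length} characters")

    # Rule: both letters and numbers.
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        failures.append("must include both letters and numbers")

    # Rule: upper- and lowercase letters.
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        failures.append("must mix upper- and lowercase letters")

    # Rule: a special keyboard character such as '#'.
    if not any(c in string.punctuation for c in pw):
        failures.append("must include a special keyboard character")

    # Rule: not a personal name, fictional character, or real word,
    # even when dressed up with digits or punctuation.
    if strip_to_word(pw) in words:
        failures.append("is a real word, personal name or fictional character")

    # Rule: not a special date.
    if DATE_RE.match(pw):
        failures.append("looks like a date")

    return failures


if __name__ == "__main__":
    # Constructed candidates, from weakest to acceptable.
    for candidate in ("password", "12252010", "Password1!", "Ab1!", "Xk7#qLm2"):
        problems = check_password(candidate)
        verdict = "OK" if not problems else "; ".join(problems)
        print(f"{candidate!r}: {verdict}")
```

Because the checker returns the list of failed rules rather than a bare yes/no, the same function can back an interactive prompt that tells the user what to change and a periodic audit that counts which rules are failed most often.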
This week’s question and answer was adapted from The HIPAA and HITECH Toolkit: A Business Associate and Covered Entity Guide to Privacy and Security. For more information about the book or to order your copy, visit the HCMarketplace.
A Dean Clinic physician’s personal laptop computer containing information for a specific group of patients was stolen in a home invasion robbery, according to a statement released by Dean Health Systems, Inc.
The Wisconsin State Journal reports that more than 3,000 patients may have been affected by the breach.
The laptop contained protected health information, including patient names, dates of birth, medical record numbers, diagnoses, procedures, and possibly pathology data. However, the laptop did not contain patients’ Social Security numbers, credit card information, home addresses, phone numbers or financial information.
Dean Health Systems, an integrated health system based in Madison, WI, sent letters to the affected patients on December 18. The hospital also advised affected patients to contact an identity protection services agency with whom the hospital partnered.
We hope all you privacy and security officers who have to work today can get home quickly to a warm house (or a cool one for those Miami and Phoenix officers). But before you leave, don’t forget a few things:
- Ensure all portable devices carrying PHI are in a secure, locked area
- Check to see if all computers with PHI are shut down or logged off
- Check the area for any loose paper medical records that carry PHI
- And last, but not least, if you’re taking your laptop home with you for the holidays, carry it with you at all times; don’t even trust a locked car!
’Twas the night before Christmas, and all through the house, were privacy and security officers yearning for full HIPAA compliance. Here are some final holiday wishes. Happy holidays to all, and to all, here’s hoping for HIPAA compliance in 2011!
– Dom Nicastro, editor, HIPAA Update blog
Safe use of social networking websites. “I wish all social networking sites were equipped with tools that prevented anyone from posting any patient-related information,” says Frank Ruelas, director of compliance and risk management at Maryvale Hospital in Phoenix and principal, HIPAA College, in Casa Grande, AZ. That would help mitigate people being surprised by “stuff” that originates from these sites, he says.
More safeguards to protect PHI. “I hope that technology continues to be enhanced to support patient privacy,” says Mikels. “This should be meaningful and non-burdensome to the user, and should support patient care and safety.”
Ruelas says he would deactivate any and all USB port functions which allow data to be downloaded and subsequently taken offsite in an unauthorized manner.
“These handy little devices, with all their storage capability, can create big issues,” Ruelas says.
Ponemon’s “Benchmark Study on Patient Privacy and Data Security” may be viewed here.