The following is a Q&A between HCPro, Inc. and an Office for Civil Rights (OCR) spokesperson. HCPro, Inc. Senior Managing Editor Dom Nicastro sent the questions to OCR when news broke Tuesday, March 13, about the $1.5 million settlement between Blue Cross Blue Shield of Tennessee and OCR for HIPAA violations.
HCPRO: Were it not for the HITECH requirement to report 500-plus breaches to OCR/media, is there a chance OCR may not have known about this breach?
OCR: Pre-HITECH, a patient may have learned about an impermissible disclosure through a request for accounting of disclosures or if state law required notification. The individual could have then filed a complaint with OCR. This case underscores the important utility of the breach reporting notification to bring these incidents to light.
HCPRO: As for the breach itself, what kind of steps can entities take to ensure this doesn’t happen?
OCR: The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities to evaluate risks and vulnerabilities in their environments and to implement policies and procedures to address those risks and vulnerabilities. Both risk analysis and risk management are standard information security processes and are critical to a covered entity’s Security Rule compliance efforts. OCR has posted guidance on the risk analysis requirements under the Security Rule to our website. A meaningful HIPAA compliance program includes: up-to-date policies and procedures, a well-documented training program, regular internal audits, and ongoing monitoring.
HCPRO: Are there any more investigations pending on entities on that 500-plus list?
OCR: Absolutely. Every 500-plus breach case is investigated. When OCR completes an investigation of a breach affecting over 500 individuals, a summary of this case is posted on OCR’s website under the list of Breaches Affecting More than 500 Individuals. The remaining cases you see on the list are all open and active investigations.
HCPRO: Does OCR have a timetable on release of the breach notification final rule? Or any other HITECH/HIPAA rules?
OCR: OCR is making every effort to publish the final rules on all of the remaining HITECH Act provisions so these important protections and expansions of individual rights under the Privacy and Security Rules can be made available uniformly to consumers across the country. OCR is proceeding with all deliberate speed to ensure the major impacts of these regulations are fully understood and addressed.
HCPRO: If the BCBS breach occurred in 2009 and was just now settled in 2012, is the three-year investigation period normal? Or is OCR backed up? Or is it a matter of prioritizing breach investigations?
OCR: As one can see from OCR’s list of breaches over 500, many of these cases have been resolved quickly through corrective action. More complex cases take time to move from investigation to resolution.
HCPRO: Are all 500-plus breaches investigated? If not, how does OCR filter which are not?
OCR: Yes, each and every one of the 500-plus breaches is investigated to ensure, first, that appropriate breach procedures were followed, and that the root cause of the impermissible disclosure was remedied to prevent a similar breach from occurring in the future.
HCPRO: Does OCR investigate every breach report it receives – even the ones under 500?
OCR: All breach reports are forwarded to regional HHS offices, and these offices have discretion as to whether to open an investigation of small breaches.