HIPAA Administrative Simplification was enacted on August 21, 1996 as Subtitle F of Title II of Public Law 104-191. The so-called HITECH Act “Omnibus” regulation that modifies HIPAA privacy and security provisions will be published in the Federal Register by the end of this summer, according to the head of HHS’ National Coordinator for Health Information Technology, Farzad Mostashari, M.D. Based on the timeline in the Notice of Proposed Rule Making, compliance by all covered entities and their business associates would be required 240 days after publication, most likely sometime in May 2013, assuming the end-of-summer deadline is met. All covered entities and their business associates will be required to comply with provisions of the Omnibus regulation.
From enactment of HIPAA Administrative Simplification in August 1996 through issuance of HIPAA privacy (April 2003) and security (April 2005) enabling regulations until enactment of the HITECH Act, federal enforcement was lax and covered entities evinced attitudes of “we’re compliant,” without understanding what compliance entailed, or “the feds will never check on whether I am compliant or not.”
Be forewarned: detection and enforcement has increased markedly, both at federal and state levels, and is about to get much tougher with the release of the Omnibus regulation (especially you, Texas). Further, penalties for violations of privacy, security, and breach notification provisions are substantial. Currently, as a covered entity, your organization is subject to HHS’ privacy and security enforcement agency, Office for Civil Rights (OCR), compliance audits that were initiated earlier this year, and to investigations relating to complaints and to breaches of protected health information (PHI).
Achieving compliance is a time-consuming process. Here are five activities your organization should be doing NOW in advance of release of the Omnibus regulations and that it needs to complete before compliance kicks in sometime in May 2013.
1. Conduct a thorough risk analysis or update an existing risk analysis.
The foundation of safeguarding your organization’s oral, hard copy, and electronic PHI is the risk analysis that identifies threats and vulnerabilities to PHI that your organization creates, maintains, receives, or transmits, and consideration of risk mitigation strategies and tools that are the basis for your organization’s policies and procedures for safeguarding its PHI. Failure to have conducted a new risk analysis or review periodically an existing risk analysis is evidence of non-compliance, and the penalties are such to imperil your organization as a viable business. Failure to conduct a risk analysis is tantamount to willful neglect!
2. Document your privacy, security, breach notification polices and procedures.
On June 26, 2012, OCR issued audit procedures by security, privacy, and breach notification implementation specification identifying the inquiries that will be addressed to senior management and the written documentation that compliance auditors will need to review, and in some cases, take samples of, as evidence of compliance. Your documented policies and procedures will be the next step after completing a risk analysis or its update, the findings of which will be the basis for the safeguard policies and procedures. Failure to document may subject your organization to willful neglect—not corrected violations, for which the penalty is a mandatory $50,000 per violation up to a maximum of $1.5 million for repeat of a specific violation in a calendar year. Those penalties were raised in 2009 from $100 per violation up to a maximum of $25,000 for repeat of a specific violation in a calendar year. In addition, participants in the Medicare and Medicaid Financial Incentive Programs for Adoption and Meaningful Use of Certified Electronic Health Record Technology must document risk analysis and Core security policies, and are subject to compliance audits that began in July 2012.
3. Train your workforce members, including management.
When privacy, security, and breach notification policies and procedures are in place, as they should be now and modified later to reflect the HITECH Act Omnibus regulatory provisions, covered entities are required to provide each workforce member access to them and to train each workforce member on their implementation so that its PHI is safeguarded. Workforce members are required to have “awareness and understanding” of the safeguards and to follow the policies and procedures, and the covered entity must document that such training has occurred. A review of case examples and HHS resolution agreement “corrective action plans” shows that training is a key element in demonstrating compliance in an audit and as part of the remediation enforcement process. For example, in reference to the Blue Cross Blue Shield Tennessee (BCBST) resolution agreement, in which BCBST paid a fine of $1.5 million, the Director of OCR, Leon Rodriguez said: “This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program. The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.” The three pillars of that compliance program will be risk analysis, documented policies and procedures, and privacy and security training.
4. Encrypt your protected health information on mobile and portable devices.
As of August 23, 2012, OCR has publicly disclosed 487 breaches involving 500 or more individuals since September 23, 2009, affecting a total of just over 21 million persons. Of the total number of breaches where location of breached information is known (e.g., electronic or hard copy source), 73% of the breaches involve electronic sources and 27% paper sources. Of the total irrespective of source, just under 19% involve a business associate. Of the electronic sourced breaches, just over 60% involved a laptop or other portable electronic device, and just under 92% of those are reported as stolen or lost. Many of these incidents could be avoided if the data were secured through encryption, which is required under OCR Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals.
5. Remember the 1981 Oil Filter commercial adage: “You can pay me now or pay me later.”
Remediating breaches is costly, not only financially, but also in time, potential damage to reputation and customer goodwill, and lost business. The Ponemon Institute, a privacy and information management research firm, in March 2011, announced results of the sixth annual U.S. Cost of a Data Breach Study. According to this study, based on survey data, breach incidents cost U.S. companies $214 per compromised customer record (2010 data). Looking just at OCR’s publicly disclosed 487 breaches, affecting just over 21 million individuals, potentially the cost is just under $4.5 billion for remediation. The August 3, 2011, HDM Breaking News article, What Happens After a Data Breach? states: “[t]he cost to reduce the risk to protected health information before a breach can be as low as 10 percent of the cost to remediate a medium-sized breach.” As the old automotive oil filter TV ad stated, “you can pay me now or pay me later.” Investment now in HIPAA/HITECH Act privacy and security safeguards to minimize risk to PHI is a cost-effective and wise investment, especially in ENCRYPTING YOUR PHI on mobile and portable electronic devices and media with a high likelihood of being lost or stolen.
If your organization has already performed items 1-3 above, it will have to address those items again to reflect HITECH Act modifications in the Omnibus regulation.