Healthcare lawyer probes HIPAA rule
The percentage of organizations effectively encrypting their portable devices is growing but it’s still not at the level where it should be. I frankly continue to wonder why encryption is still addressable at least with respect to portable devices but it was not addressed in the proposed rule or in HITECH so the landscape on that issue is still basically the same.
Q: It sounds as if the omnibus rule will not make your job all that much easier…
A: No, I don’t think so. It really just changes the nature of some of the analysis that needs to be done. But there’s still the ambiguity in the rule, which I think is unavoidable when you don’t have a bright line test on notification. And I understand the government’s decision not to impose a bright line test because the only bright line test you could really impose would be to say every time there’s a disclosure not permitted by the rule you have to notify, and I don’t think that’s the right standard because you’ll end up getting huge numbers of notifications about innocuous situations. That’s not good for the industry or for consumers, who I think will start to tune it out if they believe that most of these notices are not situations that really threaten them. So I understand and agree with the decision not to impose a bright line standard, but as long as you don’t have one there will be judgment calls, and that’s going to continue to be the case.
Q: In some ways that alert notification fatigue you referenced might already be happening as breaches are at something of a fever pitch. Now, do you anticipate an uptick in OCR audits and fines?
A: Yes. We’re already seeing the beginning of more aggressive enforcement and stiffer penalties, more frequent penalties. It’s routine for OCR to investigate when breaches are reported, particularly when there are 500 or more individuals. In all of those cases, they’re following up with questions and making a decision about whether some more intensive investigation is warranted so that’s already in progress. And I think that trend will definitely accelerate.
This was true in the proposed rule as well. One of the really significant provisions of the rule is extension of privacy and security obligations on business associates whereas before HITECH the security rule didn’t clearly apply to business associates and the government didn’t have clear authority to put penalties on business associates. And now those things have changed. Business associates should now really be looking at their own compliance programs and deciding whether they need to be enhanced because their risk is really escalating under this rule. All the vendors out there that took comfort in the fact that they weren’t covered entities are now in very much the same position as the covered entities and need to have very strong security and privacy programs.