Leon Rodriguez, director of the Office for Civil Rights at the U.S. Department of Health & Human Services, is a serious looking guy. It would be no stretch to say intimidating, even, as the tall, broad-shouldered director represents the face of the more-stringent-than-ever HIPAA Omnibus Rule -- compliance date of Sept. 23. The new rule promises to bring hefty fines, more audits and added enforcement pertaining to the issue of patients' protected health information.
In reality, however, although Rodriguez has affirmed that organizations will indeed be held accountable for violating HIPAA privacy and security rules, he has also proved himself to be industry-conscious, practical and fair.
Of the some 80,000 HIPAA breach cases OCR has received since 2003, only 16 of those have resulted in fines, Rodriguez pointed out in an interview with Healthcare IT News.
"It's a relatively small part of what we do here," he said. Most cases OCR handles involve corrective action rather than monetary fines.
Don't let that cloud your judgment or start shirking your privacy and security obligations, however. Fines imposed on organizations that grossly violate HIPAA privacy and security rules are now on the upward trend, says Rodriguez, and that's most likely going to continue.
"It's going to continue to be a small but very important part of the story," he said. "I think it's important because it very powerfully articulates what our expectations are for covered entities, what risk analysis steps, what training steps, what disciplinary steps, what safeguard steps we expect of them."
And although an official and permanent audit program is not yet fully established -- and most likely won't be until 2014 -- breach investigations are, as some organizations can attest to, at full force.
Breach blunders
ellPoint, one of the nation's largest health insurers, is one among 16 organizations thus far that has come to better understand what's expected in regards to HIPAA privacy and security rules.
Just this July following an investigation, OCR ordered WellPoint to hand over $1.7 million after leaving the protected health information of 612,402 individuals accessible over the Internet. The data compromised included patient names, dates of birth, Social Security numbers, telephone numbers and health information.
According to the report, WellPoint established no safeguards verifying the person or entity seeking access to the electronic protected health information, and it failed to perform technical evaluation following an IT system software upgrade.
"I think all these cases really powerfully articulate those expectations and the fact that we will be holding people accountable," Rodriguez said.
When asked where HIPAA-covered entities most often make their biggest misstep, Rodriguez pointed to risk analysis inadequacies, for business associates and covered entities alike. It's the "failure to perform a comprehensive, thorough risk analysis and then to apply the results of that analysis," he said.
Based on the complaints OCR has received, risk analysis failures top the list for the biggest security issues.
Case in point is what transpired at Idaho State University's Pocatello Family Medicine Clinic two years ago, when clinic officials notified the Department of Health and Human Services of a breach involving electronic protected health information for some 17,500 patients.
Following an investigation, OCR determined that the PHI of those 17,500 patients was left unsecure for 10 months due to the disabling of an ISU firewall.< /p>
Furthermore, the ISU clinic failed to conduct risk analysis of the confidentiality of the ePHI for more than five years. As a result, this May, ISU agreed to pay $400,000 to HHS to settle HIPAA breach allegations.
Ted Kobus, New York-based attorney for BakerHostetler who specializes in privacy issues and data breaches, said another area where covered entities and business associates are failing in privacy and security arenas pertain to the issue of properly handling old data. The "forgotten data, old data that the organization hasn't accounted for," proves a frequent reason for a breach, says Kobus.
This reality resonates with New York-based Affinity Health Plan, which just this August agreed to pay OCR $1.2 million after failing to clean patient data from a photocopier hard drive. CBS News then purchased the photocopier, previously leased by Affinity, and discovered it contained the protected health information for 344,579 patients.
Following an investigation, OCR officials found Affinity neglected to include the electronic photocopier data in any of its risk analyses.
The HIPAA Security Rule requires CEs and BAs to clear, purge or destroy the devices containing ePHI before the devices are available for re-use, but that's just not happening at the level it should, says Sean Magann, vice president of California-based Sims Recycling Solutions.
"What's happened over the past five or six years is that bad guys got really smart," he told Healthcare IT News' Mike Miliard last month. "They realized there's more value in the information than in the actual commodities. It's a numbers game. You buy 100 hard drives, 99 of them will be erased and done properly. But the one that you do get contains a treasure trove of information: Social Security numbers, patient data, everything a bad guy needs."
And this time around when a BA or CE break the rules, they're going to be paying much heftier fines than what was originally set forth in the interim rule.
Whereas organizations only faced penalties up to $25,000 for identical violations per calendar year under the interim rule, the final rule increases that amount to $1.5 million for a repeating violation per year.
For willful neglect breaches -- meaning the organization failed to correct the issue - each individual violation is pegged at $50,000. The smallest penalty amount organizations could face is $100 per violation.
What's new?
One of the first changes to note in the final rules pertains to the very definition of breach. The interim rule originally stipulated that a breach compromised the security or privacy of protected health information and posed significant risk of financial, reputational or other harm to an individual -- often called the harm standard.
In the Omnibus final rule, not only was the harm standard removed but also a breach is now defined as "impermissible use or disclosure of PHI is presumed to be breached unless an entity demonstrates and documents low probability PHI was compromised."
"There are two changes there," said Robert Belfort, healthcare attorney at Manatt, Phelps & Phillips, in an interview with Government Health IT earlier this year. "First, the focus of the assessment is no longer on the harm to the patient but whether the information has been compromised and, second, the burden of proof is clearly on the covered entity so if that can't be determined pretty clearly that there is a low probability the information has been compromised, the covered entity has to treat it as a breach."
Also among the most significant changes in the final rule is that business associates are now accountable for violating specific privacy and security rules.
This should have come as no surprise to BAs, said Rodriguez. "We have been clear for a very, very long time now with the business associates about the fact that they will become directly accountable under the regulations, that they should begin taking all the necessary steps to amend, if necessary, their policies and procedures and practices to come fully into compliance with these obligations," he said.
Despite this, many BAs are still lagging behind in many regards, said Kobus. From his line of work, he sees many business associates much less prepared than covered entities. "We see them asking for help with compliance issues, business associate agreements, questions about cloud computing and general compliance questions," he explained.
Kobus said that between 30 to 70 percent of privacy and security breaches involve a vendor, which gives the government tremendous pressure to also make BAs liable and follow up with investigations.
But, it's not only that the BAs are often lagging behind. Many covered entities are assuming they're more off the hook than before.
Kobus sees a lot of covered entities that have questions over whether or not they're off the hook and don't have to worry as much as they did in the past now that business associates will be held directly liable for violations. "The answer really is 'no'," said Kobus. "We still have to keep in mind the covered entities are still responsible for their own violations of the HIPAA privacy and security rules, and business associates are going to be responsible for their violations."
The final Omnibus Rule also expands the definition of business associate to include; health information organizations, e-Prescribing Gateways, certain PHR providers, patient safety organizations, data transmission service providers with access to PHI and contractors involved with PHI.
Additionally, the rule also stipulates that a contract between BA and subcontractor is required and it must be as stringent as the contract between a CE and a BA.
As far as patient control goes, in many ways, the rule imposed tighter restrictions on what organizations can do with patient data without their consent. Patients can now insist their health data is not shared with other groups if they pay for the specific medical services out of pocket, and certain patient information cannot be sold without that patient's consent.
BA Agreements
Lynn Sessions, Houston-based healthcare and privacy attorney with Baker Hostetler, works with many healthcare providers as they're updating their business associate agreements, primarily with the larger, more sophisticated BAs. What she's seeing are protracted, lengthy negotiations around BA agreements, particularly with respect to limitations of liability and indemnification.
"We're encouraging our healthcare clients to include indemnification and perhaps even insurance requirements as part of their business associate agreements so they've got protection should a breach take place or if there is a regulatory inquiry," said Sessions.
Some of the business associates are expecting it, she added, as they understand they're doing business in the healthcare arena. Others, however, who are new to the party, such as providers who thought they were never BAs in the first place are playing catch up. "And so, what used to be in some instances, just kind of the cursory, 'Sure I'll sign your business associate agreement' has become a much more detailed negotiation where some covered entities have had to hire counsel," said Sessions.
Now that this piece is more stringent, "I think OCR has gotten covered entities and now business associates' attention with the fines that have been levied over the last several years," she added.
Jeffrey Brown, chief information officer at the 178-bed Lawrence General Hospital in Lawrence, Mass., said the hospital's contracts with BAs haven't changed at this point, but they are in in the process of cataloguing all their third-party associates. "We're going back, doing a detailed review and analysis of the verbiage within those BAAs," he said. He estimates they have about 75 to 125 business associates at a minimum from an IS perspective. From an organizational perspective, that number is much higher, he says.
In many cases, however, he has noticed these third-party vendors are starting to be proactive, and so Brown is seeing addendums coming through.
Doing it right
Lawrence General Hospital has never experienced a HIPAA breach -- for good reason.
"I wouldn't say (we're) lucky," said Brown. "Privacy and security and compliance are something that is at the top of our priority list."
Hospital employees are not allowed to bring their own devices to use for clinical purposes; rather, the hospital provides cellphones and laptops to specific employees. All devices are password protected and updated with the latest encryption technology.
If someone loses a cellphone or an employee is terminated, officials have the ability to go in and wipe that cellphone clean of any kind of data. And they do.
Moreover, Lawrence General brings in consulting firms to conduct regular risk analyses and assessments, and a hospital committee meets monthly to discuss the ever-changing nature of privacy and security issues.
This element proves crucial, he says, as the matter is far from static. "Privacy and security in the old days was kind of looked at as a once-and- done deal," said Brown. "It was something that you did yearly or every two years. Risks and mitigations were presented to the organizations, and you kind of checked the box. And I think now what's happened is it really is a program and a process that organizationally, and I think culturally, needs to become part of the fabric of what all healthcare entities need to practice," he explained.
Brown admits there's an upfront cost to comply with these rules, but views it as a real return on investment. "When you update kind of this triad of people, process and technology, it not only puts the consumer in a better place to be protected but also the organization."
Kobus agrees. He says some of the biggest mistakes by CEs and BAs are lack of education and employee awareness, "people not understanding why it's critical to protect this type of information," he said.
But it's not always a clear cut procedure, especially for larger institutions, added Sessions, who said healthcare organizations notoriously have a lot of policies and procedures in place.
"What I can see is that policies and procedures get implemented, and there may be an area in the hospital that wasn't thought about," she explained. "There is so much information about patients that are used in healthcare organizations that to be able to ensure education to everybody, that they understand the policy and procedures that are in place and frankly that the drafters of the policy and procedures understand all the data out there can be difficult."
Micky Tripathi, chief executive officer of the Massachusetts eHealth Collaborative, also offered insight into how to handle a breach properly when it occurs from the perspective of someone who has been through one.
Back in 2011, Tripathi reported that an unencrypted MAeHC laptop containing 14,475 patient medical records was stolen from an employee's locked car. After going through the process of notifying patients, contacting attorneys, changing policies and working to rectify the situation transparently, Tripathi learned a few things.
No one, he said, is immune from data breaches. But, an organization can be immune from much of the aftermath depending on how it's handled.
"We tried to be very transparent about everything we did," he said at the HIMSSMedia and Healthcare IT News 2012 Privacy and Security Forum. In addition to the legal responsibilities, "we had a certain ethical responsibility," said Tripathi. "We came clean with the whole thing...we were standing up for our mistake and we were going to do whatever we had to do to rectify the situation."
Despite not getting slapped with state or federal fines, MAeHC did pay up. The total costs of the data breach reached $228,808, which is no nominal number for a nonprofit. Tripathi said $150,000 of that went to legal fees, and more than $6,000 went to credit monitoring for patients.
They could have paid a lot more, however, and Tripathi realized that. And the lesson that went along with the experience was invaluable. Encryption is key, and the failure to encrypt devices "was a big miss from a management perspective," he said.
Kobus also explained the significance of notifying patients in the proper manner and without jumping the gun. BAs and CEs should only notify individuals affected and the public once they know exactly what happened, how it happened, what they're doing to protect patients in the future and what they're doing to prevent a breach like this from happening again.
"If you answer them, they're not going to be happy about what happened, but they're going to understand that you have control over the situation, you understand the seriousness of the situation and that you're trying to make yourself better," he said.
Omnibus Opinions
Overall industry reactions to the final rule have been decidedly mixed.
Brown, for one, thinks it's a benefit for the industry, although he concedes that difficulties do exist.
"There are going to be some challenges organizationally, in terms of just wrapping your head around the complexities," he said. "I'm always an advocate for the patient and the consumer, and I think what these updated rules are doing further protects (them)... this really should give them a greater level of confidence in the overall ecosystem around how their health information is going to be protected now and in the future."
Russ Branzell, chief executive officer of CHIME, says naturally there are pros and cons. And the cons really pertain to the sheer amount of process and policies that CEs have to follow and implement, and that can really strap down CIOs who already have lengthy to do lists. "I think there are parts of the rule that I'm sure most CIOs would say were needed and required," Branzell said to HealthInfoSecurity. "There are also parts in there that they would say, 'Wow, there's just so much more I've got to do."
Many privacy advocates have also weighed in on the final rule. Deborah Peel, MD, chair of Patient Privacy Rights advocacy group, who bills herself as a "privacy warrior," said there are privacy improvements, but the rule still didn't go far enough.
Peel pointed to the example pertaining to patients who pay for services out of pocket who can request that their health information isn't shared with other groups. "HHS did not require segmentation technologies so that (patient health information) can be protected and selectively shared. Instead, the information should be 'flagged' so only the 'minimum necessary' information is disclosed," she said to amednews.
Peel went on to say that rules and contracts don't guarantee they'll be followed or enforced properly.
Others see considerable limitations to the final rule. Kobus, for example, thinks the language complicates things by eliminating the harm standard. "It makes things more subjective," he said, taking "away the ability at least in some part for the organization to take a look at individualized harm and places the emphasis elsewhere, and I think that can be problematic because in reality, isn't this about protecting patients and making sure patients can protect themselves if they're at risk, and over notification does no one any good."
From Sessions' perspective, many BAs and CEs are actually going beyond what they are required to do by law in terms of reporting - clients who would rather be safe than sorry. "We think there's going to be over-reporting with the final rule," she said.
However, according to Rodriguez, overall, the number of entities over- reporting is nominal. "There's a little bit of that, but mostly not," he said, adding that the general pace of reporting has remained relatively consistent. "I think for the most part, we're getting appropriate reports. You know, in other words, we're not having folks reporting that don't need to be reporting."
Rodriguez says that the feedback he's heard from industry officials is generally positive. "I would say for the most part, and certainly within the traditional covered entity community, I think this rule is very much welcome," he said. "There have been questions about narrow, specific requirements in the new rule, and we're certainly working with all the stakeholders to provide clarification, to provide training material, to provide guidance as these issues come up. But as a whole, my sense is that both industry and consumers are pretty comfortable with where we've gone in the final rule."