Last month I attended the 6th Annual National Institute of Standards and Technology/Office for Civil Rights (NIST/OCR) HIPAA Security Rule Conference in Washington, D.C. and I greatly expanded my knowledge of emerging threats to health information security, including concerns over mobile devices, cloud computing and social media. And although these emerging technological threats were an interesting and flashy subject, the presentation that most caught my attention was about HIPAA/HITECH Compliance by Leon Rodriquez, director of the U.S. Department of Health & Human Services’ (HHS) Office for Civil Rights (OCR).
Rodriquez first talked about the breakdown of HIPAA complaints that have resulted in monetary payments and I was very surprised by the numbers. Between 2008 and 2012, OCR received 44,552 health information privacy and security complaints. Of this large number of complaints, OCR reports only 14 cases have resulted in the agency using its regulatory powers to impose a resolution agreement between HHS and a covered entity. Resolution agreements are reserved to settle investigations with more serious outcomes and thus far have always resulted in the payment of a resolution amount. When a covered entity does not demonstrate compliance or corrective action through other informal means, HHS may also impose civil money penalties (CMPs) for noncompliance against a covered entity. HHS has only applied one CMP since 2008. In total, HHS has collected $15,558,345 in resolution agreements and CMPs since 2008.
Though talk about money always seems to catch people’s attention, it was what Rodriquez said next that really got me thinking. All but one of the resolution agreements implicated HIPAA Security Rule violations either alone or in combination with Privacy Rule violations. Taken together, the Security and Privacy Rules work in tandem to safeguard protected health information (PHI). The Privacy Rule gives individuals rights over their own health information and sets standards for determining who has access to this protected information. The Security Rule protects electronic health information by requiring certain entities to use technical, physical, and administrative measures to restrict unauthorized access to health information.
The Security Rule violations cited by OCR mostly related to a lack of appropriate safeguards for PHI. These cases demonstrate that covered entities may violate the Security Rule by losing (or failing to properly dispose of) electronic and paper records. The Rule likewise requires that appropriate encryption systems be used to protect PHI if computer hardware is stolen or the system is otherwise compromised. The Security Rule also mandates the adoption of internal protocols to assure that only authorized persons are able to obtain access to PHI. Access to both physical and electronic records must be protected. Thus, for example, appropriate Security Rule protections must be in place before internet-based calendars are used to post PHI.
Of the 14 resolution agreements, only one involved a public health agency. In June 2012, the Alaska Department of Health and Social Services (DHHS) agreed to pay HHS $1.7 million to settle possible violations of the HIPAA Security Rule. OCR investigated a breach report that a USB hard drive possibly containing ePHI was stolen from the vehicle of a DHHS employee. But over the course of the investigation, OCR found that DHHS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule. During his presentation, Rodriguez cited the lack of a risk analysis as well as the extensive time lapse between the security breach and implementation of corrective action as reasons for the large resolution amount.
This imbalance between the Privacy Rule and the Security Rule intrigued me. So I analyzed the Network’s technical assistance requests related to HIPAA and was a little shocked to see that they were all Privacy Rule questions.Even though impermissible uses and disclosures have been the top issue investigated by OCR since 2004, security violations have been implicated in all but one resolution agreement or CMP. Are organizations focusing resources too heavily towards Privacy Rule protections and not doing enough to ensure the security of PHI? Do public health agency directors understand their organizations’ obligations under the Security Rule well enough to ensure their security officer is fully implementing the law’s requirements?
Changes to HIPAA under the Omnibus Rule take effect September 23, 2013. This includes the new tiered penalty structure for HIPAA violations. OCR has also implemented a new HIPAA audit pilot program to access the controls and processes that covered entities have implemented to comply with the Privacy, Security and Breach Notification Rules. It is important for public health agencies to think beyond just workforce Privacy Rule training and start critically assessing their entire organizational implementation of HIPAA.
This blog was prepared by Jennifer Bernstein, J.D., M.P.H., Staff Attorney, Network for Public Health Law – Mid-states Region at the University of Michigan School of Public Health.
The Network for Public Health Law provides information and technical assistance on issues related to public health. The legal information and assistance provided in this document does not constitute legal advice or legal representation. For legal advice, readers should consult a lawyer in their state. The views expressed in this post do not represent those of the Robert Wood Johnson Foundation.