1. Sept. 23, 2013 compliance deadline for new requirements.
On Jan. 17, 2013, the U.S. Department of Health and Human Services released the long-awaited omnibus final rule pursuant to the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Non-Discrimination Act of 2008. The Final Rule is effective as of March 26, 2013, and covered entities and business associates must comply with the applicable requirements of the Final Rule by September 23, 2013.
The key compliance tasks for covered entities related to the Final Rule are as follows:
2. HITECH mandated audits have commenced
The HITECH Act requires HHS to perform periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. The Office for Civil Rights implemented a pilot program whereby KPMG LLP, a public accounting firm, developed an audit protocol and conducted 115 audits of covered entities from November 2011 through December 2012. The audit protocol is posted on the OCR website and provides a useful tool for providers to ensure they comply with the Privacy and Security Rules and Breach Notification standards.
3. Larger providers are facing maximum penalties for violations
While almost two years have passed since the monumental settlement between Massachusetts General Hospital and HHS requiring MGH to pay $1 million, the MGH settlement was only the beginning of a trend of imposing substantial penalties on larger covered entities for HIPAA violations.
On March 13, 2012, Blue Cross Blue Shield of Tennessee agreed to pay HHS $1.5 million to settle potential violations of the Privacy and Security Rules. The investigation resulted from BCBST's report to HHS of the theft of 57 unencrypted computer hard drives containing PHI of over 1 million individuals. A few months following the BCBST settlement, HHS announced a settlement with another larger covered entity for $1.7 million to settle potential violations of the Security Rule by the Alaska Department of Health and Social Service. The investigation of ADHSS followed a breach report to HHS by ADHSS regarding the theft of a USB hard drive. Later in September 2012, HHS announced it had reached an agreement with Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates (collectively, MEEI) to settle potential violations of the Security Rule for $1.5 million. Despite deciding to accept the settlement, MEEI stated its belief in a press release that the size of the settlement was excessive.
While the Final Rule contains many provisions that amplify penalties for violations of HIPAA, OCR cannot automatically impose the maximum civil monetary penalty for a violation. Rather, OCR must first consider four factors, which may be mitigating or aggravating, before determining the amount of a CMP. However, its analysis of such factors can still result in the imposition of the maximum CMP amount, particularly for larger covered entities. The factors generally evaluate (i) the nature of the violation, (ii) the extent of the harm caused, (iii) past HIPAA compliance, and (iv) the financial condition of the perpetrator. While evaluation of the financial condition of the covered entity or business associate may lead HHS to issue a more lenient penalty against small providers, it will not generally benefit larger providers.
4. Security Rule compliance is focus of OCR enforcement actions
Recent HIPAA enforcement actions publicized by OCR demonstrate a pattern of sanctioning entities that are out of compliance with the Security Rule. As of Feb. 28, 2013, OCR had 258 open complaints and compliance reviews specifically pertaining to the Security Rule. In June 2012, following a $1.7 million settlement of Security Rule violations, OCR Director Leon Rodriguez cautioned, "Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices." Also in June 2012, following agreement by MEEI to pay HHS $1.5 million to settle potential Security Rule violations, Dir. Rodriguez commented, "In an age when health information is stored and transported on portable devices such as laptops, tablets, and mobile phones, special attention must be paid to safeguarding the information held on these devices." While Security Rule compliance may not have been a focus of providers in the past, it is an area where an increased effort towards compliance may render significant benefit to covered entities and business associates.
5. New Standard for Breach of Unsecured PHI
HIPAA requires notice to affected individuals, HHS and, in certain circumstances, the media when covered entities or their business associates discover a "breach" of unsecured PHI. HHS defines "breach" as the "acquisition, access, use, or disclosure" of PHI in violation of the Privacy Rule that "compromises the security or privacy" of the PHI. Previously in the Interim Final Rule, HHS defined the phrase "compromises the security or privacy of the PHI" to mean that the acquisition, access, use or disclosure "poses a significant risk of financial, reputational, or other harm to the individual," which became known as the "risk of harm standard."
After considering public comments, HHS determined that the risk of harm standard was too subjective and could be construed and implemented in a manner it had not intended. Accordingly, in the Final Rule, HHS revised the definition of "breach" to state that unless an exception applies, an impermissible use or disclosure of PHI is presumed to be a breach requiring notification unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised. To determine whether there is a low probability that the PHI has been compromised, the covered entity or business associate, as applicable, must conduct a risk assessment that considers certain factors to determine the overall possibility that the PHI has been compromised.
On Jan. 17, 2013, the U.S. Department of Health and Human Services released the long-awaited omnibus final rule pursuant to the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Non-Discrimination Act of 2008. The Final Rule is effective as of March 26, 2013, and covered entities and business associates must comply with the applicable requirements of the Final Rule by September 23, 2013.
The key compliance tasks for covered entities related to the Final Rule are as follows:
- Revise and redistribute Notices of Privacy Practices to patients.
- Revise policies and procedures and train workforce on new requirements.
- Update breach definition and breach assessment tools to comport with the new "objective" breach standard (as discussed below).
- Evaluate all business associate relationships to ensure business associate agreements are in place as required under the expanded definition of business associate.
- Revise existing business associate agreements by September 23, 2014.
2. HITECH mandated audits have commenced
The HITECH Act requires HHS to perform periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. The Office for Civil Rights implemented a pilot program whereby KPMG LLP, a public accounting firm, developed an audit protocol and conducted 115 audits of covered entities from November 2011 through December 2012. The audit protocol is posted on the OCR website and provides a useful tool for providers to ensure they comply with the Privacy and Security Rules and Breach Notification standards.
3. Larger providers are facing maximum penalties for violations
While almost two years have passed since the monumental settlement between Massachusetts General Hospital and HHS requiring MGH to pay $1 million, the MGH settlement was only the beginning of a trend of imposing substantial penalties on larger covered entities for HIPAA violations.
On March 13, 2012, Blue Cross Blue Shield of Tennessee agreed to pay HHS $1.5 million to settle potential violations of the Privacy and Security Rules. The investigation resulted from BCBST's report to HHS of the theft of 57 unencrypted computer hard drives containing PHI of over 1 million individuals. A few months following the BCBST settlement, HHS announced a settlement with another larger covered entity for $1.7 million to settle potential violations of the Security Rule by the Alaska Department of Health and Social Service. The investigation of ADHSS followed a breach report to HHS by ADHSS regarding the theft of a USB hard drive. Later in September 2012, HHS announced it had reached an agreement with Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates (collectively, MEEI) to settle potential violations of the Security Rule for $1.5 million. Despite deciding to accept the settlement, MEEI stated its belief in a press release that the size of the settlement was excessive.
While the Final Rule contains many provisions that amplify penalties for violations of HIPAA, OCR cannot automatically impose the maximum civil monetary penalty for a violation. Rather, OCR must first consider four factors, which may be mitigating or aggravating, before determining the amount of a CMP. However, its analysis of such factors can still result in the imposition of the maximum CMP amount, particularly for larger covered entities. The factors generally evaluate (i) the nature of the violation, (ii) the extent of the harm caused, (iii) past HIPAA compliance, and (iv) the financial condition of the perpetrator. While evaluation of the financial condition of the covered entity or business associate may lead HHS to issue a more lenient penalty against small providers, it will not generally benefit larger providers.
4. Security Rule compliance is focus of OCR enforcement actions
Recent HIPAA enforcement actions publicized by OCR demonstrate a pattern of sanctioning entities that are out of compliance with the Security Rule. As of Feb. 28, 2013, OCR had 258 open complaints and compliance reviews specifically pertaining to the Security Rule. In June 2012, following a $1.7 million settlement of Security Rule violations, OCR Director Leon Rodriguez cautioned, "Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices." Also in June 2012, following agreement by MEEI to pay HHS $1.5 million to settle potential Security Rule violations, Dir. Rodriguez commented, "In an age when health information is stored and transported on portable devices such as laptops, tablets, and mobile phones, special attention must be paid to safeguarding the information held on these devices." While Security Rule compliance may not have been a focus of providers in the past, it is an area where an increased effort towards compliance may render significant benefit to covered entities and business associates.
5. New Standard for Breach of Unsecured PHI
HIPAA requires notice to affected individuals, HHS and, in certain circumstances, the media when covered entities or their business associates discover a "breach" of unsecured PHI. HHS defines "breach" as the "acquisition, access, use, or disclosure" of PHI in violation of the Privacy Rule that "compromises the security or privacy" of the PHI. Previously in the Interim Final Rule, HHS defined the phrase "compromises the security or privacy of the PHI" to mean that the acquisition, access, use or disclosure "poses a significant risk of financial, reputational, or other harm to the individual," which became known as the "risk of harm standard."
After considering public comments, HHS determined that the risk of harm standard was too subjective and could be construed and implemented in a manner it had not intended. Accordingly, in the Final Rule, HHS revised the definition of "breach" to state that unless an exception applies, an impermissible use or disclosure of PHI is presumed to be a breach requiring notification unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised. To determine whether there is a low probability that the PHI has been compromised, the covered entity or business associate, as applicable, must conduct a risk assessment that considers certain factors to determine the overall possibility that the PHI has been compromised.
More Articles on HIPAA Compliance:
10 Steps for Ensuring HIPAA Compliance
5 Steps to Ensuring Hospital Data Security
Final Health Information Rule Strengthens Patient Privacy, Security Under HIPAA