New Director of Office of Civil Rights Speaks About HIPAA Enforcement

"Enforcement promotes compliance" according to the new director of the Department of Health and Human Services' Office for Civil Rights, Leon Rodriguez, during an interview with HealthcareInfoSecurity's Howard Anderson. In September, Mr. Rodriguez replaced Georgina Verdugo, and enters his post with significant relevant experience. He was formerly chief of staff and deputy assistant attorney general for the Department of Justice Civil Rights Division, a health care attorney in privacy practice, and a prosecutor at the federal and state level. 

On the upcoming HIPAA audits, Director Rodriguez had the following to say:

This is the first time we're doing it, so the first thing ... is for us to 'go to school' on how best we will run an audit program. In part, this is what you might call a pilot. We're going to look at it and learn: How do we use an audit program? How does an audit program best advance our enforcement goals? 

The second purpose, and this is really different than enforcement, is to promote compliance among the covered entities that are subject to the audit. Our first objective is not to go out there and start banging [organizations] with penalties; it's really to take a good look at them, find out where their opportunities for improvement are and help them improve. Having said that, I think we know that there are cases where we're going to find some significant vulnerabilities and weaknesses. And in those cases, we may be pursuing significant corrective action. And in some of those cases, we may be actually pursuing civil monetary penalties. But that's really not the primary goal of the audit program.

With HIPAA audits scheduled to begin in the next few months, covered entities and business associates should become familiar with HHS' new Director of Office of Civil Rights and his mission.

HHS Announces Proposed Changes to HIPAA Privacy Rule

Prior to the Health Information Technology for Economic and Clinical Health (HITECH) Act becoming law, the HIPAA Privacy Rule required covered entities to provide individuals with an accounting of certain disclosures of their protected health information (PHI). HITECH enhances these accounting rules and requires that individuals be able to know who has accessed their electronic PHI. The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) is proposing changes to the Privacy Rule to implement these new requirements and is seeking comments from the public to help shape the rule so as to provide the greatest transparency for individuals with respect to access to and disclosures of their PHI, while minimizing the burden on covered entities and business associates. Remember, under HITECH, business associates are subject to nearly all of the same requirements under the HIPAA Privacy and Security Rules as covered entities. The discussion below touches on some of the key proposals.

HHS' Notice of Proposed Rulemaking would enhance the rules concerning the obligation to provide an accounting of certain disclosures of PHI and fleshes out the right of individuals to get a report on who has electronically accessed their PHI. These two rights, to an accounting of disclosures and to an access report, would be distinct but complementary. The right to an access report would provide information on who has accessed electronic PHI in a designated record set (including access for purposes of treatment, payment, and health care operations), while the right to an accounting would provide additional information about the disclosure of designated record set information (whether hard-copy or electronic) to persons outside the covered entity and its business associates for certain purposes (e.g., law enforcement, judicial hearings, public health investigations). The intent of the access report is to allow individuals to learn if specific persons have accessed their electronic designated record set information.  In contrast, the intent of the accounting of disclosures is to provide more detailed information (a “full accounting”) for certain disclosures that are most likely to impact the individual.

In general, designated record sets include the medical and health care payment records maintained by or for a covered entity, and other records used by or for the covered entity to make decisions about individuals. See the definition of “designated record set” at 45 CFR § 164.501. An example of PHI that falls outside the designated record set is a transcript of a customer call that is used only for customer service review, rather than to make decisions about the individual.

HHS believes the access report requirement will not present an unreasonable burden on covered entities and business associates because by limiting the access report to information maintained in an electronic designated record set, the report will include information that a covered entity is already required to collect under the HIPAA Security Rule. That is, under §§ 164.308(a)(1)(ii)(D) and 164.312(b) of the HIPAA Security Rule, a covered entity is required to record and examine activity in information systems and to regularly review records of such activity. Access reports would cover a three-year period, and would provide the individual with information about who has accessed the individual's electronic PHI held by a covered entity or business associate. They would not distinguish between “uses” and “disclosures,” and thus, would apply when any person accesses an electronic designated record set, whether that person is a member of the workforce or a person outside the covered entity. The report would be required to identify the date, time, and name of the person (or name of the entity if the person's name is unavailable) who accessed the information, and potentially a description of the protected health information that was accessed and the user's action, if that information is available.
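As an added illustration (not part of the original post or of any HHS guidance), the function below builds an access report of the kind described above from Security Rule audit events: it restricts the report to the three-year window, treats workforce and outside access alike, falls back to the entity name where the person's name is unavailable, and includes the description and action fields only when the audit log actually holds them. The event structure, field names and sample values are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class AccessEvent:
    """One audit-log entry of the kind §164.312(b) already requires (assumed layout)."""
    when: datetime
    patient_id: str
    person_name: Optional[str]   # None when only the accessing entity is known
    entity_name: str
    is_workforce: bool           # uses (workforce) and disclosures (outsiders) are reported alike
    phi_description: Optional[str] = None
    action: Optional[str] = None

# Constructed sample events, not real data; the second comes from an outside
# clearinghouse whose individual user is unknown to the covered entity.
SAMPLE_EVENTS = [
    AccessEvent(datetime(2012, 3, 4, 9, 15), "P100", "Dr. A. Example", "Example Clinic", True, "Lab results", "view"),
    AccessEvent(datetime(2012, 3, 5, 14, 2), "P100", None, "Example Clearinghouse LLC", False, "Claim 123", "export"),
    AccessEvent(datetime(2008, 12, 31, 23, 59), "P100", "J. Clerk", "Example Clinic", True),
    AccessEvent(datetime(2012, 3, 6, 8, 0), "P200", "Dr. A. Example", "Example Clinic", True, "Notes", "view"),
]

def _years_before(moment: datetime, years: int) -> datetime:
    """Same calendar instant `years` earlier; a Feb 29 request falls back to Feb 28."""
    try:
        return moment.replace(year=moment.year - years)
    except ValueError:
        return moment.replace(year=moment.year - years, day=28)

def access_report(events, patient_id: str, requested_on: datetime, years: int = 3):
    """Return the access report rows for one individual, oldest access first."""
    start = _years_before(requested_on, years)
    rows = []
    for ev in sorted(events, key=lambda e: e.when):
        if ev.patient_id != patient_id or not (start <= ev.when <= requested_on):
            continue  # another individual, or outside the reporting window
        row = {
            "date": ev.when.date().isoformat(),
            "time": ev.when.time().isoformat(timespec="minutes"),
            "name": ev.person_name or ev.entity_name,  # entity name when person unknown
        }
        if ev.phi_description:
            row["phi_description"] = ev.phi_description
        if ev.action:
            row["action"] = ev.action
        rows.append(row)
    return rows
```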

The right to an accounting of disclosures would encompass disclosures of both hard copy and electronic PHI that is maintained in a designated record set. It would cover a three-year period (down from the current six year period), and would require a covered entity and its business associates to account for the disclosures of PHI believed to be of most interest to individuals. That is, the proposed rule explicitly lists the types of disclosures that are subject to the accounting requirement, rather than the previous approach of listing the types of disclosures for which an accounting was not required. In general, the proposed rule would continue to include in the accounting requirement, without limitation, disclosures for public health activities (except those involving reports of child abuse or neglect), for judicial and administrative proceedings, for law enforcement activities, to avert a serious threat to health or safety, for military and veterans activities, for the Department of State's medical suitability determinations, to government programs providing public benefits, and for workers' compensation.  Also, covered entities will continue to be required to account for disclosures that are impermissible under the Privacy Rule, even if those disclosures did not amount to a "breach" under the Breach Notification Rule at § 164.404.

While the proposed rules referenced above may vary when made final, they will require covered entities to re-examine their current practices to comply with the new rules. In addition, covered entities and business associates may need to make modifications to business associate agreements (as well as agreements with subcontractors and other vendors).  The Notice of Privacy Practices also will require modification to explain to individuals these new and modified rights concerning their PHI.

In regard to when action is needed, the rules propose that covered entities (including small health plans) and business associates comply with the modifications to the accounting of disclosures requirement beginning 180 days after the effective date of the final regulation (240 days after publication). As for the right to an access report, the rules propose that covered entities and business associates be prepared to make this available beginning January 1, 2013, for electronic designated record set systems acquired after January 1, 2009, and beginning January 1, 2014, for electronic designated record set systems acquired as of January 1, 2009.

Inter-agency Cooperation Nabs HIPAA Violator for HHS

Bypassing the media attention that often accompanies high-dollar penalties and settlements, the Department of Health and Human Services (HHS) has quietly reported a settlement concerning the HIPAA privacy and security rules that highlights the increasing cooperation among federal government agencies in enforcing a steadily expanding and complex compliance environment.

Late in 2009, HHS opened an investigation of Management Services Organization Washington, Inc. (MSO) following a referral from the HHS Office of Inspector General (OIG) and the Department of Justice, Civil Division (DOJC), which had been investigating MSO and its owner for violations of the federal False Claims Act (FCA). During the course of its investigation, OIG discovered that MSO's owner also owns Washington Practice Management, LLC (WPM), which earns commissions by marketing and selling Medicare Advantage plans.

According to the HHS Resolution Agreement with the company, the tip from OIG and DOJC led HHS to find that MSO:

  • impermissibly disclosed electronic protected health information (ePHI) of numerous individuals to WPM without a valid authorization, for WPM's purpose of marketing Medicare Advantage plans to those individuals; and
  • did not have in place and did not implement appropriate and reasonable administrative, technical, and physical safeguards to protect the privacy of the ePHI.

Without acknowledging a HIPAA violation, MSO agreed to a resolution payment of $35,000 and to a two-year "Corrective Action Plan," which includes, among other things:

  • adopting written policies and procedures to be reviewed and approved by HHS;
  • obtaining a signed certification from all workers concerning the policies and procedures;
  • changing its policies and procedures only with HHS approval; and
  • conducting monitoring reviews every 180 days, which include performing unannounced interviews of workforce members.

It is not uncommon for companies considering compliance measures to assess the likelihood of a government audit or inquiry. Any illusion an organization may hold that it is operating “under the radar” of regulators should be shattered in the current compliance environment. Governmental agencies are increasingly able to efficiently coordinate with one another in matters of enforcement. Should HHS receive the additional $5.6 million it is seeking to enforce the HIPAA privacy and security regulations in its 2012 budget, flying under the radar will become more difficult.  

HHS Posts On Its Website Covered Entities Reporting HIPAA Data Breaches

On February 22, 2010, the Office of Civil Rights (OCR) posted on its website its first list of covered entities that have reported breaches of unsecured protected health information affecting more than 500 individuals. OCR acknowledged the HITECH Act requires HHS to make this information public by posting it on an HHS website.

The breach notification rule became effective on September 23, 2009. In short, as we reported previously, the rule requires covered entities to provide notification of breaches of unsecured protected health information directly to the Secretary of HHS, as well as to the affected individuals. Breaches that affect 500 or more individuals must be reported to HHS within 60 days, and covered entities must provide this notification via the online form on the OCR website.

Of course, covered entities need to be aware that breaches reported to HHS will be made public on its site. Some states, such as Maryland and New Hampshire, have had a similar policy in effect for some time for breaches of personal information affecting residents of their states.