Since September 23, 2009, the enforcement arm of the Department of Health and Human Services (HHS), the Office for Civil Rights (OCR), has been required to publicly disclose breaches involving 500 or more individuals discovered and reported by covered entities and their business associates. As of October 25, 2011, OCR has reported 345 such breaches involving a total of 11,959,488 individuals. Not reflected yet in the OCR disclosed breaches are two involving 6.5 million individuals: a Nemours breach of 1.6 million individuals and a TRICARE breach involving 4.9 million individuals. Together, these two recently reported breaches represent 54.4% of the total number of individuals affected by the publicly disclosed breaches by OCR over the past 25 months.
OCR has indicated on several occasions this year that the final Omnibus Privacy, Security, Breach Notification, and Enforcement Rules will be published in the Federal Register by the end of 2011. Documentation from the Office of Information and Regulatory Affairs (Reginfo.gov) of the Office of Management and Budget (OMB) shows the timetable for final action indicated a September 2011 date, which is now past.
What is taking so long to get these Final Rules released and published in the Federal Register? Since their enactment, the HIPAA Privacy and Security Rules have been characterized as having lax enforcement and accountability and low financial penalties for non-compliance. Such an environment leads to complacency. That environment changed with the enactment of toughened enforcement requirements and significantly increased penalties in the HITECH Act, which HIPAA.com has discussed in earlier posts.
Enforcement examples include extension of privacy and security requirements to and direct federal regulation of business associates, random compliance audits in addition to complaint and breach investigations, civil enforcement by state attorneys general in federal court, individual liability for certain violations, breach notification requirements, and guidance on securing protected health information.
Although it is only one of several enforcement agreements this year, HHS’ costly and onerous July 2011 Resolution Agreement/Corrective Action Plan with UCLA Health System, which requires that policies and procedures for safeguarding protected health information be in place and that workforce members be trained on those safeguards, is indicative of the severity of consequences to come for non-compliance once the Omnibus Final Rules are fully in effect. HIPAA.com recommends that you read the provisions of the Corrective Action Plan to understand the extent of the risk assessment, policy and procedure documentation, and workforce safeguard training requirements.
It is time to get the enabling Final Rules published in the Federal Register. Perhaps then, and certainly after compliance with the Rules is required as expected in 2012, covered entities and their business associates will sharpen their focus on safeguarding protected health information that is created, stored, in motion, or disposed of, thereby lessening the likelihood and consequences both of breaches and of non-compliance findings in audits and investigations.
HIPAA.com directs your attention to two recent October 2011 articles in Government Health IT that will help covered entities and their business associates address compliance issues and handle breach investigations. The first article is entitled “3 Tips for surviving an OCR breach investigation.” The titles of these tips are: 1. Be prepared before an incident occurs; 2. Educate the investigator; and 3. Ask for help. The second article is entitled “9 steps to take during an OCR data breach investigation.” The titles of these steps are: 1. Learn your HIPAA status; 2. Get HIPAA/HITECH compliant; 3. Get help; 4. Determine who is financially responsible; 5. Aim for an ‘informal resolution’ in an OCR investigation; 6. Create a defensible response strategy; 7. Don’t flunk the ‘attitude test’; 8. Make a clean finish; and 9. Exceed OCR’s expectations if a settlement is required. HIPAA.com recommends that you access these articles and consider the advice under each tip and step.
HIPAA.com reiterates a concluding paragraph from its preceding post, entitled Get Ready Now for Toughened HIPAA/HITECH Act Privacy and Security Rules and Enforcement, and Big Noncompliance Fines:
Again, if your organization has not already done so, it is time to start or review your risk assessment, with guidance available from the National Institute of Standards and Technology (NIST). Then, prepare, document, and retain your required policies and procedures for safeguarding protected health information based on risk assessment outcomes. Finally, train your workforce members (including management) on HIPAA/HITECH Act privacy, security, and breach notification requirements, with information on online privacy, security, and breach notification awareness and understanding training and testing available at hipaa.com’s sister entity, HIPAA School, or, if you are a member of the American Medical Association, at AMA HIPAA School.