Get Ready Now for Toughened HIPAA/HITECH Act Privacy and Security Rules and Enforcement, and Big Noncompliance Fines

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted on August 21, 1996, as Public Law 104-191.   HIPAA Administrative Simplification provisions in Subtitle F, Title II included transactions and code sets, privacy, security, and unique identifiers.  Except for several identifiers, the federal government promulgated enabling regulations under the Administrative Procedure Act.  For example, the Privacy Rule required compliance by healthcare providers, healthcare clearinghouses, and health plans—Covered Entities—by April 14, 2003, and the Security Rule required compliance by April 20, 2005, with small health plans for each rule having an additional year in which to comply.

On February 17, 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) was enacted as part of the so-called stimulus package known as the American Recovery and Reinvestment Act (Public Law 111-5).  Enhanced privacy and security provisions—including extension of requirements to Business Associates of Covered Entities, specification of breach notification requirements for unsecured protected health information, and substantially increased penalties for noncompliance—were included in the HITECH Act.  These provisions have been encapsulated in notices of proposed rulemaking and interim final rules.  The federal government has indicated that Final Rules for Privacy, Security, Breach Notification, and Enforcement will be published in the Federal Register simultaneously—no later than the end of 2011, and expected in September as noted by the Office of Information and Regulatory Affairs at the Office of Management and Budget (OMB), with HDM Breaking News on July 7, 2011, reporting that the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) “confirms that anticipated timetable.” If so, and with compliance required by Covered Entities and Business Associates for privacy and security changes 240 days following publication, compliance would be required most likely in May 2012.  Note, that as interim final rules, breach notification requirements and enforcement penalties, already require compliance and are effective, respectively.

On Sunday, August 21, 2011, we say HAPPY 15^th ANNIVERSARY, HIPAA! We also note that, up until passage of the HITECH Act, the Congress was penurious in providing enforcement funding, the federal government was lax in delivering meaningful enforcement, even given the resources it had, and penalties were trivial for HIPAA violations.  See the June 2, 2011, HHS news release, Security Gaps May Threaten Electronic Health Records, which provides links to two Office of Inspector General reports. A measure of the laxity is the public disclosure of breaches since September 23, 2009, when public disclosure was required by regulation under the HITECH Act on OCR’s Web site.  As of August 17, 2011, there have been almost 11.6 million individuals impacted by 300 breaches affecting a minimum of 500 individuals per breach.  Approximately 3 out of 4 of these breaches involve electronic media, the rest hard copy such as paper or film, and about 18% involve a business associate of a covered entity.  In addition, HDM Breaking News on August 3, 2011, reported OCR has acknowledged that from inception of public disclosure in September 2009 through mid-May 2011, there have been 31,000 breaches affecting fewer than 500 individuals per breach, which only have to be reported to HHS annually.  As a result of federal enforcement laxity, a large number of covered entities have been dismissive of or just given lip service to the need to invest in securing protected health information, including conducting risk assessments, developing policies and procedures for safeguarding such information, and training their workforce members on implementing and practicing those safeguard procedures.  This is evidenced by the incidence of stolen mobile and portable electronic devices containing protected health information that are not encrypted, as shown by an analysis of the publicly disclosed breaches on the OCR Web site, studies in the literature, and anecdotally.

HIPAA.com recommends that if you are working for or represent a Covered Entity or Business Associate that you review examples of Corrective Action Plans in HHS Resolution Agreements, such as the Corrective Action Plans Between the United States Department of Health and Human Services and the General Hospital Corporation and Massachusetts General Physicians Organization, Inc (February 14, 2011), and Between the United States Department of Health and Human Services and the Regents of the University of California (July 6, 2011). These Corrective Action Plans will give you an appreciation of required measures and strict timelines that you likely will face following a breach, complaint investigation, or compliance audit where it is determined that your business is not in compliance with HIPAA Privacy, Security, or Breach Notification Rules.

Below, we provide excerpts from provisions of the referenced Corrective Action Plan (CAP) for UCLA Health System that is part of the Regents of the University of California Resolution Agreement:

“III.  Term of CAP

The period of compliance obligations … shall begin on the Effective Date [July 6, 2011] and end three (3) years from the date of OCR’s approval of the Monitor Plan….

V.  Corrective Action Obligations

• Policies and Procedures

1. …Shall review, revise and maintain, as necessary, existing policies and procedures and develop, implement and maintain, as necessary, written policies and procedures related to the Covered Conduct that comply with the Federal standards [under the Privacy and Security Rules].
2. …Shall provide such Policies and Procedures, consistent with paragraph 1 above, to HHS within 60 days of the Effective Date for review and approval.  Upon receiving any recommended changes to such Policies and Procedures from HHS, …shall have 60 days to revise such Policies and Procedures accordingly and provide the revised Policies and Procedures to HHS for review and approval.
3. …Shall implement such Policies and Procedures within 60 days of receipt of HHS’ approval.

• Distribution and Updating of Policies and Procedures

1. …Shall distribute the Policies and Procedures in section A to all members of its workforce who have access to protected health information within 30 days of HHS approval … and to new members of the workforce who have access to protected health information within 30 days of their beginning of service.
2. …Shall require, at the time of distribution of such Policies and Procedures, a signed written or electronic initial compliance certification from all members of the workforce who have access to protected health information, stating that the workforce members have read, understand or know where to seek information about and will abide by such Policies and Procedures.  Such written or electronic certification must be received [by the Covered Entity]… within 30 days of any workforce member’s receipt of the Privacy Policies and Procedures and if such certification is not received that workforce member shall not be permitted to perform any services for [the Covered Entity] that involves protected health information until and unless such certification is received.
3. …Shall assess, update, and revise, as necessary, the Policies and Procedures at least annually and more frequently if appropriate.  …Shall provide such revised Policies and Procedures to HHS for review and approval….  Within 30 days of the effective date of any approved substantive revisions, [the Covered Entity] shall distribute such revised Policies and Procedures to all members of its workforce who have access to protected health information, and shall require and obtain new compliance certifications from all members of its workforce who have access to protected health information.

• Minimum Content of the Policies and Procedures and Reportable Events

The Policies and Procedures shall include but not be limited to:

1. Instructions and procedures (a) that address permissible and impermissible uses and disclosures of protected health information by various categories of workforce members and (b) that address security awareness standards, information access management standards, workstation use standards, authorization and/or supervision standards and workforce clearance procedures.
2. Application of appropriate sanctions against members of the Covered Entity’s workforce who fail to comply with Policies and Procedures provided for in [paragraph 1] above.
3. Protocols for training all members of the Covered Entity’s workforce who have access to protected health information to ensure that they know how to comply with the Policies and Procedures provided for in [paragraph 1] above.

• Training

1. All members of the workforce who have access to protected health information shall receive specific training related to the Policies and Procedures within 90 days of the implementation of the Policies and Procedures or within 30 days of their beginning as a member of the workforce.
2. Each individual workforce member who is required to attend training shall certify, in writing or in electronic form, that he or she has received the required training.  The training certification shall specify the date training was received.  All course materials shall be retained….
3. …Shall review the training annually, and, where appropriate, update the training to reflect changes in federal law or HHS guidance, any issues discovered during audits or reviews, and any other relevant developments.
4. …Shall prohibit any member of its workforce from using, disclosing, or disposing of protected health information, if that workforce member has not completed the requisite training required by [paragraph 1] above.”

In addition to the provisions outlined above, the Corrective Action Plan also requires that [the Covered Entity] “shall designate an individual or entity to be a monitor to review [the Covered Entity’s] compliance with this CAP,” and outline duties of the monitor, documentation retention requirements, and reporting schedules to HHS regarding fulfillment of the compliance obligations under the CAP.

From previous postings on hipaa.com, you know that remediating breaches is costly, not only in financial terms, but also in time and potential damage to reputation and customer goodwill.  The Ponemon Institute, a privacy and information management research firm, in March 2011, announced results of the sixth annual U.S. Cost of a Data Breach Study. According to this study, based on survey data, breach incidents cost U.S. companies $214 per compromised customer record (2010 data).  Looking just at OCR’s publicly disclosed 300 breaches, affecting nearly 11.6 million individuals, potentially the cost is just under $2.5 billion for remediation.  The August 3, 2011, HDM Breaking News article referenced earlier also mentions that “[t]he cost to reduce the risk to protected health information before a breach can be as low as 10 percent of the cost to remediate a medium-sized breach.”  As the old automative oil filter TV ad stated, “you can pay me now or pay me later.” Investment now in HIPAA/HITECH Act privacy and security safeguards to minimize risk to protected health information is a cost-effective and wise investment, especially with toughened enforcement and significantly higher financial penalties for noncompliance just around the corner.

Again, if your organization has not already done so, it is time to start or review your risk assessment, with guidance available from the National Institute of Standards and Technology (NIST).  Then, prepare, document, and retain your required policies and procedures for safeguarding protected health information based on risk assessment outcomes. Finally, train your workforce members (including management) on HIPAA/HITECH Act privacy, security, and breach notification requirements, with information on online privacy, security, and breach notification awareness and understanding training and testing available at hipaa.com’s sister entity, HIPAA School, or, if you are a member of the American Medical Association, at AMA HIPAA School.

Final privacy, security, breach notification, and enforcement rules will be out soon and the time to achieve compliance–240 days from publication in the Federal Register–is short.  We recommend that you start now.