It’s about the patients, it’s about safeguarding privacy, and it’s about trying to avoid making the same mistakes twice, said Office for Civil Rights Director Leon Rodriguez to hundreds of HIMSS13 attendees Monday morning at “A Dialogue On HIPAA/HITECH Compliance: Considerations Now That the HITECH Regs are Here.”
Rodriguez emphasized the changes included in the final Omnibus HIPAA rule, spoke about the enforcement to come and dispelled notions of irrational fear. Breaches will happen, he said. It’s the “willful neglect” that could lead to trouble for a covered entity or business associate.
“The real purpose of breach notification is for covered entities to identify the vulnerabilities that resulted in the breach, (and) remedy those vulnerabilities in an immediate and decisive manner,” said Rodriguez, “And also for us to learn from those breach reports where those vulnerabilities are.”
Rodriguez pointed out that although some 65,000 breach reports have been filed with the OCR since 2009, only a couple of those have actually resulted in enforcement action.
With that said, lax policies, irresponsible behavior and the lack of proper risk analyses are nothing to joke about. Some groups have had to pay serious money for improperly handling data breaches. “We are now at a point where we have collected a total of over $15 million from our enforcement activity,” said Rodriguez, with the lion’s share coming from resolution agreements with the covered entity.
He cited the case of Alaska Department of Health and Social Services, which had to pay $1.7 million to the OCR relating to a stolen USB device containing the personal health information of some 2,000 patients. This is not the typical fine, however, Rodriguez added. “A lot of the deficiencies and violations that we identified in that case,” he said, “continued well beyond the reported breach, and there was weak evidence of an effort to remedy that breach.”
Rodriguez went on to say that no one type of provider is immune from enforcements. When the auditing firm KPMG conducted an audit on 115 different kinds of entities, Rodriguez said, a number of diverse entities were found to have an ineffective risk analysis. “We found there were entities that encrypted and entities that did nothing at all.”
One of the most foolish things to do, he said, is to forgo encryption. And ultimately, Rodriguez added, it’s more cost effective for a covered entity to get their HIPAA house in order before a breach than to risk the enforcement following one.
Some of the big provisions included in the final rule include:
- Subcontractors of a business associate, or BA, are now defined as a BA
- BAs must comply with security rule
- Patient’s have a right to an electronic copy of EHR
- Prohibition on sale of personal health information without patient’s consent
- Requires “genetic information” to be treated as PHI
The final rule is effective starting March 26, 2013, but Rodriguez said covered entities have until Sept. 23, 2013 to be in compliance.