OCR: 'Pay attention to details'
HIPAA "has seen a lot of action lately," said Susan McAndrew, deputy director for health information privacy at the Department for Health and Human Services' Office For Civil Rights, at HIMSS14 on Monday.
To say the least. Speaking at a session titled, "HIPAA Compliance: Stepping It Up in 2014," McAndrew first offered a run-down of the rule changes and enforcement actions of 2013. Then she offered OCR's forecast for the year ahead.
She confirmed what most in the audience probably already suspected: "Compliance and enforcement is really where the action is going to be," in 2014.
That includes "investigating our new friends, business associates," said McAndrew, serving notice to BAs and subcontractors that they're now liable for data breaches under the updated 2013 HIPAA omnibus rule.
Patient access to data is also a key priority for HHS, she added – pointing to the omnibus rule's mandate for expanded electronic access to health information and the change earlier this month to 1988's Clinical Laboratory Improvement Amendments, giving patients and their designees direct access to lab test reports.
The past year has seen some hefty enforcement action from OCR, including whopping settlements from Affinity Health Plan ($1.2 million) and WellPoint ($1.7 million) for leaving personal health information vulnerable on an old photocopier and the Internet, respectively.
McAndrew was hardly sympathetic. "This is just common IT stuff," she said, advising the audience to "pay attention to details."
As HHS gets an additional 200 privacy complaints per week from the public thanks to recently installed Web portals, it seems clear that now is the time for healthcare organizations to tighten up their processes and heighten their awareness. To not do so could be extremely costly.
As attorney James Wieland put it, there's been a "sea change" since HIPAA was updated, on both the privacy and security fronts.
"The right of the consumer is now more frequently recognized because more and more records are now stored in electronic form, and more and more people, in all age ranges, are aware of their access rights," said Wieland, a principal at Ober|Kaler's Health Law Group. "Some people say (HIPAA) has not really changed much; I would suggest otherwise."
Now, with the stakes this high, it's incumbent on covered entities and their business associates to have processes that are "much more analytically rigorous, much better documented," he said.