HHS and OCR promise the Omnibus Final Rule – compliance date of Sept. 23 – will be the toughest yet

Ready or not: HIPAA gets tougher today

By Erin McCann
10:06 AM
Leon Rodriquez OCR HIPAA

Leon Rodriguez, director of the Office for Civil Rights at the U.S. Department of Health & Human Services, is a serious looking guy. It would be no stretch to say intimidating, even, as the tall, broad-shouldered director represents the face of the more-stringent-than-ever HIPAA Omnibus Rule – compliance date of Sept. 23. The new rule promises to bring hefty fines, more audits and added enforcement pertaining to the issue of patients’ protected health information.

In reality, however, although Rodriguez has affirmed that organizations will indeed be held accountable for violating HIPAA privacy and security rules, he has also proved himself to be industry-conscious, practical and fair.

Of the some 80,000 HIPAA breach cases OCR has received since 2003, only 16 of those have resulted in fines, Rodriguez pointed out in an interview with Healthcare IT News.

"It’s a relatively small part of what we do here," he said. Most cases OCR handles involve corrective action rather than monetary fines.

Don’t let that cloud your judgment or start shirking your privacy and security obligations, however. Fines imposed on organizations that grossly violate HIPAA privacy and security rules are now on the upward trend, says Rodriguez, and that’s most likely going to continue.

"It’s going to continue to be a small but very important part of the story," he said. "I think it’s important because it very powerfully articulates what our expectations are for covered entities, what risk analysis steps, what training steps, what disciplinary steps, what safeguard steps we expect of them."

[See also: Behemoth breach sounds alarm for 4M and At $1.2M, photocopy breach proves costly.]

And although an official and permanent audit program is not yet fully established – and most likely won’t be until 2014 – breach investigations are, as some organizations can attest to, at full force.

Breach blunders
WellPoint, one of the nation’s largest health insurers, is one among 16 organizations thus far that has come to better understand what’s expected in regards to HIPAA privacy and security rules.

Just this July following an investigation, OCR ordered WellPoint to hand over $1.7 million after leaving the protected health information of 612,402 individuals accessible over the Internet. The data compromised included patient names, dates of birth, Social Security numbers, telephone numbers and health information.

According to the report, WellPoint established no safeguards verifying the person or entity seeking access to the electronic protected health information, and it failed to perform technical evaluation following an IT system software upgrade.

[See also: Another data breach for Sutter Health and Kaiser Permanente sends out breach letters after email gaffe.]
 
"I think all these cases really powerfully articulate those expectations and the fact that we will be holding people accountable," Rodriguez said.

When asked where HIPAA-covered entities most often make their biggest misstep, Rodriguez pointed to risk analysis inadequacies, for business associates and covered entities alike. It’s the "failure to perform a comprehensive, thorough risk analysis and then to apply the results of that analysis," he said.

Based on the complaints OCR has received, risk analysis failures top the list for the biggest security issues.

Case in point is what transpired at Idaho State University’s Pocatello Family Medicine Clinic two years ago, when clinic officials notified the Department of Health and Human Services of a breach involving electronic protected health information for some 17,500 patients.

Following an investigation, OCR determined that the PHI of those 17,500 patients was left unsecure for 10 months due to the disabling of an ISU firewall.

Furthermore, the ISU clinic failed to conduct risk analysis of the confidentiality of the ePHI for more than five years. As a result, this May, ISU agreed to pay $400,000 to HHS to settle HIPAA breach allegations.

Ted Kobus, New York-based attorney for BakerHostetler who specializes in privacy issues and data breaches, said another area where covered entities and business associates are failing in privacy and security arenas pertain to the issue of properly handling old data. The "forgotten data, old data that the organization hasn’t accounted for," proves a frequent reason for a breach, says Kobus.

This reality resonates with New York-based Affinity Health Plan, which just this August agreed to pay OCR $1.2 million after failing to clean patient data from a photocopier hard drive. CBS News then purchased the photocopier, previously leased by Affinity, and discovered it contained the protected health information for 344,579 patients.

Following an investigation, OCR officials found Affinity neglected to include the electronic photocopier data in any of its risk analyses.

The HIPAA Security Rule requires CEs and BAs to clear, purge or destroy the devices containing ePHI before the devices are available for re-use, but that’s just not happening at the level it should, says Sean Magann, vice president of California-based Sims Recycling Solutions. "What's happened over the past five or six years is that bad guys got really smart," he told Healthcare IT News' Mike Miliard last month. "They realized there's more value in the information than in the actual commodities. It's a numbers game. You buy 100 hard drives, 99 of them will be erased and done properly. But the one that you do get contains a treasure trove of information: Social Security numbers, patient data, everything a bad guy needs."