Changing HIPAA, HITECH Regulations Bring New Challenges to Healthcare Providers
Protected healthcare information is being stolen in this country, through cyber breaches and other methods, at a truly staggering pace. Compounded with new enforcement and compliance actions by the federal and state governments, this is leaving many healthcare providers—no matter how large or small—in a quandary as to how to stay ahead of the curve and avoid costly fines and penalties.
The U.S. Department of Health and Human Services (HHS) Office recently issued its “Annual Report to Congress on Breaches of Unsecured Protected Health Information” for calendar years 2009 and 2010. That report, which came out after the first 18 months that HITECH was in effect, said that 30,000 breaches occurred, affecting approximately 7 million people.
Several of the largest reported healthcare breaches have occurred in the time since the report was issued, including Nemours Children’s Hospital (affecting patients in Delaware, Florida, New Jersey and Pennsylvania), Sutter Health in California, and the TRICARE military health care system breach.
“When you see those kinds of numbers in the first 15 months that regulations are in effect, you know that there’s a hotbed of activity,” said Lynn Sessions of Baker Hostetler in Houston.
“There probably isn’t a week that goes by that we don’t get some kind of data breach in. And the majority of those are in the healthcare industry,” she said.
HITECH, enacted in 2009, is still operating under the interim final rule. The Office for Civil Rights (OCR) recently sent its final rules on Health Insurance Portability and Accountability Act (HIPAA) and HITECH to the Office of Management and Budget (OMB) for final review. They are expected to be published in mid-2012.
This set of regulations “covers a numerous amount of topics under HIPAA that compliance officers and privacy officers and general counsel are going to have to quickly size up and integrate into their compliance programs,” said Katherine Keefe of Dilworth Paxson in Philadelphia.
She said that the new regulations will contain “several touch points,” including the finalization of breach regulations.
“No one really knows how the breach notification rules are going to be changed or modified but there’s a lot of thought that it’s going to be around the issue of doing a risk assessment and what the risk assessment requirements are when there’s a breach,” said Keefe.
Although many healthcare organizations have taken major steps to be in compliance with HIPAA and HITECH regulations, many still have some catching up to do.
“There are a lot of folks that are coming late to the party. HIPAA compliance has been around since 2003 and that’s the foundation. If organizations don’t comply with HIPAA and then they have a breach—and the breach may have nothing to do with their non-compliance—they are completely exposed to the federal government, the OIG, the state attorneys general for investigation—and they throw the door open to everything they’re not doing and should be doing under HIPAA,” said Keefe.
Sessions agreed. “We are seeing that healthcare organizations may still not have their shop in order with respect to being compliant with HIPAA and HITECH,” she said.
“And so what happens is you have something as simple as losing an unencrypted iPhone®—and the iPhone is used for business purposes and contains emails that have spreadsheets that may have significant patient information on them—because they were not encrypted there’s no safe harbor under HITECH. So, all the patients whose information was included on that spreadsheet on that single email—they have to be notified depending on the type of information that was contained on it,” said Sessions.
“The reason that healthcare organizations are being targeted is because they have a gold mine of information about all of their patients. So, when a patient treats with a physician or in a hospital, they give their name, address, social security number, insurance information—the list goes on and on and on,” she said.
Steps To Take
So, for a healthcare organization facing possible government penalties for non-compliance, on top of the daily threat of cyber breaches and information theft, what kinds of steps should they take to avoid a costly and potentially business-ending event?
“To the extent that healthcare organizations can [do so, they should] encrypt. I think encryption provides them with the best safe harbor. So, if they can encrypt all of their devices, whether it’s mobile devices, or desktops, that’s going to provide them with the safe harbor under HITECH and state regulations,” said Sessions.
“There’s a cost-benefit analysis that goes on [in deciding] whether you’re going to encrypt every single computer and every single mobile device that you have in your organizations. And it’s just difficult to police, because unless you’ve got that kind of technology, anyone can walk in and download unencrypted patient information onto a thumb drive and you know what, maybe it gets lost on the subway or the train …” she said.
Sessions also advises companies and organizations to ensure that they’re compliant with HITECH and that they’ve done appropriate risk analysis.
“Have good policies and procedures in place so that you’ve got the framework and structure in place so that your organization is at least aware of what the rules are. And then you’ve got to educate your staff. They’ve got to understand the importance of privacy, they’ve got to understand the importance of HIPAA and HITECH and what the risk is to the organization if things are not compliant,” she said.
Organizations shouldn’t only view breaches as an IT function—many HIPAA breaches occur when paper health records are stolen, said Sessions.
Meredith Schnur of the Professional Risk Group of Wells Fargo Insurance said that general counsel should consider aligning themselves with a privacy attorney and/or a breach coach prior to a breach event. This individual’s sole responsibility is to educate the organization about privacy breach notification laws; he or she can advise a company or organization about what to do, and when and whom to notify, if a breach does occur.
“And that same breach coach may be very up to speed on the current litigation environment as well. If a client gets sued as a result of a breach event, that attorney can provide further guidance,” she said.
She also said that, in addition to federal laws, there are 46 states that have privacy breach notification laws that dictate responsibilities in the event of a breach. The key point here is that it’s not where the organization is domiciled, it’s where their customers are domiciled. This will dictate notification requirements.
Keefe concluded that compliance focus needs to sharpen as a result of the HITECH-mandated HIPAA audits, which are currently underway. Preliminary analysis from auditor KPMG includes the finding that entities are not conducting risk assessments of both the privacy and security parts of their HIPAA compliance programs. Once final audit findings are made public by OCR, health care companies and providers will face even more pressure to improve.