As regularly blogged about on the Data Privacy Monitor, the past 12 months have seen record-breaking HIPAA enforcement activity by HHS OCR. But according to recent remarks by a high-ranking HHS attorney, if you thought these past 12 months were significant, just wait for the next 12 months.
According to Law360, Jerome B. Meites, Chief Regional Civil Rights Counsel Region V – Chicago, indicated at a recent American Bar Association (ABA) conference that OCR’s last 12 months of enforcement activity will “pale in comparison to the next 12 months.” To put that into perspective, consider that since June 1, 2013, HHS OCR has published nine resolution agreements that have resulted in over $10 million in monetary settlements, including a record $4.8 million monetary settlement announced in May 2014. “Knowing what’s in the pipeline, I suspect that that number will be low compared to what’s coming up,” Mr. Meites said.
When asked by Law360 as to why the increase in activity, Mr. Meites pointed to previous statements made by HHS OCR regarding an increasing desire to send strong messages – statements like the one made by OCR Director Leon Rodriguez at the announcement of the Final Rule:
“The final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”
“They think they can affect the industry with high-impact cases,” Mr. Meites added. The increase in OCR enforcement activity may be attributable to OIG’s November 2013 report regarding OCR oversight and enforcement of the HIPAA Security Rule. The report focused on the shortfall in OCR’s action to ensure covered entity compliance with the Security Rule.
At the ABA conference, Law360 also reported that Mr. Meites discussed the next round of HIPAA audits, which he expected would begin later this year and end in 2015. According to Mr. Meites, HHS OCR is still working to identify which organizations will be audited from a list of over 1,200 candidates. Eight hundred of these candidates are covered entities—health care providers, health plans, or health care clearinghouses—and the remaining 400 being the business associates that store or process the information maintained by those covered entities. The audit firm KPMG noted at the NetDiligence conference in Philadelphia on Friday that HHS has not indicated how it will select the business associates.
Law360 also reported that Mr. Meites had some words of advice regarding HIPAA compliance. “Portable media is the bane of existence for covered entities,” Mr. Meites said. “It causes an enormous number of the complaints that OCR deals with.” Mr. Meites reportedly went on to note that failure to perform a comprehensive risk analysis, as required under HIPAA, has factored into most of the cases involving monetary settlements. “You really have to think carefully about what a risk analysis involves, and it can’t just be the obvious,” Mr. Meites said. “Everywhere in your system where [patient information] is used, you have to think about how to protect it.”
Based on the resolution agreements issued to date, the last round of HIPAA audits, as well as Mr. Meites’ statements at the ABA conference, covered entities and their business associates must continue to evaluate portable media, analyze risk, conduct ongoing risk management, and review routine information system activity as part of an effective HIPAA security compliance program. The Security Risk Analysis continues to be one of the most important aspects of the HIPAA security program, including during an OCR investigation.