“HIPAA is a valve, not a blockage,” stated HHS OCR Director Leon Rodriguez at the OCR/NIST 6th Annual Conference on Safeguarding Health Information: Building Assurance through HIPAA Security. Discussing the tension inherent in HIPAA between patient access to patient information and an organization’s safeguarding of protected health information (PHI), Director Rodriguez characterized OCR’s HIPAA guidance as providing the “super highways” to ensuring patient access to PHI and to safeguarding PHI. An organization must figure out the “surface streets” on its own, a point that once again emphasizes the flexibility and scalability of HIPAA. Regardless of the type or size of an organization governed by HIPAA, the basic rules remain the same. To adequately safeguard PHI, HIPAA defines a process: it provides an organization with a series of decisions, policies and procedures, analyses, and plans. Above all, patient expectations govern.
Where does an organization draw the line between patient access and protecting PHI, especially in light of increased OCR enforcement of HIPAA/HITECH? To ease a covered entity’s and business associate’s anxiety, Director Rodriguez reassured organizations that OCR is not playing a game of “gotcha.” OCR is neither trolling for enforcement actions and civil monetary penalties (CMPs), nor seeking to punish a proactive organization for a single incident. In support of his statement, Director Rodriguez highlighted the fact that of the 74,554 complaints filed since 2003, and the 26,513 total cases investigated by OCR, 17,767 cases resulted in corrective action, and only 13 cases since 2008 resulted in a Resolution Agreement and CMPs.
Director Rodriguez acknowledged that breaches of PHI are going to happen, as risks exist even where organizations are doing everything right. OCR is interested in what an organization is not doing, and whether the proper analysis is being conducted. An organization must identify, remedy and change (if needed).
So what type of action or inaction ends up in an OCR monetary enforcement scenario? Director Rodriguez categorized two culprits: (1) an ongoing failure to comply with the HIPAA Privacy and Security Rules, and (2) an unforgivable disclosure. Regarding the first category, an ongoing failure usually persists over several months or years. Oftentimes a risk analysis is missing, along with routine information system reviews. Director Rodriguez stressed the importance of conducting risk analyses to identify vulnerabilities. Once a risk is identified, it must be properly evaluated and addressed. Another recurring ongoing failure is neglecting to update policies and procedures after a change in business operations or a change in technology. Director Rodriguez summarized the routine case falling under OCR’s monetary enforcement scenario as an incident affecting a large number of records, a vulnerability that exists for a number of months, and a failure to assess risk (e.g. OCR’s May 21, 2013 Resolution Agreement with Idaho State University). The second category is an unforgivable disclosure of PHI that is borderline criminal (e.g. the UCLA breach of celebrities’ privacy resulting in OCR’s July 6, 2011 Resolution Agreement).
Regarding CMPs, Director Rodriguez highlighted the guidance provided in the Final Rule on the factors to consider in determining the amount of CMPs to assess. He used the Resolution Agreement with the Alaska DHSS, where there was an alleged lack of remediation over a long period of time, to demonstrate how a prolonged failure to remediate can increase a CMP. In the Alaska DHSS matter, the Resolution Agreement required payment of $1.7M. Accordingly, in addition to identifying, assessing and responding to a breach incident, an organization must also remedy any vulnerability in a timely manner in order to keep the amount of any potential CMP low.
Director Rodriguez also commented on the vulnerabilities associated with mobile devices, which remain a topic of interest for OCR. Of the breach reports received by OCR, 25% are related to paper records and the vulnerability of mobile devices. Director Rodriguez encourages all organizations to focus on securing mobile devices (a “great vulnerability”) and to use HHS resources regarding mobile device security.
OCR’s HIPAA audits were also discussed – specifically OCR’s findings regarding encryption. Not surprisingly, OCR found that encryption, an addressable implementation specification under the Security Rule, was not always implemented by organizations. Director Rodriguez stressed the importance of conducting an analysis – shopping for technology, evaluating the risks and costs of implementation, and considering how encryption might affect patient care in the clinical setting. An organization must weigh the pros and cons of encryption in making the final decision to encrypt or not to encrypt. A lack of analysis regarding the adoption of encryption is a red flag.
Director Rodriguez, concluding his dialogue on HIPAA/HITECH compliance, recommended that every organization “be smart and implement best practices” and remember that the patient is most important. Organizations must determine how to best ensure patient access to PHI while also adequately safeguarding PHI. “[A] risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program.”