California, the state that signed a precedent-setting privacy law, fields more than 220 notifications of potential breaches from licensed facilities per month, according to numbers released by the state's Department of Public Health.
From January 1, 2009, when law AB 211 went into effect, through May 31, 2010, entities have reported a total of 3,766 breaches. The law calls for health providers to prevent unlawful access, use, or disclosure of patients' medical information and to report violations to DPH and the individuals affected.
The California Department of Public Health (CDPH), which enforces the law, receives notification of a little more than seven breaches a day. While California law calls for licensed entities to report any and all potential breaches, federal regulation currently allows providers a backdoor out.
In the HITECH interim final rule on breach notification, providers through the "harm threshold" provision may conduct a risk assessment to see if the potential breach causes a significant risk of financial, reputational or other harm to the patient.
If it doesn't, no notification is required.
Congress did not write this into the HITECH Act. But the Office for Civil Rights (OCR), which on the federal level enforces the HIPAA privacy and security rules, included it through regulation.
In that regulation, published in the Federal Register August 24, 2009, many commenters suggested OCR add a "harm threshold such that an unauthorized use or disclosure of [personal health information] is considered a breach only if the use or disclosure poses some harm to the individual."
Today, one year later, that rule is in effect, but on an interim basis. OCR submitted a final rule on breach notification for review by the Office of Management and Budget (OMB) but withdrew it earlier this month.
OCR did not specify why it withdrew the final rule, but some speculate OCR may remove the "harm threshold" and be more like California, where all breaches are reported.
Of those 3,766 breaches reported in the Golden State, California's investigations team has completed reviews of 1,953. It found that 98.7% of those were "substantiated medical breaches."
One California attorney says a harm threshold would help avoid the need to report innocuous breaches such as a fax going to the wrong provider.
"You add a huge expense and worry people" by reporting harmless breaches, said Paul Smith, partner with Davis Wright Tremaine LLP of San Francisco and co-chair of its health information privacy practice.
Most healthcare entities handle breaches in a "conscientious" way, Smith says.
"They understand that if there is a risk to the patient, it's in everyone's interests to provide notification."
Jeff Drummond, health law partner in the Dallas office of Jackson Walker, LLP, agrees that sending notification upon notification can unnecessarily panic people "who really are at no risk of harm." "Secondly," he says, "getting breach notifications every time a truly low-risk potential disclosure occurs will result in 'warning fatigue.'"
It's like the boy who cried wolf, and "people will ignore notices they get when there really is something to worry about," says Drummond, who will be a co-presenter on the HCPro, Inc. August 31, 2010, audio conference, "HIPAA's New Proposed Rule: Prepare for Changes to Privacy, Security and Enforcement Regulations."
"Some things we do out of an abundance of caution, because there's really little or no downside to doing so," Drummond adds. "Here, there really is a potential downside for giving warnings that aren't really necessary."
However, Drummond said he would not be surprised if the harm threshold were eliminated because Congress did not intend for it to be included in the final breach notification structure.
According to the interim final rule, covered entities and their BAs will perform a risk assessment to determine whether there is a significant risk of harm to the individual whose PHI ended up in the wrong hands.
According to the interim final rule, the important questions are:
In whose hands did the PHI land?
Can the information disclosed cause "significant risk of financial, reputational, or other harm to the individual"?
Was mitigation possible? For example, can you obtain forensic proof that a stolen laptop computer's data was not accessed?
When asked this week by HealthLeaders Media if it were considering removing the harm threshold, OCR deferred to its earlier statement posted on its website.
"This is a complex issue, and the administration is committed to ensuring that individuals' health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur," OCR said of its reason to further review the breach notification final rule.
California, meanwhile, continues to operate without a harm threshold, and as of May 31 the state had been able to investigate 51.8% of the cases reported.
The reported breaches break down as follows:
2,914: Unintentional breach to person outside facility/healthcare system. Example: A patient's prescription is faxed to the wrong number and ends up in a lawyer's office instead of the corner pharmacy.
559: Unintentional breach by healthcare worker within the facility/healthcare system. Example: A nurse faxes a patient record to cardiology instead of radiology.
147: Malicious breach by healthcare worker. Example: A healthcare worker looks at the medical record of a patient without any medical reason to do so.
125: Breach of computer system: theft or loss of an electronic device or medical records. Example: A hospital laptop is stolen from an employee's personal car.
21: Malicious breach by person other than a healthcare worker. Example: Someone visiting the hospital sees a medical file on a desk and decides to pick it up and start reading.
Healthcare has seen its share of egregious data breaches in the past year, especially since the launch of the Office for Civil Rights website that posts the entities reporting breaches of unsecured protected health information (PHI) affecting 500 or more individuals.
However, healthcare may actually be the best industry at securing information, according to a study.
Healthcare accounted for the smallest share of data breaches, according to the Verizon and US Secret Service "2010 Data Breach Investigations Report." The industry represented just 3% of breaches, while "financial services" accounted for the most at 33%.
The full list of industries that accounted for the breaches in the study is:
Financial services: 33%
Hospitality: 23%
Retail: 15%
Manufacturing: 6%
Tech services: 5%
Business services: 4%
Government: 4%
Media: 4%
Healthcare: 3%
Other: 4%
"The targeting of financial organizations is hardly shocking; stealing digital money from information systems rather than vaults is basically just a less primitive form of bank robbery," the report states. "It represents the nearest approximation to actual cash for the criminal. Also, and perhaps more importantly, financial firms hold large volumes of sensitive consumer data for long periods of time."
Certainly, healthcare hasn't been perfectly secure either.
In February 2009, CVS settled for $2.25 million with OCR and the Federal Trade Commission after dumping millions of patients' prescription bottles in public Dumpsters without shredding the information; the same investigation found similar violations by Rite Aid, which agreed to pay $1 million to the same government agencies. OCR confirmed it is looking into the nation's largest pharmacy, Walgreens.
And of course, there's the OCR website's list of 138 entities that reported breaches affecting 500 or more individuals. AvMed, Inc. leads that list with a breach that affected 1,220,000 individuals because of a stolen laptop.
As for what is behind data breaches, the Verizon/Secret Service report says 70% resulted from external agents, while only 11% implicated business partners. Nearly half of the breaches (48%) were caused by insiders, and 27% involved multiple parties.
On the "OCR 500" list, business associates were involved in 21% of the 138 cases.
Other notable numbers from the report include:
48% involved privilege misuse
40% resulted from hacking
38% utilized malware
28% employed social tactics
15% comprised physical attacks
98% of all data breached came from servers
85% of attacks were not considered highly difficult
96% of breaches were avoidable through simple or immediate controls
In all, the report surmises that the biggest problem may be stolen and/or weak credentials.
"The amount of breaches that exploit authentication in some manner is a problem," the report says. "In our last report it was default credentials; this year it's stolen and/or weak credentials. Perhaps this is because attackers know most users are over-privileged. Perhaps it's because they know we don't monitor user activity very well. Perhaps it's just the easiest way in the door. Whatever the reason, we have some work to do here. It doesn't matter how hardened our defenses are if we can't distinguish the good guys from the bad guys."
Verizon and the Secret Service also offered these data security tips:
Restrict and monitor privileged users. "Insiders, especially highly privileged ones, can be difficult to control but there are some proven strategies. Trust but verify," the report says. "Use pre-employment screening to eliminate the problem before it starts. Don't give users more privileges than they need (this is a biggie) and use separation of duties."
Watch for "minor" policy violations. Actively search for such indicators rather than just handling them as they pop up. They could lead to major violations.
Implement measures to thwart stolen credentials. Keep credential-capturing malware off systems. That's "priority number one." Consider two-factor authentication where appropriate.
Monitor and filter egress network traffic. Incoming traffic is one thing, but monitor, understand, and control outbound traffic.
Change your approach to event monitoring and log analysis. "In most attacks, the victim has several days or more before data are compromised," the report says. "Breaches take a long time to discover and when that finally happens, it usually isn't the victim who finds it. Finally, almost all victims have evidence of the breach in their logs. It doesn't take much to figure out that something is amiss and a few changes are in order."
A data breach bill filed August 5 requires entities that hold consumers' sensitive information to create a robust data compliance protection plan and holds them to strict breach notification requirements.
According to the language in the bill, healthcare entities and their business associates (BAs) would be in the clear so long as they complied with the Health Information Technology for Economic and Clinical Health (HITECH) Act or any other federal laws that satisfy similar or stronger requirements.
It is unclear, however, if compliance with the FTC's Red Flags Rule for identity theft protections would exempt entities from the requirements in the new bill.
E-mails to each Senator's office were not immediately returned.
No matter to whom the bill applies, healthcare entities should watch the bill's progress in light of new privacy and security laws in HITECH that call for greater patient rights to protected health information (PHI) and greater penalties for breaches of unsecured PHI.
The bill extends civil action power to state attorneys general, much like HITECH does. It includes a maximum of $11,000 per day for each day an entity is found not to be in compliance and caps a single violation at:
$5 million for each violation of the security and compliance requirements
$5 million for all violations of the breach notification requirements
Such security and compliance requirements include:
Security policy with respect to the collection, use, sale, other dissemination, and maintenance of such personal information
Identification of an officer or other individual as the point of contact with responsibility for the management of information security
Process for identifying and assessing any reasonably foreseeable vulnerabilities and regular monitoring for a breach of security
Process for taking preventive and corrective action to mitigate against any vulnerabilities
Process for disposing of data in electronic form containing personal information by shredding, permanently erasing, or otherwise modifying the personal information to make it permanently unreadable or indecipherable
The bill's breach notification requirements include:
Nationwide notification. Following the discovery of a breach of security, the covered entity must:
Notify each individual who is a citizen or resident of the United States whose personal information was acquired or accessed as a result of such a breach of security
Notify the FTC
Third-party/service provider notification requirements. Much like a BA of a healthcare covered entity, a third-party or service provider handling sensitive information must notify the covered entity of the breach of security.
Reports to credit agencies. If a breach involves more than 5,000 individuals, the covered entity must notify the major credit reporting agencies that compile and maintain files on consumers on a nationwide basis.
60-day requirement. Notification must be made not later than 60 days following the discovery of a breach of security, unless the covered entity providing notice can show that providing notice within such a timeframe is not feasible due to circumstances necessary to accurately identify affected consumers, or to prevent further breach or unauthorized disclosures, and reasonably restore the integrity of the data system.
The bill is in the hands of the Committee on Commerce, Science and Technology.
Covered entities and business associates reporting breaches of unsecured personal health information (PHI) affecting 500 or more individuals to the Office for Civil Rights (OCR) together could spend nearly $1 billion because of those breaches.
According to a report from the Health Information Trust Alliance (HITRUST), 108 entities submitting the breach reports to OCR since September 23, 2009 could spend up to $834.3 million in total costs to address violations of the Health Insurance Portability and Accountability Act (HIPAA).
HITRUST used the 2009 Ponemon Institute study that found the average cost for a compromised record to be approximately $144 in indirect costs and $60 of direct costs, for a total cost of $204.
OCR's breach notification website list has grown since the HITRUST report, published this month. As of Wednesday, August 11, 130 entities have reported breaches of 500 or more.
Chris Hourihan, manager of development and programs for HITRUST and the author of the report, says organizations err on the side of caution and provide notice to OCR even if a risk analysis may determine no harm done from their breaches.
The breach notification interim final rule includes a "harm threshold" provision that allows entities to get off the hook from reporting breaches if they determine the incident does not pose significant risk of financial, reputational or other harm to the individual.
"What I'm seeing is that organizations are not taking any chances," Hourihan says. "If a breach has the slightest chance of harm, they're going to do the notification."
Based on his research, Hourihan offers these tips:
Encrypt portable devices. With laptop theft the No. 1 cause of breaches by type and location, Hourihan says organizations should "at the very least" make sure any portable devices are encrypted. And, if you can help it, remove any sensitive information.
Don't store information locally. A better option here is to get your information on network drives, providing users with an easy-to-use centrally managed and protected option. "Make sure nothing gets stored locally," Hourihan says.
Ensure BA compliance. BAs accounted for only one-fifth of the breaches on the OCR website, but Hourihan sees that climbing. "Across all segments of the industry, our data shows that third party security management is the least mature in control," says Hourihan, "and the BAs aren't the ones being called out when there's a breach."
Other notable numbers from the HITRUST report include:
4,089,670 individuals affected
38% of breaches include hospital/provider networks (No. 1)
79% of individuals affected involve insurance plans (No. 1)
The Office for Civil Rights (OCR) confirmed this week its investigation into the nation’s largest drugstore chain, Walgreens, based on the same television media reports that led to million-dollar settlements with CVS and Rite Aid for potential HIPAA violations.
The HIPAA privacy and security rule enforcer’s investigation into CVS and Rite Aid began September 27, 2007, according to each pharmacy chain’s consent agreement with the Department of Health & Human Services (HHS).
The agreement included a $2.25 million settlement for CVS (announced February 18, 2009) and a $1 million payment by Rite Aid (announced July 27, 2010) with HHS.
Though neither consent agreement mentioned an investigation into Walgreens, OCR confirmed this week that it is looking into the HIPAA compliance practices of the Deerfield, IL, company.
Walgreens operates the most drugstores in the country, ahead of No. 2 CVS and No. 3 Rite Aid.
“We don't comment on whether or not an investigation is being conducted,” says Jim Cohn, Walgreens Media Relations manager. “If HHS has something to announce, we would defer to them. We have high confidence in our HIPAA compliance program and believe we have strong procedures to ensure compliance."
HHS’ consent agreements with CVS and Rite Aid revealed the pharmacies disposed of pill bottles and prescriptions that included protected health information (PHI) in trash containers without proper safeguards.
WTHR, the Indianapolis television outlet that broke the story of improper disposal practices after a nationwide “dumpster-diving” investigation four years ago, reported that Walgreens was one of the pharmacies where it found PHI in Dumpsters easily accessible to the public.
“The mound of PHI just kept building up,” says Bob Segall, lead investigator on the case for WTHR. “It was irrefutable.”
In addition to paying HHS $1 million, Rite Aid signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act and agreed to report compliance efforts to the FTC for 20 years.
CVS, meanwhile, had to implement a robust corrective action plan that requires:
Privacy rule compliant policies and procedures for safeguarding disposed patient information
Employee training on HIPAA
Employee sanctions for noncompliance
In addition, CVS must monitor its compliance with the HHS and FTC orders by having a third party conduct assessments and report to the federal agencies. The HHS corrective action plan lasts three years; the FTC requires monitoring for 20 years.
Rite Aid’s corrective action plan is similar.
The money collected by OCR through these settlements goes to “enforcement activities under the HITECH Act and the HIPAA Privacy and Security regulations,” OCR wrote in an e-mail to HealthLeaders Media.
John C. Parmigiani, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD, and chair of the team that created the HIPAA Security Rule, says he doesn’t think HIPAA enforcement action will quiet down any time soon.
“Hopefully, this action will serve as an underscored wake-up call to the healthcare industry that enforcement of HIPAA Privacy and Security under HITECH is both serious business and will be rigorously applied,” Parmigiani says. “I predict this type of enforcement action will be repeated numerous times as we move into an intensified compliance environment for covered entities and business associates.”
The Office for Civil Rights (OCR) called its withdrawal of the breach notification final rule from further review last week “routine, formal regulatory processes.”
In an e-mail to HealthLeaders Media, the HIPAA privacy and security rule enforcer says it needs further review to craft the final HITECH-required rule that sets the foundation for how covered entities and business associates (BAs) respond during a breach of unsecured protected health information (PHI).
“The final rulemaking will take into account the comments received on the interim final rule and our experiences with administering the new breach notification provisions since last September,” OCR writes in the e-mail. “These are routine, formal regulatory processes.”
OCR withdrew the rule from the hands of the Office of Management and Budget (OMB), which reviews rules for government agencies.
The breach notification interim final rule is still in effect. It was published August 24, 2009, in the Federal Register and went into effect about a month later.
The provisions in the rule include:
Notice to patients of breaches "without reasonable delay" within 60 days
Notice to covered entities by BAs when BAs discover a breach
Notice to "prominent media outlets" on breaches of more than 500 individuals
Notice to "next of kin" on breaches of patients who are deceased
Notice to the Secretary of HHS of breaches of 500 or more without reasonable delay
Annual notice to the Secretary of HHS of breaches of less than 500 of "unsecured PHI" that pose a significant financial risk or other harm to the individual, such as reputation
Several Congressmen objected to the breach notification interim final rule’s “harm threshold” provision, which allows covered entities to perform a risk assessment to determine the level of harm in a potential breach.
Essentially, it’s one way those entities can avoid breach notification. Congress did not write this provision into HITECH.
Asked if the withdrawal from OMB review had anything to do with the harm threshold, OCR wrote, “No further details are available at this time as the final rule withdrawn from OMB review is considered to be part of pre-decisional agency deliberations on regulations.”
Rite Aid Corporation could have avoided a $1 million fine by simply enforcing its HIPAA policies and procedures and providing ongoing staff training, experts say.
Rite Aid, of East Pennsboro Township, PA, and its 40 affiliated entities agreed to pay the Department of Health and Human Services (HHS) $1 million for potential HIPAA privacy violations in a settlement announced by HHS Tuesday.
An investigation by the Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules for HHS, revealed the pharmacies disposed of pill bottles and prescriptions that included protected health information (PHI) in trash containers without proper safeguards.
Rite Aid, the nation’s third largest pharmacy, also signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act and agreed to report compliance efforts to the FTC for 20 years.
Just shy of 18 months ago, the nation's second largest pharmacy, CVS Caremark Corp., agreed to pay $2.25 million for nearly identical potential HIPAA violations affecting millions of customers. It also improperly disposed of patient information, such as pill bottle labels, in public trash containers.
“Since these incidents occurred in a variety of cities across the United States, this assumes a pattern of disregard and lack of attention to basic requirements of proper disposal of sensitive and confidential information,” says Phyllis A. Patrick, MBA, FACHE, CHC, cofounder & managing director of AP Health Care Compliance Group, LLC, in Pittsburgh. “There are simple preventative measures that can be put in place to prevent these incidents from happening, and there is a tremendous amount of information available from OCR and the FTC to assist in these efforts. This new violation should serve as a second, even louder wake-up call for the industry.”
Cheryl Slavinsky, director of public relations for Rite Aid, said in a phone interview with HCPro, Inc. that the company does have comprehensive HIPAA policies and procedures and training for employees. However, she admitted that human error led to the charges of Rite Aid's improper safeguarding of PHI in the HHS and FTC consent agreements.
Rite Aid has not been notified that any individuals were affected by the potential breaches of PHI, Slavinsky said.
OCR's investigation timeline
Each investigation by OCR began on September 27, 2007, according to the HHS resolution agreements with CVS and Rite Aid.
OCR opened its investigation of Rite Aid after television media videotaped incidents showing disposed prescriptions and labeled pill bottles containing PHI in industrial trash containers accessible to the public.
Rite Aid's violations occurred between July 2006 and October 2006; CVS's violations occurred between July 2006 and May 2007.
WTHR, the Indianapolis television outlet that broke the story of improper disposal practices by CVS, Walgreens and Rite Aid, reported Tuesday that federal regulators will next go after Walgreens, the nation's largest pharmacy retail chain. (OCR did not immediately respond to a request to confirm this.)
Among other issues, the reviews by OCR and the FTC indicated that Rite Aid:
Failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process
Failed to adequately train employees on how to dispose of such information properly
Did not maintain a sanctions policy for members of its workforce who failed to properly dispose of patient information
"The lack of disposal controls, policies and procedures appears to have been a long time security problem with Rite Aid," says Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, of Des Moines, IA. "Improper disposal of information, in all forms, is one of the weakest links in information security in most organizations. And the safeguards for disposal really are some of the most straight-forward activities, more policies- and human-focused, and much less expensive than the much more expensive network security technology controls that organizations need to implement on their networks."
Rite Aid's corrective action plan
Under the HHS resolution agreement, Rite Aid must implement a corrective action program that includes:
Revising and distributing its policies and procedures regarding disposal of PHI and sanctioning workers who do not follow them
Training workforce members on these new requirements
Conducting internal monitoring
Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS
Rite Aid also agreed to external independent assessments of its pharmacy stores' compliance with the FTC consent order. The HHS corrective action plan will be in place for three years and the FTC order for 20 years.
The HIPAA Privacy Rule requires health plans, healthcare clearinghouses and most covered entities, including most pharmacies, to safeguard the privacy of patient information, including such information during its disposal.
The HITECH breach notification interim final rule, in effect since September 2009, includes shredding as a proper disposal method of paper records.
"It is critical that companies, large and small, build a culture of compliance to protect consumers' right to privacy and safeguard health information. OCR is committed to strong enforcement of HIPAA," Georgina Verdugo, director of OCR, said in a statement. "We hope that this agreement will spur other health organizations to examine and improve their policies and procedures for protecting patient information during the disposal process."
Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of the HIPAA College in Casa Grande, AZ, says Rite Aid simply failed to "take care of the basics."
"This isn't a case of some high tech, innovatively devised scheme that cracked or bypassed safeguards to protect PHI," Ruelas says. "Rather, it is representative of a failure to implement basic safeguards that likely would have saved Rite Aid the $1 million dollars it is paying in settlement of this violation and the cost of lost business that this is likely to generate with its customer base."
CVS, Rite Aid response
In light of its settlement, CVS Caremark Corp. implemented a chain-wide shredding program months after the February 2009 settlement with HHS and the FTC.
Rite Aid has already enhanced its HIPAA training program and reinforced compliance with its disposal program, according to Slavinsky.
Rite Aid stores filled approximately 300 million prescriptions and served an average of 2.2 million customers per day during fiscal year 2010, according to OCR. The settlements apply to all of Rite Aid's nearly 4,800 retail pharmacies.
The Rite Aid news comes three weeks after HHS released a proposed rule to modify the HIPAA privacy, security, and enforcement rules, extending HIPAA compliance requirements to subcontractors of business associates and strengthening patient rights to health information privacy.
If your organization is paying close attention to the HIPAA proposed rule published in the Federal Register July 14, keep paying attention.
However, perhaps lost in the shuffle of the proposed rule is the July 6 announcement by Connecticut Attorney General Richard Blumenthal’s office of the $250,000 settlement Health Net and its affiliates agreed to pay for a breach of protected health information (PHI) affecting nearly a half million Connecticut enrollees.
The settlement is a landmark one. Blumenthal’s office is the first to cash in on the new HITECH-granted authority for state attorneys general to pursue HIPAA lawsuits.
How eager was Connecticut’s state attorney general to use the HITECH power?
HHS has yet to levy any civil penalties against any covered entities (and now business associates) since the HIPAA Privacy Rule took effect April 14, 2003, according to Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR.
That’s more than seven years. Blumenthal’s settlement with Health Net came a little more than one year after HITECH became law.
Blumenthal isn’t alone.
Jeff Drummond, health law partner in the Dallas office of Jackson Walker, LLP, puts adding state attorneys general to the HIPAA enforcement mix this way: “There are 50 new sheriffs in town.”
“Most state AGs are elected, and almost all of them do everything they can to get re-elected,” says Drummond, who will be a co-presenter on the HCPro, Inc. August 31, 2010, audio conference, “HIPAA’s New Proposed Rule: Prepare for Changes to Privacy, Security and Enforcement Regulations.”
“That means they'll be much more susceptible to public or political pressure to pursue HIPAA violations, particularly if there's a ‘good story’ behind the breach. They want to be seen as protecting the little guy, and they're much more incentivized” than the Office for Civil Rights (OCR), which enforces HIPAA for HHS.
Drummond says the power granted to state attorneys general also means 50 additional state courts where litigation may occur, which could “lead to multiple different interpretations of particular provisions of HIPAA.”
“So, it's almost a certainty that there will be more enforcement litigation, and that litigation will likely lead to different standards in different states,” Drummond adds.
Now, it’s a matter of waiting to see what other states besides Connecticut will do, Apgar notes.
“California didn’t wait for HITECH and enacted its own laws that already have had an impact on healthcare entities in California,” Apgar says. “Given that, I would not be surprised to see the California AG getting into the act in the near future.”
Naturally, state attorneys general are not the only enforcers of HIPAA. OCR will release an enforcement audit plan per HITECH. It already posts names of entities reporting breaches of unsecured PHI affecting 500 or more individuals; that number, since the breach notification website went live in February, is up to 121 as of Monday, July 26.
Further, this month’s proposed rule clarifies that the HHS secretary will investigate any HIPAA violations involving “willful neglect,” or when a covered entity or business associate has no control over preventing a breach and does nothing to correct other breaches.
However, state attorneys general in the enforcement mix means covered entities and BAs are more on the hook for breaches than ever—starting with Health Net.
“The damage to Health Net is the adverse publicity and the potential for the filing of civil suits by individuals who believe they have been harmed,” says Apgar. “Given the size of Health Net there isn’t really any sting from the fine itself—more the publicity and the aftermath.”
According to Blumenthal’s office, Health Net allegedly lost a computer disk drive in May 2009 containing PHI and other private information on more than 500,000 Connecticut citizens and 1.5 million consumers nationwide. The missing disk drive contained names, addresses, social security numbers, protected health information and financial information.
The company delayed notifying consumers and law enforcement authorities for about six months from the time of the breach, Blumenthal’s office reported.
The settlement between Health Net and the state includes:
Two years of credit monitoring by Health Net
$1 million of identity theft insurance and reimbursement for the costs of security freezes
A “Corrective Action Plan,” including:
    Continued identity theft protection
    Improved systems controls
    Improved management and oversight structures
    Improved training and awareness for its employees
    Improved incentives, monitoring, and reports
$250,000 payment to the state representing statutory damages
Additional contingent payment to the state of $500,000, if the lost disk drive is accessed and personal information used illegally, impacting plan members
Timeline of the Attorney General's Office: Connecticut Attorney General Richard Blumenthal’s actions regarding data breaches after HITECH was signed into law February 17, 2009:
The proposed rule that modifies the HIPAA privacy, security, and enforcement rules has been published in the Federal Register for about a week.
And while it may not be time to flip your HIPAA compliance program upside down—it is, after all, a proposed rule that could go final anytime after the last comment is sealed by HHS Sept. 13—you should take note of several items from the rule.
The following items are courtesy of Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, of Des Moines, IA. Herold will be co-hosting the HCPro, Inc. audio conference, "HIPAA’s New Proposed Rule: Prepare for Changes to Privacy, Security and Enforcement Regulations," Tuesday, August 31:
HIPAA and HITECH apply to business associates (BAs). “Including clear indication that HIPAA and HITECH apply to BAs is a great idea,” Herold says. “I've spoken to many BAs who still believe that they only have to have the BA agreement in place, and I've had multiple covered entities (CEs) point out that the HHS has never explicitly stated that they needed to do more than provide a BA agreement for their BAs. If accepted and implemented as worded, the changes in the [proposed rule] make it much more clear that the CEs' responsibilities must go beyond just having a BA agreement.”
New definition of “standard.” Herold calls replacing “individually identifiable health information” with “protected health information” in the definition of “standard” a strong idea. “This has always been a point of confusion for many/most CEs, and then last year for BAs.”
Subcontractors now BAs. Many subcontracted entities handle PHI, and it makes sense to make them BAs by definition and liable for breaches. “Including subcontractors is a very good thing,” Herold says. “They provide many of the breaches.” It’s also a good thing to see entities such as the following included under HITECH:
Patient Safety Organizations (PSOs)
Health Information Organizations (HIO)
E-Prescribing Gateways
Other persons that facilitate data transmission, as well as vendors of personal health records
Updated definition of "Electronic Media." The original definition became outdated quickly, Herold says. “The new one does allow for ongoing technological innovation and changes to be covered. Pointing to a NIST definition is a good way to have it more consistent with other laws and regulations that also use this definition.”
No protection of PHI for those who have been deceased for more than 50 years. According to the proposed rule, "We believe this will reduce the burden on both covered entities and on those seeking the protected health information of persons who have been deceased for many years by eliminating the need to search for and find a personal representative of the decedent, who in many cases may not be known or even exist after so many years, to authorize the disclosure. We believe this change would benefit family members and historians who may seek access to the medical information of these decedents for personal and public interest reasons."
Required changes to the Notice of Privacy Practices (NPP). This will require changes throughout all the CEs, Herold says. “The trick will be how to get the wording to a point where the average patient/consumer can understand what it is saying,” she says. “This has been a problem in the past.”
The proposed amendments to the NPP would include:
Language about the use and disclosures of PHI that would require an authorization under the proposed rule
Changes to language regarding the CE contacting an individual to provide appointment; contacting the individual for fundraising; or to disclose information to the health plan
HHS statements on BA compliance. Herold says organizations should note the following passage from HHS in the proposed rule: "In the absence of reliable data to the contrary, we assume that business associates’ compliance with their contracts range from the minimal compliance to avoid contract termination to being fully compliant. The burden of the proposed rules on business associates depends on the terms of the contract between the covered entity and business associate, and the degree to which a business associate established privacy policies and adopted security measures that comport with the HIPAA Rules. For business associates that have already taken HIPAA-compliant measures to protect the privacy and security of the protected health information in their possession, the proposed rules with their increased penalties would impose limited burden. For those business associates that have not already adopted HIPAA-compliant privacy and security standards for protected health information, the risk of criminal and/or civil monetary penalties may spur them to increase their efforts to comply with the privacy and security standards."
Asking CEs and BAs to step up compliance teaching efforts. The proposed rule “more clearly and explicitly establishes that CEs and BAs must take a more active role in ensuring their associated BAs are in compliance with HIPAA/HITECH,” Herold says, “and that they will be held liable for doing so.”
HIPAA privacy and security concerns with the government's EHR certification program are so great that hundreds of practitioners have called for the program's cancellation, the Department of Health & Human Services (HHS) announced in its final rule on meaningful use released Tuesday.
It hasn't happened, of course.
The final rule, issued through the Centers for Medicare & Medicaid Services (CMS), defines "meaningful use" for the first two years (2011 and 2012) of a long-term financial incentive plan through Medicare and Medicaid under the Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law by President Barack Obama February 17, 2009.
HHS released a second final rule the same day, through the Office of the National Coordinator for Health Information Technology (ONC). It establishes an initial set of standards, implementation specifications, and certification for EHR technology for vendor products.
Through its technology standards final rule, HHS addresses privacy and security concerns by requiring organizations to perform risk analyses and correct security deficiencies, and by requiring the EHR technology to include, among other security functions:
Encryption capabilities
Auditing capabilities, including auditing of read-only access to patient records
Automatic log-off capabilities
File and message integrity checking
"It's good to finally see an explicit requirement for auditing even read-only access to patient records and another explicit requirement for encryption of health information," said Kate Borten, CISSP, CISM, president of The Marblehead Group, which provides privacy and security assessments, regulatory compliance audits, and program development guidance. "Both points were a bit fuzzy under the security rule, and some organizations skirted those requirements. So requiring these features in the EHR systems makes it much more likely they'll be used."
Those requirements—encryption and audits on access to patient records—apply to the technology itself, Borten notes. "It will still be up to the eligible provider to implement the security technologies in a reasonable manner," she says.
In all, Borten calls the security standards in the EHR certification program "all good security controls."
"Most are basic and have been required by the security rule since 2005 (like unique user IDs)," she adds. "Some that are 'addressable' in the security rule are required to be built into the EHR technology such as automatic logoff."
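The capabilities listed above are controls the certified EHR product itself must provide, and Borten's point is that auditing read-only access and automatic log-off are the ones organizations most often skipped. As an added illustration (not code from the page, from HHS, or from any EHR vendor), here is a small Python record store that implements three of the four: an audit entry for every access including read-only reads, an idle-timeout automatic log-off, and HMAC-based integrity checking of stored records. Encryption at rest is not shown. The patient records, the 15-minute timeout, the class and method names, and the integrity key are all constructed assumptions.

```python
"""Illustration of three EHR certification controls: access auditing (reads
included), automatic log-off on idle sessions, and record integrity checks.
Added example; not the page's or any vendor's code. Names are assumptions."""
import hashlib
import hmac
import json

# Constructed sample patient records (synthetic, not real PHI).
SAMPLE_RECORDS = {
    "MRN-0001": {"name": "Test Patient A", "allergies": ["penicillin"]},
    "MRN-0002": {"name": "Test Patient B", "allergies": []},
}

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy value, not from the rule


class EhrStore:
    """Record store that audits every access and keeps an HMAC tag per record."""

    def __init__(self, integrity_key: bytes, records: dict,
                 idle_timeout: float = IDLE_TIMEOUT_SECONDS):
        self._key = integrity_key
        self._records = {}
        self._tags = {}            # mrn -> HMAC over (mrn, canonical JSON)
        self._sessions = {}        # session_id -> {"user": str, "last_seen": float}
        self._idle_timeout = idle_timeout
        self.audit_log = []        # append-only list of audit events
        for mrn, rec in records.items():
            self._store(mrn, rec)

    def _tag(self, mrn: str, rec: dict) -> str:
        # Bind the tag to the MRN so a record cannot be swapped between patients.
        payload = mrn.encode() + b"\0" + json.dumps(rec, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def _store(self, mrn: str, rec: dict) -> None:
        self._records[mrn] = dict(rec)
        self._tags[mrn] = self._tag(mrn, rec)

    def _audit(self, user, mrn, action: str, now: float) -> None:
        self.audit_log.append({"ts": now, "user": user, "mrn": mrn, "action": action})

    def login(self, user: str, session_id: str, now: float) -> None:
        self._sessions[session_id] = {"user": user, "last_seen": now}
        self._audit(user, None, "login", now)

    def _active_user(self, session_id: str, now: float) -> str:
        """Resolve the session's user, enforcing automatic log-off on idle timeout."""
        sess = self._sessions.get(session_id)
        if sess is None:
            raise PermissionError("no such session")
        if now - sess["last_seen"] > self._idle_timeout:
            del self._sessions[session_id]
            self._audit(sess["user"], None, "auto_logoff", now)
            raise PermissionError("session expired: automatic log-off")
        sess["last_seen"] = now
        return sess["user"]

    def read(self, session_id: str, mrn: str, now: float) -> dict:
        """Read-only access is audited before the record is returned."""
        user = self._active_user(session_id, now)
        self._audit(user, mrn, "read", now)
        rec = self._records[mrn]
        if not hmac.compare_digest(self._tags[mrn], self._tag(mrn, rec)):
            self._audit(user, mrn, "integrity_failure", now)
            raise ValueError(f"integrity check failed for {mrn}")
        return dict(rec)

    def update(self, session_id: str, mrn: str, changes: dict, now: float) -> None:
        user = self._active_user(session_id, now)
        rec = dict(self._records[mrn])
        rec.update(changes)
        self._store(mrn, rec)   # re-tag after a legitimate change
        self._audit(user, mrn, "update", now)

    def tamper_for_demo(self, mrn: str, changes: dict) -> None:
        """Simulate an out-of-band change that bypassed the API (no re-tagging)."""
        self._records[mrn].update(changes)

    def verify_all(self) -> dict:
        """Integrity sweep: True where the stored tag still matches the record."""
        return {mrn: hmac.compare_digest(self._tags[mrn], self._tag(mrn, rec))
                for mrn, rec in self._records.items()}
```

A real system would also tie the integrity key to a key-management service and write the audit log to append-only storage; the point here is that the read path records the access before it ever checks or returns data, so a read that fails integrity still leaves a trail.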
Georgina Verdugo, director of the Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules, said her organization is viewing the new EHR program as an opportunity to strengthen privacy and security.
"The EHR certification rules are an outstanding opportunity for providers to revisit their privacy and security programs and improve the safeguards of health information," Verdugo said in an e-mail to HealthLeaders Media when asked about providers' concerns with privacy and security. "While adoption of EHRs poses new privacy and security challenges, we view this as an opportunity for improvement in these areas."