Wednesday, May 4, 2011

OCR Pushes Culture of Compliance, Shares Data on Breaches, Investigations

Reprinted from REPORT ON PATIENT PRIVACY, the industry's #1 source of timely news and business strategies for safeguarding patient privacy and data security.
April 2011, Volume 11, Issue 4
The HHS Office for Civil Rights has a “clear message” for covered entities and business associates, in case the $5.3 million in penalties it assessed less than two months ago wasn’t strong enough. “We are serious about enforcement,” said the new OCR hire who actually has “enforcement” in her title — Valerie Morgan-Alston, OCR’s new deputy director for enforcement and regional operations.
But Morgan-Alston said the “most important message” is that covered entities (CEs) and business associates (BAs) need to create what she termed a “culture of compliance.”
Other OCR officials who joined Morgan-Alston at the recent 19th National HIPAA Summit in Washington, D.C., echoed those sentiments. They also shared OCR’s “lessons learned” from the privacy and security incidents and complaints the agency has been handling, and provided some compliance tips.
Morgan-Alston was recently “elevated” to her new job after serving as a regional OCR director based in Chicago, said Sue McAndrew, OCR deputy director for health information privacy.
“In light of OCR’s clearly articulated intention to aggressively enforce the HIPAA privacy and security rules, covered entities and their business associates should review their current HIPAA compliance programs,” Morgan-Alston said at the HIPAA Summit.
She noted that a “robust compliance program” includes employee training, vigilant implementation of policies and procedures, regular internal audits and an action plan to respond to incidents.
Security Corrective Actions Are Rising
“CEs should be training their employees that compliance is as essential as patient safety,” she said. “Policies and procedures can’t be something just sitting in notebooks on shelves gathering dust. They must be an everyday part of an organization’s culture.”
Morgan-Alston tried to hammer home the need for audits, saying “CEs must conduct regular internal audits to find noncompliance themselves rather than waiting for complaints and OCR to come in.”
At the conference, McAndrew gave an overview of recent corrective actions by OCR (RPP 3/11, p. 1). She noted that since 2003, OCR has investigated a total of 19,460 privacy complaints and obtained “corrective action” in 12,781.
But the public is still apparently confused about what is and isn’t covered by HIPAA. OCR statistics indicate that “two out of every three cases” that OCR gets to add to its “resolved” side of the ledger are closed because they were simply ineligible for federal action, involving circumstances over which OCR has no “jurisdiction,” McAndrew said.
As with privacy complaints, OCR investigates each security complaint it receives, but also has a policy of opening a case, called a “compliance review,” each time an entity reports to OCR that it has suffered a security breach affecting more than 500 individuals.
In 2010, OCR counted a total of 243 security cases opened, reflecting both complaints and compliance reviews. Prior years’ case volume data are not comparable because the breach notification rule was not in effect until September 2009, and OCR did not take over enforcement of the security rule from CMS until July 2009 (RPP 8/08, p. 1).
McAndrew was followed at the summit by David Holtzman, OCR’s health information privacy specialist, who provided more details about security enforcement. Holtzman explained that the purpose of the automatic compliance review is “to attempt to determine the root cause of the breach and to assure that corrective action has been taken to not just address the root cause, but that there is appropriate compliance action taken to prevent similar breaches or security incidents in the future.”
Holtzman shared a chart showing approximate percentages for the number of security cases CMS and OCR handled from 2006 to 2010, and the disposition of the cases (see table).

HHS Security Case Results 2006 - 2010

Year                  Corrective action obtained   No violation found   Closed without investigation
2006 (partial data)   15%                          10%                  75%
2007                  31%                          18%                  51%
2008                  12%                          30%                  58%
2009                  10%                          48%                  42%
2010                  55%                          13%                  32%

SOURCE: HHS Office for Civil Rights

According to the data, it would appear that since OCR took over, it has been more successful in obtaining corrective action than CMS; still, at least 30% of cases fall outside OCR’s jurisdiction or do not address a security issue under HIPAA. While this percentage is less than OCR’s experience with privacy, it is still significant.
Administrative Violations Outnumber IT
Holtzman revealed the “most frequent” issues arising in security rule violations and complaints over the course of the past five years. Surprisingly, “technical” comes in a distant second, accounting for 141 cases, versus 449 for “administrative,” meaning policies and procedures either don’t exist or were violated. “Physical” safeguards were an issue in 84 cases and all were categorized as failings in “work station security.”
Regarding “administrative,” the most frequent issues involved (and their regulatory sections) are:
· Response and reporting (CFR 164.308(a)(6)(ii)),
· Awareness and training (CFR 164.308(a)(5)(i)), and
· Information access management (CFR 164.308(a)(4)(i)).
Holtzman also described the reasons CEs and BAs have had to issue breach notifications for those affecting more than 500 people, and where the large breaches occurred (see tables below). For information on small breaches, see story, p. 5.
Compliance Solutions Include Network Storage
The fact that 50% of the breaches involved electronic PHI came as a surprise to Holtzman, he said. “[T]his is astounding. This is a no-brainer. We have to reduce the risk of data being lost or stolen through these portable devices,” Holtzman said. “We can do that by adopting network or enterprise storage as an alternative to storing electronic PHI on the hard drive of a laptop, or the hard drive of a desktop computer.”
Another “lesson learned,” Holtzman said, is to encrypt. “That seems to be the most effective mechanism to avoid the loss of electronic PHI,” he said. (See story, p. 3.)
Holtzman, like Morgan-Alston, stressed the need for a workplace environment that supports compliance. In businesses that have a “culture of compliance, you will be less likely to be subject to these types of security incidents that result in breaches,” he said.
Policies and procedures need to be “indoctrinated through a culture of compliance through our organizations, from top to bottom,” Holtzman said.
He suggested that a way to build such a culture is through raising worker awareness and using “security reminders.” As an example, Holtzman said that the cafeteria of the U.S. House of Representatives has information security messages stuck on napkin holders.
Such activities “keep the message” present for the workers who are more likely than higher-ups to be involved in possible privacy and security violations, Holtzman said.
“It’s not the chief executive officer or the board of directors who are going to determine if a laptop is left in an airport, if paper files are left on a subway train, or your thumb drive is left in the back of a cab,” he said. “So it’s really important that we reach [workers], that we teach a message of the culture of compliance to the folks who work with electronic PHI and other PHI on a daily basis.”

Reasons for Breach Notification

Reason                                      Share
Theft                                       51%
Unauthorized access, disclosure             21%
Loss                                        16%
Hacking/information technology incident     6%
Improper disposal                           5%
“Other”                                     1%

Where Large Breaches Occur

Location                                    Share
Laptops                                     24%
Paper records                               21%
Desktop computer                            16%
Portable electronic device                  14%
Network server                              10%
Other                                       10%
E-mail                                      3%
Electronic medical record                   2%
