By Genevieve Douglas
Department of Health and Human Services Office for Civil Rights Director Leon Rodriguez told attendees of the IAPP Privacy Summit March 8 that reports of breach notifications will continue to grow in the foreseeable future, but that the agency's goal is to receive fewer notifications as breaches decline over time.
“The goal of our enforcement is not to have breach notifications grow, but we are learning that there is still a tremendous amount of security vulnerability,” Rodriguez said.
Prior to the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act (ARRA), there was no federal mechanism to identify and report health data security vulnerabilities, and breach notification has become a great vehicle for doing so, he said.
Rodriguez told conference attendees that the majority of data breaches reported are still physical breaches—not electronic breaches—such as thefts of laptops, smartphones, and paper records. A small number of reported breaches are due to unauthorized electronic access to records, he said.
Rodriguez recommended that covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA) focus on encrypting data, adequately training employees in privacy and security practices, and continuing these efforts over time.
Rodriguez said OCR is finalizing the long-awaited omnibus HIPAA rule that will include updates to the HIPAA Privacy and Security rules, breach notification rule, HIPAA enforcement rule, and the Genetic Information Nondiscrimination Act rule.
In addition to the omnibus rule, Rodriguez said, OCR is working on rules for data breach restitution, security and privacy aspects of the Common Rule, and requirements under the Patient Protection and Affordable Care Act to extend anti-discrimination rules.
Widespread adoption of health information technology and electronic health record systems has led to an increased focus on electronic personal health information and safeguards organizations must employ to protect that information, Rodriguez said.
A major difference between electronically stored data and paper records is that a breach of electronic data is more likely to affect larger numbers of individuals, David Holtzman, health information privacy specialist at OCR, told conference attendees.
According to Holtzman, best practices for ensuring the privacy and security of electronic health information require evaluating the risk to PHI when at rest on removable media, mobile devices, and computer hard drives, and taking “reasonable and appropriate” measures to safeguard PHI. Examples of these measures include:
OCR is in the process of conducting the first round of its audit program pilots at 20 organizations, Rodriguez said. The agency plans to conduct audit program pilots at 115 organizations overall, a decrease from the original estimate of auditing 150 organizations.
“As the audit program matures and becomes a permanent fixture, it will become part of the overall picture of our enforcement activities,” Rodriguez said.
The audit program was launched in November, and OCR contracted with KPMG to conduct the pilot phase. The pilot will run through December, Holtzman said.
While the pilot audits are intended to be a compliance learning tool and not punitive in nature, there may be instances where OCR opens compliance reviews based on audit findings, Holtzman told conference attendees. This would happen in extreme circumstances of negligence, he said.
More information on OCR enforcement activities is available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/index.html.