Leon Rodriguez, Director of the Office for Civil Rights, U.S. Department of Health and Human Services, shared unexpected insights from early analysis of breach statistics and the audit pilot at the American Health Lawyers Association conference, HIPAA in the HITECH World, along with key messages the new ruling imparts to Covered Entities and Business Associates. This keynote address is summarized from the AHLA’s HIPAA in the HITECH World conference in Baltimore, Maryland:
Since the HITECH Act, HIPAA complaint traffic has increased geometrically. In the last 3 years, there have been over 70,000 HIPAA violation complaints. It’s impossible to enforce every complaint, and we don’t want to. The approach to enforcement needs to be smart and educational. Enforcement needs to highlight learnable moments, and so monetary enforcement is only pursued for those cases that will highlight the vulnerabilities that correlate to a high risk of PHI breaches.
HHS appreciates that so many of you were waiting … and waiting … for the final rules to be released. Finally they are here and go into effect March 26, 2013, but Business Associates will have until September to come into compliance.
One of the most transformative elements of the rules is the imposition of liability on Business Associates and on their subcontractors. Previously, the only way to assess BA compliance was through Covered Entities. The only enforcement was the rescission of Business Associate Agreements, which wasn’t always realistic or easy for Covered Entities to do. So it was difficult to ensure that Business Associates were compliant before the rules were released. Reviewing the breach statistics, HHS learned that the majority of breaches, measured by number of records, occur at the Business Associate level. This showed there is real vulnerability in the Business Associate space that needs to be addressed.
In many respects, HIPAA compliance and enforcement is a lot like high school math. It’s all about showing your work. It’s all about showing you have comprehensive policies and procedures in place and are treating it as an ongoing, living process. Compliance is continual, not done once and set aside when inconvenient. You can live 100% right, and still have a breach. The world is not perfect, and breaches are still going to happen. What we’re going to look at is, have you done everything you reasonably can do to prevent breaches? Have you done a risk assessment on an ongoing basis?
Pre-HITECH, the maximum penalty per year per provision violated was $25K. Now it’s $1.5M. Before the new rules, willful neglect had to be proven to pursue any type of penalty. Any lesser measure of culpability was not actionable through penalties. But consumers need confidence that there is an effective enforcement entity if they are going to feel comfortable being forthright in sharing sensitive health information.
The breach notification structure has been changed in the final rule. Now we have an objective standard, which means a presumption of disclosure when you have information breached, unless a risk analysis proves there is a low risk of harm as a result of the breach. In that case, it may provide safe harbor from having to report an event.
Here’s my prediction about this. We’ve seen a higher number of breach reports. At the end of the day, the analysis under the interim and final rules will have the same outcome. There will actually be a very small number of cases where the new rule will actually make a difference.
We’re asking ourselves, why is the number of breaches reported higher? Personally, I believe we are still not seeing 100% of all of the breaches being reported. For example, one place where we see a real challenge is at the small provider level. They don’t often have the resources or the bandwidth to do what they need to do to be compliant with this rule. My expectation was that we would see cases of failure to report, and that through various compliance activities we would learn there was a conscious and unforgivable failure to report – we haven’t seen much evidence of this yet. It’s critical, if we are to make the breach exercise work, that Covered Entities fully disclose breaches.
What did we learn from the breaches and pilot audit so far? The most counter-intuitive learning is that a relatively small number of breaches are actually from hacking – only 7%.
The majority of the breaches are the result of theft, loss, or unauthorized access or disclosure (i.e. by employees). The vulnerabilities tend to be low-tech vulnerabilities – not high-tech vulnerabilities. That matches with where we see the breaches happening. One-fourth of the breaches are from paper records (examples: the CVS and Rite-Aid cases). Paper records are as vulnerable as, or more vulnerable than, electronic records.
We also see the greatest vulnerability in mobile devices: phones, tablets, laptops, desktops, etc. What this means for CIOs and compliance officers is that they really do need to be paying attention to HIPAA privacy and security safeguards with respect to the mobile environment to ensure compliance. They need to pay attention to training and discipline. It doesn’t mean firing anyone who loses a device, but there needs to be a real consequence. You have to pay attention to the physical, administrative, and technical safeguards that will prevent and mitigate the consequences of losing these mobile devices.
We’ve been slowly ramping up enforcement. It’s worth noting that the HITECH Act permitted the Office for Civil Rights to retain the recoveries and utilize them for 2 purposes:
- Fund more enforcement, which is what we’ve done with the proceeds until now, and
- To make restitution to the victims. We are now developing a formula for restitution.
Having been a legal practitioner on both sides of the law, as a prosecutor and as a defense attorney, I realized how important it is to be careful in the cases we select for enforcement. We want them to be a teachable roadmap for Covered Entities and Business Associates to show what they need to be most concerned about and what will place them at greatest risk of enforcement from us. We’ve really emphasized staying away from “breach corner” because the mainstream media will want to talk about the charts in the dumpster and left on the Metro. But from a regulatory perspective, the real issue is adherence to the compliance rules that correlate to a high risk of breach. Do your best to keep the information safe. Perform a risk assessment. Maintain an ongoing commitment to compliance.
Examples: Last year we had a $1.5M settlement with BCBS TN that had 57 hard drives stolen from a storage facility. The citation that drove the penalty was NOT the breach. Rather, the penalty was applied because of the failure to implement appropriate administrative safeguards, not performing a risk assessment, and failure to implement access controls for physical safeguards. They could have turned that storage facility into Fort Knox, and it might have still been breached. But the problem was they didn’t implement any preventive policies or procedures or appropriate administrative or physical safeguards. This is a great example of the lack of ongoing attention to compliance.
This was the result of a breach report. But only 3 of the 14 cases mentioned came from breach reports. ONC does not look at the breach as the cherry tree from which to pick cases. The real purpose is to make sure Covered Entities are aware of the breaches that occur, know the vulnerabilities that caused the breach so others can learn from it, and add to a shared pool of knowledge that others can learn from.
In another case, a portable device was stolen from a bar. The penalties applied were due to:
- Failure to have adequate HIPAA compliance policies and procedures as administrative safeguards,
- Failure to complete HIPAA security training for their staff,
- Failure to implement access controls as physical safeguards,
- Failure to encrypt the information on the device or to apply an equivalent protection.
What’s not apparent about the Alaska case is that the problems continued LONG after the breach report. Originally, Alaska was only subject to the $25K penalties. But they remained out of compliance after the original breach for so long that they became eligible for the $1.5M penalty level as well. When a breach occurs, you need to act decisively to fix the vulnerabilities. Failure to fix the problem will automatically drive ONC to make sure penalty recommendations reflect the lack of due diligence.
ONC does not have a particular priority in terms of kinds of entities audited. As each enforcement case comes out, reporters call ONC asking if there is a new focus on this type of practice or facility. Absolutely not. ONC wants to make sure the cases present a long-standing pattern of violations of multiple provisions associated with a high risk of breaches.
Along those lines, one of the issues that comes up in every single case prosecuted is the failure to conduct an ongoing and regular risk analysis. Lack of ongoing risk analysis is the key hangup of most of the enforced cases.
One of the other areas ONC is focusing on is ongoing audits. The KPMG audit exercise was not a cherry tree exercise, but ONC did have Covered Entity compliance officers come and ask if they could have audits before enforcement became active. Enforcement will become more a part of the audit process now that the audit pilot is complete.
Across the full spectrum of large institutional providers and smaller single offices involved in the KPMG pilot audit, a great number of entities failed to do a risk analysis. Either they did not do one at all, or it was woefully inadequate across all of the organization’s workflow process.
My (Leon Rodriguez) favorite finding was about encryption. It’s an addressable requirement, which means you either do it, or have a good reason for not doing it and instead have an equivalent protection. Many entities did not address the requirement at all. ONC doesn’t yet know why. Our theory is that if you do the analysis and think about it, CEs and BAs will encrypt because it’s cost-effective and reliable. The other possibility is that they didn’t think about it. As we do more audit evaluations, ONC will learn more about which one it is.
It will take another few months to evaluate and assess the audit pilot and determine what the final audit program will look like. We spent about $14M on the 150 audits that we did. Our annual budget is now around $40M, and audits are now a formal part of our budget. In the future, the audits will continue, but they will become even more strategic to focus on specific areas of vulnerability looking at a greater number of entities.
If you look at what our cases look like pre-HITECH, they were mainly driven by patient complaints. But patients can only see from their perspective at the counter – they can’t see all the areas of vulnerability like the backend office workflows or data centers or cloud providers. It’s critical for ONC, and the Covered Entities, to see all the potentials for violation on the backend.
The ONC business model will continue to focus on technical systems, with education as a critical piece. One area of concern is the area of small providers; they are different from large providers. They don’t have CIOs or compliance officers, so their ability to implement safeguards is different. A mobile device security toolkit was just implemented, targeted to give simple, easy-to-understand rules of the road on how to implement security requirements. HHS is about to release more MedScape videos about security and compliance. One was filmed along with a physician in Maryland about how she and her practice were able to implement a robust program of thoughtful compliance.
ONC needs to hear from providers and Business Associates to understand how, together, we can reach a level of compliance. If you are an HIV patient and do not trust that your health information will be kept private, secure, and confidential, you might withhold critical health information from your physician. This isn’t just bad for the patient; this is bad for the entire community. Patient confidence is critical for good quality of care.
Question & Answer:
Q: There are many questions about cloud computing. When will we have guidance about cloud computing?
A: We’ll be working on those issues in the coming months. This area is very complex and we’ll need some time to investigate the risks and issues and make recommendations. If you have a cloud provider that has access to PHI in some way, they will be treated as Business Associates. These providers have responsibilities to protect patient information.
Q: In the statute, it makes reference that a Business Associate has an obligation to report Covered Entity practices if they reflect a pattern of non-compliance that threatens the Business Associate Agreement or rescind the contract. Can you speak to that?
A: The most important thing is that Business Associates document what’s going on, try to remedy the issue, and be diligent about addressing it within their realm of reach. Rescinding the contract would be a last resort.
Q: What do you recommend for Covered Entities who have a BA that refuses to sign a BAA?
A: We’ve only done 14 monetary enforcement cases out of 70,000. I would urge you to have them call us and seek our support. We have never initiated enforcement because of a phone call asking us for advice, and we are a long way away from doing that.
Q: What happens when you have unknowing Business Associates?
A: We will find and fix those situations as we come across them.
Q: There are millions of BAs. How far back in history does one have to go to see when contracts ended? The vendor is disengaged and the provider continues practicing, but PHI might have been retained. If the BA relationship is gone now, but the CE doesn’t know if the old BAs retain PHI, does there need to be a revised agreement?
A: There is a rule of reason that we need to apply.
Q: If a law firm comes into contact with PHI by means of subpoena, are they subject to HIPAA?
A: No, only if they received PHI via a channel that makes them a Business Associate.
Q: If a law firm represents a health plan, and has PHI from this type of client, do they need to protect historical, present, and future records?
A: Yes. In this case, PHI is received through a channel that makes the law firm a Business Associate, and they need to implement the safeguards to protect PHI accordingly.