September 14, 2009
Pulling It Together — The HITECH Act & HIPAA
By Elizabeth S. Roop
For The Record
Vol. 21 No. 17 P. 10
The HITECH Act fills in gaps and steps up enforcement of HIPAA’s privacy and security regulations.
Characterizing the enforcement of privacy and security regulations under HIPAA can be accomplished in just one word: lax.
Of the nearly 45,000 complaints filed with Health and Human Services’ (HHS) Office for Civil Rights (OCR) since the law took effect in 2003, only about 775 cases were referred to the Department of Justice or the Centers for Medicare & Medicaid Services (CMS) for investigation. None has resulted in direct civil monetary penalties.
However, the tide could be turning. Sweeping changes under the HITECH Act close many of the gaps that complicated enforcement and add regulations that ratchet up accountability and penalties for violations. They are changes that many in the healthcare industry applaud as giving privacy and security regulations the clarity and teeth necessary to enable progress in the push for HIT advancement.
“Overall, we thought [the changes] were a very positive step forward toward building the public trust necessary to support widespread adoption of health information technology,” says Deven McGraw, director of the Center for Democracy & Technology’s Health Privacy Project, which is focused on developing and promoting workable privacy and security protections for electronic personal health information.
She adds: “We do still have some serious steps to take for implementation. It will be a struggle to get information out to providers and the public about the changes and to get providers and health plans up to speed. … I’m not naïve about the implementation challenges that are ahead of us, but by and large, they are a good thing. We are in a much better place than we were six months ago.”
McGraw, who is also a member of the federal advisory Health Information Technology Policy Committee, considers the most significant changes under the HITECH Act to be those related to enforcement. In particular, she points to increased penalties, the extension of enforcement authority to state attorneys general, and a much clearer federal enforcement mandate, the lack of which carries much of the blame for lax enforcement under HIPAA.
“Without the clear mandate to impose penalties in certain cases, HHS was making generous use of its authority to informally resolve complaints. As a result, OCR and CMS have used their authority to extract monetary settlements in only two cases. It’s hard to believe that in five years, these were the only two that involved serious offenses under HIPAA,” she says.
Enhanced Privacy Enforcement
The HITECH Act not only introduces the concept of “willful neglect,” but it also increases civil monetary penalties. At the lowest end, when violations are not willful or occurred without the violator’s knowledge, the fine is $100 per violation, capped at $25,000 per calendar year. At the highest end, for violations of willful neglect that were not corrected, the fine is $50,000 per violation up to $1.5 million per calendar year.
“What this [change] means is that HHS got wind of the fact that some healthcare organizations or physicians were simply saying it wasn’t worth it to go all out in complying with the regulations, if they looked at it from a strictly business perspective. It was worth taking a chance because, to date, HHS has not assessed a civil penalty for security violations,” says Kate Borten, CISSP, CISM, president of The Marblehead Group, which specializes in helping healthcare organizations understand and comply with privacy and security regulations.
Instead of levying monetary fines, HHS has allowed violators to correct problems. Now, however, with clearer mandates regarding what constitutes a punishable violation, that practice is expected to change. Further fueling those expectations is the extension of enforcement authority to state attorneys general, a change that means more resources to pursue action against violators.
Equally important are the changes HITECH makes regarding breach notifications, which are slated to take effect this month. While many states had enacted notification mandates, such actions were never part of HIPAA at the federal level. And while HITECH doesn’t supersede state-level notification mandates, it does ensure that all breaches are reported, regardless of where the violator or victims are located.
Under the HITECH Act, individuals affected by a breach must be notified in writing “without unreasonable delay,” but within 60 days:
• For breaches involving 500 or more individuals, HHS must also be immediately notified, and notification must be sent to major local media outlets. HHS will maintain a list of organizations involved in breaches of this magnitude on its Web site.
• For smaller events, the organization may maintain a breach log, which is submitted annually to HHS.
For many healthcare organizations, compliance with breach notification laws will likely mean starting from scratch to prepare formal processes and procedures for identifying when a breach has occurred and how any resulting notification should be handled.
“I do think that this is an area many organizations have not done a thorough enough job to begin with,” says Borten. “The breach notification component logically sits within incident handling. HIPAA already requires organizations to have a formal process for defining the incident, educating the workforce to recognize and report an incident, and then steps for responding, which should include breach notification when applicable. All this is already supposed to be in place, but quite a few organizations simply don’t have that structure. They might have a policy [and] that’s a good starting point, but it’s not enough.”
Breach notification requirements also extend to business associates (BAs). Under HITECH, BAs are now directly accountable for violations. Further, if a BA becomes aware of a violation on the part of a covered entity (CE) with whom it works, it has an obligation to report the breach if the CE does not take steps to remedy the situation.
As a result, BAs that have not already done so will need to implement security and notification policies and procedures of their own, as well as work with CEs to reach agreements on how notifications will be handled.
In most cases, this will require BAs to carefully evaluate and revise existing contracts not only with CEs but also with any subcontractors that may handle personal health information (PHI) on behalf of clients.
“Agreements will have to be amended to reflect that the nature of the relationship between the business associate and covered entity has changed, such that the BA actually has affirmative duties to take certain steps,” says Helen Oscislawski, JD, a health law attorney with Fox Rothschild LLP. “For one, BAs now have a direct obligation, if they are aware a covered entity has engaged in a breach, to report the breach to HHS if the CE fails to take steps to remedy the breach and terminating the contract is not an option. This was in reverse before. Now we have a bilateral, mirrored obligation on both ends. It changes the dynamic between these parties in many ways.”
Further, while previously the determination of whether a BA would be held accountable for breaches was handled in contracts, they are now directly at risk for the same statutory and civil monetary penalties as covered entities, including those pursued by state attorneys general.
Given the scope of services provided by BAs, which ranges from staffing and IT to transcription, release of information, and billing, one of the greatest challenges to achieving compliance will be to identify and revise all BA contracts that fall under the new regulations. Adding to that challenge for the BAs is the need to also ensure any contracts in place with subcontractors and third-party vendors are revised.
“[BAs] were a little lax about doing that because they weren’t directly held accountable for adhering to the standards of HIPAA, they weren’t subject to penalties, and many covered entities didn’t adequately protect themselves with contractual language,” says Oscislawski. “Now, those BAs that engage in subcontracting to third-party vendors need to make sure that they have high-level assurances that those third parties will function at the same high level [as the BA] … because it’s a real source of direct risk for the BAs.”
According to Rick Kam, president of ID Experts, which specializes in breach prevention and remediation, the sheer magnitude of BAs—he estimates the number at around 500,000—that will be affected by the new regulations means that both BAs and CEs need to start now to ensure their contracts are compliant.
Their first area of focus should be on identifying and addressing areas that present the greatest challenge, whether that is agreeing on a set of notification policies or assessing and correcting vulnerabilities in PHI security. What is critical is ensuring that the actions agreed to are fully addressed in contracts, along with any penalties.
“It’s a financial forcing function,” says Kam. “In the contract, if they’re held accountable to pay for the breach … it will force the BA to reevaluate how it is protecting that information even before the HITECH Act is finalized.”
An Encrypted Safe Harbor
In terms of protecting electronic PHI, the HITECH Act offers CEs and BAs safe harbor from breach notification. Under the new regulations, if encryption utilizing commonly accepted standards renders PHI unusable, unreadable, or indecipherable to unauthorized individuals, organizations are relieved of breach notification obligations.
“That is motivation for them to put in policy-based encryption so they don’t have to get involved in what is a pretty significant burden with breach notifications,” says Geoff Bibby, vice president of corporate marketing with Zix Corporation, which provides e-mail encryption and e-prescribing services.
However, it’s not as simple as just encrypting PHI data where they reside. Bibby notes that e-mail is currently the most efficient electronic means by which healthcare organizations exchange information. As such, it is important to ensure that PHI remains encrypted as it moves from one organization to another.
The importance of doing so is illustrated in a sampling by Zix of more than 8 million e-mails sent or received by 73 healthcare organizations, none of which had secure e-mail messaging solutions in place. What they found was a conservative average exposure rate in outbound e-mail flow of approximately 2%. For a smaller organization that sends 5,000 messages per week, that represents 100 occurrences of unsecured PHI leaving the organization each week, or more than 5,000 each year. For larger organizations, that exposure rate can easily be as many as 50,000 occurrences per year.
“The value of e-mail is also its greatest danger; it’s simple to use and simple to make mistakes,” says Bibby. “E-mail continues to be the major communication backbone of many small ambulatory practices and the transaction backbone between covered entities and their business associates. Sending ePHI in an e-mail will trigger the need to have a breach notification. But something as simple as policy-based e-mail encryption … avoids that.”
Kam also recommends that healthcare organizations encrypt not just PHI but all associated personally identifiable information. Such a strategy is necessary because today’s technology makes it possible to reassemble previously encrypted data and also because PHI and personally identifiable information are equally vulnerable to fraud.
The first step is to conduct a risk assessment to understand where the data are, who has control and access, and how the data are currently protected at both the CE and BA levels. This will identify the greatest areas of vulnerability, which often are found to be people with access to the data and the processes that control how data are utilized and shared.
“As we’ve worked with dozens of providers responding to a breach, their IT systems are typically very well protected. The perpetrators trying to get access to data are very smart. They’ll go to the weakest point. Paper is easier to compromise, as is an overworked and underpaid healthcare professional,” he says, adding that in many cases a simple process plan dictating how a breach is handled is the missing link in an organization’s security.
Kam expects that little substantive action will be taken until a few large fines have been levied under the HITECH provisions. Waiting, though, is taking an unnecessary risk.
“A few have to feel the pain before they’ll take notice. Healthcare organizations and their business associates are probably thinking ‘this can’t happen to us.’ But when they see a string of reports in the news, they’ll wake up,” he says. “It’s not a matter of if, but a matter of when.”
— Elizabeth S. Roop is a Tampa, Fla.-based freelance writer specializing in healthcare and HIT.