What Will HIPAA Enforcer Do in 2015? Former OCR Attorney Offers Predictions for Year Ahead
Time to rub the dust off my crystal ball and predict what we might see from the Office for Civil Rights in 2015 when it comes to regulatory activity and enforcement of the HIPAA privacy, security and breach notification rules.
But first, note that 2014 was a year of significant change in leadership and approach for OCR, the unit of the Department of Health and Human Services responsible for HIPAA enforcement. Jocelyn Samuels joined OCR as its director in July. She was tapped to lead the agency by HHS Secretary Sylvia Mathews Burwell after Leon Rodriguez was confirmed as director of U.S. Citizenship and Immigration Services.
Additionally, OCR's health information privacy division is being led by an acting deputy director following the retirement of Susan McAndrew.
The OCR division responsible for overseeing the work of its regional offices, including enforcement efforts, is also being led by an acting deputy director. In addition to the leadership changes in Washington, three of the 10 managers leading OCR's regional offices were newly appointed this year. That is a lot of leadership change in a short period.
The recent OCR settlement in which an Alaska mental health organization paid $150,000 and agreed to a corrective action plan over shortcomings in its security rule compliance program is the first since Director Samuels took over the agency.
This resolution agreement could signal that OCR is regaining its footing after the transition to a new leadership team and will move ahead more aggressively to reach settlement agreements in cases where it finds serious violations of the privacy and security rules. According to OCR's website, more than 6,000 HIPAA privacy and security rule complaints and compliance reviews are under investigation. I expect the agency will announce more high-profile enforcement actions in 2015.
Through the 2009 HITECH Act, Congress directed HHS to make a number of significant changes to the privacy regulations, extending regulatory oversight directly to business associates and calling for new tools to strengthen enforcement.
Those tools include funding HIPAA enforcement from the fines and penalties OCR collects and an audit program to measure industry compliance. However, significant provisions of the HITECH Act have not yet been implemented, or remain in some stage of development. What are the prospects for the remaining provisions of HITECH to be implemented in 2015?
Accounting of Disclosures
The HITECH Act mandated an expansion of the HIPAA Privacy Rule's current standard for covered entities to provide individuals with an accounting of disclosures, which exempts disclosures made for purposes of treatment, payment or healthcare operations, or TPO. Congress called on HHS to revamp the standard so that the accounting would also include TPO disclosures made by covered entities and business associates through electronic health records.
In its 2011 proposed rulemaking, HHS sought to give individuals an accounting of uses as well, in addition to expanding the disclosures to be reported. Under intense pressure to scale back the scope of the proposed rule, HHS turned to its panel of outside experts, the Privacy and Security Tiger Team, which delivered recommendations in December 2013. The team has since disbanded, and HHS has taken no action on its recommendations. Nor does publication of a final rule appear to be in the offing anytime soon.
Sharing Settlement Proceeds with Individuals
Under HITECH, Congress called for HHS to develop a methodology for distributing a percentage of the monetary penalties and settlements collected by OCR to the individuals harmed by the violations.
The first step was for the Government Accountability Office to recommend to HHS a methodology for sharing a percentage of the proceeds from fines and penalties with consumers harmed by the unlawful uses or disclosures resolved through OCR's investigations. Although the GAO apparently has delivered its recommendations, the HHS regulatory agenda does not list a proposal under development or under review.
With continuing pressure on federal spending restricting the growth of agency budgets, and with OCR's resources already stretched to support its expansive mission, it seems unlikely that the office will aggressively pursue an initiative that would divert the proceeds of its HIPAA enforcement settlements to consumers.
Compliance Audits
The HITECH Act also called on OCR to perform periodic audits of covered entities' and business associates' compliance with the HIPAA rules. With funding provided through HITECH, OCR developed and implemented a pilot audit program under which 115 audits of covered entities were conducted.
Beginning in early 2015, OCR plans to audit 200 covered entities, including healthcare providers and group health plans, to measure their compliance with the requirements of the HIPAA privacy, security and breach notification rules. These audits of covered entities will be followed by up to 400 audits of business associates to measure their compliance with the security rule and how they intend to approach their obligations under the privacy and breach notification rules.
In comments at the September 2014 HIPAA security conference hosted by OCR and the National Institute of Standards and Technology, OCR's Iliana Peters said the agency intends to use the audit findings as a tool in its enforcement arsenal. Covered entities found to have significant gaps in their HIPAA compliance will be ripe for follow-up compliance reviews and could face penalties.
With millions of dollars in monetary penalties collected from covered entities since adoption of the HITECH Act changes, this is the one OCR initiative that seems to be on track. Don't wait for a notice from OCR before preparing for a HIPAA compliance audit. Take action now by walking through the steps you would need to complete if your organization were randomly selected for one of those audits.
David Holtzman is vice president of privacy and security compliance services at the consulting firm CynergisTek. Previously, the attorney was a senior adviser at OCR.