By Angelique Carson
If the $1 million settlement reached by Massachusetts General Hospital and the Department of Health and Human Services Office for Civil Rights (OCR) last month is any indication of what’s to come, the OCR plans to take healthcare privacy enforcement seriously.
That message was confirmed recently by OCR Deputy Region 1 Manager Susan Rhodes, who discussed recent federal investigations and offered advice on how to stay compliant with HITECH security and privacy regulations.
At an IAPP KnowledgeNet event hosted by McDermott Will & Emery LLP in Boston last week, Rhodes pointed to a “significant” increase in complaints related to data breaches in 2010—242 compared with 60 in 2005. Of the complaints that were investigated, 70 resulted in corrective action. Rhodes said as electronic health records are increasingly implemented, the Security Rule will likely be increasingly implicated in OCR complaint investigations.
“We expect to issue a final rule this year but cannot provide more specific information,” Rhodes said, responding to a multitude of questions on when to expect the rule. The HITECH Act will require HIPAA-covered entities to report data breaches to OCR and, in cases involving more than 500 individuals, to the media. HITECH was passed as part of the American Recovery and Reinvestment Act of 2009. It increases penalty amounts for violations of HIPAA and encourages prompt corrective action. Prior to February 18, 2009, the maximum penalty for a HIPAA violation was $100 per violation, with a cap of $25,000 per year. Now, the penalties range from $100 to $50,000 or more per violation, with a cap of $1,500,000 per calendar year.
“The ways to count fines vary depending on the violations and can include fining per violation per number of days that an organization is out of compliance,” Rhodes said.
She added that where OCR has previously focused on corrective action and providing technical assistance, it is “now taking a stronger enforcement approach. There’s a real push from us to really enforce.”
Implementation of HITECH Act enforcement has strengthened the HIPAA protections and rights related to an individual’s health information, she said.
OCR data shows that between September 2009 and December 2010, there were 221 reports of a breach affecting 500 individuals or more. Theft and loss accounted for 67 percent of those breaches, and 38 percent involved laptops or other portable devices.
The meeting was intended to give attendees insight into OCR investigations and enforcement actions. Rhodes discussed the Mass General investigation, which she said was prompted by a media report and a complaint from an individual whose personal health information was lost. The settlement involved a $1 million payment, a three-year corrective-action plan and a requirement that the hospital actively monitor its own compliance. The impermissible disclosures were “definitely avoidable,” Rhodes said. Though policies and procedures were in place at the hospital, appropriate checks were not conducted at the departmental level, and an employee left unprotected health information on the subway: records for 197 patients, some of which included HIV/AIDS diagnoses. The information was not recovered.
“There was no checking to make sure that information taken home was in compliance. Covered entities need to ensure that protected health information is safeguarded,” Rhodes said. She added that if employees are taking protected health information home, a covered entity needs to make sure there are appropriate policies and procedures, including “assessment of minimum necessary, training and safeguards and--in cases of electronic information--possibly encryption and other safeguards and policy implementation.” Massachusetts General is now working on comprehensive safeguard policies for the way information is transported, she said.
OCR advises healthcare professionals to reduce security and privacy risks by storing data on networks or enterprise storage rather than on local devices; encrypting data stored on desktops or portable devices; establishing and documenting clear administrative safeguards for storage devices that handle electronic health records; and raising the security awareness of employees.
Rhodes noted that, under HITECH, state attorneys general are authorized to take action under HIPAA. Connecticut’s attorney general launched an investigation into a health plan’s recent breach, a trend Rhodes expects will gain traction.
“We’re training AGs throughout the country on enforcement. Connecticut is the first state AG to bring action in the U.S. Other AGs in New England are interested and active and looking at cases. So, yes, I do expect there’s going to be more state actions,” she said.