It’s a pretty rare opportunity as HIPAA geek to sit in a room with the Director of the Office of Civil Rights for HHS and hear his perspective and ask him questions.
I got to do that today through my attendance at the HCCA Compliance Institute in National Harbor, MD.
Almost too much for me to take in all at once.
But in the spirit of blogging and sharing knowledge, I was typing and tweeting frantically, not wanting to miss a nuance.
Leon Rodriguez was appointed to his role as “HIPAA Enforcer in Chief” (my term) about twenty months ago.
Here are some things I learned during his talk, along with some accompanying shifts in my thinking and issues raised in my own mind for further consideration. (I welcome comments as well.)
- OCR was founded in 1967 after passage of the Civil Rights Act in 1964. Leon Panetta was the first OCR director, when HHS was known as the Department of Health, Education and Welfare. Panetta chose to enforce desegregation laws, much to the chagrin of many in roles of authority. Mr. Rodriguez shared that at one point, Attorney General John Mitchell, the architect of Nixon’s “southern strategy,” called Nixon and told him to “fire that prick in the basement of HEW.” So I gleaned from this bit of history that the OCR director is historically a bit of a scrapper.
- Patient privacy is deemed to be a kind of civil right. The role of OCR is to protect the patient’s privacy, because if a patient does not feel secure, the substance abuser won’t get help, the abuse victim won’t get treatment, the mentally ill will be fearful to disclose their suffering and get assistance. From this, I see that OCR views a breach of patient privacy as a civil rights violation although it’s perhaps not equivalent to having to attend a segregated school or drink from a different water fountain.
- Rodriguez views OCR as being similar to the SEC. Just as the SEC is supposed to enhance investor confidence in the fairness of the markets, so the OCR is supposed to enhance patient confidence in the confidentiality of their health records. Query: I wonder if people view these governmental agencies as fulfilling these roles or even know that there are agencies playing these roles? Another query: does increased enforcement activity enhance patient or investor trust in the healthcare or financial system?
- There is one OCR investigator for every 3 million Americans. They are stretched pretty thin.
- OCR is becoming even more proactive in their enforcement.
- Well over half of breaches that occur take place at the Business Associate level.
- The vast majority of breaches are due to human mistakes and not technological errors. The major breach causes are theft (51%), unauthorized access or disclosure, and loss.
- Hacking is not a major cause of HIPAA breaches.
- Electronic records are more secure than paper records. Paper records account for 25% of breaches.
- In the first decade of HIPAA we were in “learning” mode. We are now in “enforcement” mode, which is part of the reason the fines have gone from a maximum of $25,000 per violation to $1.5 million per violation per year.
- The most important things a covered entity can do after a breach are to notify affected individuals promptly, identify why the breach occurred and its root cause, and take decisive action to fix the problem.
- One reason OCR wants a database of all breaches is to be able to examine and understand where vulnerabilities are industry-wide.
- Even with all the publicity around fines, it’s still the case that a relatively small portion of reported cases result in any monetary fine. The majority of cases are resolved through corrective action and technical assistance.
- Most big-fine cases are usually one of two things: (1) a longstanding pattern of repeated, multiple violations, or (2) cases where you have a particularly unforgivable set of disclosures and a failure to prevent the disclosure. A common thread present in both is that the entity discovers the problem and fails to take decisive action.
- Mr. Rodriguez truly believes enforcement promotes compliance. He has a strong prosecutorial background.
- However, he was also a defense lawyer and DOES believe “Government can overreach” and that enforcement should be conducted in a balanced and constructive way that focuses monetary fines on the most egregious cases.
- Another commonality among big-fine cases is the lack of an appropriate risk analysis. The entity fails to fully inventory the information it has, where the information is kept, and how the information is secured.
- If an investigation is conducted and OCR sees that a risk analysis was done properly and there are appropriate mitigation and contingency plans, the office is more likely to settle the violation through corrective action rather than a monetary fine.
- Encryption is an addressable requirement under HIPAA. If an implementation specification is described as “required,” the specification must be implemented. The concept of “addressable implementation specifications” was developed to provide covered entities additional flexibility with respect to compliance with the security standards. In meeting standards that contain addressable implementation specifications, a covered entity will do one of the following for each addressable specification: (a) implement the addressable implementation specification; (b) implement one or more alternative security measures to accomplish the same purpose; or (c) implement neither the addressable implementation specification nor an alternative. The covered entity’s choice must be documented. The covered entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework. For example, a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate and there is a reasonable and appropriate alternative. This decision will depend on a variety of factors, such as, among others, the entity’s risk analysis, risk mitigation strategy, what security measures are already in place, and the cost of implementation. The decisions that a covered entity makes regarding addressable specifications must be documented in writing. The written documentation should include the factors considered as well as the results of the risk assessment on which the decision was based. Succinctly: show your work! (Like you were supposed to in 5th grade math!)
- Mr. Rodriguez takes his job quite seriously. He sees part of his role as someone who routinely engages with compliance professionals to hear their concerns and educate them. He is not “hiding the ball” and seems extremely open, transparent and reasonable, although oriented towards the interests of the patients rather than the provider, which is appropriate given the mission of OCR.
It was great being able to have dialogue with him today! Grateful for the chance!