Before enactment of the HITECH Act in 2009, there were very few examples of enforcement action for reported violations of the HIPAA Privacy Rule or Security Rule. Perhaps in response to widespread criticism about lax enforcement, the HITECH Act significantly expanded the penalties that may be imposed for HIPAA violations, granted State Attorneys General enforcement authority over HIPAA violations affecting state residents, and created a national breach notification and reporting requirement for certain violations. Enforcement activity remained minimal, however, until this spring.
Several recent events indicate that the Office for Civil Rights ("OCR") and others are poised to ratchet up HIPAA enforcement activity. First, on February 4, 2011, OCR fined Cignet Health Center $4,351,600, of which $3,000,000 was a penalty for failure to cooperate. The facts of this incident should serve as a primer to covered entities on how not to respond to an OCR investigation: the fine was imposed for Cignet's failing to provide medical records to dozens of patients who had requested them and for failing to cooperate with a subsequent government investigation for over a year, despite repeated requests from authorities. In response to a court order to produce the records, Cignet then improperly delivered thousands of additional medical records unrelated to the investigation.
Second, this spring OCR is offering HIPAA enforcement training to help State Attorneys General and their staffs use their new authority to enforce the HIPAA Privacy and Security Rules. The training will aid State Attorneys General in investigating and seeking damages for HIPAA violations that affect residents of their states. Attorneys General in Connecticut, Vermont, and Indiana already have brought highly publicized actions against covered entities that committed breaches of health information affecting large numbers of consumers within those states. Expect more of these suits as other states' lawyers get up to speed on the process and the financial benefits.
Last year, OCR announced that it would investigate all reported breaches involving the PHI of more than 500 individuals. In OCR's Fiscal Year 2012 budget proposal, submitted this spring, OCR seeks an additional $1,335,000 so that it can hire additional full-time equivalent employees specifically to investigate smaller and mid-sized breaches, as well. OCR also requested $2,283,000 to hire regional privacy officers to provide guidance and education to covered entities, business associates, and individuals about their HIPAA Privacy and Security Rule rights and responsibilities, and $1,000,000 for Security Rule enforcement. Any covered entity that has responded to an OCR investigation of an alleged Privacy or Security Rule violation knows that although such investigations do not necessarily result in enforcement action by OCR, the time and cost involved in responding to such investigations can be significant.
Most recently, on May 16, the Office of Inspector General ("OIG") issued two audit reports criticizing both OCR and the Office of the National Coordinator for Health Information Technology ("ONC") for failing to adequately protect patients' electronic PHI ("EPHI").[1] OIG issued the reports simultaneously because it "found weaknesses in the two HHS agencies entrusted with keeping sensitive patient records private and secure." In its report to OCR, the OIG concluded that the Centers for Medicare and Medicaid Services ("CMS") and OCR failed to provide sufficient oversight and enforcement actions to ensure that covered entities effectively implemented the Security Rule, and that this failure left EPHI vulnerable to attack and compromise. In 2009 and 2010, OIG conducted a security audit of seven hospitals in several states and found 151 security vulnerabilities, of which 124 were described as "high impact," including unencrypted wireless connections; unencrypted mobile devices, including laptops; inadequate or unchanged default passwords; uninstalled security patches; and a taped-over door lock on a data storage room, among numerous others. The OIG criticized both OCR and CMS for failing to undertake security compliance reviews except in response to complaints, and it recommended that OCR implement procedures for conducting compliance reviews of covered entities, including those against which no complaint has been filed.
In its report to ONC, the OIG found that although ONC has security application controls in the interoperability specifications for information exchange for electronic health records, ONC has issued no general health IT standards. The OIG specifically criticized ONC for failing to require encryption of data stored on mobile devices or two-factor authentication for systems containing EPHI. Noting that its "experience with HIPAA implementation in hospitals does not support ONC's position that HIPAA provides adequate general IT security," OIG recommended that ONC "broaden its focus from interoperability specifications to include well-developed general IT security controls for supporting systems, networks, and infrastructures," and "coordinate its work with CMS and OCR to add general IT security controls where applicable."
The result of these reports undoubtedly will be an increased emphasis by OCR on compliance with the Security Rule—including proactive audits of covered entities and business associates—and reported breaches likely will serve as the means by which OCR identifies the next covered entities and business associates to schedule for compliance reviews.
Given these recent events and the fact that a majority of large HIPAA breaches involve Security Rule violations—through April 2011, of the 265 reported breaches involving the PHI of more than 500 individuals, 53% involved compromised laptop or desktop computers or portable media—how can covered entities and business associates respond to the specter of stricter enforcement and hope to avoid a State Attorney General action or investigation by ONC? The Security Rule requires covered entities (and now business associates) to manage the security of EPHI by implementing policies and procedures to prevent, detect, contain, and correct security violations. In implementing such a process, covered entities must (1) conduct a risk analysis, (2) implement security measures sufficient to reduce risks to EPHI, (3) apply appropriate sanctions against workforce members who fail to comply with the policies and procedures, and (4) regularly review information systems activity to monitor risk. Each of these activities should be made a priority, as they are directly relevant to the prevention, detection, and mitigation of breaches of PHI. In particular, we suggest reviewing the full list of "high impact" security vulnerabilities the OIG detailed in its recent report to OCR and using this list to evaluate and address any such vulnerabilities in your own environment to reduce the likelihood of HIPAA violations. Focus your efforts on preventing theft and loss of portable devices and media, including encrypting the EPHI stored on them.
[1] Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight (A-04-08-05069) ("OCR Report"), May 16, 2011, http://oig.hhs.gov/oas/reports/region4/40805069.pdf; and Audit of Information Technology Security Included in Health Information Technology Standards (A-18-09-30160) ("ONC Report"), May 16, 2011, http://oig.hhs.gov/oas/reports/other/180930160.pdf.