This week, we heard about the first civil money penalty under the HIPAA Privacy Rule for failure to provide access to medical records and willful neglect -- and it was a whopper. The appearance of Adam Greene, Senior Health IT and Privacy Advisor to the Office of Civil Rights -- the enforcement arm of the Department of Health and Human Services -- at the HIMSS Conference in Orlando was timely, to say the least.
Contributed by Dianne Bourque from HIMSS
The Office of Civil Rights presented a breakout session entitled "HIPAA and Health IT: Trends in Privacy, Security & Breach Notification," and offered some insights into its experience with HITECH implementation and enforcement to date. The session also provided a glimpse of what regulated entities could look forward to in the future. According to Mr. Greene, some of the top security enforcement issues to date have been related to:
1. Impermissible uses and disclosures of protected health information (PHI)
2. Lack of reasonable/appropriate physical safeguards
3. Failure to provide access (more details about Cignet Health in this article from The Washington Post (registration required))
4. Failure to abide by the minimum necessary standard
5. Inadequate complaint processes
Mr. Greene indicated that his office averages 900 reports of breaches per month under HITECH and that 51% of these breaches relate to theft. Interestingly, hacking and IT security breaches only account for 7% of reported breaches.
Mr. Greene also indicated that final rules implementing various provisions of HITECH will be published sometime in 2011. The rules will include staggered compliance dates providing time for covered entities to update Notices of Privacy Practices, Business Associate Agreements and other forms. Mr. Greene indicated that the Office of Civil Rights is also preparing a HITECH outreach campaign, including educational videos and improved website navigation. Existing guidance documents will be updated and new guidance documents will be prepared. Finally, the Office of Civil Rights is planning its auditing approach for covered entities and a training program for state attorneys general who will be enforcing HIPAA under new authority from HITECH.
Mintz Levin will be monitoring all of these changes, so stay tuned.