Written by Dianne J. Bourque and Stephanie D. Willis
Earlier this week we attended the National Institute of Standards and Technology (NIST) and HHS Office for Civil Rights (OCR) 6th Annual Safeguarding Health Information Conference in Washington, D.C. (the NIST-OCR Conference). The agenda focused on recent amendments to the privacy and security laws, including changes under the HIPAA Omnibus Rule, as well as technological developments aimed at improving quality of care while maintaining the integrity of patient information. The NIST-OCR Conference also provided a forum for participants to discuss new requirements with regulators. The agenda includes links to all of the presentations.
Among the interesting discussion points were the following:
- NIST acknowledged that it has withdrawn Special Publication 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations. HHS's guidance on rendering PHI unusable, unreadable, or indecipherable to unauthorized persons (the breach notification "safe harbor" guidance) points to SP 800-52 as one of the NIST publications for encrypting ePHI in motion, so the withdrawal matters to anyone relying on that guidance. The 2005 edition predates TLS 1.1 and 1.2, which is why it was pulled; NIST indicated that the publication is being updated and will be republished. Until then, the practical point for covered entities and business associates is that the withdrawal does not relax the expectation to use current TLS versions and cipher suites.
- OCR is still reviewing comments submitted in response to the proposed HIPAA Privacy Rule Accounting for Disclosures under HITECH but did not indicate when the final rule would be published – the OCR staff was consistently coy in response to questions about the agency’s thinking on the rule.
- There was extensive discussion regarding the “conduit” exception to business associate compliance requirements. The conduit exception applies to entities that merely transmit PHI, such as the U.S. Postal Service or internet service providers. Conduits are not subject to HIPAA’s business associate requirements because any access they have to PHI is transient and incidental to the transmission service (the Omnibus Rule commentary describes it as random or infrequent access). As that commentary discussed, and speakers at the NIST-OCR Conference confirmed, the conduit analysis turns on whether the entity has continued, persistent custody of PHI (even if neither party intends for the entity to access it). Custody, not intent to access, triggers business associate compliance obligations for the entity storing the PHI, so a cloud storage or hosting provider that retains ePHI at rest is a business associate, not a conduit.
- OCR staff discussed the new, four-factor risk assessment under the Breach Notification Rule, which replaces the prior “significant risk of harm” standard and presumes that an impermissible use or disclosure is a breach unless the entity demonstrates a low probability that the PHI has been compromised based on (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom it was disclosed; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated. OCR indicated that additional guidance regarding the new analysis was forthcoming.
The session on the Pilot Privacy, Security and Breach Notification Audit Program (the “Audit Program”) provided both covered entity and business associate attendees with updates about OCR’s audit program and related compliance concerns. OCR completed the pilot phase of the Audit Program in 2012, and the pilot is now undergoing independent review by PricewaterhouseCoopers. Upon completion of the review, OCR will examine the findings and use them to modify the ongoing Audit Program’s design and focus. OCR is also planning to update its audit protocol to incorporate the HIPAA Omnibus Rule’s requirements and to include business associates as potential audit targets.
Verne Rinker, the OCR Health Information Privacy Specialist who presented on the Audit Program, stated that two-thirds of entities audited in the pilot did not have a “complete and accurate” assessment of their risks under the Security Rule. Moreover, the Audit Program findings showed that nearly a third of the deficiencies identified occurred because the audited entity was unaware of an explicit requirement in the rules. OCR also found in its pilot that some entities had simply disregarded HIPAA requirements they knew about.
OCR Director Leon Rodriguez offered several enforcement-related insights during his speech on the second day of the conference, emphasizing the collaborative nature of OCR’s enforcement approach. Rodriguez highlighted the fact that OCR has imposed only 13 monetary settlements (Resolution Agreements) out of the approximately 80,000 complaints it has received, and emphasized that OCR normally reserves significant monetary sanctions for ongoing failures to comply with sets of rules, not for single violations that are identified and resolved quickly. As an example, Rodriguez cited OCR’s largest enforcement action to date, the $4.3 million civil monetary penalty imposed on Cignet Health for its continued denial of patients’ access to their records. In line with this approach, he also pointed to OCR’s first Resolution Agreement of 2013, a $400,000 payment and corrective action plan agreed to by Idaho State University after its incomplete HIPAA security risk analysis left a firewall disabled and exposed the records of 17,500 patients to potential unauthorized access for roughly 10 months.
Overall, Director Rodriguez emphasized, and the NIST-OCR Conference sessions affirmed, that the HIPAA Privacy, Security, and Breach Notification Rules require an ongoing compliance process, not a static or one-time compliance effort.