By:  Alaap Shah and Ali Lakhani

Why is data breach such a rampant problem within the health care industry?

As health care rapidly digitizes through adoption of electronic health records, mobile applications and the like, the risk of data breach is rising exponentially.  To effectively manage this risk, health care companies and their business associates must be vigilant by implementing and evaluating security controls in the form of administrative, physical and technical safeguards.  Health care companies also have resources to assist them with managing this risk.  Specifically, the Federal agency for oversight of the Health Insurance Portability and Accountability Act (“HIPAA”), the Department of Health and Human Services, Office for Civil Rights (“OCR”) is tasked with providing technical assistance to guide companies to achieve compliance with the HIPAA security rules.  Further, when companies fail to comply, OCR has enforcement authority to “obtain” compliance.

The responsibility for the oversight and enforcement of the Security Rule was delegated to OCR by DHHS in 2009 under the Health Information Technology for Economic and Clinical (“HITECH”) Act.  Nonetheless, anyone that reads the news is aware that data breaches within the health care sector are commonplace.  As such, it is becoming increasingly clear that health care companies systemically lack adequate security safeguards.  Additionally, it raises a concern regarding the effectiveness of OCR’s efforts to ensure compliance.

Lack of Insight into Industry Security Compliance

According to a recently released report by the Department of Health and Human Services (“DHHS”) Office of Inspector General (“OIG”), OCR’s compliance efforts reveal significant gaps in their oversight activities between 2009 and 2011.  Specifically, the report states that OCR “hasn’t performed required audits of how corporations handle patient information and failed to guarantee the security of its own records.”  As a result, OIG indicated that OCR’s periodic Security Rule compliance audits, which were made mandatory by HITECH, remain an outstanding objective.

OCR responded to the OIG’s report explaining their performance citing that “no funds [have] been appropriated . . . to maintain a permanent audit program.”  Going forward, however, Rodriguez said he expects that OCR "will leverage more civil penalties" and that OCR will be permitted to use collected penalties to fund enforcement actions and "to maximize funding [for] our auditing and breach analysis" activities.  OCR has already committed $4.5 million from monies it collected from prior enforcement actions.

Interestingly, this is not to suggest OCR has not been active in promoting security compliance.  For example, OIG indicated that OCR has provided guidance to covered entities to promote compliance and has established an investigation process for responding to reported violations.    Yet, OCR’s report card, although somewhat changed, is not materially improved since OIG’s 2011 report wherein a “need for greater OCR oversight and enforcement” was recommended.  In light of these findings, it is likely that OCR will turn its focus to increasing its oversight activities in an effort to gain further insight into security rule compliance.

OCR is Transforming into OIG

As early as May 2012, the Director of OCR, Leon Rodriquez, indicated that the agency is headed toward the Office of Inspector General enforcement model.  OCR director Leon Rodriguez has warned that “the same level of vigilance that providers have used to steer clear of OIG's fraud enforcement now needs to be applied in the HIPAA environment."  Coupling these comments with the findings of the recent OIG report suggest that OCR will be taking its oversight and enforcement activities even seriously moving forward.

Based on reinvigoration of the HIPAA Audit Program and signals from OCR, it appears that 2014 will be the year of heightened OCR enforcement.  According to federal regulators, the permanent HIPAA Audit program is planned to begin early in the new-year and that covered entities should identify and mitigate outstanding non-compliance.  Although Rodriguez has conceded that “the audits under this permanent program will be narrower in scope in comparison [to those] conducted during the pilot program,” the number of organizations that will be audited is expected to increase.

In short, the health care industry should expect even more audits and enforcements in the future.

Follow Alaap Shah on Twitter: @HealthITLawyers

Back to Health Law Advisor Blog

Search This Blog

Blog Editors

Related Services

Topics

Archives

Jump to Page

Subscribe

Sign up to receive an email notification when new Health Law Advisor posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.