By: Alaap Shah and Ali Lakhani
Why is data breach such a rampant problem within the health care industry?
As health care rapidly digitizes through adoption of electronic health records, mobile applications and the like, the risk of data breach is rising exponentially. To effectively manage this risk, health care companies and their business associates must be vigilant by implementing and evaluating security controls in the form of administrative, physical and technical safeguards. Health care companies also have resources to assist them with managing this risk. Specifically, the Federal agency for oversight of the Health Insurance Portability and Accountability Act (“HIPAA”), the Department of Health and Human Services, Office for Civil Rights (“OCR”) is tasked with providing technical assistance to guide companies to achieve compliance with the HIPAA security rules. Further, when companies fail to comply, OCR has enforcement authority to “obtain” compliance.
The responsibility for the oversight and enforcement of the Security Rule was delegated to OCR by DHHS in 2009 under the Health Information Technology for Economic and Clinical (“HITECH”) Act. Nonetheless, anyone that reads the news is aware that data breaches within the health care sector are commonplace. As such, it is becoming increasingly clear that health care companies systemically lack adequate security safeguards. Additionally, it raises a concern regarding the effectiveness of OCR’s efforts to ensure compliance.
Lack of Insight into Industry Security Compliance
According to a recently released report by the Department of Health and Human Services (“DHHS”) Office of Inspector General (“OIG”), OCR’s compliance efforts reveal significant gaps in their oversight activities between 2009 and 2011. Specifically, the report states that OCR “hasn’t performed required audits of how corporations handle patient information and failed to guarantee the security of its own records.” As a result, OIG indicated that OCR’s periodic Security Rule compliance audits, which were made mandatory by HITECH, remain an outstanding objective.
OCR responded to the OIG’s report explaining their performance citing that “no funds [have] been appropriated . . . to maintain a permanent audit program.” Going forward, however, Rodriguez said he expects that OCR "will leverage more civil penalties" and that OCR will be permitted to use collected penalties to fund enforcement actions and "to maximize funding [for] our auditing and breach analysis" activities. OCR has already committed $4.5 million from monies it collected from prior enforcement actions.
Interestingly, this is not to suggest OCR has not been active in promoting security compliance. For example, OIG indicated that OCR has provided guidance to covered entities to promote compliance and has established an investigation process for responding to reported violations. Yet, OCR’s report card, although somewhat changed, is not materially improved since OIG’s 2011 report wherein a “need for greater OCR oversight and enforcement” was recommended. In light of these findings, it is likely that OCR will turn its focus to increasing its oversight activities in an effort to gain further insight into security rule compliance.
OCR is Transforming into OIG
As early as May 2012, the Director of OCR, Leon Rodriquez, indicated that the agency is headed toward the Office of Inspector General enforcement model. OCR director Leon Rodriguez has warned that “the same level of vigilance that providers have used to steer clear of OIG's fraud enforcement now needs to be applied in the HIPAA environment." Coupling these comments with the findings of the recent OIG report suggest that OCR will be taking its oversight and enforcement activities even seriously moving forward.
Based on reinvigoration of the HIPAA Audit Program and signals from OCR, it appears that 2014 will be the year of heightened OCR enforcement. According to federal regulators, the permanent HIPAA Audit program is planned to begin early in the new-year and that covered entities should identify and mitigate outstanding non-compliance. Although Rodriguez has conceded that “the audits under this permanent program will be narrower in scope in comparison [to those] conducted during the pilot program,” the number of organizations that will be audited is expected to increase.
In short, the health care industry should expect even more audits and enforcements in the future.
Follow Alaap Shah on Twitter: @HealthITLawyers