Let the Audits Begin . . .

Following the mandate set forth in HITECH, OCR has announced a pilot HIPAA compliance audit program beginning this month.  During the pilot phase, which is expected to run through December 2012, OCR will audit up to 150 covered entities drawn from "as wide a range of types and sizes of covered entities as possible."  For now, business associates are not included in the pilot.  OCR has engaged KPMG LLP to conduct the audits and has published a sample initial notification letter.

Each audit will include a request for documents and information, a site visit, and a draft audit report.  Covered entities will have the opportunity to comment on the auditor's report before it is finalized.  While OCR states that it will use the audit reports primarily to develop technical assistance and to evaluate the efficacy of corrective action plans, it retains the right to open a compliance review of any serious compliance issue uncovered during an audit.  At the conclusion of the pilot, OCR will "broadly share best practices gleaned through the audit process and guidance targeted to observed compliance challenges."  What happens after the pilot program, however, remains to be seen.

Clarification of HITECH's Amendments to HIPAA's Civil Monetary Penalties

Recognizing the confusion surrounding HITECH's significant amendments to HIPAA's Enforcement Rule, the Department of Health and Human Services ("HHS") published the Interim Final Rule on HIPAA Enforcement ("Interim Final Rule") on October 30th.  The Interim Final Rule seeks to clarify the revised civil monetary penalty scheme established in HITECH, noting that many covered entities "may be unaware they are currently subject to significantly greater penalties for violations of the HIPAA rules."  Indeed, the increase in the maximum annual penalty for violations of an identical provision from $25,000 to $1,500,000 is big news for all covered entities (and now business associates too).  HHS considered this information important enough to waive the notice and comment period and proceed directly to an interim final rule, which becomes effective on November 30, 2009.

Congress Calls on HHS to Strengthen Breach Notification Rules

In a letter issued on October 1st, Congressional House leaders of the Energy and Commerce and Ways and Means committees oppose “the high bar” that the Department of Health and Human Services (HHS) has set for breach notification.

The breach notification regulations were enacted pursuant to the American Recovery and Reinvestment Act of 2009 (ARRA).  Published as interim final regulations in the Federal Register on August 24, 2009, they require health care entities to notify individuals and HHS if there has been an unauthorized use or disclosure (“breach”) of electronic personal health data.  These regulations, however, include a “substantial harm” standard, under which no notification to individuals or HHS is required if the breaching entity concludes that there is no significant risk of financial, reputational or other harm to the individual.

According to the letter, the substantial harm standard is not consistent with Congressional intent. “In drafting [the enacting statute], Committee members specifically considered and rejected such a standard due to concerns over the breadth of discretion that would be given to breaching entities, particularly with regard to determining something as subjective as harm from the release of sensitive and personal health information.”

The letter urges HHS to revise or repeal the harm standard provision and calls for greater transparency through a “black and white standard,” which would allow individuals to assess the level of harm caused by a breach of their health information, and permit them to judge the quality of an entity’s privacy protection based on the true number of breach occurrences.

OCR Will Now Enforce the HIPAA Security Rule

In an effort to consolidate HIPAA administration and enforcement within the Office for Civil Rights ("OCR"), the Secretary of the Department of Health and Human Services ("HHS"), Kathleen Sebelius, has moved administration and enforcement of the HIPAA Security Rule away from the Centers for Medicare & Medicaid Services and delegated that authority to OCR, the office that already administers and enforces the Privacy Rule.  According to Secretary Sebelius, “Privacy and security are naturally intertwined, because they both address protected health information.  Combining the enforcement authority in one agency within HHS will facilitate improvements by eliminating duplication and increasing efficiency.”  This reorganization is further evidence that HHS is gearing up to increase HIPAA enforcement in light of the changes set forth in the HITECH Act.

Significant HIPAA Modifications in the American Recovery and Reinvestment Act

The American Recovery and Reinvestment Act of 2009 (commonly called the "Stimulus Bill") contains sweeping changes to HIPAA.  HIPAA has been expanded to reach entities not previously governed by HIPAA, and the penalties for violating HIPAA have increased dramatically.  The devil is in the details, however, and those details remain unknown until the implementing regulations are issued.  For a more detailed summary of the Stimulus Bill's changes to HIPAA, please see our DGS client alert on this issue.