Adam Greene, senior health IT and privacy advisor at the OCR, outlined a slew of changes to existing regulations. The final HITECH privacy, security and breach notification rules will arrive in 2011 and be issued together, Greene said, to minimize staggered compliance dates and repeated changes to notices of privacy practices. The rules need to be revised to reflect the more widespread use of electronic data and electronic health records, Greene said.
He told a packed room at HIMSS11 that financial penalties for single privacy and security violations will be increased to $50,000 per violation, with a maximum penalty per year of $1.5 million per provision of the rules. He noted that these penalties could be enormous considering that many breach incidents are found to contain multiple violations.
Some of the key changes the Office for Civil Rights is seeking:
* If patients ask for their treatment information and it is not available in the format they requested, the default will be to provide them with direct electronic access to that information.
* If patients want restrictions on what data is shared among health care entities (Greene used the example of a patient who did not want treatment information he paid for out-of-pocket to be sent to a health insurer), then EHRs must be able to handle those restrictions.
* Business associates can be held directly liable under the privacy and security rules (240 days after the final rules are issued). Business associates already can be found directly liable under the breach notification rule. In addition, subcontractors will be held to the same liability as business associates.
* In accountings of disclosures of patient information, disclosures for treatment, payment and health care operations must be tracked and reported.
Greene also said that new restrictions would be put on the use of patient data for marketing and fundraising, and on the sale of protected health information. He also discussed data breaches, noting that more than 220 organizations have had to publicly report breaches affecting 500 individuals or more, and that the OCR has been notified of more than 14,000 breaches of patient information affecting fewer than 500 individuals. The theft or loss of portable devices such as laptops was the root cause of 66 percent of large breaches, he noted, while only 7 percent were caused by computer hacking.