Feds Send Security Warning Shots

Staff at the Department of Health and Human Services’ Office for Civil Rights co-hosted the Safeguarding Health Information conference May 11-12 in Washington. They came across as smart, dedicated public officials who want to enforce the HIPAA privacy, security and breach notification rules in a fair and common sense manner.


 


But they also made clear that OCR finally has the means--expanded jurisdiction, stronger penalties and higher funding--to crack down on organizations that still don't take protection of health information seriously.

That means organizations being investigated for privacy rule violations, which include a breach, also will face scrutiny on how well they comply with the security rule. "Without a sound security policy, privacy will just be a principle," says Susan McAndrew, deputy director for privacy at OCR. The nation's top health privacy cop further notes that OCR has added investigators in 10 regional offices to boost enforcement of the security rule, after jurisdiction of that rule last year moved to OCR from the Centers for Medicare and Medicaid Services. "We're hoping to move security to the forefront and make it a real partner with privacy in our efforts."

Since February, OCR has published the names and circumstances of about 80 organizations that have experienced a breach affecting at least 500 individuals. But the public listing is only one federal penalty for breaches, not to mention damaged reputations in the organizations' communities. They also face OCR investigations and heavy fines if they do not cooperate in developing a remedial information security program. Even those who cooperate can find themselves paying a "resolution fee" and having OCR oversee their information security programs for three years.

David Holtzman, a health information privacy specialist at OCR, walked conference attendees through the new tiers of penalties for violations of the privacy and security rules. The most serious level of violation results from an organization's "willful neglect" to protect health information, with a fine of up to $50,000 per violation, annually capped at $1.5 million for all identical violations. When OCR investigates privacy and security violations, it will be looking for evidence that an organization took appropriate safeguards to cover against "reasonably anticipated" threats to protected health information.

Take one look at the 80 organizations on OCR's breach list, and you'll see 80 threats that should have been reasonably anticipated. Encryption is an easy way to stay out of trouble, says Mac McMillan, CEO at CynergisTek Inc., an information security and regulatory compliance firm.

McMillan spoke at the conference and expressed amazement at how many organizations on the breach list didn't encrypt portable computing devices, particularly laptops. "You have to ask yourself: How hard do you have to get hit before learning that lesson?"

Asked if OCR would like to see the lack of password protection and encryption as presumptive evidence of willful neglect, Holtzman said the issue would be addressed in forthcoming rules. That means "yes," count on it.

If OCR wants to set a good federal example of safeguarding, it would do well to make sure the government's own house is in order. We recently learned that a VA contractor had an unencrypted laptop containing protected health information and Social Security numbers on more than 600 VA patients stolen in April.

The theft occurred about four years after the VA had a breach involving 28.7 million--yes, million--individuals. The contractor in the new theft has 69 different contracts with the VA and a review shows that 25 of the contracts did not include an information security clause. That follows a comprehensive review last year of 22,729 VA contracts that found 6,440 contracts did not have the clause and 578 of these contractors refused to add it, "without any apparent VA action to enforce its I.T. security actions," Rep. Steve Buyer (R-Ind.) wrote recently to VA Secretary Eric Shinseki.

Buyer wants to know when the VA will stop permitting use of unencrypted computing devices to hold information on those it serves. Let's hope OCR also wants answers.
