HIPAA enforcement is increasing, and industry experts expect scrutiny in 2014
Role and obligations of business associates still in question
Executive summary
The Department of Health and Human Services (HHS) is enforcing the Health Insurance Portability and Accountability Act (HIPAA) vigorously, and the push is likely to continue. Data breaches are more likely to be discovered now even if the provider doesn't report them.
- Prior to the Health Information Technology for Economic and Clinical Health (HITECH) Act, HHS relied on complaints to become aware of HIPAA violations.
- Business associates and covered entities continue to disagree over their roles and responsibilities.
- Class action lawsuits involving data breaches are on the rise.
Healthcare providers are under the gun more than ever when it comes to compliance with the Health Insurance Portability and Accountability Act (HIPAA) because of recent changes that make it easier for the government to learn of breaches and to prosecute them, warns Stephen Treglia, JD, legal counsel at Absolute Software, a consulting firm in Austin, TX, that assists healthcare providers with HIPAA compliance.
A primary change spurring the increased enforcement was the Health Information Technology for Economic and Clinical Health (HITECH) Act. Before HITECH, Treglia explains, HHS had to rely solely on submitted complaints to become aware of HIPAA violations. (See the story on p. 2 for more on what is driving the increased enforcement.)
Changes to the definition and responsibilities of business associates (BAs) also are leading to conflicts that could complicate data security and make things messy if a breach occurs, Treglia says. "There's a big battle between providers and business associates," he says. "Business associates are trying to deny they are associates and making it hard for the covered entities that want them to become HIPAA-compliant. That's never good when two parties that both have a lot to lose can't work together to comply with the regulation."
Even if you're not arguing with your BAs, a covered entity might put too much confidence in the BA agreements (BAAs) required by HIPAA. Simply having one in place does not shield the healthcare provider from liability in the event of a breach, Treglia has learned.
Treglia recently attended a meeting with Leon Rodriguez, the Office for Civil Rights (OCR) director who has since been nominated to become the Director of the United States Citizenship and Immigration Services office of the Department of Homeland Security. Rodriguez told attendees at the meeting that the OCR was hiring more staff and planning to conduct more audits of HIPAA compliance. The subject of BAAs came up, and Treglia asked Rodriguez if having one in place was sufficient to protect the covered entity from liability related to a breach caused by the BA. Many covered entities seem to think so, Treglia told Rodriguez.
"Is it more in the form of governance that you're seeking?" Treglia asked the OCR director.
"That's exactly what we're looking for," Treglia recalls Rodriguez replying. "We're not looking for a one-shot relationship between the business associate and the covered entity. It's more of a partnership in which the covered entity should be providing guidance and governance to their business associates as to how to protect their patients' information."
The struggle to define BAs and refine the working relationship regarding HIPAA will likely continue for a couple of years, Treglia says. Rodriguez told the group including Treglia that OCR is taking "a very broad view of the definition of business associates."
"So that is probably where the battleground is coming up next," Treglia says.
More class action lawsuits
In addition, Treglia says the plaintiffs' bar has seen gold in the hills of HIPAA. Banking on support from a more empowered HHS to prosecute data breaches, trial lawyers are eager to file class-action lawsuits against entities that have been identified as having their medical records breached.
"When HHS prints a public listing of the breached entities, that makes them sitting ducks for class action suits," Treglia says. "A lawyer can go down the list and see who has the deepest pockets."
But what about encryption? Isn't that the solution that everyone proposes for HIPAA compliance? If the data is encrypted, even a stolen laptop full of protected health information (PHI) doesn't amount to much of a problem, according to many experts.
Treglia is more skeptical about encryption being the ultimate solution. He points out that encryption only works when the person attempting to access the data doesn't have the decryption keys, and sometimes they do. HIPAA data breaches have involved healthcare provider employees with access to decryption keys, Treglia notes. Huping Zhou, a former UCLA Healthcare System surgeon, was the first person sent to prison for intentionally viewing the PHI of co-workers, supervisors, and celebrities after being told he was fired, and encryption would not have stopped him, Treglia says.
"We're most aware of the loss of data, when someone steals a laptop for instance," Treglia says. "But we're realizing now that hacking is a real threat as well, in which the data never leaves your facility and there is no indication that a breach has occurred. The data has been compromised, and that's a breach just as much as a laptop left at Starbucks."
Treglia's advice is to expect 2014 to be a tough year for HIPAA compliance.
"We've only seen the tip of the iceberg. This trouble with business associates and the other issues, that is only going to increase in the years ahead," he says. "The enforcement push is not going to slow down in the near future."
Source
- Stephen Treglia, JD, Legal Counsel, Absolute Software, Austin, TX. Telephone: (512) 600-7455.