There have been nine OCR HIPAA enforcement settlements so far in 2017, highlighting the need for covered entities and business associates to focus on audit controls, risk management, and business associate agreements. While there has been a new administration leading the way, healthcare data privacy and security experts do not expect an exceedingly different approach when it comes to ensuring entities remain compliant.
Health data privacy concerns have not lessened, and organizations continue to have more questions on how best to keep information secure as technology evolves, stated Foley Hoag Associate Jeremy Meisinger.
Toward the end of 2016, people were starting to realize that the more devices that are connected to the internet, there are more places that health information can potentially leak out of. This started many organizations to become increasingly worried.
Under the current administration, OCR is taking a “back-to-basics” approach in terms of enforcement, Meisinger told HealthITSecurity.com. Rather than making policy statements, the agency is interested in enforcement.
“What they’re saying about enforcement is not a sharp change because they’ve been saying it for a number of years,” Meisinger explained. “They’ve been saying, ‘We don’t have the ability to investigate every data breach in the country, but we do have the ability to make examples of people.’”
That approach very much comes out in what OCR has said recently and done recently, which is that it wants to do big, exemplary cases, he added.
“Going after those big exemplary cases, it doesn’t hurt that OCR’s enforcement activity is now largely funded by the settlements in those cases,” Meisinger noted. “That, too is not entirely a departure. That had been occurring, but it is more explicitly now their view that the enforcement activities need to pay for themselves and potentially even pay for other things.”
OCR HIPAA settlements have been taking place, and have been going aggressively, topping close to $15 million so far in 2017, he said.
Some questions were raised when Roger Severino was appointed as head of OCR, largely because of Severino’s conservative-leaning positions on certain issues. And while Severino did not necessarily have HIPAA-specific experience, he has stated that the agency will work hard to make an example of particularly egregious HIPAA violations.
Going after the organizations that were part of a large-scale data breach is a normal and sensible thing to do, especially when trying to establish HIPAA credentials, Meisinger said.
“He has a law enforcement background, and while not necessarily a HIPAA background, it makes sense to do that,” he stated. “Although, one doesn’t have to look far to see examples of data breaches in the media that get people talking and that cause a lot of vitriol to be directed from the public to a particular entity, and that’s certainly not limited to health information.”
“People are aware that this stuff happens and that when it happens, it’s a big deal,” Meisinger continued. “But I think it’s a sensible way to kick things off as the new head of an agency to say, ‘Yeah, I want to bag a big case.’”
Reed Smith Partner Brad Rostolsky explained in a separate interview with HealthITSecurity.com that it’s still a little early to really know how the administration is impacting current enforcement. Most of the cases in enforcement coming through the pike are a little bit older than current administration time, he said.
“But there have been statements from the people at the top of OCR indicating that they have every intention of being as aggressive as the previous administration,” Rostolsky stated. “OCR is even indicating that it’s looking to make examples out of egregious offenders.”
While that might not make healthcare organizations “feel all that warm and fuzzy,” in terms of harkening back to how OCR previously approached compliance, Rostolsky said it is not too much of a change at all. Enforcement has been slowly increasing over the past number of years, and no one likely expected that to radically change.
When the OCR director says the agency is going to make an example of entities that are not compliant, it would be foolish to not pay attention to that statement, he added.
“But at the same time, the on the ground reaction should be to continue what you’re doing if you’re doing it right,” Rostolsky stressed. “And if you’re not doing it right, or there are areas to improve, continue to make those adjustments and improvements.”
The biggest risk that entities don’t have as much control over is the potential for an outside force, whether it’s criminal or not, to negatively impact their privacy or security, he said. For example, there are a lot of disaster related considerations being discussed, such as what happens to your backups? What happens to your overall system structure in the midst of a natural disaster?
“Overall, the biggest challenge right now with HIPAA isn’t one that your stereotypical healthcare provider or business associate needs to deal with: it’s more the folks that are entering into the healthcare world for the first time, especially as a vendor,” Rostolsky said. “The bar is a lot higher than for those that have entered in the past and had more time to get used to it.”
Some of those organizations, often including those in the device manufacturing world, are using and developing connected apps with various partners, he continued. Those partners might be regulated and they might not.
“It’s important to ensure that as technology changes and people are pushing the boundaries with respect to what’s being offered to consumers, patients, and providers, you’re thinking about those things within the context of HIPAA appropriately,” Rostolsky stated.
How state attorneys general approach cybersecurity, compliance
When Trump was elected, there were many state attorneys general who feared that the federal government would stop enforcing numerous things, Foley Hoag’s Meisinger pointed out. Some state legislatures were passing explicit kinds of laws, directing the attorneys general to pick up the slack, but in most cases, it wasn’t necessary.
“The big blue state AGs were more than happy to be getting out on the stump distinguishing themselves from Trump and saying that whatever the federal government didn’t do, they were going to be able to do,” he said. “A lot of that is in the field of consumer protection, and a lot of that is in the field of FTC types of things.”
Data breaches are looming large in the public’s mind though, and state attorneys general are very aware of the increasing concern with cyber criminals. There is a clear trend in the way that state attorneys general are going, and this is an issue that when and if it happens, they will be more than happy to become involved.
In terms of a national data breach notification standard, Meisinger said there have been numerous efforts over the past few years to make the laws more uniform.
“There are tricky issues sometimes, because in some states you are directed to notify the attorney general and to not make individual notifications until the attorney general says it’s not going to impede the investigation,” he stated. “But yet in other states, you have a direction from the statute to inform people after a certain number of days.”
“Given that information can cross state lines, questions come up such as ‘Whose state laws do you attempt to honor?’ This creates all sorts of headaches,” Meisinger added.
A national data breach notification standard seems like it would get some traction, especially in the wake of large-scale breaches like Equifax, but Meisinger said it is difficult to pinpoint currently how it would move forward.
Reed Smith Partner Divonne Smoyer also explained in a separate interview with HealthITSecurity.com that data privacy and security is a bi-partisan issue.
“Outside of the space, dealing with the federal government and federal agencies has become very politicized, with democrats attacking and republicans defending the attorneys general,” she said. “But in the space of data privacy, unless OCR comes out and does something radical in the eyes of the democratic AGs’ perspectives with charges and mandates, they’re going to continue to work with them cooperatively.”
With regard to a potential national data breach notification standard, Smoyer said there have been perennial bills introduced previously. Large-scale data breaches are often a triggering factor into pushing them to the forefront. There is more of a current awareness of the need to normalize data breach notification.
“Right now, with the Trump Administration in power, the Democratic AGs are emboldened to enforce state’s rights, whereas with the prior administration it was the Republicans to enforce state’s rights,” Smoyer explained. “It’s going to be a struggle. But among state AGs right now, there is a general awareness that we can’t have all of these laws that are constantly evolving that tend to slow down on the breach notification process.”
“There’s going to be a fight about what to extent federal regulations like HIPAA and HITECH, can be enforced,” she continued. “Inevitably, the state AGs will probably get what they want, but the real question is, can there be pre-emption of state laws in this space?”
Regardless of the state in which a healthcare organization is located, it is essential to talk with their attorney to ensure both state and federal laws are followed, Meisinger advised.
With fees for accessing medical records for example, distinctions can be drawn between different state laws and what they represent in terms of the guidance, he said.
“The guidance calls for what it says is a reasonable cost-based fee, and then it gives these complicated ways of determining what a reasonable cost-based fee is,” Meisinger said.
It is all very state-dependent at times, and entities need to ensure they are doing everything in their power to remain compliant at all levels.
Reed Smith’s Rostolsky concluded that organization is key for any entity, whether it is a local or regional provider or one with national reach.
“It’s about making sure that you’re staffed well enough to ensure you’re paying attention to all of the rules,” he said. “They’re not complicated, but there can be a lot of them. Making sure you’re on top of the rule book is the best play.”