Last week during the regional Health Care Compliance Association (HCCA) conference in Nashville, I was lucky enough to host a gathering of executives from privacy and compliance for a private executive dinner with Adam Greene, an influential thought leader in privacy and partner with Davis Wright Tremaine. Adam moderated a robust discussion that explored HIPAA and OCR enforcement trends, the growing divide between state consumer protection laws and Federal regulations, and speculation on what the future holds for healthcare companies in an increasingly fractured consumer protection landscape.
The evening was well informed by Adam’s experience in the Office of General Counsel at the Department of Health & Human Services, supporting the Office for Civil Rights (HHS OCR), and by his contributions drafting the first breach notification rule under HIPAA/HITECH. Adam maintains a close watch on OCR initiatives for his healthcare clients as they navigate delivering patient care under the increasingly complex compliance demands driven by consumer protection laws. I know I speak for my fellow dinner companions in expressing gratitude to Adam for the visibility he provided into the shifting priorities at the Federal level as OCR enforcement policies are revised under the new administration.
Mounting Challenges to Healthcare Compliance
Privacy professionals in the US are caught in a storm of health delivery challenges. These challenges come in many forms: the growing opioid and addiction crises, the ongoing private and public healthcare funding model debates, the rapid digitization of healthcare records, the need to keep pace with patient record access rights, and the myriad of consumer protection laws.
The variables involved in the ways we deliver healthcare have also grown dramatically in the past few years, including e-medicine, coordination of care, outcome-based incentives, and other developments. How are regulatory bodies keeping up with the pace of these changes, and providing privacy protection guidance that matches innovation in technologies? A lively portion of the discussion centered on OCR’s focus on Data Access Rights, and the inherent conflict between 42 CFR Part 2 (the confidentiality rules for substance use disorder patient records) and coordinating patient care. For healthcare providers, this conflict is most apparent as companies sift through the vague language of the California Consumer Privacy Act (CCPA), which places competing corporate burdens on consumer records access and privacy protection. Compliance and privacy professionals are increasingly concerned about this balance while planning responses to administration-driven ebbs and flows in HIPAA and state enforcement trends.
2019 in Healthcare Compliance: A Balancing Act Between Access and Data Protection
Throughout 2019 we have seen the difficult balance regulators must strike between data access and data protection.
In September, the first ever Right of Access enforcement action and settlement from OCR was resolved with a Florida hospital for not providing a mother with timely access to her child’s medical records. The monetary settlement was combined with a corrective action plan with OCR that includes one year of monitoring by the agency.
In April, HHS lowered its annual penalty caps for HIPAA violations, in the least-severe tier by more than $1M. The new caps are based on what the department called "levels of culpability." The new penalty structure may already be having an effect: enforcement fines so far this year total just under $13 million, compared to 2018’s record $28.7 million. While none of these cases is likely to match the record $16 million penalty of the 2018 Anthem breach settlement, how frequently and to what extent will OCR be pursuing access rights violations in 2020?
Year to date, OCR has 387 cases under investigation from 2019 alone. Over 90% of these involve healthcare providers, and 67% were caused by hacking, IT incidents, or theft. Interestingly, a business associate (BA) is present in only 6 of the cases, but all of those cases involve theft of personal information. Of the cases settled with penalties this year, OCR consistently cites the lack of an enterprise-wide risk assessment as evidence of negligence.
Evidence of willful neglect often includes failure to address known risks. Several of the organizations had failed to report incidents within the HIPAA-required time frame, and some were also fined for failing to publish or enforce policies protecting patient privacy. (Incredibly, in several cases, employees actually posted protected patient health information on social media.)
While the new technologies and regulatory challenges don’t remove the risk of fines for non-compliance, they do present an opportunity for those organizations that can document their HIPAA-compliant processes. A properly handled incident may incur little or no monetary penalty if the organization can show:
- Proof of regular, enterprise-wide risk assessment
- Documents showing assessments and decision criteria for incidents that did not meet HIPAA notification thresholds
- Timelines from occurrence to notification, proving that notifiable incidents were reported within required deadlines (under the HIPAA Breach Notification Rule, without unreasonable delay and no later than 60 calendar days after discovery)
The key lesson from the executive dinner was that compliance is a constantly moving target.
The race between technical advancements in medicine and regulatory responses to the new landscape means privacy professionals in the field will experience greater complexity while working to adhere to breach notification laws. Care coordination in medicine will demand an increased focus on Business Associate agreements, and more staff training will be necessary to address growing pressure on consumer access to healthcare records.
Ultimately, when it comes to compliance, time is of the essence. Efficiently and consistently assessing incidents, from discovery and risk assessment to documentation and notification, saves time and builds audit-quality records for each disclosure. Privacy professionals must work to streamline their processes and free up resources for the strategic initiatives necessary to prepare for the challenges expected in 2020 and beyond.