AIS's Health Business Daily
Featured Story Sept. 11, 2009
With New Authority, HHS Office for Civil Rights Vows ‘Vigorous Enforcement’ of HIPAA Security as Well As Privacy

Reprinted from REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

Covered entities, as well as business associates, should expect stepped-up federal enforcement of both the privacy and security rules now that the HHS Office for Civil Rights (OCR) has been granted authority to investigate alleged violations of the HIPAA security rule, complementing its role as the enforcer of the privacy rule. Since 2005, the security rule had been enforced by the Centers for Medicare and Medicaid Services (CMS), while privacy was OCR’s job. That changed on August 4, when HHS Secretary Kathleen Sebelius re-delegated that authority to OCR.

In a detailed phone interview with RPP, Susan McAndrew, OCR’s top privacy (and now security) official, repeatedly made the point that OCR, “public perception aside,” has been a tough overseer and will bring a similar approach to its security-rule efforts. She also raised the prospect that more CEs could see fines for violations of both rules in the future. “Having the rule transferred to OCR actually puts us in an excellent position for more cases going forward with us seeking a resolution agreement on both the privacy rule and security rule side,” McAndrew says.

Reviews to Continue Amid New Audits

In addition to describing the impact of OCR taking over security enforcement, McAndrew outlined a series of changes at OCR that are also likely to enhance enforcement, including an increase in manpower and funding and better positioning of security investigative staff in regional HHS offices. McAndrew is OCR’s deputy director for health information privacy and reports to the new director. Another reason for staying on top of compliance efforts: McAndrew says the HITECH Act gave OCR new authority to undertake audits, which could be conducted without cause.
Some believe that covered entities finally began to take HIPAA seriously when the HHS inspector general conducted audits of certain providers and when CMS contractors performed at least 10 “compliance reviews.” McAndrew could not say whether OCR would fully embrace or adopt CMS’s practice of conducting security reviews, but said some version of the reviews would continue and would now include both security and privacy rule issues. The reviews could actually reflect a more serious “audit,” she says. She also said that the OIG audits were a “singular event” that stemmed from CMS’s perceived weaknesses in enforcement of the security regulations. This summer, CMS released the results of 10 such compliance reviews.

Regarding the compliance reviews, McAndrew says OCR “has done a number of them, and we would continue to do compliance reviews on both privacy and security rule issues, where the information warrants that kind of approach. For instance, if we have a media-type incident that occurs and we don’t receive a complaint about that particular incident, we may decide to open a compliance review.” She adds that the HITECH Act gave OCR the specific authority to conduct privacy and security audits, and that these audits might be conducted of CEs that have not been subject to a complaint or experienced a high-profile incident, in contrast to how CMS chose the CEs it reviewed. “We are going to be looking at what is the best way to manage the audit function, and to determine how that audit function ought to relate to the enforcement efforts,” she says. “It may well be that the type of reviews [and OIG audits]…really might take on more of an audit-type role, as opposed to an incident or a potential violation inspection that would call up a compliance review.”

Audits to Complement Other Efforts

OCR wants to use its new authority to conduct audits in a way that “complements and doesn’t duplicate what we are able to achieve through our enforcement effort,” she says.
Audits by the OIG grew out of its review of CMS “and how they were doing enforcement reviews,” McAndrew says. The OIG lacks the authority to audit CEs directly. As part of its CMS review, the OIG “did field visits on entities and checked on their enforcement” of the security rule, she says. The OIG has not done a similar review of OCR, but it could in the future, McAndrew says. She defended OCR’s enforcement record, saying “OCR has really a very vigorous enforcement program.…We have resolved over 8,000 cases, which swamps the number of cases that were handled by CMS under the security rule.” She also said both agencies have been following the same “enforcement scheme,” which stresses voluntary compliance. That will not change, McAndrew says.

OCR to Go It Alone Without CMS Staff

OCR plans to carry out its new functions without using CMS security staff. McAndrew says that OCR is expecting an increase in personnel in fiscal year 2010, but notes the request was submitted prior to the assumption of security rule enforcement. OCR, which currently has 255 positions, hopes to go up to 270. The agency has been advertising for privacy specialists, but those positions are not new and are for existing vacancies; they also are not investigatory, McAndrew adds. Unlike CMS, which conducted security rule investigations from its Maryland headquarters, OCR expects to use its existing manpower in each of HHS’s 10 regional offices to conduct investigations involving violations of either rule. “We currently do our privacy cases with investigators in our 10 HHS regional offices and it is that staff that would absorb the security rule workload,” McAndrew says.
“The majority of cases are actually dual cases, so that staff is already involved in those complaints from a privacy side.”

Security Violations Not Criminally Prosecuted

Cases that might result in criminal prosecution are referred to the Department of Justice (DOJ), but only those that involve the privacy rule, according to McAndrew. Since the privacy rule went into effect, OCR has referred a total of 460 cases to DOJ.

Shift Contemplated Long Ago

CMS ended up with security rule enforcement for almost the same reason it has now given it up. McAndrew says CMS got the authority because of a “workload distribution,” implying that OCR could not take on the responsibility in 2005 that it is now assuming, four years later. She says giving CMS the security rule “did grow out of their work in the transactions and code set community, which really focused them on the electronic side of HIPAA.” McAndrew tells RPP that although the actual combination of privacy and security enforcement under OCR became effective last month, it had been contemplated “for some time,” and long before the HITECH Act was passed. Officials realized over time that separating privacy and security was an artificial and ineffective construct, she says.

‘Two Sides of the Same Coin’

“What prompted the move was essentially the growing sense that the privacy and security aspects of HIPAA really were two sides of the same coin…[that] they really were more entwined than we had originally thought” when CMS was delegated enforcement authority in 2005, she says. Many of the security complaints that CMS handled it received from OCR, she adds. “There were very few cases that really implicated only the security rule,” McAndrew says.
“When the HITECH Act came along, it really shined the light on the need to bring these two rules together, at least for investigatory purposes, [and for] just the efficiencies in having the case handled only out of one office, as well as the integrated nature of the issues.” OCR and CMS jointly requested that Sebelius make the change. McAndrew says there was never any thought to giving privacy to CMS, which would also have achieved the goal of having one central enforcer for both privacy and security. “It [would have been] just too much of a workload shift to have gone in that direction and too much of a learning curve to get all that investigatory expertise transferred to CMS,” she says. “[From CMS’s point of view]…they really received a lot of other responsibilities under the HITECH Act and they really needed to start redirecting their resources. They really have a lot on their plate, and this was just the best fit for the security rule.”

Lack of Expertise Questioned

Some experts told RPP they were concerned OCR would lack the expertise to enforce the security regulation and investigate potential violations. But McAndrew is confident this will not be an issue, and said OCR would use outside experts that had worked previously with CMS. “We are essentially expanding [privacy staff’s] role to also look at the security rule for potential violations and, of course, corrective actions,” she says. “We will be assisting them with respect to the security rule and largely the technical requirements under the security rule, from headquarters. We expect to be working with the same experts that assisted the CMS folk when they were handling these cases.”
OCR Regions ‘Can Handle’ Security

She adds, however, that “there are many aspects of the security rule that don’t require that kind of technical expertise, and we fully expect our investigators in the regions would be able to handle the administrative and in some cases the physical safeguard requirements that are imposed by the security rule.” OCR could see some sort of funding boost as CMS gives up security rule enforcement. McAndrew says that OCR “didn’t need to transfer actual staff from CMS to privacy in order to carry out this function.” The two agencies are talking “to reach agreement on any internal transfers that might be necessary in 2010. I think that will mostly translate into funds,” McAndrew adds.