At the HIMSS Conference in Orlando, FL on February 24, 2014, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) outlined its compliance audit intentions for 2014, beginning with a pre-audit survey of covered entities and business associates to assess their readiness for audit. In an earlier posting in this blog, we highlighted changes coming in May 2014 in the insurance industry that will necessitate separate cybersecurity coverage, as breach coverage will be excluded from standard commercial general liability policies.
Sue McAndrew, Deputy Director for Privacy of the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), said on February 24, 2014, at the HIMSS Conference in Orlando, FL, that “’[c]ompliance and enforcement is really where the action is going to be’ in 2014” for HIPAA Privacy and Security and HITECH Act Breach Notification Rules.
The Department of Health and Human Services’ Office for Civil Rights (OCR) published in the February 24, 2014, Federal Register a Notice indicating that OCR would conduct a HIPAA Covered Entity and Business Associate [Compliance] Pre-Audit Survey, for which OCR is requesting public comment on the type of information to be collected and the collection burden. Public comment on the Information Collection Request (ICR) is due on or before April 25, 2014.
The importance of covered entities and business associates conducting a risk analysis, implementing safeguard policies and procedures, and training workforce members is illustrated by the February 2014 Redspin Breach Report 2013: Protected Health Information (PHI), which is available online at: http://www.redspin.com/resources/whitepapers-datasheets/Request-2013-Breach-Report-Protected-Health-Information-PHI-Redspin.php.
This posting examines the definition of unsecured protected health information and the Office for Civil Rights’ (OCR) Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, as discussed in the January 25, 2013, Final Rule: “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules,” which is available online at: http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.
An important provision of HITECH Act Breach Notification, Administrative Requirements and Burden of Proof, at 45 CFR 164.414, was not modified in the January 25, 2013, Final Rule: “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules,” which is available online at: http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf. Nevertheless, the preamble or commentary in the Final Rule makes two important points about this provision:
On February 12, 2014, the National Institute of Standards and Technology (NIST) published Version 1.0 of “Framework for Improving Critical Infrastructure Cybersecurity.” The first two paragraphs of the Executive Summary describe the background of this document:
The January 25, 2013, HITECH Act Final Rule that modified the HIPAA Privacy and Security Rules and the HITECH Act Breach Notification Rule, and required compliance by September 23, 2013, specified that subcontractors are business associates. [78 Federal Register 5566-5702] The Final Rule defines subcontractor as “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.” [78 Federal Register 5689]
Before enactment of the HITECH Act, civil penalties for HIPAA safeguard violations were $100 for each violation, capped at $25,000 for all violations of the same provision in a calendar year. [74 Federal Register 56131] Under the HITECH Act, penalties were significantly raised and divided into four tiers. The maximum penalty for all violations of an identical provision in a calendar year increased 60-fold, to $1.5 million.
On Thursday, February 6, 2014, the Department of Health and Human Services (HHS) published in the Federal Register its Final Rule amending the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations and the HIPAA Privacy Rule to facilitate patients’ access to their test reports. This Final Rule is effective on April 7, 2014, and requires compliance by HIPAA covered entities by October 6, 2014. Here is a summary of the Final Rule (79 FR 7290):