Linda Sanches, Senior Advisor, Health Information Privacy, at OCR, DHHS, spoke with Tom Sullivan (@GovHITeditor) at the HIMSS Media #HITprivacy and security conference in Boston today (September 9, 2014) about OCR HIPAA compliance audits.
The HITECH Act made some significant changes to the HIPAA Privacy Rule, updating some provisions and increasing protections for individuals. Improvement of regulatory schemes that are a little long in the tooth is laudable, since technical and societal changes, of necessity, make for a perpetual game of catch-up. However, it is a challenge for regulators to pick the right battles to fight, and the challenge is made that much more difficult to navigate when, as in the case of the HITECH Act, Congress gets into the weeds with extremely detailed statutory language, thus limiting the regulators' range of discretion. Since it is often difficult for Congress to act, and even more difficult for it to act rationally, the detailed language of the HITECH Act hamstrings the regulators and the regulated community.
The HIPAA/HITECH Omnibus Rule became effective just over one year ago. The compliance date was just over six months ago. Within about another six months (plus or minus), Federal regulators – at the Office for Civil Rights at the US Department of Health and Human Services – will begin a new round of HIPAA compliance audits. They are already actively involved in complaint investigations governed by the “new” HIPAA rules. Other Federal, state and territorial authorities are actively involved in HIPAA and related health data privacy and security enforcement activity: the Federal Trade Commission, the Secret Service, the Puerto Rico Health Insurance Administration, state attorneys general. The “Wall of Shame” on the OCR website adds information about newly disclosed data breaches on a regular basis. Fines under the new HIPAA rules may hit $1.5 million or more. Fines under other regulatory schemes have climbed significantly higher. Compliance agreements, follow-up audits and more await those covered entities (health care providers or payors) (CEs) or business associates (everyone else in the health care ecosystem – billing services, marketing agencies, consultants, shredding contractors, attorneys, accountants, etc.) (BAs) unfortunate enough to experience a lapse in their HIPAA compliance programs and to have occasion to file a breach notification, or to be the subject of a complaint investigation or random audit.
OCR planning for the next round of HIPAA compliance audits continues.
A new information collection request will be filed soon (two months from now or so), according to the HIPAA audit questionnaire burden estimate published Monday, February 24. (H/T Art Gross, HIPAA Secure Now.) The filing shows that OCR intends to administer 1200 questionnaires to a mix of covered entities and business associates. The questionnaires are estimated to take 30 minutes to complete.
Once those questionnaires hit the street, the full force of OCR will not be far behind. In light of the latest multimillion dollar HIPAA penalty -- this one levied by the Puerto Rican government against an organization that might actually be around long enough to cough up the big bucks, as opposed to Cignet (and there's no telling what OCR might do in addition to that) -- let's just say it behooves all covered entities and business associates out there that have not yet put their house in order from a HIPAA/HITECH compliance perspective to do so now.
With new developments over the past year in the realms of telehealth, mobile health and health data privacy and security, and opportunities for accountable care organizations, integration of connected health and implementation of HIPAA compliance plans, there is plenty of material for prognosticators.
Kate Ackerman, Editor-in-Chief at iHealthBeat asked 13 experts three questions.
Here are the questions and my answers; follow the link above to read 12 other perspectives.
I spoke yesterday at the StrataRx conference in Boston, as part of the data liquidity track. This was sort of a blue sky presentation (as you can tell from the first slide); the thought was to explore the notion of building big data analytics on top of a data store populated by health record information obtained as a result of patient requests. Why? Because doing it that way would bring the data out from under HIPAA and HITECH regulations. Patients could contribute as much or as little of the data as they wish, patients could be compensated for their contributions, and other pesky HIPAA restrictions would fall by the wayside. I used one company's newly-announced service as an example, but there are others in this space as well.
With H-Hour (the HIPAA Omnibus Rule compliance date) just a week away, the federales have come through, delivering a useful compliance tool with the HIPAA Notice of Privacy Practices requirements -- a set of model forms released during the Consumer Health IT Summit. At first blush, the forms seem extremely user-friendly, and they are certainly briefer, and are written in a tongue that bears a closer resemblance to English, than the NPPs with which most of us have had to labor. Kudos to the agencies for undertaking the effort to draft and field-test these forms.
While the field-testers' favored format, we are told, is the booklet, I much prefer the layered online form. The first page has a high-level summary of the HIPAA privacy and security rules as they pertain to patients, and details are set forth on the pages that follow.
I was disappointed, however, with one of the examples given in the model NPP:
"Serve a paper and sue me ...." Is this really the only way to get HHS to agree to promulgate long-promised guidance for medication adherence contractors and others that face "restrictions on remunerated refill reminders and other communications" under the HIPAA Omnibus Rule?
Apparently it is.
The final rule was promulgated eight months in advance of the compliance date coming up on September 23, yet Adheris (great name, eh?) found it necessary to seek an injunction earlier this month barring HHS/OCR from enforcing the Omnibus Rule insofar as it would infringe on the company's constitutionally-protected right of free (commercial) speech.
Skilled nursing facilities (SNF) are required to develop a care plan for each beneficiary and provide services in accordance with the care plan, as well as to plan for each beneficiary's discharge. These requirements are essential to ensuring that beneficiaries receive appropriate care and safely transition from one care setting to another. Several OIG studies and investigations found that SNFs had deficiencies in quality of care, did not develop appropriate care plans, and failed to provide adequate care to beneficiaries. In fiscal year 2012, Medicare paid $32.2 billion for SNF services. This study is part of a larger body of work about SNF payments and quality of care.
For 37 percent of stays, SNFs did not develop care plans that met requirements or did not provide services in accordance with care plans. For 31 percent of stays, SNFs did not meet discharge planning requirements. Medicare paid approximately $5.1 billion for stays in which SNFs did not meet these quality-of-care requirements. Additionally, reviewers found examples of poor quality care related to wound care, medication management, and therapy. These findings raise concerns about what Medicare is paying for. They also demonstrate that SNF oversight needs to be strengthened to ensure that SNFs perform appropriate care planning and discharge planning.
The OIG found, and CMS agreed, that CMS administrative enforcement efforts need to be beefed up on care planning and discharge planning, and that payment for services needed to be more closely tied to quality of services.
The negative findings implicate about 1/3 of skilled nursing facility stays, and over 15% of Medicare payment for skilled nursing facility stays.
In other arenas where health care providers are found to be out of compliance with Medicare conditions of participation, the Department of Justice tends to initiate actions under the False Claims Act to recover Medicare payments. (One example that leaps to mind involves the physician supervision requirements for diagnostic imaging under the OPPS rule.) Clearly, recoupment of $5.1 billion per year would be disastrous for the nursing facility sector, and since the OIG's recommendations included a mandate to clarify the regulations it is an unlikely result of this report. However, nursing facility operators should take note of this report and begin to address these areas of concern sooner rather than later.
The current report comes on the heels of a report issued late last year highlighting Medicare billing errors by nursing facilities that resulted in overpayments of $1.5 billion in 2009. CMS committed to take appropriate action following receipt of that report, which could include recoupment of overpayments.
The OIG is currently looking at adverse events in skilled nursing facilities, which will be the subject of an upcoming report.
In the first three years that the HITECH data breach notification rules have been in effect (September 2009 - September 2012), almost 500 breaches affecting more than 500 individuals have been reported. As of this spring, over 57,000 data breaches affecting fewer than 500 individuals have been reported.
Most data breaches are accounted for by theft or loss (2/3 of breaches, over 4/5 of breached records); the balance are accounted for by unauthorized access or disclosure, incorrect mailing, hacking and improper disposal.
Hacks are on the rise, and given the likely underreporting of all breaches and the ease with which theft and loss of devices and records are detected, chances are that security improvement efforts are not being targeted appropriately.
The weak links for most data breaches are laptops, paper records and mobile media (3/4 of breaches, 2/3 of records); the balance are from desktop computers, network servers and system applications.
The trend in the number of data breaches over time is encouraging, but there were upticks in late 2011 and early 2012.
Hospitals, health plans and business associates are getting better at securing their data over time; physician practices are getting a little worse, particularly smaller practices which, since they are often linked to community hospital EHRs, expose the hospitals as well.