The HIPAA/HITECH Omnibus Rule became effective just over one year ago. The compliance date was just over six months ago. Within about another six months (plus or minus), Federal regulators – at the Office for Civil Rights at the US Department of Health and Human Services – will begin a new round of HIPAA compliance audits. They are already actively involved in complaint investigations governed by the “new” HIPAA rules. Other Federal, state and territorial authorities are actively involved in HIPAA and related health data privacy and security enforcement activity: the Federal Trade Commission, the Secret Service, the Puerto Rico Health Insurance Administration, state attorneys general. The “Wall of Shame” on the OCR website adds information about newly disclosed data breaches on a regular basis. Fines under the new HIPAA rules may hit $1.5 million or more. Fines under other regulatory schemes have climbed significantly higher. Compliance agreements, follow-up audits and more await those covered entities (health care providers or payors) (CEs) or business associates (everyone else in the health care ecosystem – billing services, marketing agencies, consultants, shredding contractors, attorneys, accountants, etc.) (BAs) unfortunate enough to experience a lapse in their HIPAA compliance programs and to have occasion to file a breach notification, or to be the subject of a complaint investigation or random audit.
The report identifies four key priority areas and outlines next steps to take in each area:
I. Promote the Use of Quality Management Principles;
II. Identify, Develop, and Adopt Standards and Best Practices;
III. Leverage Conformity Assessment Tools; and
IV. Create an Environment of Learning and Continual Improvement.
This report should be read together with the FDA framework for regulation of mobile medical applications, which was supposedly up in the air pending release of this report. It now seems that they are directed at related, but different, parts of the ecosystem. Both are part of a bigger story, including pending legislation.
A Perspectives piece I wrote was published this week by iHealthBeat - Unlocking the Power of Health Data. In it I argue for patient-controlled sharing of rich data, as opposed to HIPAA-regulated stripping of identifiers in order to eliminate the risk to patient privacy as data is shared for research and other purposes. Googler Larry Page and Josh Stevens of Keas have argued recently in favor of broader uses of health data, but the issue of HIPAA keeps coming up in those conversations. Most connected patients seem comfortable with the idea of sharing health data, and as more of us get connected, this sentiment is only likely to spread.
As I wrote at iHealthBeat:
I have discussed the patient donation of data before, and the first objection I heard was from a data scientist who worried that the volume of patient records collected in this manner would be too small to yield any meaningful insights. While this may be true at first, I believe that over time patients will come to prefer to set their own limits on data sharing rather than be stuck with the one-size-fits-none approach available under HIPAA. In addition, the data made available through these repositories will be more valuable than that available as de-identified data for research precisely because there are more identifiers attached.
Are we ready for a new paradigm in data sharing and big data analysis?
Well, the company has gone through a number of personnel changes at the top, plans to make some deep staffing cuts, and is working on restating its financials to account for earlier irregularities. The latest restated financials aren't ready to be filed -- they haven't been fully audited yet -- and as a result the company's stock is about to be delisted (but it may still be traded on the OTC market).
The recent FTC decision in the LabMD case (pdf) (full docket here) has HIPAA-watchers scratching their heads, tugging their beards, and generally wondering about reconciling FTC-style litigation-based regulation with OCR-style rule-based regulation of health care data privacy and security. The FTC has confirmed that it considers itself to have overlapping jurisdiction to enforce HIPAA under its general enabling legislation.
Here's my take: For a covered entity or business associate that has all its ducks in a row – HIPAA Privacy, Security and (for Covered Entities) Breach Notification policies and procedures, a completed risk analysis, training and testing of workforce documented – FTC regulation should not be problematic. I think that the FTC would be hard-pressed to find an entity that is in compliance with HHS HIPAA rules and relevant state law to be in violation of the FTC Act’s prohibition of “unfair … acts or practices.”
I am quoted in a couple of year-end / new year pieces on health IT, appearing this week in iHealthBeat and FierceHealthIT.
With new developments over the past year in the realms of telehealth, mobile health and health data privacy and security, and opportunities for accountable care organizations, integration of connected health and implementation of HIPAA compliance plans, there is plenty of material for prognosticators.
Kate Ackerman, Editor-in-Chief at iHealthBeat, asked 13 experts three questions.
Here are the questions and my answers; follow the link above to read 12 other perspectives.
For years, I have been helping covered entities, business associates and downstream contractors understand HIPAA and other federal and state health care data privacy and security laws and regulations, and develop and maintain policies and procedures that will help them comply with the law. These businesses range from startups with consumer-facing or health care provider-facing apps and web-based services, to big data analytics shops to health care providers of all sorts. Now that OCR -- the federal HIPAA policeman -- is enforcing the HIPAA / HITECH omnibus rule through random audits, complaint investigations and sanctions, it is more important than ever for covered entities, business associates and downstream contractors to maintain a robust HIPAA compliance program. HIPAA enforcement efforts will likely be stepped up in 2014 (see the November 2013 OIG report on OCR's enforcement efforts, and OCR's response including its plans for the future.)
The Harlow Group is pleased to announce the first of a number of HIPAA-related partnerships with ...The HIPAA Survival Guide. (Keep reading for discount information.)
Is this sort of "Big Brother" approach OK, or was it taken too far? (Follow the link to a discussion of the British case I mention in the article.)
Medical ethicist Art Caplan, my brother at the (HIPAA) bar Adam Greene and I were quoted in the AIS Health article. Greene noted that HIPAA does not cover the posting of information by or about a patient on a social network and its review by a provider. Caplan and I agreed that what's public is public, and what's private is private.
I spoke yesterday at the Massachusetts Bar Association's "Hot Topics in Healthcare" program. (Webcast live, and available behind a paywall at the link.)
CIO.com covered the presentation I gave at Strata Rx on the idea of patient-controlled donation of data for purposes of data analysis. Putting control in the hands of patients avoids some potential HIPAA issues and may make for richer data sets.
Healthcare IT News ran a cover story in its November issue on the use of Open Notes at Beth Israel Deaconess Medical Center. See further discussion of the piece and links to more information on Open Notes at e-patients.net. I was interviewed on the issue of patients' rights to access their own medical records.