5 things to know about omnibus HIPAA enforcement

By Michael "Mac" McMillan , CEO of CynergisTek

The omnibus rule, which kicked in a little over a month ago in September, establishes a new set of expectations and possibilities on the enforcement front.

HIPAA provisions now apply directly to Business Associates, creating new accountability for vendors doing business with healthcare. The rule also increases the Office for Civil Rights' (OCR) flexibility in pursuing formal action, and it provides an expanded set of subjective criteria for determining fines. It is not likely to dramatically change OCR’s approach to enforcement, however, or the office’s commitment to the protection of patient information through appropriate compliance as the primary goal of its enforcement activities.

Indeed, there is plenty to understand about the Final Rule on Privacy & Security.

1. Sharing responsibility
The omnibus rule clearly delineates who is a business associate and when that liability attaches, and at the same time makes it clear that vendors doing business with healthcare entities will be subject to the same level of scrutiny as their covered entity counterparts. It also treats incidents occurring at a business associate as a shared responsibility, assumes a closer degree of collaboration between covered entities and business associates, and emphasizes that covered entities must have a clear understanding of their vendors’ ability to protect their data appropriately. It assumes due diligence prior to contracting, evaluation of capabilities during contracting, and monitoring throughout the contract. Covered entities that do not take this seriously run the risk of being implicated during an OCR review or investigation of one of their vendors following a breach or complaint. HIPAA’s security rule provides remedies when faced with a vendor that has demonstrated some form of noncompliance: the entity can terminate the relationship or give the vendor a period of time to fix the issue. If that doesn’t work, the next step is to report the vendor to OCR. There is an important lesson here. Organizations that do not follow this process, that become aware of a noncompliant situation, fail to remedy it and continue to use the vendor in question, will increase their own liability for enforcement action in the event of an incident.

2. Lifted constraints
OCR has long had a policy of focusing on compliance before enforcement and an even-handed approach to dealing with those that had incidents. Early on, the OCR folks coined the phrase “culture of compliance” to describe what they believed organizations should create. In addition to this philosophy, they also had to contend with an enforcement provision that essentially tied their hands in many respects when addressing noncompliance, because it required seeking informal resolution prior to recommending civil monetary penalties.

As a result, an overwhelming majority of complaints and incidents resulted in Corrective Action Plans as opposed to Resolution Agreements and fines. OCR received criticism from some that they too, like their predecessor the Centers for Medicare & Medicaid Services (CMS), were too lenient when, in fact, they were following the mandate as written. Omnibus has lifted this constraint and fundamentally changed the potential landscape for outcomes, making it easier for OCR to go to formal resolutions following investigations. However, again I believe it is highly unlikely that OCR will abandon its belief in compliance as the goal. I do believe we’ll see more formal resolutions and fines, but that they will be reserved for those that demonstrate willful neglect or negligence in their programs or with regard to the incident involved. OCR director Leon Rodriguez has repeatedly, since Omnibus was issued, reiterated OCR’s commitment to fairness in handling its enforcement responsibilities, and reinforced this even while signaling that more formal actions could be forthcoming.

3. The formulary has changed
While the creation of accountability for business associates and the lifting of constraints on seeking formal penalties are significant, probably the most significant change to come from the Omnibus Rule is the addition of subjective criteria for determining financial penalties. Prior to Omnibus there was a simple chart of maximum amounts that could be assigned for noncompliance, without regard for mitigating circumstances. When assigning penalties for running a red light this might make sense, but when addressing privacy and security incidents and all of the different factors that could potentially contribute to them, this was far from adequate. So Omnibus gave OCR greater latitude in determining financial penalties by providing several subjective criteria that can be considered. Again demonstrating their commitment to even-handedness, these criteria also include consideration of the financial condition of the offender, to avoid inadvertently placing a healthcare entity in financial trouble. The goal of HIPAA is not to put organizations out of business. These criteria permit OCR to differentiate between those that have incidents by evaluating sensible factors such as whether the organization is a repeat offender, the magnitude of the incident, and whether there was evidence of documented harm to any individuals. Organizations that continue to have incidents will be more likely to have a formal resolution imposed.

4. Greater specificity and easier recognition
Omnibus, like other rules issued under the HITECH Act of 2009, continues to provide greater specificity about what is required under the Privacy and Security Rules, and as a result is making it easier to recognize noncompliance. Further, the guidance being published by OCR with respect to the Omnibus changes to certain elements of Privacy and Security is making it a lot harder for organizations to say “I don’t understand the requirement, or what is required of us,” as was heard many times during the 115 random audits OCR performed in the pilot year of that program.

The results of those audits and the OCR audit protocol have also contributed to a better understanding of what is required of entities. At the same time, these make it easier for organizations to review their programs and controls and take corrective action. So as the rules become more specific and the guidance more precise, the lens for determining noncompliance will be more focused, contributing to the possibility of more penalties being meted out.

5. Take reasonable steps to manage risk
You could easily come to the conclusion that all of these regulatory changes and activities are conspiring to raise the chances of issuing more penalties, but I don’t think that is the case. Instead I believe the commitment to compliance is still there, the desire to be fair and even-handed in enforcement is still the goal, and that those organizations that can demonstrate a reasonable commitment to the protection of patient information and the establishment of an appropriate program with proper controls will find that enforcement is not a threat. What this does instead is make it harder for those not serious about privacy and security to hide or avoid penalty when discovered. Even in the best of programs incidents are likely to occur; it’s unavoidable. Organizations that take reasonable steps to manage risks, however, are far less likely to be the subject of formal enforcement action.

Here’s what you should do:

- Stay abreast of privacy and security requirements
- Invest in your program wisely, people and technology, and make privacy and security a priority
- Conduct risk analysis in an objective manner, and address findings
- Enhance training for workforce members
- Establish governance to ensure oversight and accountability
- Establish privacy and security programs using industry standards/frameworks
- Test, audit, monitor and review on a regular basis

Michael “Mac” McMillan, CEO of security and regulatory specialist CynergisTek.