OCR Will Address Almost Everything in HITECH Omnibus Rule

HealthDataManagementhas quoted Susan McAndrew, deputy director of health information privacy in the Department of Health and Human Services, OCR, as saying that the final rules implementing the HITECH Act are to be released within months, if not weeks.  Deputy Director McAndrew recently spoke at the Safeguarding Health Information conference OCR hosted with the National Institute of Standards and Technology (NIST) in Washington.

The long-awaited rule will be an "omnibus regulation" that is said will include final versions of:

  • the proposed rule to expand HIPAA privacy and security protections;
  • the Breach Notification Interim Final Rule; 
  • the Enforcement and Compliance Interim Final Rule; and
  • the GINA proposed rule.

Notably, McAndrew is quoted as saying:

We want to ensure that when we do the final HITECH action it contains as much activity as we can

Significantly, HealthDataManagement reports that the omnibus final rule will cover new information protection requirements for:

  • business associates and subcontractors,
  • electronic access,
  • research authorizations,
  • student immunization records,
  • restrictions on marketing,
  • restrictions on fundraising, and
  • prohibition on sale of protected health information.

McAndrew is also noted to have indicated that a separate proposed rule will be issued after the omnibus regulation, and will govern accounting for disclosures (AOD) even for payment, treatment and health plan operations.  McAndrew is quoted as saying that the AOD proposed rule is “very close” to being ready.

Class Action Sought for Charleston Area Medical Center Breach

Patients affected by a West Virginia hospital breach that went undetected for several months are seeking certification as a class action as reported by Health Data Management.  Five of the approximately 3,655 affected patients have filed suit against the Charleston Area Medical Center in circuit court seeking damages based on four counts:

  • breach of confidentiality
  • negligence
  • invasion of privacy by intrusion on seclusion
  • invasion of privacy by unreasonable publicity of private life

The lawsuit, Tabata v. Charleston Area Medical Center, stems from the availability of a database containing patient names, social security numbers, medical information and demographic information on the Internet.  A family member of a patient had found the information while searching the web.

Although the database was created in September of 2010 by a third party for patient case management in a research subsidiary of the hospital, the fact that it had inadvertently been made publically available went unnoticed until February 2011.  However, the hospital acted quickly upon being made aware of the breach and promptly notified all potentially affected patients within 8 days.

The hospital had originally offered to pay for one year of credit monitoring as well as an immediate credit freeze at the three credit bureaus for all affected patients.  Free credit reports were also made available to affected patients through the West Virginia Attorney General's Office.  In addition, after discussion with the Attorney General's Office, the hospital hired a risk management group to conduct a security assessment and undertook a number of other measures to protect against further breaches.

The patients seek as part of the damages for the hospital to extend additional credit and identify protection and monitoring services.  They also ask the court to require that the hospital establish a specific security program as well as award monetary damages for annoyance, embarrassment and emotional distress, and for the lack of security and violation of their privacy.

Although it is unclear yet what repercussions the hospital may face from the Department of Health and Human Services for the breach, the breach and accompanying lawsuit highlight the importance of monitoring business associates who have access to PHI and the resulting work product.  In addition, frequent and periodic security assessments are crucial to identifying issues before an incident or breach occurs.  A robust and proactive security assessment coupled with a strong information security program will go a long way towards effectively safeguarding patient electronic PHI as well as cutting costs associated with incident-response.