OCR Director Reaffirms Commitment to Strengthening Privacy and Security of EHRs
It's no secret that since the days of its enactment, HIPAA enforcement has been lacking on both civil and criminal fronts from the Office of Civil Rights (OCR) and the Department of Justice (DOJ). However, with increased penalties under HITECH and a renewed commitment by OCR and DOJ towards cracking down on HIPAA violations, Covered Entities and Business Associates have even more reason now to dot their i's and cross their t's, especially with HIPAA audits kicking off this past November.
As providers and hospitals increasingly adopt and utilize EHR systems as part of the Medicare and Medicaid EHR Incentive Programs, the security of these systems (and authority over the system vendors) becomes a critical focus. The new Director of OCR, Leon Rodriguez, in a recent interview with the Boston Globe said that his office would take a tougher stance on HIPAA with the goal of improving public acceptance of EHRs and that his office was ready to work with EHR providers on security.
Critical to the security of EHRs are the privacy and security responsibilities of Business Associates (and their contractors and subcontractors). Although HITECH imposed certain HIPAA requirements directly on Business Associates, the Business Associate regulations and a model Business Associate Agreement incorporating the new requirements have yet to be released. The Notice of Proposed Rulemaking, however, is expected to be forthcoming "soon", according to Director Rodriguez in a presentation given on November 17 at the ONC Grantee and Stakeholder Summit. In addition, for the time being, the HIPAA Privacy and Security audits will not be conducted directly on Business Associates, but rather, only on those Business Associates connected with a covered entity being audited.
This leaves significant room for confusion in how Business Associates, and in particular, their contractors and subcontractors, will be dealt with by OCR during the course of a HIPAA investigation and who ultimately will be held responsible for a breach of EHR and other patient data. A great example of this can be found in a recent blog by the President and CEO of the Massachusetts eHealth Collaborative, which as a result of a theft of an employee laptop last year experienced a security breach affecting over 14,000 patients.
As Deven McGraw, director of the Health Policy Project at the Center for Democracy and Technology, stated, stronger enforcement of HIPAA is critical to the success of EHRs, noting,
"We're just on the back side of the curve of adoption of more robust security. I'm hoping that in another year, we'll have a little bit of a different picture, but it's not pretty right now."
For a more in-depth look at the issues concerning Business Associates and HIPAA, see the Center for Democracy and Technology's December 15, 2011 post examining the need for clarification in the Business Associate rules. And, in the words of Director Rodriguez, "stay tuned" for these proposed rules to come "soon".