The scope of Susan McAndrew's healthcare information technology oversight authority doubled this week when her boss, HHS Secretary Kathleen Sebelius, added security rule enforcement duties to those she already had, enforcing the privacy rule under the Health Insurance Portability and Accountability Act of 1996 as deputy director for health information privacy at HHS' Civil Rights Office.
The CMS had held oversight responsibility for HIPAA security rule enforcement since that rule went into effect in April 2005.
McAndrew said she did not know how many people or full-time-equivalent employees were fulfilling the security enforcement function at the CMS, but since the Civil Rights Office handles its privacy investigations out of 10 regional offices while CMS security investigators worked out of one central office, she expects to gain efficiency by having both privacy and security investigators geographically closer to the company or institution being investigated.
On July 31, Sebelius posted an announcement of the change of authority, but language spelling out the consolidation of power at the Civil Rights Office wasn't officially published in the Federal Register until Tuesday. The switch became effective immediately. The CMS will retain enforcement authority over the HIPAA “administrative simplification” provisions for transactions and code sets as well as HIPAA rules covering provider identifiers and the forthcoming conversion to International Statistical Classification of Diseases and Related Problems, 10th Revision, diagnostic codes, also known as the ICD-10.
The privacy and security rules themselves were unaffected and it won't be that much of a stretch for Civil Rights Office people to add the new duties, McAndrew said.
“Both the security and privacy rule build off of the same enforcement structure and that will remain the same whether we are administering it or CMS,” she said. “That will remain in place and is unchanged.”
The Civil Rights Office will have the authority to issue subpoenas to carry out investigations of possible security rule violations and the power to impose civil monetary penalties on security violators. It also will be able to determine when the federal security rule pre-empts state laws, just as the Civil Rights Office does now in privacy cases.
The power of the purse—to take money away from violators by whatever name such action is called—has been little used by either the CMS or the Civil Rights Office. McAndrew's office has yet to levy a civil monetary penalty against a privacy violator despite having received nearly 45,000 complaints from the public alleging privacy violations and closing more than 8,700 cases it investigated through negotiated settlements without financial penalties.
McAndrew points out the CMS and the Civil Rights Office reached a settlement agreement with Providence Health & Services, Seattle, capping a 2008 medical records breach investigation that included a $100,000 “resolution amount.” Pharmacy chain CVS Caremark Corp. agreed to pay $2.25 million in February this year to settle a joint enforcement action taken by HHS and the Federal Trade Commission after television news reports were aired about patient-identifiable prescription information being tossed into trash bins behind CVS drugstores across the country.
No matter what the payments were called, McAndrew suggests the Providence and CVS settlements included a big enough financial bite for the hospital system and drugstore chain to both know “they've been taken to task” for HIPAA rule violations. Providence did not admit to privacy rule violations in the settlement agreement in the first-ever HIPAA privacy enforcement action by the Civil Rights Office that included money passing from a provider's hands.
From an administrative standpoint, a negotiated settlement is quicker and potentially more effective than taking the longer procedural route required to impose a civil monetary penalty, or CMP, McAndrew said.
“There is no magic to a CMP,” she said. “If we have to impose a CMP, that's a formal process and under the statute and under the regulations, before we can collect the CMP, the entity has a right to adjudicate that through a system of administrative law judges. So, if we are in a posture that we have to notice and impose a CMP, they have a right to demand a hearing and only if we have a hearing do we have a right to go and collect a CMP. While a CMP is a visible form of punishment, we don't ever want to be in a position of saying to entities, ‘Here, you can pay your fine and go and continue to violate.’ They have to correct that and go forward with what the policies and procedures are. That's corrective action. The fastest way we can achieve that and negotiate that is to take that as a way to resolve the case or reach a settlement agreement to get that corrective action and to demonstrate through the resolution amount the seriousness of the past behavior.”
“We don't want to analogize what we're doing to a speeding ticket; you pay your fine and continue to go 70 miles an hour on the Beltway,” McAndrew said. “We want to stop the speeding. Our method of enforcement is really focused on the most effective and efficient way to get compliance behavior by these entities.”
The new order also will eliminate the need to coordinate with the CMS on enforcement activities as was required in the past, since a large percentage of complaints involve both privacy and security rule issues, she said. Staffing is not an issue, she said.
“We have this past year actually had a bump up in our authority to hire and bolster our enforcement efforts,” she said. “I know we have been posting jobs to hire in the regional offices.”
According to HHS, the Civil Rights Office had 255 positions authorized for fiscal 2009, which began Oct. 1 last year, and has requested 270 positions for fiscal 2010. The office had 228 actual positions filled in fiscal 2008.
“The case load is not that big,” McAndrew said. “We're doing fine” on staffing resources.
The Civil Rights Office employees in the regional offices who will be taking on responsibility for investigating and resolving security rule complaints “are the same folks who were involved in the privacy side,” she said. “By and large they are the most experienced of our investigators. We're very confident” that the Civil Rights Office can handle the added security enforcement responsibilities.