When the Office for Civil Rights replaced the CMS as the HIPAA security rule enforcement authority, the CMS had investigated 428 security complaints but had not levied a single civil monetary penalty against a violator since the security rule became effective in April 2005. It was not until this February that an Office for Civil Rights probe led to a civil penalty, a $4.3 million fine against Maryland-based Cignet Health for HIPAA privacy violations. Also that month, Massachusetts General Hospital, Boston, entered into a $1 million settlement agreement with HHS over the loss of 192 paper medical records an employee left on a subway train.
While McMillan agrees with the recommendation that the civil rights office should conduct random security audits, he applauds the office for increasing—by a factor of four—the number of complaints it has settled with resolution agreements compared with the CMS' record.
“When you read this report, the first thing you come away with is that everybody is doing a crappy job,” McMillan said, and that is not the case. “Have they fined a bunch of people? No,” he said, but the Office for Civil Rights “is doing a much better job than CMS ever did. They're taking it a lot more seriously.” However, McMillan backs the inspector general's conclusion that the ONC needs to better promote security to healthcare industry data handlers.
The auditors concluded the ONC did well in drafting parts of its final rule for testing and certification of electronic health-records systems. The rule, released last summer as part of the incentive payment program under the American Recovery and Reinvestment Act, requires that certain security measures be part of certified EHR systems.
What the ONC lacked, however, the inspector general's office said, were more “general IT security controls,” such as insisting encryption is used to protect patient data stored on laptop computers and mobile devices. In the HIMSS survey, only 39% of organizations required encryption on mobile devices.
The Office for Civil Rights, under a provision of the stimulus law, publishes reports of breaches involving 500 or more unencrypted patient records, and most of the 203 breaches of electronic data involved laptop computers and other portable devices and media, such as CDs and backup tapes (See chart above). Sixty-one reported breaches involved paper records.
“We're looking at them (the ONC) to provide guidance so we have some standards to benchmark against,” said Lori Pilcher, the assistant inspector general for grants, internal activities and information technology audits. The ONC at this point should be able to promote EHR adoption and ensure patient data security, according to Pilcher. “To say our focus is on ramping it up, I have difficulty with that—to think my records are part of a system where security hasn't been the focus,” she said.
Daniel Gottlieb, a Chicago-based privacy and security lawyer and partner in the firm McDermott Will & Emery, said the auditors “reviewed the ONC's security standards in a vacuum without looking at the broader regulatory environment in the healthcare industry.”
Gottlieb asserts that HIPAA already requires much of the data protection the inspector general's office wants to see coming from the ONC. “I don't think there's a need for overlapping standards,” he said. Getting more specific would likely become unworkable, he added, given HIPAA has to stretch to cover everything from a rural physician's solo practice to a massive, national health insurance company.
Gottlieb affirmed that the Office for Civil Rights is doing more investigations than the CMS used to. “I still think that OCR is trying to work more with providers on compliance than working on more big fines,” he said, adding that might not be the best tactic to maximize compliance.
Indeed, said Lisa Gallagher, senior director of privacy and security at HIMSS, the Office for Civil Rights needs to be more forceful not so much to punish the wicked, but to empower the virtuous. “I continue to hear from folks who work in security that as long as there is not visible enforcement, it hurts their chances of getting the resources and budgets and employees they need,” she said. “For the person who has to do security and ask for the funding and do the training, having a visible, ongoing audit program would give them the leverage.”
Gallagher also serves on the privacy and security workgroup of the federally chartered Health IT Standards Committee, which reports to the ONC. She disagrees that the ONC needs to have done more—for now—in promoting security. “I think for Stage 1 what they did, requiring the risk assessment, I think that's reasonable and appropriate. I think ONC is already looking at some of the areas” the audits listed, she said. “I see very deliberate consideration of what they're going to do next.”