“It's like a rock that got kicked over,” Drummond says. “It's something that they're always doing, nobody knows why.” And then someone calls the practice into question and says, “'Wait a minute. Why are we doing it that way?' Then you try to reconstruct how far back it goes.”
According to the Office for Civil Rights list, one incident at the Duke University Health System, Durham, N.C., began in April 2004 and didn't end until February 2012. That case involved attaching billing summaries with some patient-identifiable information to filings on behalf of the organization in patient bankruptcy proceedings.
Industrywide, Drummond says, individual attitudes toward privacy and security are not as bad as the number of breaches might indicate.
“I think, as a whole, the healthcare industry is pretty good about protecting privacy,” Drummond says. “It's a cultural thing, a systemic thing, that everyone knows there are things you shouldn't talk about, things to keep private. So, as an industry, it's never been a Wild West.”
But attention to security “comes in waves,” he says. “There are a lot of things going on, and then you get a multimillion-dollar fine and people say, 'Oh, my God,' and they pay attention to it again.”
The Office for Civil Rights, which has jurisdiction over HIPAA privacy and security rule enforcement and which initially eschewed fines and tried to jawbone violators into compliance, has picked up the tempo since passage of the American Recovery and Reinvestment Act in 2009.
In an effort to invigorate HIPAA enforcement activities, Congress used ARRA to give state attorneys general the power to prosecute HIPAA violators and required HHS to conduct compliance audits among HIPAA “covered entities.”
Last year, in a pair of strongly worded reports, HHS' inspector general's office criticized the Office for Civil Rights for not aggressively enforcing the security rule and the Office of the National Coordinator for Health Information Technology at HHS for failing to promote data security. To test the waters, the inspector general's office conducted its own security audits of seven hospitals, finding 124 “high impact” security vulnerabilities.
Since then, beginning last November, the Office for Civil Rights has embarked on a pilot program of audits of as many as 115 healthcare organizations expected to run through December. Aside from publishing an audit protocol and hosting a progress report session this June, the Office for Civil Rights has kept mum about the targets and results of the audit program.
So far, Drummond says, “There haven't been any leaks of names of organizations that were subject to it.” A final report is expected, perhaps as early as the end of the year, he says.
“Supposedly, the pilots are going to help them determine what they need to do,” going forward, Drummond says. If the audits reveal “special attention is needed in certain areas, they'll confine their audits to those areas,” he says. “My understanding (is) the audit process will continue on an ongoing basis. I don't think they're going away.”
For the June update, the Office for Civil Rights released preliminary results of the first 20 audits, an admittedly “thin” sample, says the Office for Civil Rights' McAndrew.
“I think what we were finding was that most of the problems were with the smaller entities,” McAndrew says. “Most of them on the privacy side, the difficulties were scattered across the requirements.” With the security rule audits, undocumented risk assessments and the failure to address some of the particular HIPAA security requirements—for example, using technologies such as encryption to protect data—were common, she says.
“The pilot is still ongoing,” McAndrew says, but ONC is in the wrap-up stages. “I do believe we have probably completed all of the field work” on about 115 audits, meaning all of the site visits to audited organizations have been made. “We're at the phase now of the analysis work with the entity to complete the final reports.”
Meanwhile, an omnibus privacy rule with modifications to HIPAA regs on privacy, security, enforcement and breach notification remains with the White House's Office of Management and Budget, where it has lingered since March.
Drummond says the original HIPAA privacy rule was released just as the Clinton administration was leaving office in December 2000 and the current privacy and security rule rework could be tied up for political reasons as well.
The new rules—which are to flesh out the many more stringent privacy provisions in the ARRA—will certainly displease some, and possibly everyone somewhat. HHS, for example, withdrew its final rule for breach notification in August 2010 after drawing fire from members of Congress, who felt their legislative prerogatives were being usurped.
As much discomfort as the breach reporting law and increased enforcement have created for the industry, they have been a good thing in that they have forced many organizations to at least recognize that a security problem exists, says Lisa Gallagher, senior director of privacy and security for the Healthcare Information and Management Systems Society, a trade association for healthcare IT professionals. It's her job to raise awareness of the security problem and educate members on possible ways to solve it.
“I have always said that the way to get through to executives is for them to understand that this is something that has to be managed as a business risk,” Gallagher says. “Quite frankly, when there wasn't a lot of enforcement, (but) we couldn't make that connection, now we can. And I hope that translates into more resources.”