WIXLIB

September 2011Report on Patient Privacy“circumstances that would make it unreasonable for thecovered entity, despite the exercise of ordinary businesscare and prudence, to comply with the administrativesimplification provision violated.”“This change appears to fill in any potential gapsbetween violations of the lowest tier such as unknowingviolations, and violations due to willful neglect,” according to Greene.Willful neglect comes into play in the third and highest penalty tiers, which differ based on whether the CEor business associate corrected the violation or suspectactivity within 30 days.Patient Complaints, Audits May Trigger ‘Willful Neglect’OCR has indicated it intends to pursue cases of“willful neglect” in the coming months as the finalregulations augmenting HIPAA with HITECH Actprovisions are released and go into effect. In the proposed rule, issued in the Federal Register on July 14,2010, OCR provided these three examples of what itconsiders willful neglect to be:u “A covered entity disposed of several hard drivescontaining electronic protected health information inan unsecured dumpster, in violation of §164.530(c)and §164.310(d)(2)(i). HHS’s investigation reveals thatthe covered entity had failed to implement any policies and procedures to reasonably and appropriatelysafeguard protected health information during thedisposal process.u “A covered entity failed to respond to an individual’s request that it restrict its uses and disclosuresof protected health information about the individual.HHS’s investigation reveals that the covered entitydoes not have any policies and procedures in placefor consideration of the restriction requests it receivesand refuses to accept any requests for restrictions fromindividual patients who inquire.u “A covered entity’s employee lost an unencryptedlaptop that contained unsecured protected healthinformation. HHS’s investigation reveals the coveredentity feared its reputation would be harmed if information about the incident became public and, therefore, decided not to provide notification as required by§164.400 et seq.”In these situations, OCR said, the CEs “had actualor constructive knowledge of their various violations.”Because they either lacked “compliant policies andprocedures” or inadequately responded to incidents,they were guilty of “either conscious intent or recklessdisregard with respect to their compliance obligations.”OCR noted that the CE in the second examplecould be found guilty of two acts of willful neglect:one for lacking policies for imposing requested restrictions on records, and a second for failing to honor anysuch requests.3How about the actual lack of encryption on laptops and other portable media? Although the securityrule — which has never been altered on this topic —calls for encryption to be an “addressable,” rather thanmandatory, standard, CEs and BAs are offered the safeharbor of not having to report a breach only if the lostdata were encrypted.According to Adam Greene, former senior healthIT and privacy advisor at OCR and an attorney inprivate practice, the lack of encryption on a lost laptopshould not present a situation of willful neglect if theorganization went through the required process ofdetermining that it would not be reasonable or appropriate to encrypt data on portable devices.“On the other hand, if you have not addressedencryption at all and laptops go missing, and there isno policy on encryption,” this could present a differentscenario as far as liability goes, Greene says.All of the examples OCR gave would appear tohave been uncovered based on patient complaints ordisclosure by the CE or perhaps news media. Actionsthat are most likely to get CEs and BAs in trouble forwillful neglect are those that affect patients, Greenesays, such as refusing to provide a medical record.Yet, actions that leave large amounts of information at risk through a lack of security also could trigger a willful neglect case. The complaints submittedby patients are more likely to be privacy-driven, as theprivacy aspect of HIPAA protections — or lack thereof— is more obvious to them than security flaws. “Alot of what happens on the security side is invisible topatients,” Greene says.These may turn up when audits of securitycontrols by OCR’s contractor begin (see story, p. 4).“Audits are more likely to find things like a lack ofwireless security,” he says.According to Greene, “a lack of training” is another situation that could constitute grounds for willful neglect.Contact Greene at adamgreene@dwt.com.Web addresses cited in this issue are live links in the PDF version, which is accessible at RPP’ssubscriber-only page at ivacy.

4 Report on Patient PrivacyPenalties for violations corrected within 30 days areat least 10,000 and up to 50,000 for each violation. Afterthat period, or for uncorrected violations, the penaltiesincrease to at least 50,000 for each violation.The HITECH Act did not alter the definition of “willful neglect,” which encompasses two sets of criteria: conscious disregard and reckless indifference. A CE could beguilty of either and meet the willful neglect definition,which is a “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.”As OCR said in the proposed rule, “the term [willfulneglect] not only presumes actual or constructive knowledge on the part of the covered entity that a violation isvirtually certain to occur but also encompasses a conscious intent or degree of recklessness with regard to itscompliance obligations.”Avoid ‘Head in the Sand’ MentalityCompared with conscious disregard, reckless indifference “will be more difficult to prove,” Greene says.“There is no definition in HITECH.”Actions that qualify as reckless indifference are undertaken with “serious disregard [for HIPAA] or withknowledge that the entity may be acting in violation offederal law,” Greene says.But, he acknowledges, “It’s tough to nail down whatthat means.”“It is more of what I would call a head-in-the-sandmentality. You may not be intentionally violating HIPAA,but you are doing actions that you know will lead toviolating HIPAA,” Greene says.In the proposed rule issued last summer, OCR gaveexamples of willful neglect cases (see box, p. 3).So far, OCR has imposed civil monetary penaltiesin only one case, which had a finding of willful neglect.That was in the case of Cignet, a medical provider inMaryland, which was fined 4.3 million for failing togive 41 patients their medical records (RPP 8/11, p. 7).OCR collected settlements in six other cases that alsoincluded a payment.Staying Out of TroubleAs Greene notes, other than for Cignet, “in everyother case OCR has avoided making formal findings.Instead, there’s been ‘indications of non-compliance’ andthose have been settled.” The willful neglect provisionsin the final rule “may change that direction,” Greenesays. “There may be more formal findings where thereare cases of willful neglect” that do not rise to the level ofegregiousness that characterized the Cignet case. “Whatis most likely to change is the volume of settlements,”Greene predicts.September 2011“I think they are still looking for voluntary compliance, and seeking to educate [CEs and BAs] but thisrepresents something of a change. Congress has throwndown the gauntlet, and the time for voluntary compliance has ended — at least in willful neglect cases,” headds.The best way to stay out of trouble is to be alert tocomplaints that patients file against a CE, either directlyor through OCR, and take specific corrective actions tomitigate them and prevent future occurrences, Greenesays.It’s also essential to have a “good compliance program” in place, but that’s just the start, he adds. If a CE orBA is found to have known of existing problems and notcorrected them, it is more likely to be slapped with finesfor willful neglect.“I think it is important for CEs to understand thatthey don’t just have to follow the regulations, but havepolicies and procedures that are unique to their institution — and that address issues they’ve been having,”Greene says. “If you have a problem and ignore it, if youdid not take any action, I could see that as possibly leading to a willful neglect case.”Contact Greene at adamgreene@dwt.com. GBeing Selected for an OCR AuditIs ‘Like Losing the Lottery’As more information comes to light about theHITECH Act-mandated privacy and security audits,covered entities should act quickly to make sure theyhave a robust privacy compliance program in place.The contract award notice posted in late June bythe Federal Business Opportunities agency (the federalagency through which firms can apply for governmentcontracts) revealed that KPMG would be developingan audit protocol and conducting 150 audits. The workmust be completed by Dec. 31, 2012, says Adam Greene,who was in HHS’s Office of General Counsel for fouryears and was OCR’s senior health information technology and privacy advisor.Greene points out that 150 organizations “represent asmall fraction of the universe of covered entities.” But, healso notes, 150 audits are far more work than any HHSoffice did (either OCR or CMS) before the HITECH Actcame about. So any organization that is picked for one ofthese reviews is sort of “losing the lottery,” he says.Indeed, only about 3% of all hospitals will be targeted by these audits, by consultant Bill Moran’s calculations. “So the other 97% aren’t going to be seen, and Ithink some perspective needs to be placed on that,” saysSubscribers who have not yet signed up for Web access — with searchable newsletter archives, Hot Topics, Recent Stories and more —should click the blue “Login” button at www.AISHealth.com, then follow the “Forgot your password?” link to receive further instructions.

September 2011Report on Patient PrivacyMoran, with the Alexandria, Va.-based firm of StrategicManagement.The award notice contains “typical audit language”and shows that auditors will be looking for basic causeand-effect issues, according to Moran. He predicts thatthe auditors will look at the geographic distribution byOCR’s 10 regional offices and categorize covered entitiesby size and take most of the sample from there.“That’s how we used to do studies in the OIG,” saysMoran, who was regional inspector general in Chicagofor HHS’s Office of Inspector General. Moran also predicts that auditors will dedicate 15% to 20% of the sampleto facilities that are already known to have problems. The5auditors will “want to drill down on those problems,” hesays.Don’t expect a knock on your door anytime soon,though, says Greene, who has been in Davis Wright Tremaine’s Washington, D.C., office since May. It’s going totake a while for KPMG to put together the audit protocol,plus “OCR has indicated they expect a pilot program,so KPMG will field test the protocol on 20 or so coveredentities. Then based on any lessons learned, they wouldconduct the real audits,” he says.OCR Deputy Director for Health Information Privacy Susan McAndrew has indicated she expects theofficial audits to start late this year or the beginning ofStatus of HITECH Act RegulationsDescription of Regulations/Statutory SectionHITECH Act Deadlinefor RegulationStatus of RegulationEffective Date of Statutory Provision/RegulationPROPOSED RULES ISSUEDAccounting for disclosuresprovisions when the entityhas electronic health records(EHRs)§13405(c)Not later than 6 monthsafter the date on whichthe Secretary adoptsstandards on accountingfor disclosures.Proposed rule published May 31,2011. Public comment period endedAug. 1, 2011. Awaiting final rule.If the organization uses EHRs before Jan. 1,2009, the effective date is Jan. 1, 2014.If the organization starts using EHRs after Jan.1, 2009, the effective date is Jan. 1, 2013.Expanding organizations thatare business associates§13408Not specifiedProposed rule published July 14,2010 (75 Fed. Reg. 40868); final ruleexpected sometime in 2011.180 days after final rule is published.Extension of HIPAA securityrule and certain privacyprovisions to businessassociates§§13401, 13404Not specifiedProposed rule published July 14,2010; final rule expected sometimein 2011.Statutory provision: Feb. 18, 2010.Final rule enforced 180 days after publication.Willful neglect§13410Aug. 18, 2010Proposed rule published July 14,2010; final rule expected sometimein 2011.Statutory provision: 24 months after enactmentof HITECH Act.Marketing and fundraising§13406Not specifiedProposed rule published July 14,2010; final rule expected sometimein 2011.Statutory provision: Feb. 18, 2010.Final rule enforced 180 days after publication.Patient’s right to requestrestrictions on disclosures§13405(a)Not specifiedProposed rule published July 14,2010; final rule expected sometimein 2011.Statutory provision: Feb. 18, 2009.Final rule enforced 180 days after publication.Prohibition on sale of EHRs orPHI without authorization§13405(d)Aug. 18, 2010Proposed rule published July 14,2010; final rule expected sometimein 2011Effective six months (180 days) afterpublication of final ruleFINAL RULES RELEASED AND IN EFFECTBreach notification provision§13402Aug. 18, 2009Interim final rule published Aug. 24,2009 (74 Fed. Reg. 42740)*Sept. 23, 2009(Effective 30 days after publication of theinterim final regulations, as required)Tiered penalties§13410(d)Feb. 18, 2010Interim final rule published Oct. 30,2009 (74 Fed. Reg. 56123)Statutory provision: Feb. 18, 2009.Regulation: Nov. 30, 2009Temporary breach notificationprovisions for personal healthrecords §13407(Federal TradeCommission)Aug. 18, 2009Final rule published Aug. 25, 2009(74 Fed. Reg. 42962)Sept. 24, 2009*NOTE: A final rule on notification of breaches of unsecured PHI was submitted for regulatory review on May 14, 2010, but was withdrawn on July29, 2010, for further review by OCR.Visit the “Compliance” channel on www.AISHealth.comto access a wide range of free resources related to HIPAA.

6 Report on Patient Privacy2012, and go through the calendar year, which is the endof the contract, Greene notes.According to the award notice, KPMG auditors willconduct site visits “on entities varying in size and scope”that would include interviews with an organization’sexecutives, an examination of its physical features, stepsto see whether it consistently follows its policies and alook at its compliance with regulatory requirements.KPMG will then create an audit report to include:u A timeline and methodology of the audit;u Any best practices noted;u Collection materials from the audit, such as checklistsand interview notes;u A certification showing the audit was completed;u Recommendations for actions the entity can take toaddress the compliance problems identified through theaudit; andu Future oversight recommendations.Greene tells RPP he thinks the audits will be mostlyfor information-gathering purposes, but that some couldresult in enforcement outcomes. McAndrew “has indicated that if an audit unearths a major violation, it wouldbe treated similarly to an investigation that would leadto some kind of enforcement action like a settlement,”he says. “This is a significant change from past HIPAAaudits, which were strictly educational and did not leadto actions.”“No one’s going to be able to create a totally auditproof organization,” he acknowledges.So How Should Covered Entities Prepare?“Take this as a good if not daunting opportunity toevaluate your compliance program and beat the auditorsto the punch,” Greene says. If you don’t have policies andprocedures, or if they’ve been sitting on a shelf collectingdust and haven’t been revised since 2003, this is a goodopportunity to update and re-evaluate them, he says.Also, walk through your organization to see whereyour policies work and where potential violations exist.Make sure you have comprehensive training for newhires and re-training for the veteran employees. “At theend of the day, if you have policies and procedures, butyou haven’t trained anyone on them, they’re not going todo you much good,” Greene warns.Additionally, make sure you have addressed anddocumented any issues that have come up in your organization and that you have a sanctions policy in effect.“You should have a written sanctions policy, it should becommunicated to your workforce so people understandthe repercussions, and it should be applied evenhandedly,” Greene says.September 2011Regarding security, CEs should have a good, comprehensive risk analysis that shows where all the healthinformation resides throughout your organization, identifies any threats and vulnerabilities to the entity and creates reasonable safeguards to protect it, says Greene.Lastly, on breach notification, “if you’re keeping yourhead in the sand, that’s probably going to be apparent”to auditors, says Greene. Having a reasonable detection program in place and appropriately reporting anybreaches that are discovered are key.Contact Greene at adamgreene@dwt.com and Moranat wmoran@strategicm.com. GHard Drive Theft Prompts Insurer toSpend 6M, Encrypt ‘Data at Rest’After thieves stole 57 hard drives containing information on about 1 million of its members, TennesseeBlueCross BlueShield resolved that a similar incident —and subsequent cleanup — would never happen again.The insurer recently announced that it has spent about 6million encrypting all of its data at rest.While encryption is not required, the HITECH Actmade it a safe harbor for covered entities (CEs) and business associates under the security breach notification provision. Privacy and security experts view this provisionas an implicit mandate for encryption (RPP 5/10, p. 6).HHS released guidance on April 17, 2009, on making patient data unusable, unreadable or indecipherableto unauthorized users and defined the states in whichdata can exist: in motion, at rest, in use and disposed. Theguidance also gave CEs two choices for safeguarding it:encryption or destruction (RPP 7/09, p. 5).The plan to encrypt its data in all of the states hadbecome “more of a philosophy” at BlueCross BlueShieldof Tennessee, says Michael Lawley, vice president oftechnology shared services. The insurer had planned toadopt encryption as the technologies became available.The company had already encrypted its laptops andmainframes. “Those techs were already robust and hadbeen tested,” Lawley tells RPP.After the theft occurred in October 2009, Lawley saysthe company kicked into high gear and not only reviewedall of its policies and procedures, but also began a meticulous inventory of all the places where data reside inthe organization. They took a “maniacal approach” to thetask because “we wanted to make sure that we didn’t gothrough this journey and then have to repeat it,” he says.The insurer spent 6 million, 5,000 man hours andjust over a year to encrypt all of its data at rest, including 885 terabytes of mass data storage, 1,000 server harddrives, 6,000 desktop and laptop computers (includingCopyright 2011 by Atlantic Information Services, Inc. All rights reserved.Please see the box on page 2 for permitted and prohibited uses of Report on Patient Privacy content.

September 2011Report on Patient Privacyremovable media ports), 25,000 phone call recordingsand 136,000 volumes of backup tape.Lawley notes that, while they were conducting theinventory, they didn’t come across anything he wouldcall a “bad practice” being conducted by one or moreemployees. But, he says, they “discovered a few locations where data sat that we had not originally considered, which slightly increased the scale and scope ofthe project.” For example, the company has a machinefor special printing projects that was not encrypted.Another area was multifunctional devices for printers.“The information doesn’t sit there for long, but it is dataat rest,” he says.The theft seems to have been a psy

between violations of the lowest tier such as unknowing violations, and violations due to willful neglect," accord-ing to Greene. Willful neglect comes into play in the third and high-est penalty tiers, which differ based on whether the CE or business associate corrected the violation or suspect activity within 30 days.