HIPAA Enforcement Outlook for 2016Former OCR Attorney Predicts Fines Will Fuel Stepped-Up Activity
If you want to foretell what is on the 2016 agenda for the Department of Health and Human Services' Office for Civil Rights, look to its recent emphasis on enforcement.
Over a five-week span, OCR announced plans to collect $5 million in monetary penalties in a series of three enforcement actions against HIPAA covered entities. This push to collect fines and penalties will provide badly needed funds for the agency to support its goals of expanding a planned program to audit compliance with the HIPAA privacy, security and breach notification rules, as well as other enforcement and regulatory activities.
"I expect OCR will turn to the proceeds from its recent enforcement actions to fuel a wider audit program."
The recent OCR settlement in which Triple S Management paid a $3.5 million fine and agreed to a corrective action plan over shortcomings in their security rule compliance program included the second highest penalty collected by the agency. Five other settlement cases with OCR this year bring the total amount collected by the agency to more than $6 million.
These resolution agreements signal that OCR is moving ahead aggressively to reach settlements in cases where the agency finds serious violations of the privacy and security rules. According to OCR's website, there are more than 6,000 HIPAA privacy and security rule complaints and compliance reviews being investigated. I expect the agency will announce more high-profile enforcement actions in 2016, and then use any financial penalties collected to fuel beefed-up enforcement.
The HITECH Act, enacted in 2009, mandated HHS to make a number of significant changes to the HIPAA regulations, expanding the jurisdiction oversight to business associates and encouraging the development of new tools for enhanced regulatory enforcement.
HITECH called on OCR to perform periodic audits of covered entities and business associates' compliance with the HIPAA rules. But progress has been slow.
OCR developed and implemented a pilot audit program in 2012 through which 115 audits of covered entities were conducted.
Since 2014, OCR has been laying the groundwork for another round of audits with hopes of making the program permanent. After many months of delay, OCR awarded in September a contract worth $770,000 to FCI Federal to audit up to 250 covered entities, including healthcare providers and group health plans, to measure their compliance with the HIPAA privacy, security and breach notification rules requirements. These audits of covered entities will be followed by a similar number of audits of business associates to measure their compliance with the HIPAA Security Rule and how they intend to approach their obligations under the privacy and breach notification rules.
But the value of the contract is too small to support anything more than having organizations submit documentation for a sample of their policies and procedures.
OCR has been repeatedly stung by critical reports from the HHS Office of Inspector General and the Government Accountability Office calling on the agency to conduct audits to assess industrywide compliance with the HIPAA rules. So I expect OCR will turn to the proceeds from its recent enforcement actions to fuel a wider audit program.
Sharing of Monetary Settlements Still Undone
Although the HITECH Act called for HHS to develop a methodology to distribute a percentage of monetary settlements collected by OCR to individuals affected by breaches, don't look for the agency to share the wealth with consumers any time soon.
The GAO apparently has delivered recommendations to HHS on a methodology to share a percentage of the proceeds from fines and penalties with consumers harmed by the unlawful uses or disclosures resolved through OCR's investigation. But the HHS regulatory agenda does not include a proposal under development or being reviewed.
With continuing pressures on federal spending restricting the growth of agency budgets and resources to support OCR's expansive mission, it seems unlikely that the office will aggressively pursue an initiative that would result in the sharing with consumers the proceeds from its monetary settlements from HIPAA enforcement actions.
Guidance in the Works
Turning to other OCR issues, one of the most frequently heard complaints from covered entities and business associates is the dearth of explanatory guidance from OCR translating the complex HIPAA and HITECH regulations into language that organizations can use in developing policies and processes to meet the regulatory requirements.
In 2015, OCR issued regulatory guidance on how the HIPAA Privacy Rule applies to workplace wellness programs. And OCR partnered with the Office of the National Coordinator for Health IT to produce a revised edition of the Guide to Privacy and Security of E-PHI.
In September, Deven McGraw, OCR's new deputy director for health information privacy, announced the agency was readying updated guidance on how individuals could exercise their rights to access their protected health information, which will emphasize delivery of PHI in an electronic format. In addition, look for OCR to issue new guidance on how the HIPAA rules apply to cloud computing and storage.