Privacy and security
Is HIPAA enough?
HIPAA breaches haven’t become less common. If the law was, in part, meant to reduce the amount of PHI released to unauthorized individuals, some may say its success is uncertain. HIPAA’s requirements aren’t prohibitively stringent: they provide a basic floor of privacy and security. If a covered entity (CE) or business associate (BA) does no more than comply with HIPAA, it will simply be doing the bare minimum to safeguard PHI. Although that may not sound difficult, some organizations continue to fall short and leave others wondering if HIPAA is enough to meet today’s information security and privacy challenges.
HIPAA does provide a floor for privacy and security, a minimum amount an organization can do, but is it effective? "No, it establishes a level of security that’s not actually effective," Rick Kam, CIPP/US, president and co-founder of ID Experts, says.
HIPAA is not as closely tied to reimbursement as other compliance measures. Many organizations may choose to simply meet HIPAA’s basic requirements and put the majority of their efforts into meeting other compliance goals. Although such a situation may not exactly set HIPAA up to fail, it doesn’t do any favors for the privacy and security of PHI either.
"For most organizations, who don’t think they’re going to have an issue, they’re lulled into a comfortable zone where they can say, ‘I’ve done what the federal government has asked me to do, that’s enough, I’m compliant.’ The bad news is they’re still being breached and their employees are being sloppy and losing data and so forth," Kam says.
The Office for Civil Rights’ (OCR) HIPAA audit program is intended to help CEs and BAs get better at HIPAA compliance, and to help the agency understand what it can do better. Whether the audits will result in changes or improvements to HIPAA is debatable. Earlier this year, some lawmakers suggested expanding HIPAA and making it stronger, but it’s unlikely the topic will be revisited in earnest until next year at the earliest, Kam says.
Other agencies, such as the Office of Inspector General and Government Accountability Office, have recently questioned OCR’s oversight of HIPAA and lack of robust guidelines. Even OCR agrees that a permanent audit program—required by HIPAA—is long overdue. But in this, the agency isn’t far removed from the entities it oversees, Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, Arizona, says.
"HHS-OCR is much like many of the CEs and BAs, as they have next to or no auditing and monitoring function," he says. "When you don’t have an effective auditing and monitoring function, I don’t believe you can have an effective enforcement function. It’s as simple as that."
OCR offers a risk analysis tool and improved its guidelines and explanations for CEs and BAs this year, but the agency has limited ability to help smaller entities that may struggle to afford new software and upgraded security safeguards. Smaller entities may be more likely to combine the role of information security officer with other duties and may have a difficult time competing with larger organizations for qualified staff. Smaller entities may simply not have the expertise in-house, Kam says.
"There have to be other ways these organizations can improve," he says. "Maybe it’s as simple as other industries, like the insurance industry, coming to their rescue with cyber insurance and tools that are part of their programs in order to help those small organizations do a better job."
Focus on fines
OCR relies on fines to scare CEs and BAs into HIPAA compliance, yet for many the fines aren’t all that scary.
An organization that’s been through a HIPAA breach investigation may not want to repeat the experience. However, as a ProPublica investigation earlier this year discovered, OCR investigates relatively few breaches (www.propublica.org/article/few-consequences-for-health-privacy-law-repeat-offenders).
Even when an organization is investigated, the consequences often come years later and may not be significant enough to change its behavior. Those fines might cripple a small BA or CE, but larger companies or health systems might see even the biggest HIPAA fines as cheaper than compliance, Mac McMillan, FHIMSS, CISSM, co-founder and CEO of CynergisTek, Inc., in Austin, Texas, says.
In recent settlement announcements, OCR has put at least some of the blame squarely on the organization’s leaders. Those strong words may be in vain, Ruelas says. Because the agency doesn’t hold an organization’s leaders directly responsible for failing to act on risk analyses or support privacy and security needs, there’s little incentive for leaders to be accountable.
"I also think that it is not uncommon when settlements are made, there are people that are named scapegoats for the issues related to the settlement and often find themselves in some manner as the sacrificial lamb in losing their jobs," Ruelas says.
One way to solve the accountability crisis would be to take a cue from legislation such as the Sarbanes-Oxley Act (www.sec.gov/about/laws.shtml#sox2002), Kam says. The Sarbanes-Oxley Act was signed into law in 2002 in response to the corporate and accounting scandals that rocked the financial world in the early 2000s. If an organization’s chief executive officer was required to personally sign off on risk analysis reports and could be held personally accountable for his or her failure to properly follow up on security risks, HIPAA might start to carry some real weight.
OCR recommends that CEs and BAs follow the National Institute of Standards and Technology’s (NIST) cybersecurity framework. The agency released a HIPAA/NIST crosswalk tool in February to help CEs and BAs map HIPAA security requirements to specific standards in the framework (www.hhs.gov/sites/default/files/nist-csf-to-hipaa-security-rule-crosswalk-02-22-2016-final.pdf). CEs and BAs aren’t required to follow NIST’s cybersecurity framework, but it provides the practical guidance many are looking for. It can also be used to help an organization improve its data security overall and better protect PHI as well as business and financial information.
"I think the healthcare industry needs to up the ante, to work toward a higher standard," Kam says. "NIST and others are publishing security protocols and frameworks that the industry can work toward. Those are the types of standards that should be looked at, not for compliance but for data security."
Other security standards such as the Payment Card Industry Data Security Standard (PCI-DSS) are optional but can be used to enhance an organization’s security.
But regardless of the standard, organizations must verify that security standards and policies are actually being applied. All too often, policies that exist on paper are not fully implemented in practice. Without regular organizationwide risk analyses, gaps in compliance and implementation will be missed. Failure to complete or follow up on organizationwide risk analyses has been cited repeatedly in OCR’s recent HIPAA breach settlements. A risk analysis is the cornerstone of a security program, Linda Sanches, MPH, senior advisor for health information privacy for OCR, said in September at the Health Care Compliance Association’s annual regional conference in Boston.
"You cannot have a sound security program without a risk analysis," she said.
Sanches advised CEs and BAs to check OCR’s website for guidance and tools designed to help with HIPAA compliance. But a Government Accountability Office (GAO) report released in September cast a critical eye on the agency’s resources for CEs and BAs (www.gao.gov/assets/680/679260.pdf). The GAO report slammed OCR’s oversight of HIPAA and called the guidance and tools it offers CEs and BAs inadequate.
Looking to states
Most states have privacy and security laws and organizations can look to them to answer some of the questions, and fill some of the gaps, left by HIPAA. Navigating a patchwork of state laws isn’t always ideal. Multi-state organizations must keep track of laws in each state they operate in. And if a resident of one state experiences a breach of his or her PHI held by an organization in another state, it might be difficult for an organization to determine which state’s law applies. However, HIPAA was designed to complement state laws, not overrule them.
"HIPAA is designed to work with state laws," Sanches said. "You really need to look at the interplay between state laws."