Privacy & Information Security Law Blog

On June 7, 2012, at the annual Safeguarding Health Information: Building Assurance through HIPAA Security Conference hosted in Washington, D.C. by the Department of Health and Human Services Office for Civil Rights (“OCR”) and the National Institute of Standards and Technology (“NIST”), OCR Director Leon Rodriguez said that, given HIPAA’s 15-year history and the substantial technical assistance OCR and NIST have provided covered entities, tolerance for HIPAA non-compliance is “much, much lower” than it has been in the past.

In his remarks, Director Rodriguez indicated that the final omnibus rule modifying the HIPAA Privacy, Security and Enforcement Rules is “very close.” Director Rodriguez reiterated that the modifications will include extending HIPAA liability to business associates, but emphasized that business associates should not wait for the final rule to be enacted to focus on compliance. This is particularly true, according to Director Rodriguez, in light of the ability of state Attorneys General to enforce the Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act), as evidenced by Minnesota Attorney General Lori Swanson’s recent lawsuit against Accretive Health, a business associate that suffered a security breach compromising patient data. Director Rodriguez stated that he would not be surprised if other state Attorneys General began enforcing the HITECH Act in the business associate context.

Director Rodriguez also highlighted OCR’s new audit program, which he expects will become “a permanent and robust program.” According to Director Rodriguez, together with the HITECH breach notification requirements, the audits help OCR identify significant vulnerabilities affecting both electronic and hard copy protected health information (“PHI”). Linda Sanches, a senior advisor at OCR responsible for the audit program, also spoke and explained that OCR is not planning to sanction covered entities based on audit results unless they reveal a serious violation. Sanches also indicated that although OCR has the authority to audit business associates, there are no plans to do so in this phase of the audit program. OCR currently is in the process of determining what the business associate audit program will look like. Based on information from the audits that have been conducted thus far, Sanches advised covered entities and business associates to review and assess the actions they have taken to comply with HIPAA, and to “find all [their] PHI,” taking into consideration the fact that PHI is now contained in new types of equipment that did not exist ten years ago.