OCR is drafting a notice of proposed rulemaking (NPRM) on “good faith” disclosures of patient data by healthcare providers in patient emergencies, such as an opioid overdose.
This disclosure could be done without the patient’s consent, said OCR Director Roger Severino during his Oct. 18 keynote address at the Safeguarding Health Information: Building Assurance Through HIPAA Security conference being held this week in Washington, DC.
OCR is also preparing a request for information on improving care coordination and reducing regulatory burden for healthcare organizations, including a proposal to drop the requirement that patients sign a form acknowledging that they have received the organization’s notice of privacy practices.
In addition, his office is working on a proposal to distribute HIPAA fines to data breach victims, a measure that was called for in the HITECH Act of 2009.
In the spring of this year, OMB issued an advance notice of proposed rulemaking soliciting public comments on “establishing a methodology under which an individual who is harmed by an offense punishable under HIPAA may receive a percentage of any civil money penalty or monetary settlement collected with respect to the offense.”
Severino said that OCR has assessed $45.4 million in HIPAA fines since the beginning of the Trump administration.
Severino related that, since February 2017, OCR has assessed a number of large HIPAA penalties, including:
- Memorial Healthcare System, $5.5 million, due to a lack of audit controls that led to a PHI data breach
- Memorial Hermann Health System, $2.4 million, for multiple PHI disclosures
- St. Luke’s-Roosevelt Hospital Center, $387,000, for faxing information on HIV/AIDS patients to employers
- Fresenius Medical Care North America, $3.5 million, for HIPAA violations on five different occasions at different facilities
- Filefax, $100,000, for leaving medical records at a shredding and recycling facility
- MD Anderson Cancer Center (Administrative Law Judge ruling), $4.4 million, for failing to encrypt its inventory of devices that handled and held ePHI
- ABC cases, $999,000, assessed on three Boston-area hospitals for failing to obtain patient authorizations before letting ABC TV crews film in the facilities
- Anthem, $16 million, for HIPAA violations that exposed ePHI of 79 million people
Severino examined the breaches reported to the OCR Breach Portal since January 1, 2018, and found that the hacking/IT incident and unauthorized access/disclosure categories each made up 41 percent of breaches. Theft made up 12 percent, loss 4 percent, and improper disposal 2 percent.
He compared this with breaches reported between Sept. 23, 2009, and Dec. 31, 2017. During that period, theft made up the largest percentage of breach categories, at 38 percent, followed by unauthorized access/disclosure at 27 percent, hacking/IT incident 19 percent, loss 8 percent, improper disposal 3 percent, other 4 percent, and unknown 1 percent.
In terms of breach location since January 1, 2018, email made up 31 percent, paper/film records 21 percent, network server 16 percent, desktop computer 9 percent, laptop 6 percent, EMR 6 percent, other portable electronic devices 5 percent, and other 6 percent.
Again, he compared this with breaches reported between Sept. 23, 2009, and Dec. 31, 2017. During that period, paper records made up 21 percent of breaches, network server 17 percent, laptop 16 percent, email 11 percent, desktop computer 10 percent, other portable electronic devices 9 percent, EMR 6 percent, and other 10 percent.
Severino said that a summary of findings from Phase 2 of the HIPAA audit program will be published this year. For Phase 2, OCR conducted desk audits of 166 covered entities and 41 business associates. The purpose of the desk audits was to identify best practices, uncover risks and vulnerabilities not identified through other enforcement tools, and encourage consistent attention to compliance.
In addition, he noted that OCR and ONC had recently updated their security risk assessment tool to improve usability and expand its application to a broader range of risks.
The agencies developed the tool to help small to medium-sized healthcare practices, covered entities, and business associates comply with the HIPAA Security Rule and the CMS EHR Incentive Program.