On October 30, 2009, the Department of Health and Human Services (HHS) published an interim final rule that significantly amends the civil monetary penalty guidelines for violations of the Health Insurance Portability and Accountability Act (HIPAA) (the "Interim Final Rule"). These amendments, mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), become effective on November 30, 2009, but apply to violations occurring on or after February 18, 2009.
Most significantly, the Interim Final Rule increases the civil monetary penalties for a covered entity's or business associate’s violation of the HIPAA Privacy and Security rules. Currently, civil monetary penalties for violating HIPAA are “not more than $100” per violation and a maximum of $25,000 “for all violations of an identical requirement or prohibition during a calendar year.” Under the Interim Final Rule, penalties range from $100 - $50,000 per violation and up to $1,500,000 for identical violations in a calendar year.
The Interim Final Rule also restricts possible defenses to alleged violations. Currently, a covered entity’s lack of knowledge of a violation is an affirmative defense to a claim. Under the Interim Final Rule, covered entities and business associates may be subject to civil monetary penalties ranging from $100 - $50,000 even if they did not know of the violation.
The Interim Final Rule establishes four categories of violations, each with its own civil monetary penalty per violation and cap for all identical violations per calendar year:
1. The covered entity did not know of the violation.
2. The violation was due to reasonable cause and not willful neglect.
3. The violation was due to willful neglect, but was corrected within 30 days of discovery.
4. The violation was due to willful neglect, but was not corrected within 30 days of discovery.
Within these ranges, HHS will determine penalties based on (i) the nature and extent of the violation, (ii) the nature and extent of the resulting harm, and (iii) other factors, including prior compliance with the rules or the financial condition of the covered entity or business associate at the time of the violation.
This Interim Final Rule is another signal from HHS that it will aggressively enforce the HIPAA Privacy and Security Rules, beginning immediately. If covered entities and business associates do not already have strong HIPAA compliance programs in place to prevent and detect potential violations of the Privacy and Security Rules, they should establish such programs now. Those that do have programs in place should review them to make sure that they comply with the HIPAA Privacy and Security Rules, including the new provisions of the HITECH Act.
On Tuesday, February 17, 2009, 26 days after taking the presidential oath, President Obama signed the American Recovery and Reinvestment Act (ARRA) of 2009, a 407-page document containing no fewer than 23 titles in two major divisions.
Needless to say, there is a lot in this act. However, from an information security perspective, what really stands out is Title XIII, Health Information Technology, more commonly known as the Health Information Technology for Economic and Clinical Health Act (HITECH). Comprised of several parts, subtitles, and sections, this comparatively small part of ARRA adds serious teeth to HIPAA. We knew it was coming, so strap in, we’re going for a ride.
This animal covers everything from grants and testing systems to privacy and reporting breaches. Oh, and plenty of fines to boot. A printed word is worth a thousand words, and the intent of this act depends on your political perspective. Nevertheless, it sets out to promote health information technology (HIT), cover the application and use of HIT standards, support funding and grants related to HIT, testing of HIT, incentives for using HIT, and, my personal favorite, improving privacy and security provisions.
First out of the gate is the establishment of a National Coordinator, reporting to the Secretary of the Department of Health and Human Services (HHS), through the creation of an Office of the National Coordinator for Health Information Technology (ONCHIT). (That’s the exact acronym in the act; can you believe it?) I won’t bore you with the definitions, policies, standards committees, and management structure; all this is legal stuff anyway.
However, it’s worth a read. There are some interesting statements that will have ramifications for HIT. For example, in Sec. 3009, concerning the relationship to HIPAA, I especially like, ”The purposes of this title include ensuring that the health information technology standards and implementation specifications adopted under section 3004 take into account the requirements of HIPAA privacy and security law.” In other words, this is in addition to HIPAA, not a replacement. I will add that Part 2 introduces reporting and the relationship between the ONCHIT, HHS, and the OMB. The ONCHIT may not seem important at the moment, but it will, so keep reading.
Then it goes into defining the testing of HIT, and specifically looks to the National Institute of Standards and Technology (NIST) for the formation and testing of standards related to HIT, referring to section 101 of the High-Performance Computing Act of 1991. In short, this means NIST will be the foundation of the standards affecting HIT, which is actually a good thing. Also, note that HHS is giving $20M of the $2B allocated to HHS to NIST “for continued work on advancing health care information integration through activities such as technical standards analysis and establishment of conformance testing infrastructure.”
While we’re on the topic of money, $24.285M is going to Privacy and Security, $300M is going to the Regional HIT exchange, and $1,655.715M (or $1.6B) is going… well, they don’t know yet.
Of course, it goes on with defining incentives engineered to get paper-pushers on to IT systems. This should be a boost to private and public sector healthcare organizations that have investment challenges.
Ah, ok, on to the security meat: Subtitle D, Privacy. First, Sec. 13400 defines what a breach, a personal health record, an electronic health record, and protected health information are. The interesting part is that the term breach is quite encompassing and applies to any organization (covered entity or business associate) that “accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses” protected health information. This means that any organization that comes anywhere near protected health information, in the US or abroad, is liable and must report a breach. Wait, it gets better.
As part of the act, the ONCHIT will annually “issue guidance on the most effective and appropriate safeguards for use in carrying out the sections…” and goes on to list the sections concerning HIT and standards, among others. Hmmm… that should be interesting.
Then Sec. 13402 defines the notification process in case of a breach. This gets interesting. It places the burden of proof on the covered entity or business associate to show that notifications have been completed, and goes into great detail on how notifications are to be performed. Written notification to individuals must go by first-class mail, and in some cases you can use e-mail and websites. But it’s clear that the government isn’t going to let you get away with just posting something deep in your site; you have to touch people. It gets better.
Sec. 13402(e)(2) states, “Notice shall be provided to prominent media outlets serving a State or jurisdiction, following the discovery of a breach described in subsection (a), if the unsecured protected health information of more than 500 residents of such State or jurisdiction is, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach.” It goes on to state that breaches must be published on HHS’s website. It gets even better.
Sec. 13402(i)(1) states that the ONCHIT secretary must provide annual breach reports to Congress, including the Committee on Finance and the Committee on Health, Education, Labor, and Pensions of the Senate, and the Committee on Ways and Means and the Committee on Energy and Commerce of the House of Representatives. The report must include the number and nature of breaches and the actions taken in response to them.
Basically, all this boils down to the fact that breaches are going to be very, very public, cost vast amounts of money, and produce a ton of lawsuits over who was actually responsible for the breach, not to mention remediation activities. Moreover, any covered entity and any of their business associates that are involved in some way with health information are covered under this act. There is no wiggle room. This is very broad and comprehensive in which companies are impacted. In fact, Sec. 13407 goes into great detail on the responsibilities of vendors and non-HIPAA covered entities. If your company falls into one of these categories, you’re going to want to read that section very closely. Moreover, Sec. 13408 states that contracts between business associates and covered entities will have to be rewritten.
Sec. 13409 goes into detail concerning criminal penalties and gets pretty harsh on willful neglect. If so deemed, the government will, of course, investigate, and based on the outcome, someone could be going to jail.
Then there is a one-paragraph section, Sec. 13411, that may be nothing, but when I read it I think of crazy stuff. It basically states that the Secretary will provide for periodic audits to ensure that covered entities and business associates subject to the requirements are in compliance. It specifically refers to 45 CFR 164, Subparts C and E: Title 45 (Public Welfare), Subtitle A (HHS), Part 164 covering Security and Privacy (aka HIPAA, specifically the “HIPAA Administrative Simplification Regulations”), with Subparts C and E defining which organizations are considered covered. Astute HIPAA experts out there know that Part 164 calls out the administrative, physical, and technical safeguards, organizational requirements, and policies and procedures affecting security related to HIPAA. So this means, if read a particular way, that the ONCHIT (or an approved assessor, which sounds very PCI-ish) is going to be auditing you. I could be reading too much into HITECH’s Title XIII, Subtitle D, Sec. 13411, but I don’t think so.
But it doesn’t stop there. Part 2, Sec. 13424, gets very interesting. For example, the ONCHIT must provide an annual report on compliance to the same groups that receive the breach report. It has to report on the number of complaints, how many were resolved informally, how many resulted in civil penalties, and the number of subpoenas or inquiries issued. So, my perspective on costs and the rash of lawsuits that will come from this is pretty much agreed to by Congress; they know it’s going to be madness.
But wait, it gets, well, better. Remember that little Sec. 13411? The ONCHIT has to include in the annual report on compliance the number of compliance reviews conducted and the outcome of each review! (Look at Sec. 13424(a)(1)(D).) And, my favorite, Sec. 13424(a)(1)(F): the Secretary’s plan for improving compliance and enforcement of such provisions for the following year. Of course, as with everything in HITECH, the report will be provided to the public on HHS’s website.
As far as penalties go, under civil action it can be up to $100 per violation, not to exceed $25,000 per year. That may not sound like a lot, but that is what can happen to a person, not a company. Technically speaking, if you’re a CISO responsible for security and there is a breach of 250 records, you could be on the hook for $25k. Nevertheless, this whole thing around fines is interesting…
If people in an organization did not know, or would not have known through due diligence, it is $100 per violation, not to exceed $25,000 in a calendar year, much like civil actions affecting individuals. If the violation was based on reasonable cause and not willful neglect, it is $1,000 per violation, not to exceed $100,000 in a calendar year. If the violation was deemed to be based on willful neglect, yet was corrected in the manner and timeframe stipulated, it is $10,000 for each violation, not to exceed $1,500,000 within the calendar year. (Note: although paragraph (3)(C) states $250,000 total in a year, the definition of the violation type in (1)(C)(i) points to the number at (3)(D), which is $1,500,000.) Of course, if you do not correct the violation in a manner reflective of the act, each violation is $50,000, not to exceed $1,500,000 in a calendar year. However, this is just the beginning if you don’t fix the problem. The Secretary has the power to determine the “extent of harm” from your poor and untimely actions, and rest assured that will come as an additional fine.
It’s important to note a few things. One is that the definition of the penalties is slightly separate from the tiers of fines. Although it says “not to exceed” in a calendar year, the per-violation amount is stated as “at least”, meaning that this is the minimum cost per violation. Therefore, a judge has the room to say one violation is equal to the limit for the type of violation, aka the maximum penalty provided by law. Second, and I’m obviously no lawyer, there is the term “in a calendar year” as it relates to “…the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed…” When I read this, I would hope any breaches start in January! The way this reads (and I could be completely wrong) is that a breach in December could cost $1,500,000 and another in the following month could cost yet another $1,500,000. Of course, if you’re fined $1,500,000 for a breach in January, you’re covered for the remaining breaches in that year :) Lastly, again assuming I’m interpreting this right, there could be multiple people involved if covered entities and business associates do not assign responsibility to a single person, such as the CISO. If not, anyone involved in the protection of information is liable. So, assume the CEO, CISO, CIO, and General Counsel are identified as demonstrating neglect and not responding effectively; that’s $6M in fines alone.
Finally, many of the provisions in ARRA’s HITECH go into effect six months from inception. Last time I checked, that was last Saturday!
So, what to do, what to do. First, climb out from under your desk and take a deep breath. Oh, I’m not going to tell you everything is going to be ok and let you off the hook. Nope, man up. Ok, I’ll let you off a little bit: there are multiple sections concerning effective dates that range from 2010 to 2016 based on the type of entity and information. Nevertheless, here is what you need to start doing today.
If you’re a covered entity (see HIPAA if you’re not sure), you had better start notifying your business associates of the new security rule (focus on Subtitle D for starters), explain the penalties (which can impact individuals as well as companies) and the changes in ARRA, and start combing through your contracts to revise them to reflect the changes. Yes… I’m not kidding. You have to make certain your contracts reflect Sec. 13408 in relation to the responsibilities and penalties. If your vendor or associate has indemnification or other clauses concerning liabilities, these will have to be closely reviewed because the fines can get pretty steep.
Also, you need to review the HIPAA security safeguards (there are some new ones, such as destruction of data, and the difference between a personal health record, an electronic health record, and protected health information) and keep an eye on NIST to make certain your environment is compliant. I also highly recommend you perform a risk assessment of your environment, security controls, and security management processes. And when you do, make absolutely certain that you can identify exactly where and what is touching private information. Without this in hand, you’re not going to know how to manage breaches or your business associates, or be prepared for an audit. My advice is to get way ahead of the curve, and do it now.
If you’re not a covered entity but are a business associate of one or more covered entities, this may get costly. You’re going to have to update all your contracts and evaluate your role concerning records and information (do you access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose records?). You need to look deeply. In some cases, just transmitting this type of information can mean you’re affected. It should be noted there are exceptions and processes for getting exceptions, but don’t hold your breath. Again, there is some silver lining concerning effective dates, so you do have time.
So what does all this mean? For security, I’m not sure. Does it mean that we’re going to have better security controls? Unlikely – compliance doesn’t equal security. What it means is the same thing all regulations mean, more spending, more complexity, and more reasons not to do business.
Look, the fact remains… there is no perfect security, just that simple. All security really is, is the reduction of exposure. You can’t cover the entire spectrum and there will be gaps and those gaps will result in a breach. The best thing you can do is think in a secure fashion. I beg of you, please don’t approach this one like others have with PCI and the like and think of it as a checkbox. There is a reason for all these regulations – it is the only way to get people to practice better security. The problem is the standards and specifications are translated into auditable checkboxes ultimately defeating the purpose. You need to apply security in a manner that achieves the intent relative to your environment. Don’t just say, “Well, the regulation’s standard says we have to have ‘X’, and there it is. Check.” That isn’t security.
Nevertheless, for general security, it does mean more visibility.
People will know when their data is lost or stolen. Right now this is required in a few states in the US, and there are federal laws being pushed through Congress as I write this. Moreover, the annual reports from the ONCHIT will be pretty interesting, to say the least. This should be quite a motivator, seeing that a single breach could impact millions throughout the country. Also, this is a bit different from losing a credit card number. While that is a huge problem, people see it as something to be fixed by the credit card companies and banks. However, when your personal health information gets out, it hits far closer to home and is very personal. Should be interesting.
In the short term this will cause havoc. In the mid-term organizations that are willing to stay on the wagon will work hard to implement better controls. And in the long run, security may actually be more meaningful. However, the same thing was said when HIPAA was signed, 13 years ago.