Important Highlights from the NIST/OCR HIPAA Security Conference Last Week
Every year, the National Institute of Standards and Technology (NIST) and the Department of Health and Human Services, Office for Civil Rights (OCR) jointly sponsor a conference to “address the dynamic and challenging environment faced by all organizations that encounter health records or information.” The yearly HIPAA Security Conference, called “Safeguarding Health Information: Building Assurance through HIPAA Security,” provides excellent information for health care practitioners of all types regarding new and continuing important issues we all face with regard to data security in the health care sector. This year’s conference, held on October 16-17, 2019, at the Washington Marriott at Metro Center, Washington, D.C., was no exception. The insights provided, particularly those from the Director of OCR and the Senior Advisor for HIPAA Compliance and Enforcement for OCR, were especially important with regard to HIPAA compliance.
In his keynote for the conference, OCR Director Roger Severino raised several important issues regarding the ongoing work of HHS with regard to HIPAA:
HHS is considering whether “future billing information” should be considered protected health information (PHI) under HIPAA, for purposes of access, such that health care providers would have to provide the information pursuant to the right of access to avoid surprise billing.
HHS is prioritizing the upcoming HIPAA Notice of Proposed Rulemaking (NPRM) as part of the “Regulatory Sprint to Coordinated Care”— particularly with regard to potentially requiring health care providers to share PHI for treatment, expanding the “definition” of “threat to health and safety” to address individuals in crisis due to opioids, and removing the burden of the acknowledgement of Notice of Privacy Practices. See here for more information on the Request for Information that preceded this NPRM.
With regard to OCR’s recent Health App FAQs (found at the bottom of this page), Director Severino said that health care providers “don’t have to open doors to malware or viruses, don’t need a BAA to send PHI pursuant to a request from the patient,” and are “not liable as a covered entity for what happens to the PHI once the PHI goes to that app, unless the app is working on behalf of the covered entity.” He also mentioned that in some cases, with regard to use of these apps by patients, “buyer beware for patients.”
With regard to the recent Executive Order regarding non-binding, sub-regulatory guidance, Director Severino stated, in response to a question, that the HIPAA access guidance provides the $6.50 “safe harbor,” which is one of several options and not a requirement; as such, the access guidance, like all of OCR’s sub-regulatory guidance, does not impose any new requirements on entities and is not in need of revision.
Director Severino also briefly discussed an “upcoming announcement” regarding a $2.15 million Notice of Final Determination by OCR for civil money penalties that was signed by OCR on October 15, 2019. The announcement was made on October 23, 2019, regarding the Notice of Final Determination published on OCR’s website, which, along with the Notice of Proposed Determination, contains very important information on OCR’s latest civil money penalty case with Jackson Health System.
Director Severino and Serena Mosley-Day, Senior Advisor for HIPAA Compliance and Enforcement at OCR, made several key points regarding ongoing HIPAA enforcement, particularly from recent OCR cases. Both emphasized how important it is for HIPAA covered entities (and business associates) to consider their interactions with or about patients on social media platforms. The Director specifically said, “Providers need to fight the temptation to respond irrationally on social media. Social media is not the place to discuss it.”
With regard to the settlement amounts faced by HIPAA covered entities in cases that OCR takes to enforcement, Director Severino said, “We go for big cases and small cases and in this case, we had to take into account, as we always do, the entity’s ability to pay. We are not out to bankrupt companies.” Further, Ms. Mosley-Day specifically stated that she does not see settlement amounts or civil money penalty amounts decreasing due to the recent enforcement discretion announcement by OCR in the Federal Register. She said that the majority of the cases in which OCR proceeds to settlement or civil money penalties are those involving willful neglect, for which the penalty amounts remain the same. See here.