Today, the Department of Health and Human Services, Office of Civil Rights (OCR), joined with the Workgroup for Electronic Data Interchange and hosted an online seminar discussing HITECH requirements in the new Final Rule. The presentations covered many points about the Final Rule previously outlined on this blog (see here, here, and here).
Rachel Seeger, presenting for the Office of Civil Rights, confirmed the regulator’s intent to strengthen privacy protections for protected health information (PHI) wherever that information may be stored – whether by the health care providers, business associates, or subcontractors.
With respect to enforcement, Ms. Seeger indicated OCR’s policy preference to make audits “a permanent part of enforcement efforts.” OCR especially expressed interest in identifying “systemic or significant” compliance problems within regulated entities.
Presenting for the Workgroup for Electronic Data Interchange, Mark Cone highlighted recurring compliance issues based on an analysis of Corrective Action Plans and audits. Corrective Action Plans are frequent components of resolution agreements between OCR and non-compliant entities and can provide insight into enforcement direction. Mr. Cone offered the following takeaways for avoiding common compliance failures:
- Document risk analysis, as required by the Rule. Simply “putting policies and procedures in place does not constitute a risk analysis,” said Mr. Cone.
- Tailor employee training to the actual practices of the organization, and ensure that training occurs prior to any interaction with PHI.
- Adequately safeguard mobile and portable devices, including stored data and communications via email and text messaging. “Encryption, encryption, encryption,” repeated Mr. Cone, emphasizing the importance of securing mobile devices.
- Enforce workplace sanctions for mishandled PHI. The Final Rule requires implementing a sanctions policy for employee mishandling of PHI, and the OCR demands that the policy be more than words on a page.
- Enforce appropriate workstation use. Mr. Cone suggested that the physical positioning of laptop and computer screens can sometimes be a compliance issue. PHI appearing on a screen should not be visible to casual passers-by or other unauthorized personnel.
- Respond promptly to letters from the OCR. Have a policy in place for appropriately handling requests from the OCR.
- Smaller covered entities should resist the temptation to uncritically accept outside vendors’ own business associate agreements. All business associate agreements should be reviewed to ensure that they are appropriate and up-to-date.
- Periodically revise policies and procedures to ensure that they reflect the organization’s current real-world practices and technology use. Policies and procedures are often the first thing the OCR asks to see in an investigation. Out-of-date policies are treated as a red flag and may trigger heightened regulatory scrutiny.