OCR's Severino Outlines Top HIPAA Enforcement Initiatives
Ensuring Patients' Rights to Access Records a Top Priority
Enforcing patients’ rights under HIPAA to access their health information, including via health apps, is a top policy initiative at the Department of Health and Human Services’ Office for Civil Rights, Director Roger Severino said in a Wednesday presentation.
Speaking at the 11th annual HIPAA conference in Washington hosted by OCR and the National Institute of Standards and Technology, Severino also revealed that OCR has reached a “final determination” to issue a $2.1 million civil monetary penalty in a HIPAA case. “You’ll be hearing about that soon,” he told the audience, declining to disclose any details about the nature of the case.
In a step toward improving patient access to their information, OCR in April issued guidance that says a covered entity cannot withhold sending electronic protected health information to a health app selected by an individual because of concerns about how the health app developer will use or disclose ePHI.
Unless an app poses a security risk to the covered entity, patients should be able to access their health information via the apps of their choice, Severino said.
Also, a covered entity is not liable for the re-disclosure of ePHI by a health app if there is no business associate relationship between the health app developer and the covered entity, he noted.
If the information is sent to an app at the patient’s request, “covered entities aren’t liable for what happens after the PHI goes to the app,” Severino added. “Covered entities should do this unless it’s a threat to their own systems.”
In September, OCR issued a HIPAA settlement related to a right of access issue. The $85,000 financial settlement and corrective action plan for Bayfront Health St. Petersburg was reached after the organization took months to provide a mother with requested fetal health information.
That enforcement action is the “first in a series” of enforcement actions that OCR expects to take involving patients’ rights to access their records, Severino said.
“We’ve been doing a lot to see this problem fixed. Now it’s time for serious enforcement, especially when we are moving to a full mobile data cloud age,” he said.
Battling ‘Surprise’ Healthcare Bills
In further comments about the issue of providing patients with access to their records “in a timely fashion and at a reasonable cost,” Severino said OCR is assessing how that right might also help empower individuals to obtain pricing information before they receive healthcare.
The spotlight on access to records fits in with a number of larger policy efforts at HHS, including its “regulatory sprint” for improved coordination of care, Severino said. But patients’ right of access also plays a role in the Trump administration’s push for improved healthcare cost transparency, Severino told the audience.
On display with Severino was the medical boot that he purchased on the advice of his doctor prior to surgery to repair a torn Achilles tendon. Severino ended up paying $430 for the boot from his doctor’s office. But he later saw that same boot available on Amazon Prime for $70.
“This boot represents what’s wrong with price transparency,” Severino said.
On June 24, President Trump issued an executive order directing HHS to “solicit comment on a proposal to require healthcare providers, health insurance issuers and self-insured group health plans to provide or facilitate access to information about expected out-of-pocket costs for items or services to patients before they receive care,” Severino noted.
“We’re looking at ways to have HIPAA address this problem,” he said.
That could potentially include requiring covered entities to provide pricing information to patients about healthcare bills in advance of treatment, similar to the way banks provide consumers with mortgage cost information, Severino said. “Why can’t we do this in healthcare?” he asked.
In his presentation, Severino also highlighted OCR’s efforts to support better coordination of care.
That includes encouraging information sharing, facilitating parental involvement in care to address the opioid crisis and serious mental illness, and changing the current requirement for obtaining an acknowledgment of receipt of the Notice of Privacy Practices, he said.
Ransomware and phishing attacks are the top cyberthreats in the healthcare sector, Severino told the audience.
“Phishing is a primary threat vector,” he said. Training of employees is critical, including sending out test phishing emails to see who bites, he said.
Among the key factors contributing to some of the largest health data breaches reported to OCR are Remote Desktop Protocol vulnerabilities, weak single-factor authentication and weak access controls, including failure to terminate access rights when workforce members end their employment, he added.
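Two of the breach factors Severino lists, access rights that outlive employment and accounts that still rely on a single factor, are detectable by reconciling the identity system's account export against the HR roster. The Python below is an added example, not code from the article or from OCR; the record layout, user names and dates are constructed for illustration.

```python
# Added example (not from the article): flag enabled accounts belonging to terminated
# workforce members, enabled accounts without MFA, and accounts with no HR owner.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    mfa_enrolled: bool

@dataclass(frozen=True)
class WorkforceRecord:
    user_id: str
    terminated_on: Optional[date]  # None means still employed

def review_access(accounts: List[Account], roster: List[WorkforceRecord],
                  as_of: date) -> List[Tuple[str, str]]:
    """Return (user_id, finding) pairs for each access-control gap found."""
    termination = {r.user_id: r.terminated_on for r in roster}
    findings = []
    for acct in accounts:
        if acct.user_id not in termination:
            # An account with no HR record cannot be tied to an accountable owner.
            findings.append((acct.user_id, "no-hr-record"))
            continue
        ended = termination[acct.user_id]
        if acct.enabled and ended is not None and ended <= as_of:
            overdue = (as_of - ended).days
            findings.append((acct.user_id, f"enabled-{overdue}d-after-termination"))
        if acct.enabled and not acct.mfa_enrolled:
            findings.append((acct.user_id, "single-factor-only"))
    return findings

# Constructed sample data: one leaver still enabled, one current employee
# without MFA, one correctly disabled leaver, one account with no HR owner.
SAMPLE_ACCOUNTS = [
    Account("jdoe", enabled=True, mfa_enrolled=True),
    Account("asmith", enabled=True, mfa_enrolled=False),
    Account("bwong", enabled=False, mfa_enrolled=True),
    Account("svc-legacy", enabled=True, mfa_enrolled=False),
]
SAMPLE_ROSTER = [
    WorkforceRecord("jdoe", terminated_on=date(2019, 9, 1)),
    WorkforceRecord("asmith", terminated_on=None),
    WorkforceRecord("bwong", terminated_on=date(2019, 8, 15)),
]
```

Running `review_access(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, date(2019, 10, 16))` reports jdoe as enabled 45 days after termination, asmith as single-factor only, and svc-legacy as having no HR record; the disabled leaver bwong is silent.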
One member of the audience asked if OCR would consider rewriting the HIPAA Security Rule to better reflect the NIST Cybersecurity Framework. Severino appeared to reject that notion.
“Our rules are scalable,” so that entities of any size can comply, he said. “If we were to specify in detail, it would be difficult to draw lines and would be out of date in short order with the rapid change of technology.”