Featured Health Business Daily Story, Dec. 7, 2011

Senators Light Fire Under OCR for Final Regs, Ponder Privacy Legislation for 2012

Reprinted from REPORT ON PATIENT PRIVACY, the industry's #1 source of timely news and business strategies for safeguarding patient privacy and data security.

December 2011, Volume 11, Issue 12

While 2012 isn’t likely to see the emergence of major health privacy legislation on the level of 2009’s HITECH Act, a trio of senators says they are pondering bills that could expand the entities that must comply with HIPAA, mandate encryption, require better reporting by the Department of Justice on cases, and increase some penalties.

Their ideas were revealed at what started out as a Senate hearing on digital health information privacy but turned into a tongue-lashing of the Office for Civil Rights for lax enforcement and its failure to issue final regulations implementing the HITECH Act. The senators said new legislation would address what they see as gaps in the current privacy and security protections.

Convened by the Senate Judiciary Committee’s Subcommittee on Privacy, Technology and the Law, chaired by Sen. Al Franken (D-Minn.), this was only the second hearing in the subcommittee’s history. The seventh subcommittee of the Judiciary, the panel was created in February and, given its membership, is likely to be a hotbed of privacy and security legislation.

Franken is joined on the committee by Richard Blumenthal (D-Conn.), former Connecticut attorney general and the first state official to bring a HIPAA case on a state level, as permitted under HITECH (RPP 2/10, p. 1). Other members are Tom Coburn (R-Okla.) and Sheldon Whitehouse (D-R.I.), long a privacy advocate.

The hearing featured testimony by a Department of Justice official about the kinds of medical privacy cases DOJ prosecutes, information that is rarely made public. Loretta Lynch, the U.S. Attorney for the Eastern District of New York, also took flak for DOJ's inability to track the outcome of cases referred to it by OCR (see box, p. 3).

OCR Director Leon Rodriguez was among those testifying at the hearing; he was grilled about why the final HITECH Act regulations aren’t out yet. Others testifying were Kari Myrold, privacy officer for Hennepin County Medical Center in Minneapolis, Minn., and Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology.

Enforcement Record Is Unacceptable

Before he even began questioning the officials, Franken noted early in the hearing that “our right to privacy is not being fully protected.” He also said that citizens have a “fundamental right to know who has their personal information, and to control who gets that information, and [control] with whom it is shared.” This might lead some to speculate that Franken supports reinstituting some form of consent, but the issue was not raised at the hearing.

The HITECH Act included provisions to hold business associates as fully accountable as covered entities to fill “substantial gaps” left by HIPAA, said Franken, who then expressed his frustration with the state of affairs today.

“When Congress passed the HITECH Act it sent a clear bipartisan signal that it was time to get serious about health information privacy. Unfortunately, all signs indicate that we’re still not there either in terms of the protections we have in place or the way that we’ve been implementing and enforcing those protections,” he said. “A lot of the crucial protections of the HITECH Act have yet to be implemented. For example, HHS has yet to issue final enforceable rules on a number of critical protections, like the business associate rule.”

Franken termed the government’s HIPAA enforcement “unsatisfactory.”

“[W]hile the Department of Health and Human Services and the Department of Justice have increased enforcement in the past one or two years, the overall record of enforcement is simply not satisfactory,” Franken said. “Of the approximately 22,500 complaints that HHS has received since 2003 that it had authority to investigate, HHS has leveled a formal fine or civil monetary penalty in one case — just one. They have reached monetary settlements in six other cases. DOJ’s record on this is similarly mixed. Since 2003 HHS has referred about 495 cases to DOJ for prosecution, but since then DOJ has prosecuted just 16 criminal HIPAA cases.”

OCR Director Is on the Hot Seat

Franken said he wanted an "explanation" for the "lack of enforcement" by OCR. Rodriguez responded by noting, as had Franken, that OCR's preference has been for achieving voluntary compliance, with a focus on education rather than prosecutions. But he sounded a note of warning to covered entities (CEs) and business associates (BAs) that this was about to change.

“HITECH has changed the environment significantly in two ways. The first is, there no longer is a hard requirement that a covered entity be given that opportunity [to come voluntarily into compliance]. We will still do it in many and most cases, but there is not necessarily a hard requirement that a covered entity be given that opportunity to implement corrective action before we move to penalties,” Rodriguez said.

Later in the hearing Rodriguez referred to hefty penalties coming in the near future as “the real frontier.”

“While there is a certain layer of cases that do merit criminal sanctions, in my view the real frontier is in our leveraging these new, stiff penalties that we have under the HITECH statute and expanding our utilization of those penalties,” he said.

Franken also pushed Rodriguez to state when the final regulations implementing the HITECH Act would be issued. Rodriguez said he could not give a date, suggesting that OCR was still working through the comments received when the proposed rules were published.

“What I can tell you, senator, is that we’ve received extensive comments on both the business associate proposed rule and a number of other provisions under HITECH, that we have worked diligently to analyze those rules and to prepare regulatory text based on our analysis, and we are working as diligently as we can toward a final rule. I can’t give you a timeframe at this time,” he said.

Franken responded: “OK. Well, hurry up.”

After comments by DOJ’s Lynch, Coburn, a physician, seized on the issue of criminals using providers’ and Medicare patients’ numbers. “Would you think that increasing the penalties, in terms of utilizing a patient’s Medicare Social Security number or provider number, would be beneficial in [your] effective carrying out of the law?” he asked Lynch.

Lynch responded that “right now we have a very effective framework” and noted the “three-tier” penalty structure called for in HITECH, which seems to be working well.

Senators: ‘Increase Penalties, Expand HIPAA’

Still, Coburn pressed on. “I’m thinking of raising the penalties for intentionally selling Medicare provider numbers or Medicare Social Security numbers — patient numbers or provider numbers,” he said, “because that’s where we see a lot of this, in terms of the multiple layer[s] of fraud, in terms of false billing to Medicare.”

It is not clear whether this issue will get traction with the subcommittee, which then moved on to the possible expansion of HIPAA with Blumenthal querying those testifying.

Blumenthal noted that his bill, S. 1535, the Personal Data Protection and Breach Accountability Act, “explicitly protects health information” and “extends [HIPAA] protections to health data held by companies that are not currently covered by HIPAA.”

Rodriguez demurred when asked his view of such an expansion. Blumenthal also asked McGraw about this, as well as why encryption wasn't being performed as it should be.

“I gather from your — both your written testimony and from your responses to my questions and Senator Franken’s — that you would certainly not object and might even recommend to many of the entities not now covered under HIPAA also be included in these protections, both as to encryption and any other requirements for systematic safeguarding this information,” he said to McGraw.

Action Is Urged to Spur Encryption

“Absolutely,” McGraw said. “We wholly supported the provision in your bill on breach notification that it include health data; we thought that was an important advance.”

Regarding encryption specifically, McGraw said her organization “would like to see more done in this regard, whether it’s in the form of some more specific requirements or whether more guidance about when the Office for Civil Rights expects entities to encrypt. I think that would also be helpful.”

Myrold, with Hennepin County Medical Center, also said better standards or explicit requirements for encryption are necessary, as there remain “a number of organizations who apply policies inconsistently.”

“Business associates, data breach notification, expanding the definition of a ‘covered entity,’ encryption, and the accounting of disclosures [proposed rule] are other areas where I certainly can see that we could make improvements,” Myrold said.

She said "a big reason" overall compliance with HIPAA privacy and security rules is lagging "is the final rules aren't here. … And until we actually get those final rules and people knowing that they're going to actually be enforced, you're probably not going to see a lot more compliance. It's a big issue," Myrold said.

McGraw also put in a bid for more guidance. In particular, she said that Congress should “send a signal” to OCR that agreements between covered entities and business associates should specify the sorts of uses that are not permitted. She noted that there is a real sense of urgency in needing the final regulations on BAs, but also that they be required to be “very clear that a contractor gets data for a specific purpose and should be limited in how they use that data to accomplish that purpose.”

“This is absolutely accomplishable by regulation, but I think it’s always helpful when Congress sends a signal to the regulators about what it would like to see….We would be willing to work with legislation that would provide a more clear signal to the department about what Congress wants to see,” McGraw said.

All the senators who spoke vowed to work together to address the privacy and security issues plaguing medical information today. “I sincerely believe that health information policy and privacy is a bipartisan issue and a bipartisan cause, and one that will require a bipartisan solution,” Franken said.

