When the Department of Health and Human Services Office for Civil Rights slaps hospitals with a hefty fine for a data breach, from where does that money ultimately come?
Tom Walsh, founder and managing partner of tw-Security, contends that since IT is widely viewed as a cost center, and information security, in turn, is overhead to IT, it’s among the first things executives cut from the budget.
“Fining an organization is like me tying one of your hands behind your back and saying ‘now get out there and fight the good fight,’” Walsh said. “Don’t tie their hands behind their back.”
Matt Fisher, a partner with law firm Mirick O’Connell, added that “imposing fines on any organization is arguably not sustainable,” but said that penalties do help to change hospital’s behavior.
More HIPAA audits coming
Walsh was careful not to lay the blame solely on OCR. Hospitals that consciously decide to build a new luxury lobby, for instance, instead of encrypting laptops are at fault when they experience a data breach. And executives making that decision should be held accountable.
Fisher said that the HIPAA fines happen only in a vast minority of cases and OCR takes the entity being penalized into consideration — though the bulk of settlement work is handled behind the scenes.
“The fines out there,” Fisher said, “there’s arguably no rhyme or reason to the amount imposed.”
That said, hospital executives should expect OCR to conduct more HIPAA audits moving forward. OCR senior advisor Linda Sanches said late last year at the Healthcare IT News Privacy & Security Forum that the agency will conduct on-site audits in 2017.
“OCR hasn’t yet audited to a significant degree,” said Pamela Hepp, an attorney with the healthcare practice at Buchanan, Ingersoll & Rooney. “Some of our clients have received an initial request, but haven’t been audited. It will take some time.”
That’s time that Walsh said the federal government and the healthcare industry can use to rethink its approach entirely.
Escrow accounts and HIPAA certification
OCR’s goal of making sure we’re indeed protecting patient data and the HIPAA rule is actually being implemented correctly is an honorable and necessary endeavor, Walsh said. But the execution — and the revenue generation OCR needs — could both be handled more effectively.
Walsh presented two ideas. The first is for OCR to fine hospitals, but instead put that money into escrow and release some of it back when hospitals meet certain criteria, like the current corrective action plans typically part of the settlement.
The second idea Walsh offered is a voluntary certification program in which vendors and healthcare providers pay to validate that they are in fact complying with HIPAA — much the way that hospitals and other companies have to meet certain PCI standards for credit card processing.
Fisher said that such a certification program would most likely need to be outsourced and might struggle to generate enough revenue to sustain itself. Either or both options would, of course, depend on successfully generating the revenue OCR needs without crippling hospitals operating budgets.
“We’re in this quagmire where we have to make a decision: is this a sustainable model for getting our industry into shape or not?” Walsh said. “We can rethink this to get what OCR needs and make healthcare more secure.”
In the meantime, as Fisher said, hospital executives and information security professionals should know that HIPAA breach fines are here to stay, and they should plan accordingly.