HHS Eyes End of 2017 for Draft Rule on Privacy Breaches

— Aims to define what constitutes 'harm' when health records are exposed

Last Updated February 22, 2017
MedicalToday

ORLANDO -- The office dealing with health privacy at the U.S. Department of Health and Human Services (HHS) expects to have proposed regulations by the end of the year on compensating people whose healthcare privacy has been breached, an official said here Monday.

A provision in HITECH (the Health Information Technology for Economic and Clinical Health Act) requires HHS to come up with a way to give people who are harmed by violations of HIPAA a percentage of any civil monetary penalties or settlements collected, explained , deputy director for health information privacy at HHS's Office for Civil Rights, at the the Healthcare Information and Management Systems Society (HIMSS) annual meeting.

The question is, "What qualifies as harm when there has been a violation of privacy and security rules?" she said. "How do we determine a violation has occurred when the case is settled and there is no finding of fault? ... We'll be issuing that [proposed rule] hopefully in 2017."

In addition to that rule, "We're doing guidance on text messaging," she continued. "There are a lot of questions whether covered entities can text with patients and whether employees within covered entities can text one another, or text covered entity to covered entity, covered entity to business associate, or covered entity to public health department."

"The question really comes up when the text messaging platform you want to use is not secure," said McGraw. "When it's secure, I think the questions are fairly clear. When it's not secure, the questions are not so clear. That's what we hope to address there."

Use of social media by covered entities will be another guidance topic for the department, according to McGraw. "We've had issues come up with the posting of individually identifiable information on the Internet," she said. "We have a definition of what constitutes PHI [protected health information] ... and a privacy rule that governs when you can use and disclose PHI."

"Make sure [when you're using social media] to pay attention to permitted uses and disclosures, and the circumstances under which you need authorization from the individual in order to disclose what would be PHI -- which has a very broad definition -- on a publicly available social media page."

"I think I've basically given you what the guidance is going to say, but it will be much more legalistic once we get it through our attorneys, and then we'll try to make it understandable to all of you," she added.

The office is also working on guidance "that I'm calling 'The Anatomy of a Case,' which walks through a typical case we do in HIPAA and how we calculate penalties, and the basic criteria we use to come to settlement amounts," said McGraw.

One other project the office is working on: updating its existing FAQs. "Our website has numerous FAQs, and some are horribly out of date," she said. "We're going to get this out as quickly as we can."

McGraw also addressed an issue that makes many healthcare providers nervous -- healthcare privacy audits. "Audits are not a fishing expedition for enforcement cases; they are another tool ... to encourage compliance; they provide examples," she said. "An audit is really about identifying best practices, understanding the vulnerabilities that still exist across a range of entities, and figuring out where we need to do more with respect to technical assistance." And it also gets people's attention and causes them to start looking at their own audit procedures, she added.

The audits are "intended to be non-punitive, though we [can] open up an audit review" if something suspicious seems to be going on, or if an entity doesn't respond to audit requests, she said.

So far the office has done "desk audits" -- done by requesting documents, not by going on-site -- on 166 covered entities and 45 business associates. Audited entities "should keep an eye on their email; we could be sending out draft reports as early as next week," she said. "We're going to finish desk audits ... before we move forward with anything else, including on-site audits. We're likely talking about the end of the year ... [but] it may not be until 2018."

McGraw seemed a little taken aback by one audience member who asked whether it was possible to volunteer for an audit, but she recovered quickly. "We really are committed to picking [entities] somewhat randomly; right now we're not taking volunteers," she said. "But we will take your question under advisement."

One issue the staff would like to issue guidance on deals with disclosure of non-identifiable genetic information, McGraw said in response to another question from the audience. "I know entities are not all on the same page whether they think it's identifiable; in some contexts it may be more identifiable than others. It depends on whether you have the ability for phenotypic data to be matched with that genetic data so you can make that correlation."

"Until we do [provide guidance], you can use a safe harbor ... Or you can use an expert or statistical method if you want to try to de-identify data that does include genomic data, until we get to the point of providing more definitive guidance on this topic, which we want to do by soliciting comment first."