Enforcement

Whereas in the EU and many other areas around the world, privacy is driven through principles, today in the United States it tends to be handled primarily through procedural requirements in theory, and often enforcement mechanisms in practicality. As privacy and data protection principles reach more common ground globally in the future, expect that privacy and data protection enforcement will also embrace more common ground.

Turning solely to the United States for a moment, however, we will take a quick peek into the crystal ball at the enforcement landscape for healthcare in the future.

In the U.S. healthcare sector, the HHS Office for Civil Rights (OCR) has regulatory enforcement oversight for those organizations and persons handling protected health information (PHI) as that term is defined under HIPAA. OCR initially only had enforcement authority over “covered entities”—healthcare providers, health plans, and clearinghouses. In recent years, following the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act, it also now has enforcement jurisdiction over “business associates”—service providers to those covered entities. OCR’s overall approach to enforcement reflected some of the policy tensions in privacy regulation, particularly for the healthcare industry. OCR was concerned—when the HIPAA rules first went into effect—that healthcare providers and others would be nervous about sharing health information even in appropriate and beneficial situations, and therefore implemented an approach that was designed to educate, support, guide, and revise privacy-related activities rather than taking aggressive enforcement action. Because it was open and forthcoming about this approach, the healthcare industry quickly adapted to the HIPAA structure, and, in most situations, information that needed to be shared was shared.

Fast-forward a few years, to our current environment. HIPAA enforcement has increased, although not substantially. Most of the published enforcement actions have related to security problems, more than specific provisions of the privacy rules. Common themes for enforcement involve failures to conduct appropriate overall risk assessments and security problems related to mobile devices and other online activity. Now that the HIPAA breach notification rule (another HITECH Act innovation) is in full effect, reports of large security breaches have become a primary source of investigative leads for OCR in its enforcement activities. While many reported breaches do not end up leading to enforcement activity, these breaches trigger investigations that are guiding the overall OCR approach to enforcement. We can expect enforcement to continue to increase, although this increase likely will continue to be gradual.

The OCR approach to enforcement against business associates also will be important to watch. Business associates cover a wide range of entities—including one-person consulting firms and some of the biggest business firms in the world, along with everything in between. Beyond mere size, some business associates play a prominent role in the healthcare industry, while others may serve only one or two healthcare clients as part of a much broader kind of business activity (think an accounting or consulting firm that has clients in every industry with a modest portfolio in healthcare). In addition, some business associates are heavily involved in the use and disclosure of health information, while others may play a much more tangential role in any identifiable personal data. We will be watching how OCR draws these lines in enforcement activities down the road. While the overall enforcement approach still reflects a good understanding of reasonable efforts and an understanding of when companies are trying hard to get things right, we can expect to see ongoing pressure to engage in enforcement in appropriate settings.

 
Source
< Prev   CONTENTS   Source   Next >