Mac McMillan: 'Disparate' health privacy requirements overwhelming for providers

As the U.S. Department of Health and Human Services' Office for Civil Rights ramps up its audits of healthcare entities in the coming months, there is a sense among some that there will be a flood of fines levied compared to actions that have already been taken. 

"Knowing what's in the pipeline, I suspect that that number will be low compared to what's coming up," Jerome B. Meites, OCR chief regional counsel for the Chicago area, said earlier this summer at an American Bar Association conference.

Mac McMillan, chair of the HIMSS Privacy & Security Policy Task Force, and CEO of IT security consulting firm CynergisTek, actually foresees trouble looming at the state level for providers, as well.

"Our clients in California are more worried about the state attorney general than the federal government," McMillan tells FierceHealthIT. "They get hit with investigations by the state much more frequently than they do from OCR."

In part 2 of an exclusive two-part interview, McMillan talks about the regulatory landscape for HIPAA and how state privacy laws are affecting healthcare organizations and their business associates.

FierceHealthIT: What do you expect when the HIPAA audits start up this fall?

McMillan: There are going to be two phases to it. The first will be a survey that goes out to X number of facilities, then they're going to select 400 covered entities and 400 business associates and conduct desk audits. It will be similar to the Meaningful Use audits. They're only going to select those for compliance reviews from those who have issues in the documentation from the desk audits.

FHIT: Do organizations have to prepare differently in any way?

McMillan: No, because the documentation they'll be requesting will be what they were requesting in the previous audits. They're going to want to see your risk assessment, certain policies and procedures, they'll want to see documentation of procedures around breaches, things you should have been documenting as part of the HIPAA compliance program.

FHIT: Do you see changes coming to HIPAA? Will Florida's new breach notification law, which you recently wrote about in a commentary for InformationWeek, influence change at the national level or among other states?

McMillan: I'm more concerned about that Florida law impacting state legislation rather than federal law, but there's already discussion around the need to revise HIPAA. There are folks in the security community--the FBI, DHS--who are looking at the threats to healthcare and saying that HIPAA was never designed to be a complete security standard, so we're not confident it's completely adequate anymore to protect healthcare IT systems effectively. Other folks are looking at other aspects of it, on the privacy side, just in terms of being able to implement it effectively--either the environment has changed since the rule was written or the rule didn't fully take into consideration the operational impact.

But you can't change HIPAA without an official process. It's not a simple thing to change it, so I don't think they're going to change it randomly.

However, I do think that between the California laws, the new Florida law--which in some cases is more difficult than the California laws--the fact that states like Minnesota are considering adopting similar laws, the law in Massachusetts and the law that Texas passed last year, there's a groundswell of discussion around the fact that healthcare is being bombarded with regulations.

Now the providers and business associates are starting to feel the impact. They're joining the discussion, saying, "Why do we have all these disparate requirements? Why can't we have just one standard?" I think that's a legitimate question.

FHIT: I can see where trying to comply with HIPAA and this state law at the same time could be pretty overwhelming.

McMillan: It is. What is the state attorney general going to do with this? You have to wonder, is it the government's plan to let the states enact more strenuous laws and let the states do the policing? Or is the federal government eventually going to weigh in?

If you're looking at a healthcare entity that does work in a single state, it's challenging, but it's manageable to have a federal regulation and a state regulation. But if you're looking at a healthcare entity or business associate that does business in multiple states, think of all the different laws they have to manage. It's getting pretty messy with all that people are having to manage.

FHIT: Do you expect any major change to that in, say, the next year?

McMillan: Not in the next year. I think you're going to have to see enough of a groundswell to get Congress involved to put pressure on HHS to do anything. And I don't think HHS is going to be in a position to do anything because [of leadership changes]. The new deputy director for HIPAA isn't even in place yet. I don't expect to see anything new out of OCR in the next year.

There are also changes at the Office of the National Coordinator for Health IT. They have to get new people in place, they have to figure out what the issues are and who they have to work with. And at the end of next year, we'll have elections for president, which means all those people in appointed positions in ONC and OCR will become lame ducks come November 2015.

Editor's note: This interview has been edited for length and clarity.