Lewis Creek Systems, LLC

-- With Apologies to Judy Garland, Harold Arlen, and a Cast of Flying Monkeys -- 

"Auntie Em!  Auntie Em!  There's a twister a-comin'!"  Well, I won't vouch for the accuracy of the quote, but I see some pretty ugly clouds on the horizon.  A few comments from Federal officials, a job posting, and a conversation with someone whose company went through one of the random audits last year, and now I'm concerned.  Is there a HIPAA storm cellar?  You may want one.

I guess I'm not reporting anything new if I take note of the numerous public comments by HHS officials that in the first round of random audits, they found that entities weren't doing much internal auditing of system and network activity to ensure proper use of systems and data by the appropriate people.  It's also nothing new that the folks heading up the HHS Office for Civil Rights have said that enforcing the auditing requirements will be a focus of their work in the coming months.  And I'm sure I'm among thousands of people on the HHS mailing list that in the last week received a notice that HHS OCR was looking to hire people to do HIPAA privacy and security audits.  That's troubling enough.  Those two things mean that if you haven't started to follow up on the HIPAA Security Rule's system monitoring and activity review safeguards, you're leaving yourself open to fines and corrective action plans with a growing workforce dedicated to enforcement, full-time.

But then I had a nice long talk yesterday with someone whose organization was audited by HHS in a random audit last summer.  For five days, the hired guns from KPMG lived in a conference room and collected information.  Asking questions, verifying answers, verifying the verification, almost like automatons, no emotion, no human interaction, really.  The questions they asked were the ones in the HIPAA Audit Protocol (http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html), and that's scary enough, but in many ways the audit was like a SSAE16 (formerly SAS70) SOC2 audit, in that they were looking to see how well the organization sticks to its policies, whatever they are. Out of some 300 employees, one had missed their annual required HIPAA training, because that person was out and couldn't attend despite almost heroic efforts to do so, and the auditors wrote it up as a deficiency.  They backed down after a letter from the organization's lawyer, but the point is, if you have a policy, you had better be sure you're doing what it says you do, or you will have to defend your actions, and that's just plain expensive, time consuming, and unpleasant.

-- If I Only Had a Brain -- 

So, let's take that little nugget of truth and apply that to the internal auditing issue.  Are you starting to feel a little bit of, "Oh, I haven't really been doing enough," in the pit of your stomach?  I know there are plenty of internal auditing policies out there that call for regular reviews, which is what HHS says is necessary, but has everyone been doing those reviews?  I doubt it.  It's among the most time consuming, boring, annoying tasks in security, and everyone hates it.  So, what do you do?

First of all, start doing something and document it.  Schedule regular reviews of access lists.  Schedule a regular random audit of at least one employee's computer use, and one patient's access history.  It doesn't have to be much, but you have to do something and you have to do it on a regular basis, not just when there's a complaint or some other event.  See what your policy calls for, and write the procedures, and then, most importantly, audit your auditing compliance to make sure you're doing what your policies and procedures call for!  What you can show in documentation and what the policies and procedures call for MUST match!  You can have a great auditing policy, and you may have some great audits, but if they don't match, you're going to have some explaining to do.  Ugh.

Here is everyone's homework for this week:  Look up your HIPAA security internal audit policy -- system activity reviews, access reviews,  those kinds of things.  Do you have one?  Do you have any supporting procedures that say how you, in your facility, will do those audits?  If you already have these in writing, start doing them now, and then see how well you can actually do what you're saying you do.  Be prepared to make some adjustments in your procedures so you can have a defensible position if you're audited -- and document everything!

"But I have such tight access controls that it would be nearly impossible for someone to access information improperly!"  Then your audits will be quick and easy verifications. You can't get out of it -- you have to verify.

-- Somewhere Over the Rainbow -- 

(Am I going to be getting into trouble with the copyright lawyers for all these references?)

HIPAA compliance does sometimes feel like it's somewhere over the rainbow, but what is it like back in dusty, old, black-and-white Kansas, Dorothy?  There are actually things you can do to be prepared.  First of all, get to know the HIPAA Audit Protocol.  Go to the Web site, check just the "Security" questions, select the popup to show "all", click the button to "Export to CSV", and open the file in your favorite spreadsheet.  Do some formatting so you can actually read things and use it, add some columns to show your answers, to identify your documentation, and to say what you need to do to improve things.  Go through the questions.  Once you go through this exercise, you will know your weaknesses, and you will see what you need to put time into so you can have good answers when the auditors call you.

You will probably see that you have deficiencies in your auditing activities, procedures, and documentation.  You will then have justification to spend the time you need to on getting your policies and procedures up to snuff and documented, to begin following them, and to make adjustments so your activity matches your policy and procedure.  And make sure everything is properly documented.  

And maybe if you're picked for a random audit it won't feel like the flying monkeys are out to get you.

Jim

As time goes by and we in the compliance community have the opportunity to digest the new rules a bit more and dig deeper into some of the tidbits hidden in the Preamble to the changes, new details will emerge, new understanding will develop, and framework for HIPAA update implementation will emerge.  Here's how it looks so far:

 -- A Framework for Implementing the HIPAA Changes

1) Policies will need to be modified or adopted to deal with the changes to business associates, individual access, breach notification, marketing and fundraising, and lots more.  This will not be a simple job, depending on the complexity of your current policies, and must be executed by September 23, 2013.

2) Your Notice of Privacy Practices will need to be updated to reflect the new patient rights, and may be modified to remove language no longer required pertaining to some marketing activities that now will require an authorization instead.  This also will need to be implemented by September 23, 2013.  Providers will NOT have to mail out a new one to patients, but will need to use it and make it available and properly posted in their offices and on their Web sites.

3) Update your Business Associate Agreements to meet the new standards, and while you're at it, add in beefier protections for breaches, liability and indemnifications, so you don't get caught holding the bag if a BA plays fast and loose with your PHI.  Luckily, the big news is that upon official publication of the new rules on January 25, 2013, they also released updated HIPAA Business Associate Agreement template provisions, available at the same Web address as the old, ancient, obsolete version:     http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html  (Shorter link: http://tinyurl.com/7asm2qj )

Now, just as before, this language is hardly stuff your lawyer would like you to sign as is, but it does identify the elements that must be in a modern BAA meeting the new standards.  Do not adopt it as is, but use it to look at your current template and agreements, identify needed changes, and work with your attorney to implement those changes in a way that is legally correct for you, in your state.

Compliant BAAs under the old rules in place as of January 25, 2013 have until September 23, 2014 to be updated, and this includes "evergreen" contracts that auto-renew without intervention.  Any new or manually renewed contracts must meet the new requirements by September 23, 2013.

4) And then once you implement the new policies, NPP, and BAAs, you'll need to make sure the proper procedures are developed and training takes place so it all works.

 -- Speaking of Business Associates...

I've long spoken of the issues of the proposed rules for Business Associates, providing an example of how the shredding company for a business associate that provides services using PHI on behalf of a covered entity could unwittingly find itself under the regulations of the US Department of Health and Human Services, with significant compliance obligations and penalties for non-compliance.  I spoke of how difficult it would be to educate all the business associates and their subcontractors all the way down the chain to implement the rules fully.

Well, it's even more complicated than that.  Here's a scenario:  You have an official e-mail system that your office uses for all professional communications and you have a policy that says staff should ONLY use that system.  One staffer goes outside of the policy and uses G-mail to send someone in another office some PHI.  Under the new rules?  BAM!  Google is a Business Associate because they have access to your firm's PHI.  Without any notice or intervention, and despite any terms of service they might wish to implement. With that one act, both you and Google are in violation of the HIPAA BA rules, without your or their knowledge.

Needless to say, there are some serious issues that result from this interpretation, and we will just have to see how this shakes out.  Will there be forthcoming guidance that softens the blow?  That doesn't seem likely given the wording in the preamble to the new rules, but it could happen.  Here is a link to a good article by Health IT lawyer John Christiansen discussing this topic and the impacts in some cloud and ISP circumstances:  http://christiansenlaw.net/2013/01/do-the-hitech-rules-really-make-all-healthcare-asps-and-cloud-services-providers-business-associates/  (Or use this short link: http://tinyurl.com/b29f4x2 )  

Isn't HIPAA fun?

 -- And if I've provided you any BAA or policy language in the past...

It probably needs updating.  I'll try to be proactive and let you know, although a lot of policies and agreements have been developed over the last ten years of HIPAA.  If you have questions about yours, please let me know and we can set up a review.  Also, I have four Webinars this week and next, on Breach Notification, E-mail and Texting, the new Final Amendments, and Business Associates -- I'll be including the new rules in all of these.  See my page for more information on these and many more: http://www.lewiscreeksystems.com/upcoming_public_seminars.html 

Please let me know if you have questions -- I'm always happy to help!

Jim

A Happy New Year to all, and here's to having better compliance with HIPAA in the coming months!

New Rules?  What New Rules?

Well, we still have no new regulations yet, and even the head of HHS OCR, the folks making the rules, isn't sure when they'll appear.  I mean, come on, the laws behind these rules, for the most part, went into effect more than two years ago.  The longer the delay goes on, the more I begin to wonder if they'll throw into the "Omnibus Update" a final rule on the new Accounting of Disclosures provisions.  (Yes, the final rule changes are likely to be about as subtle as a bus... or a bull in a china shop...)

The big takeaway from this is it's time for all the HIPAA business associates to face up to the fact that they're going to be covered under the rules, and have already been covered under the law for more than two years, and are subject to enforcement by state attorneys general.  The delay in finalizing the rules has presented an opportunity for these entities to get their compliance houses in order before the clock starts ticking.  When the final rules go into effect, BAs will have only six months to become compliant, and the competition for resources to get the job done will be fierce.  The word from the head of HHS OCR is that BAs need to get ready now, and I would expect vigorous enforcement of the rules once they're enforceable.  Here's a link to an interview with Leon Rodriguez that is very illuminating!  http://www.govhealthit.com/news/ocr-looking-high-level-sensitivity-data-breaches

Another Settlement for a Laptop Breach, With a Small Hospice Agency

Oh, this one really hurts.  Hospice of North Idaho (HONI) uses lots of laptops to provide its services.  One got stolen.  They hadn't done a risk analysis, and they hadn't implemented any mobile device security policies and procedures.  441 patients' information involved.  $50,000 settlement plus corrective action plan.

OK, a few things here:  

1) This is going to cost HONI a LOT more than the $50K settlement, and I'd guess they have NO money to spare at an outfit like this.  This comes right out of their ability to provide services.  Getting into compliance for a relatively straightforward organization like this would have cost a SMALL FRACTION of the costs of the breach and settlement.

2) Note that this is for a breach that's under the threshold of 500 to be reported as a large breach.  Yes, folks, they're looking at the small breaches too, taking names, and finding examples to make.

3) I'm sure you can fill this one in yourself by now, if you've been listening to me...  Do your risk analysis, implement some policies and procedures and encrypt all your mobile devices!  Almost every day another breach is reported involving thousands of patient records on a laptop.  Portable data is a clear, obvious, documented serious risk that is WAY cheaper to protect than recover from a breach thereof.  STOP THE MADNESS!  Do your homework and encrypt your laptops and any mobile health information.  Do it NOW.  No more excuses!

Here's the link to the HHS OCR news release on the settlement, with links to the agreement, and to guidance on how to protect mobile data: http://www.hhs.gov/news/press/2013pres/01/20130102a.html

And About That Guidance On Mobile Device Security...

The nice folks at the Office of the National Coordinator for Health IT have put together a good set of resources that everyone using any portable devices holding Protected Health Information should take a look at!  With all the problems of breaches of mobile devices, this is a welcome addition to the educational arsenal.  Use this to educate yourself, and to help show your bosses why putting in the time and money to protect these devices is such a good idea, and so much less expensive than not doing so.  There are documents, FAQs, videos, and more.  Check it out at http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security

Seminars, Webinars, and Conferences, Oh My!

Hokey Smokes, Bullwinkle, here it is only the fourth of January, and I already have 27 speaking engagements set for 2013!  2012 saw a total of 62 sessions, some from my desk, some across the country -- I'm not sure I can do more and meet client needs at the same time.  But I do cover a variety of topics and issues related to HIPAA.  See the ever-evolving list at http://www.lewiscreeksystems.com/upcoming_public_seminars.html

And On That Note...

Please let me know if you have any questions or need any assistance with HIPAA compliance -- I'm always happy to have a conversation and do my best to get you headed in the right direction.

Thanks!

Jim

Hi All,

 -- The NIST/OCR HIPAA Security Conference -- 

Oh how I wish I had more news to report from the annual NIST/OCR (National Institute of Standards and Technology / US Department of Health and Human Services Office for Civil Rights) HIPAA Security conference down in DC on June 6 and 7.  Presentations from the conference are available at http://csrc.nist.gov/news_events/hiipaa_june2012/presentations.html 

Well, the big news I was hoping to hear more about was the release date for the final rule changes to HIPAA (except Accounting of Disclosures), and the best "official" word, expressed by senior officials at OCR (and by folks informed of the official line over at the big Privacy conference happening almost concurrently in DC) is that the new rules will be out by the "end of the summer", whatever that means.

But while that's the official word, the remarks by Leon Rodriguez, the head of HHS OCR, were slightly different, and if anyone's slightly different words should be considered, it's the head guy's.  Rodriguez used phrasing like, "I wish I could give you a date, but it's very, very, very soon."  Now, in my family, when you repeat something three times, you really mean it.  Leon's not one of our kids, but if he's the top guy at OCR, the nuances of his speech can't be ignored.  I still think it will be out soon -- what do you bet, just in time for the 4th of July holiday -- wouldn't that be just like them...  But I'll probably be wrong again.

Another choice tidbit is that the folks who are implementing the incentive funding for EHRs are planning to audit the meaningful use attestation of, hold on for this, 10% of all entities receiving funding.  Yikes!  10%??  That's a LOT of audits, and I know there are some who are doing a skimpy job on meeting Objective 15 (requiring a HIPAA Security Risk Analysis) who will get snagged.  My advice (and it's not legal advice because I'm not a lawyer and I don't play one on TV) is to make sure you have a real risk analysis done, one that you can point to and show you've been paying attention to.  10%??  Wow.  Hey, a real risk analysis is the smartest thing you can do anyway.

Other items from the conference:  
 -- Breaches caused by lost, stolen, or improperly disposed of PHI are holding steady at about 2/3 of all breaches; about half of all breaches could be avoided through proper use of encryption and access controls.  No big news there, just a confirmation of what's been happening for quite some time now.
 -- Breaches by hacking are on the increase.  No question.  Health data IS a rich target, identified by international identity thieves.  The hacking breach at Utah Medicaid led to 700,000 records being exposed and the state CIO's turning in his resignation.  Health information security has recently become a much more serious game.  Less Keystone Cops and more James Bond.  IT staffs will have to adjust, and fast.
 -- Have an incident that might be a breach?  Calm down, stop the damage, and do the research.  It's not a breach until you decide it is, indeed, a breach.  If you decide too soon, without complete evidence, you may wind up notifying incorrectly.  Have a good INCIDENT handling policy and procedure that tells you what to do and how to proceed, and how to get to the point where you say, OK, yes, it is actually a breach, and we have to treat it as such, or not.  You will have both regulatory and technical considerations as to how you call it; don't jump to conclusions.
 -- The Office of the National Coordinator has done a great analysis of smart phone security, available in the sessions listed for June 6, "ONC Mobile Device Project".  Find your devices there and see if you're doing all you can to protect PHI.

 -- The HIPAA Audit Protocol -- 

Of course, there's a lot more to report.  One biggy is that OCR would be publishing its audit protocol for the HIPAA privacy and security compliance audits now taking place, and the protocol was just announced yesterday -- see http://ocrnotifications.hhs.gov/hipaa.html  Take a look, and see how you'd do.  (Don't Panic!)

Now, this audit protocol is just what we've all been waiting for, so we can know how to be prepared for an audit, but I have to admit it is something of a disappointment.  It has 165 questions, most with several sub-questions, and multiple references of comparisons to "established performance criteria" and "specified criteria".  I can write the questions they've written myself, and so can anyone familiar with the regulations, but what are these mysterious "criteria"?  THAT's what we all want to know.

In my cursory review, I've found some questions that don't seem to relate to the regulations they specify.  For instance, one question on §164.308(a)(7)(i), the Contingency Planning standard, is all about identifying preventive measures.  That section of the regulation calls for a response to various disasters, but says absolutely nothing about preventing them.  Preventive measures would be covered under other safeguards.  Very disturbing.

And there is no way to simply download the entire table with all the cell contents showing so you can create your own tool or table and use their questions in a more accessible way.

But it is a great way to see just what kind of documentation you might be asked to produce.  There is plenty of call for explanations and justifications for variations under addressable specifications, so it's clear that full documentation of your compliance decisions is necessary.  It can certainly be overwhelming to look at the level of detail they're asking about.

Overall, on first review, what a let down, but we'll all have to work with it as best we can.  It IS the protocol currently.  At least it will be good for scaring the heck out of clients, CEOs, CFOs...

 -- $1.7 million Settlement with Alaska Medicaid -- 

Lest you think the folks at HHS OCR have been too busy with audits and conferences to engage in good ol' enforcement, just take a look at the latest installment of OCR's fun game, "Let's go make HIPAA enforcement examples of every kind of entity there is!".  A USB drive with PHI was stolen; investigation found inadequate policies and procedures, no risk analysis, incomplete security training, lack of device and media controls, not addressing encryption, and overall insufficient risk management measures.  This time?  A state Medicaid agency, and the press release ( http://www.hhs.gov/news/press/2012pres/06/20120626a.html ) makes it clear that state agencies are not exempt from HIPAA.  The toll?  A $1.7 million settlement, a corrective action plan, and monitoring.  The message?  There are no sacred cows in HIPAA compliance any more, not even up in Alaska.  See the HHS OCR page on the settlement agreement at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/alaska-agreement.html 

 -- California Releases HIPAA Security Toolkit for Small Entities -- 

Well, I really don't know how I stand on this one.  It's an online toolkit provided by the state of California that anyone can use for looking at their HIPAA security compliance, designed for physician offices and smaller entities.  It consists of data collection and risk analysis portions.  The questionnaire part I like a great deal and is a great way to dive into HIPAA compliance for a smaller organization.  

Where I do have issues is with their interpretation of how to take the information collected and turn it into a risk analysis.  Their approach is very much oriented toward assigning dollar values to various security events using Annual Loss Expectancy to come up with a way to decide about what actions to take based on financial terms.  But much of information security doesn't work based on ALEs and other mathematical approaches -- too many of the risks are too unpredictable and changing too fast for the rigorous methods to be of real value.  And I can't imagine a small office suffering through this process when there are less formal, easier to use methods that just plain work better.

Now, keep in mind that the questionnaire in the California toolkit is nowhere near as detailed as the one in the NIST HIPAA Security Rule Toolkit, and unlike the NIST toolkit it is designed to feed into a risk analysis, so a direct comparison between the two toolkits is difficult, but the questions are useful for making sure the issues are considered.  However I think if this tool is used without guidance it could be very dangerous, because it can be too easy to say you have safeguards in place when in fact they may be insufficient.  If you say you have safeguards, it won't show up as a risk issue in the risk analysis, but if the safeguards are actually insufficient based on a qualified review, the risk analysis is faulty.

So, appreciate it, use it with caution, and be prepared to run screaming from the Risk Analysis portion as though your hair were on fire.  The user guide with complete instructions is available at https://www.ohii.ca.gov/securitytool/downloads/CalOHII_HSR_User_Guide.pdf and the toolkit is accessed at: https://www.ohii.ca.gov/securitytool/compliance/login.aspx 

 -- And in conclusion... -- 

I used to have to make up stories about HIPAA compliance issues and security issues and breaches and penalties, but no more.  It seems there's another example of what not to do with PHI in the press every day.  HHS OCR is doing all the explaining now and we'd best pay attention or be prepared to pay the price.

Jim

Hi All,

First of all, for all the expected dates for final regulations I gave you in my last missive, add 90-120 days.  The HHS calendar is already out of date, as items expected for release shortly have not even made it to OMB for final review, which can take a few months.  So, breathe deeply, and relax -- stay the course and keep moving toward what will likely be required in the regulations.  Eventually they'll see the light of day.

Well, even if we don't have finalize HIPAA changes from HHS, we do have new proposed Stage 2 Meaningful Use regulations, and those beef up the security requirements by specifically bringing attention to the encryption of data at rest and the use of secure messaging with patients by eligible professionals (EPs) but, curiously, not by hospitals and Critical Access Hospitals (CAHs).

In 42 CFR §495.6(j)(16) (for EPs) and (l)(15) (for hospitals and CAHs) the existing Stage 1 measures calling for a HIPAA Security Rule risk analysis would have added to them a new phrase, "including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312 (a)(2)(iv) and 45 CFR 164.306(d)(3)" which means you really have to seriously look at encrypting portable devices holding data at rest.  The preamble specifically calls out the issue of breaches of data held on portable devices as the reason for the change.  It doesn't really change what you should be doing anyway, but does put some teeth into the notion that it's really time to lock down portable data.

In 42 CFR §495.6(j)(17) a new objective for eligible professionals is to use secure electronic messaging with at least 10% of patients.  Again, the preamble points out the necessity of security, here to get the trust of patients and get them involved in better communication with their providers.  But I'm a little puzzled as to why a requirement like this wasn't also put in for hospitals and CAHs, because they communicate with patients too, you know.  The mysteries of the regulatory process...

So what does all this mean?  Nothing much has changed, except that the emphasis on securing data at rest and in transit is growing, which shouldn't be a surprise to anyone -- they're only proposing regulations to deal with the clear problems revealed by breach notification.

The proposed regulation is at http://www.ofr.gov/OFRUpload/OFRData/2012-04443_PI.pdf for now, and will be published in the Federal Register shortly.  The CMS fact sheet page is at: https://www.cms.gov/apps/media/press/factsheet.asp?Counter=4286&intNumPerPage=10&checkDate=&checkKey=&srchType=1&numDays=3500&srchOpt=0&srchData=&keywordType=All&chkNewsType=6&intPage=&showAll=&pYear=&year=&desc=&cboOrder=date (or http://tinyurl.com/6rvrjex ).  I have extracted the relevant language from the NPRM and posted it here: http://www.lewiscreeksystems.com/proposed_mu_stage_2_regs.pdf

Enjoy!

Jim