From time to time I'll send my clients and interested others an e-mail update on new or pending regulatory actions and news related to healthcare information privacy and security. I'll also post them here for others to read. If you'd like to be on the e-mail list, please contact me, or, subscribe to the RSS feed. Please remember, I am not a lawyer and this is not legal advice, it is only information and resources, and personal opinions. Thanks!
– No Magic Bullet for Compliance? –
Goodness – I haven’t written one of these since last February, and I guess that’s partly because I’ve been busy, but also partly because the world keeps changing and the issues along with it. In the meantime, HIPAA compliance doesn’t go away, and the threats keep on coming. I haven’t seen a magic HIPAA compliance bullet yet, but there are some things you can do to help reduce your compliance exposure, even if they may not be something you can accomplish right away.
Using a highly integrated, cloud-based infrastructure for your medical records system is one thing I’ve seen that helps eliminate points of risk, so long as it is implemented correctly and includes sufficient protections for continued operations when connectivity goes out. Having all the access, management, and communication of your PHI take place within a system that keeps persistent data off of remote devices and simplifies operation (which prevents issues) avoids many of the security weaknesses that plague modern health IT. Not only that, but by essentially outsourcing a good portion of your backup and restoration operations, you are releasing time that can be used for other essential activities, such as new projects and government mandates, and good old security monitoring.
Of course, you want to be sure any contracts provide for access to patient records no matter what contract disputes arise (which would be necessary to meet Privacy Rule requirements for Business Associate contracts), do your due diligence with the vendor, and speak with your peers using the same system to find out about the gotchas before they getcha.
– Speaking of Monitoring… –
Probably one of the most painful and widespread issues I see as I visit health care organizations from Maine to California, from Florida to Alaska, is that organizations have not done what’s necessary to audit and review the access and use of PHI in their systems.
The Privacy Rule still has its basic Minimum Necessary foundation in place, and entities have an obligation to make sure only the right access is taking place. The Security Rule calls for both the technical ability to track accesses of electronic information, and the administrative process to regularly review access lists and logs to determine if policies are being followed.
One of the top security-related issues identified in the post mortem of the 2012 HIPAA Audit Program is that these internal audits and reviews have not been taking place. Why? Because they are a pain to do, and require not just an IT review, but some kind of evaluation of the access that has taken place to see if it is appropriate or not, and it may not be easy to determine without the involvement of overworked managers for whom HIPAA compliance is a burr in the saddle.
And it’s not going to be getting any easier soon. One of the recommendations from the team that examined how to implement the HITECH Act changes required for Accounting of Disclosures is to modify the Security Rule and enhance requirements for the ability to record details of who accessed what information and when, so that more accurate Accountings can be provided and auditing ability is enhanced. Here is a link to a great set of slides from the team about Accounting of Disclosures and the latest proposals (provided in my last newsletter as well): http://www.healthit.gov/FACAS/sites/faca/files/HITPC_PSTT_Accounting%20of%20Disclosures_FINAL_12042013.pdf
So how do you look at access of records? In a small organization it may be reasonable to look at a week’s worth of access logs for all users and see if there is any unreasonable access. If you don’t find any problems, look again in a few months, and if you’re lucky, you can just keep checking on a quarterly or semi-annual basis. If you do find problems, you need to deal with the issues and keep a tight focus on the issues until you’re sure they’re resolved.
For a larger organization, take some samples of staff and some samples of patients over a period of time, to see if all the accesses look right. If you take a good sample you won’t annoy everyone on staff at once, and if you don’t see any issues, you’re in pretty good shape, just keep checking periodically. But if you do find issues, you need to look deeper and wider until you feel you have a handle on it.
And this is important why? Because this is a well-identified issue from prior audits and it will likely be a target question once they get those HIPAA Audits rolling again. Of course, this also is tied to doing regular security audits to ensure your systems haven’t been hacked, and what it all really points to is a need to establish your Information Security Management Calendar that schedules your regular reviews and audits so that you can show what you have done and what you are planning to do, if you are asked any questions about it.
– And what about those HIPAA Audits? –
So, will they ever reappear? They’ve been discussed and hyped and planned for, and now, guess what? We’re waiting for HHS to finish the Web portal that will be used for exchanging information in the new audit process. Yes, the very same HHS that has such a good reputation for quality, timeliness, and security in its Web sites (OK, I really can’t kid about this) hasn’t been able to finish the portal, so the whole HIPAA Audit process is on hold.
The good news is that you have more time to deal with other top issues before they start up again, Real Soon Now (that’s a term from the software development world). You might take a look at another access-related issue, access of patient information by individuals, family, and representatives, and the handling of denials of access, which is identified as a top Privacy compliance issue in the 2012 Audits.
– Patient Access, that’s simple, right? –
Apparently not so much. This is an area that trips up many providers and is one of the areas of most frequently asked questions that I get. You probably have some policies about providing access and how you handle denying access that were put in place in 2003 and haven’t been looked at since then. Go dig them out and see what they say. They at least need to be updated for the Omnibus updates of 2013.
A few pointers: If someone wants a copy of their records including the records received from another provider that you used to make decisions about the individual, you need to provide all of that. Individuals have a right to know what you were looking at when you made decisions about their care, with a few exceptions, such as for psychotherapy notes, disclosures that could cause harm to the individual or others, or disclosures that would reveal the source of information given in confidence (not from another provider).
Note that individuals now have the right to access their laboratory test results directly from the laboratories, as well as new rights to get electronic copies of information held electronically. Also, there is no longer an automatic extra 30-day allowance for provision of records held offsite. In addition, changes to the Privacy Rule allow personal representatives and family members the same access to a deceased patient’s PHI they had prior to death, to help preserve continuity of communication and care for the family.
But more importantly, make sure you have the proper processes in place for making acceptance or denial decisions for requests for access, and for having the proper denial appeal process in place for the denials that may be appealed. I won’t go into all the details here, because there are many, but suffice it to say that improper handling of access requests and denials has been identified as a 2012 Audit issue, so you would be well advised to make sure you have the proper policies in place and people know what they are. We are dealing with one of the foremost rights of individuals under HIPAA and one that people complain about when they feel their rights have not been satisfied. Mishandle requests for access at your peril.
And I haven’t even discussed patient access and communication using e-mail and texting, which could take a few paragraphs more than you can stand to read right now.
Here are some links to recent (since my last newsletter) guidance on access issues:
• Guidance on mental health information and circumstances the Privacy Rule permits health care providers to communicate with patients' family members and others to enhance treatment and assure safety: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/mhguidance.html
• Guidance clarifying that same-sex spouses have the same HIPAA rights as other family members, no matter where services are provided: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/samesexmarriage/index.html
– But don’t worry, I’m never far away –
There is so much to consider under HIPAA these days, and the issues will only be growing. I cover a lot of what you need to know in my Webinars and seminars. Come see me next week (October 30 and 31) in Raleigh, NC for one of my highly acclaimed two-day soup-to-nuts in-person sessions, or any of my upcoming sessions. Here’s the latest in my schedule: http://www.lewiscreeksystems.com/upcoming_public_seminars.html or http://tinyurl.com/a5gplbr
— Talk About Busy —
Well, as anyone in HIPAA compliance will tell you, it has been a very busy period since my last missive, way back in May, no less. The Omnibus compliance deadline of September 23 has come and gone, and the sun still comes up in the morning, well usually, anyway, unless it’s obscured by the latest winter storm. But the good thing is that the sense of panic is giving out, being replaced by an increase of interest in just plain getting down to work and slaying the HIPAA dragon. And the good thing for me about this latest winter storm is that it has disrupted my travel plans and allowed me to actually take a few moments to compose an Occasional Client Update Newsletter. And there is most certainly plenty to talk about! I won’t cover everything that’s happened since last May — you can see all that on my News page, at http://www.lewiscreeksystems.com/privacy_security_and_compli.html — but here are some important highlights.
— Accounting of Disclosures Rears Its Ugly Head —
Well, I think I was a little critical in my prior discussions of the proposed new Accounting of Disclosures rule, and I guess I wasn’t the only one. The proposed rule has been stopped in its tracks, and in the meantime, HHS gathered a US Department of Health and Human Services Office of the National Coordinator for Health IT Health IT Policy Committee Privacy and Security Tiger Team (the USDHHS-ONCHIT-HITPC-PSTT?) that released a report with its recommendations on the topic, available as a PDF of slides, at http://www.healthit.gov/FACAS/sites/faca/files/HITPC_PSTT_Accounting%20of%20Disclosures_FINAL_12042013.pdf or http://tinyurl.com/lhym4qh
The recommendations call for a staged implementation relying on available technologies, with pilot projects, an accounting of disclosures outside the organization from certified EHRs as the first step, a new right to request an investigation of internal access, and recommendations to expand the Security Rule to call for more detailed ability to log access for auditing. Simplifying the question of how to distinguish between uses or disclosures at hospitals by community physicians (in the hospital or from their office), the proposal calls for all such accesses to be treated as disclosures. Compared with the proposed rule, the recommendations are more reasonable, more implementable, and more likely to satisfy the desires of patients.
My guess, and we all know how incredibly accurate my guesses are (not!), is that these recommendations will come out as an Interim Final Rule this year at some point, so be ready to hear about it, but don’t panic, as it shouldn’t be too bad. (Famous last words…)
— New Changes for Lab Access —
OK, so who here thinks it’s a good idea for patients to get their lab results without any consultation or interpretation from their doctor? Not many hands going up… But who here thinks a patient should have a right to have direct access to the information so they can develop their own personal health record? More hands up, I’d suspect.
So, that’s the deal in the new final rule, being published February 6, in effect April 7 and Enforceable October 4, 2014, that allows access of authenticated lab results by authenticated individuals or their authorized representatives under HIPAA. (That’s a lot of “auth…” words in one sentence.) Patients will still be able to get their results, with interpretation and counseling, from their care provider, and providers will still have access to the information for treatment. The change simply allows the individual to ask the lab directly for a copy.
Of course, “simple” is in the eye of the beholder — for the laboratories that must now establish a public-facing operation where there was none before, this is not simple at all, and will require the development of new policies and procedures. And updated Notices of Privacy Practices. As usual, it’s worth taking the time to read through the Preamble for all the insights into HHS thinking.
— Proposed Changes for Reporting to Background Check Database —
Along with recommended new rules and new final rules, of course we have a proposed rule, this one to allow freer flow of information from healthcare providers into the National Instant Criminal Background Check System (sounds Orwellian, eh?), permitting certain HIPAA-covered entities to disclose to the NICS the identities of people prohibited by federal law from possessing or receiving a firearm for mental health reasons. HIPAA has ALWAYS had a provision for the disclosure of PHI in the event of a threat to health or safety, but this would clarify what information and how it should be disclosed.
This one is not a final rule, so there is no action to take now, but you should be aware that it may require some modifications to your HIPAA policies once it is finalized. When? Oh dear, I don’t want to guess… Maybe this year? We’ll see. Here’s the proposed rule, so you can see what’s being considered: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/NICS/index.html or http://tinyurl.com/m6xpnwx
— New Settlement for Stolen Data Stick and Lack of Breach Policies —
Have I mentioned before that it is important to encrypt portable devices such as memory sticks? APDerm, a provider with six offices in New Hampshire and Massachusetts found out the hard way by losing one of theirs and not having it encrypted. Breach time! And when you do have a breach, what do you do? You follow your incident management policies and procedures to see if it’s reportable, and follow through on your established process. What’s that you say? You don’t have policies and procedures sufficient to meet the HIPAA Breach Notification Rule requirements? You might be next in line for a $150,000 settlement and a Corrective Action Plan. APDerm apparently didn’t have written down what they should have.
Time now to dust off your Breach Notification policies and procedures and make sure you can do what’s necessary when the time comes. And if you don’t like what you find, check out the NIST Special Publication on Computer Security Incident Management, SP 800-61, Revision 2, at: http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf or http://tinyurl.com/8ouxxsn. In addition, see the September 2012 NIST ITL Bulletin for additional insights and guidance, at: http://csrc.nist.gov/publications/nistbul/itlbul2012_09.pdf or http://tinyurl.com/kx5empm
Oh, and did I mention that the HHS Office of Inspector General wants OCR to get off their butts and get busy with some real audits and enforcement? I just love the title of the report — it says it all: "The Office for Civil Rights Did Not Meet All Federal Requirements in Its Oversight and Enforcement of the Health Insurance Portability and Accountability Act Security Rule." Yes, but what did they really think? See: http://oig.hhs.gov/oas/reports/region4/41105025.pdf or http://tinyurl.com/pj55cnr. Time to get ready for a HIPAA audit, I’d say.
— Speaking of Enforcement, Say Hello to the FTC —
And if that wasn’t enough, now the Federal Trade Commission says that just being a HIPAA Covered Entity doesn’t get you out of obligations under the Deceptive Trade laws that FTC so artfully uses to go after those who allow breaches of personal information. If you say you will protect someone’s personal information and then you don’t, that’s a deceptive practice and the FTC will make your future a gray one if they decide to go after you, which they can, whether HHS is interested or not. I’d guess that as a matter of practice FTC won’t step in if they feel HHS OCR is doing their job, but, well, see the OIG report on OCR in the paragraph above. Here’s a link to a Bloomberg News story on the order: http://www.bna.com/ftc-affirms-data-n17179881620/
— It’s February 4 - do you know where your small breach reports are? —
And finally, don’t forget that we’re in that magical time before March 1, the 60-day window after the end of each year in which you must report all your small breaches (under 500 individuals affected) to HHS, using their Web site, at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/ or http://tinyurl.com/3z3bj4y. Of course, you do have a breach reporting policy and procedure, don’t you? (Is there an echo in here?)
So, Happy HIPAA to all, and let me know if you have any questions. Also, see the latest in my schedule of upcoming seminars and Webinars: http://www.lewiscreeksystems.com/upcoming_public_seminars.html or http://tinyurl.com/a5gplbr. Soon to be added are 2-day HIPAA sessions in Sao Paulo, Brazil (!) and Toronto, Canada in March, as well as other sessions. At least I’m not doing Brazil and Canada in the same week — how would I pack for that?...
-- Enforcement Panic --
OK, so none of us really has much time, what with the summer now upon us and a September 23, 2013 compliance deadline for the new HIPAA rules, but I figured I'd better pass along a few nuggets gleaned from the annual NIST-OCR HIPAA Security Conference, held last week in Washington, DC. With apologies to Douglas Adams and the Hitchhiker's Guide to the Galaxy, DON'T PANIC! In large capital letters.
Leon Rodriguez, head honcho at the HHS Office for Civil Rights arranged to have a nice new violation settlement announced after the end of the first day of the conference, so he'd have plenty to discuss in his opening session on day two. But the real gem in his commentary is not so much about that particular incident, but about their approach to enforcement in general, which is, if you're being a fool and refuse to deal with obvious problems, you're going to get in trouble with OCR. The other side of that is that OCR is not going after organizations that make simple mistakes. If a doctor makes a bad judgement call and passes along information he shouldn't have, nobody's going to jail or getting a penalty. Just that you even seriously considered HIPAA is something that makes them happy. They're not fussy about what kind of encryption you use -- just that you have considered it and are doing ANYTHING puts you in good stead.
Where they get cranky is when you ignore the rules and ignore known issues. Considering the rules and making a bad call is a chance to learn, not cause to be penalized. And for goodness sake, don't let HIPAA get in the way of what you think is reasonable and appropriate. Don't over-think it and unreasonably restrict reasonable disclosures. Rule #1 -- do what the patient wants you to -- "the patient is at the top of the pyramid", and Rule #2 -- there are big exceptions when the health or safety of the patient or others is at risk -- "HIPAA is a valve, not a block."
So, do a risk analysis, consider the clear and obvious issues like laptops and paper records, and update the risk analysis when you change how you do business -- compliance is a process. Folks, I am not making this up -- I am paraphrasing Rodriguez's words, and they echo my longtime advice. Enforcement is not based on one bad decision on one bad day, it's based on the systemic violation of sets of rules.
Oh, and as for that settlement? Be sure you check the security configuration of your servers and systems upon installation and regularly thereafter, and don't leave things vulnerable for months at a time.
-- Cloud Vendors, Conduits, and Persistence of Custody, Oh My! --
Hey, hey, hey, now, enough of the Wizard of Oz references -- that was the last newsletter. (But why are the monkeys still flying around?)
So, there were some important insights into the as-yet-unresolved question of whether Amazon will need to start signing BA Agreements if it wants to continue serving health information clients with its Amazon Web Services products. And, of course, it's not just Amazon, it's any "cloud" vendor handling PHI. The thinking used to be, if it's encrypted and they don't have a key and can't access unencrypted PHI, they're not a BA. Like a landlord relationship -- they're not responsible for your stuff, they're just renting you space and you have to secure it.
But the new rules challenge that notion. The new rules say anyone acting on behalf of a CE that receives, transmits, creates, or maintains PHI is a Business Associate. "Cloud" vendors like "Box" and Verizon are indeed willing to sign BA Agreements and will start siphoning off AWS clients. Will Amazon be able to resist the tide of BAA requests and the inevitable defections to providers that will sign a BAA?
"Persistence of Custody" has emerged as the key phrase. HHS now has this issue under review, and I would expect there to be some kind of official guidance on the topic issued someday, hopefully before it becomes a dead issue. (And if you think I'll hazard a guess as to when, you've got another think coming!) The thinking is, if there is persistent custody of PHI, a BA is warranted, even if the PHI is encrypted.
There is a very limited exception for Conduits, such as the postal service, FedEx, or an ISP that simply provides transmission capability. In the Conduit model, there is no persistence of PHI -- it's passed off and no longer in the courier's hands. But that's not so clear when it comes to electronic delivery. Often a copy remains and can remain on backups indefinitely. A conduit is a pipe, not an opaque bucket.
And don't forget security includes availability as well as confidentiality and integrity, so if your cloud vendor is responsible for ensuring good backups of essential health information and resilience in the face of disasters or "events", they're performing an essential service for your security compliance, helping to preserve your data, so they really should be under some kind of a BA agreement anyway. They would, indeed, clearly, be responsible for aspects of the "maintenance" of your PHI. Sounds like a BA to me.
-- And the Compliance Issue of the Day Is... --
Well, it could be laptops and portable data, since those breaches are still being reported almost daily, but that would be too easy. Let's take a lesson from the kind folks at OCR who were nice enough to do their latest enforcement thing on Idaho State University and not you, so you can learn from their mistakes. What happened there? Nobody checked to make sure some servers were properly secured upon installation and regularly thereafter, and an insecure server allowed uncontrolled access to more than 17K patient records for nearly a year.
The lesson? Make sure your technical people follow good practices whenever new equipment and systems are installed, and have a security check done regularly -- there are even tools that can do a lot of this for you if you just set them up right. Let's all say the words together now, it's just eight syllables, "reg-u-lar tech-ni-cal re-views." I'd put money on the audits that start in October having some questions on this topic, so get started now with some good, regular, documented practices that can go a long way toward protecting you from breaches.
-- Your Mantra Is, Repeat After Me... --
Risk Analysis, Encryption, and Regular Reviews. Like the nice Mr. Rodriguez says, compliance is a process. Risk Analysis, Encryption, and Regular Reviews. If you can document these and keep them up to date, you're on top of the biggest issues on OCR's radar. Risk Analysis, Encryption, and Regular Reviews. No time like right now...
So please let me know if you have any questions, and do check my news, resources, and upcoming training sessions sections on www.lewiscreeksystems.com -- I have lots of training sessions scheduled, including two more intensive two-day HIPAA training sessions, now set for Chicago August 29 and 30, and Phoenix October 24 and 24.
-- With Apologies to Judy Garland, Harold Arlen, and a Cast of Flying Monkeys --
"Auntie Em! Auntie Em! There's a twister a-comin'!" Well, I won't vouch for the accuracy of the quote, but I see some pretty ugly clouds on the horizon. A few comments from Federal officials, a job posting, and a conversation with someone whose company went through one of the random audits last year, and now I'm concerned. Is there a HIPAA storm cellar? You may want one.
I guess I'm not reporting anything new if I take note of the numerous public comments by HHS officials that in the first round of random audits, they found that entities weren't doing much internal auditing of system and network activity to ensure proper use of systems and data by the appropriate people. It's also nothing new that the folks heading up the HHS Office for Civil Rights have said that enforcing the auditing requirements will be a focus of their work in the coming months. And I'm sure I'm among thousands of people on the HHS mailing list that in the last week received a notice that HHS OCR was looking to hire people to do HIPAA privacy and security audits. That's troubling enough. Those two things mean that if you haven't started to follow up on the HIPAA Security Rule's system monitoring and activity review safeguards, you're leaving yourself open to fines and corrective action plans with a growing workforce dedicated to enforcement, full-time.
But then I had a nice long talk yesterday with someone whose organization was audited by HHS in a random audit last summer. For five days, the hired guns from KPMG lived in a conference room and collected information. Asking questions, verifying answers, verifying the verification, almost like automatons, no emotion, no human interaction, really. The questions they asked were the ones in the HIPAA Audit Protocol (http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html), and that's scary enough, but in many ways the audit was like an SSAE16 (formerly SAS70) SOC2 audit, in that they were looking to see how well the organization sticks to its policies, whatever they are. Out of some 300 employees, one had missed their annual required HIPAA training, because that person was out and couldn't attend despite almost heroic efforts to do so, and the auditors wrote it up as a deficiency. They backed down after a letter from the organization's lawyer, but the point is, if you have a policy, you had better be sure you're doing what it says you do, or you will have to defend your actions, and that's just plain expensive, time consuming, and unpleasant.
-- If I Only Had a Brain --
So, let's take that little nugget of truth and apply that to the internal auditing issue. Are you starting to feel a little bit of, "Oh, I haven't really been doing enough," in the pit of your stomach? I know there are plenty of internal auditing policies out there that call for regular reviews, which is what HHS says is necessary, but has everyone been doing those reviews? I doubt it. It's among the most time consuming, boring, annoying tasks in security, and everyone hates it. So, what do you do?
First of all, start doing something and document it. Schedule regular reviews of access lists. Schedule a regular random audit of at least one employee's computer use, and one patient's access history. It doesn't have to be much, but you have to do something and you have to do it on a regular basis, not just when there's a complaint or some other event. See what your policy calls for, and write the procedures, and then, most importantly, audit your auditing compliance to make sure you're doing what your policies and procedures call for! What you can show in documentation and what the policies and procedures call for MUST match! You can have a great auditing policy, and you may have some great audits, but if they don't match, you're going to have some explaining to do. Ugh.
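Here is what that "do something and document it" review can look like in practice, covering both the schedule above (one employee's computer use, one patient's access history) and the earlier note about reviewing a week of access logs for all users in a small organization or sampling staff and patients in a larger one. This is an added example written for this page, not the newsletter's own material or any vendor's tool. The access log format, the user and patient identifiers, and the encounter table that says which patients each user had a documented reason to work with are all constructed here for illustration; a real review would pull the same two inputs from the EHR's audit trail and its encounter or schedule data.

```python
import random
from datetime import datetime

# Constructed sample EHR access log (made up for this example, not from the
# newsletter or any real system): one line per chart access.
ACCESS_LOG = """\
2014-10-20T09:12:03 user=rnurse01 patient=P1001 action=view
2014-10-20T09:15:44 user=rnurse01 patient=P1002 action=view
2014-10-20T10:02:10 user=drsmith patient=P1001 action=update
2014-10-20T13:40:21 user=billing7 patient=P1003 action=view
2014-10-20T22:55:09 user=rnurse01 patient=P2045 action=view
2014-10-21T08:05:00 user=drsmith patient=P1003 action=view
2014-10-21T11:30:12 user=frontdesk2 patient=P2045 action=view
"""

# Constructed encounter table: the patients each user had a documented
# treatment, payment or operations reason to work with during the window.
ENCOUNTERS = {
    "rnurse01": {"P1001", "P1002"},
    "drsmith": {"P1001", "P1003"},
    "billing7": {"P1003"},
    "frontdesk2": {"P2045"},
}


def parse_log(text):
    """Turn the key=value log lines into dicts with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        rec = dict(field.split("=", 1) for field in fields)
        rec["ts"] = datetime.fromisoformat(stamp)
        records.append(rec)
    return records


def unexplained_accesses(records, encounters):
    """Accesses where the user had no documented relationship to the patient.

    These are the lines a manager actually has to look at; everything else
    already has an explanation and needs no human time.
    """
    return [r for r in records
            if r["patient"] not in encounters.get(r["user"], set())]


def user_history(records, user):
    """One employee's computer use: every chart that user touched."""
    return [r for r in records if r["user"] == user]


def patient_history(records, patient):
    """One patient's access history: everyone who touched that chart."""
    return [r for r in records if r["patient"] == patient]


def sample_review(records, encounters, n_users, n_patients, seed=0):
    """Larger-organization review: sample some staff and some patients, pull
    their histories, and flag what lacks an explanation.

    The seed goes into the audit file so the same sample can be reproduced
    later if anyone asks how the review was done.
    """
    rng = random.Random(seed)
    users = sorted({r["user"] for r in records})
    patients = sorted({r["patient"] for r in records})
    chosen_users = rng.sample(users, min(n_users, len(users)))
    chosen_patients = rng.sample(patients, min(n_patients, len(patients)))
    subset = []
    for user in chosen_users:
        subset.extend(user_history(records, user))
    for patient in chosen_patients:
        subset.extend(patient_history(records, patient))
    # A record can be reached through both a sampled user and a sampled
    # patient; review it once.
    seen, unique = set(), []
    for r in subset:
        key = (r["ts"], r["user"], r["patient"])
        if key not in seen:
            seen.add(key)
            unique.append(r)
    return {
        "seed": seed,
        "users": chosen_users,
        "patients": chosen_patients,
        "reviewed": len(unique),
        "findings": unexplained_accesses(unique, encounters),
    }


if __name__ == "__main__":
    records = parse_log(ACCESS_LOG)
    # Small organization: look at everything for the period.
    for r in unexplained_accesses(records, ENCOUNTERS):
        print("REVIEW:", r["ts"].isoformat(), r["user"], "->", r["patient"])
    # Larger organization: sample two staff members and two patients.
    print(sample_review(records, ENCOUNTERS, n_users=2, n_patients=2, seed=42))
```

The output of `sample_review` (seed, who was sampled, how many records were reviewed, what was flagged) is exactly the kind of record that needs to go in the audit file, because it is what lets you show that the procedure your policy calls for actually ran on the date it says it ran. In the constructed data, the one line that gets flagged is a night-shift view of a chart the user had no encounter with; that is the line a manager is asked about, not the other six.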
Here is everyone's homework for this week: Look up your HIPAA security internal audit policy -- system activity reviews, access reviews, those kinds of things. Do you have one? Do you have any supporting procedures that say how you, in your facility, will do those audits? If you already have these in writing, start doing them now, and then see how well you can actually do what you're saying you do. Be prepared to make some adjustments in your procedures so you can have a defensible position if you're audited -- and document everything!
"But I have such tight access controls that it would be nearly impossible for someone to access information improperly!" Then your audits will be quick and easy verifications. You can't get out of it -- you have to verify.
-- Somewhere Over the Rainbow --
(Am I going to be getting into trouble with the copyright lawyers for all these references?)
HIPAA compliance does sometimes feel like it's somewhere over the rainbow, but what is it like back in dusty, old, black-and-white Kansas, Dorothy? There are actually things you can do to be prepared. First of all, get to know the HIPAA Audit Protocol. Go to the Web site, check just the "Security" questions, select the popup to show "all", click the button to "Export to CSV", and open the file in your favorite spreadsheet. Do some formatting so you can actually read things and use it, add some columns to show your answers, to identify your documentation, and to say what you need to do to improve things. Go through the questions. Once you go through this exercise, you will know your weaknesses, and you will see what you need to put time into so you can have good answers when the auditors call you.
You will probably see that you have deficiencies in your auditing activities, procedures, and documentation. You will then have justification to spend the time you need to on getting your policies and procedures up to snuff and documented, to begin following them, and to make adjustments so your activity matches your policy and procedure. And make sure everything is properly documented.
And maybe if you're picked for a random audit it won't feel like the flying monkeys are out to get you.
I keep chipping away at the issues related to the new final HIPAA rules (aka HIPAA2), looking for insights into the bottom-line question, "Just what needs to happen to become compliant with the new rules?" I provided a little bit of an outline in my last message, but the issues surrounding the changes to Breach Notification need a little more exploration at this point. In upcoming discussions I'm sure I'll be tackling the scope of the changes to the Privacy Rule, but for the moment I'll fill in a few blanks relating to the Security Rule and Breach Notification.
-- Security and Breach Rule Policies --
For the most part, changes to the Security Rule consist of adding "...and Business Associates..." to many of the sections, and doing so probably won't affect your Information Security Policies. The changes may need to be reflected in your policy on Business Associates if the policy is specific about BA agreement contents and doesn't refer to the HHS regulations identifying required content (or even better, the Web page for that, http://tinyurl.com/7asm2qj ). If the policy does refer to the regulations, it's probably fine as is.
So, with a little review (make sure you do actually review your policies, please), you'll probably decide your Security policies need little, if any, modification to meet the new rules, except when it comes to Breach Notification. I suspect most policies refer to the old "harm standard" (I know the ones I've supplied in the past did), and those paragraphs will need to be replaced with consideration of the new four-factor risk assessment for probability of disclosure. It's well worth your taking a moment to read through the new definition of a breach, under §164.402, FR page 5695, or page 131 of the PDF version, http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf .
-- How to Evaluate a Breach
The key here is to change your thinking about breach evaluation. Instead of "we don't have to report unless there's harm," the new rules say "we have to report unless there's a defined exception, or unless there's a low probability of compromise." The process to decide whether an incident is a reportable breach is this:
Step 1) Was the data encrypted according to the HHS guidance with strong passwords and are the passwords still secure? If so, not a breach. Document and done. Note that if you did use some kind of encryption but it doesn't meet the official requirements, it may still get you some points to use in step 3.
Step 2) OK, so if it wasn't properly encrypted, does it meet one of the defined exclusions in §164.402's definition of Breach? i) For unintentional, good-faith acquisition or use within the scope of authority and no further use or disclosure, ii) for inadvertent disclosure by someone ordinarily authorized to access the information within the same covered entity, business associate, or organized health care arrangement, or iii) if the disclosed information could not be retained by the unauthorized recipient. If you meet an exclusion, document and done. But do note that the exclusion under ii applies only to the same entity. If you inadvertently fax to another office not part of the same entity, that does NOT qualify for the exclusion. But it may get you points to use in step 3, compared to faxing to the hardware store.
Step 3) Well, it wasn't encrypted according to the guidance, and it doesn't meet an exclusion, so it's a reportable breach, UNLESS you can show a "low probability of compromise" based on a risk assessment considering at least the four factors identified in the regulation. Whereas before it was, "there's a hole, do we have to jump in?" now it's "we're in a hole, how can we dig our way out of it?"
An issue with any one of the Four Factors (didn't they have a Motown hit back in the 60s?) can be enough to raise the risk of a compromise above the "low" level. All four must be well controlled. The factors are, 1) what is the data (nature and extent, and likelihood of identification), 2) to whom was the disclosure made, 3) was the information actually acquired or viewed, and 4) have the risks been mitigated.
-- How Can You Implement This?
I'd recommend your policy point to the regulation (45 CFR §164.400 et seq.), and you implement procedures to support the policy that will take you through the Three Steps and the Four Factors (is this becoming a battle of the bands?)
Let's run through a quick set of examples: Let's say someone in your office faxes some health information to another office within your covered entity, but it is not the intended office. Well, it's on the fax machine, so it's not secured, so go to step 2. In this case, it meets the exception under ii, so it's not a reportable breach. Document and done.
What if it's faxed to another doctor's office that happens to be a different covered entity from yours? In this case, you have to go to Step 3, and evaluate the Four Factors. Let's say this is information about a dermatology skin patch test that went to the wrong dermatologist, was not actually viewed, and was shredded.
- Factor 1: The data is not sensitive, not extensive, just one simple test result. Sounds OK, not too risky.
- Factor 2: The disclosure was to another doctor's office also under HIPAA rules to protect all PHI no matter the source. Sounds OK there, too.
- Factor 3: Was the information viewed? In this case, let's say the receiving person realized the fax was misdirected and did not look at the pages behind the cover sheet and learned nothing other than that a fax was sent from an office erroneously. In that case, sure, that sounds OK too.
- Factor 4: The fax was shredded and the risk was fully mitigated. Also good news.
In this case, document your analysis, and you'd be justified in coming to a conclusion of there being a "low probability of compromise".
-- Some Variations on the Factors
But how about if, instead of a skin patch test result, it's HIV/AIDS test results? BAM! There goes factor 1. VERY sensitive information. Must report. Likewise if it's a complete record with lots of detail.
Or, how about if it's the hardware store instead of a HIPAA-covered entity that receives the fax? BAM! There goes factor 2. Must report.
Or, if the person receiving the fax discusses the contents with someone in their office? BAM again. Factor 3. Report.
Or, if you don't actually know that the fax was shredded? Factor 4. Report.
Any one of the factors can push your risk assessment above the "low probability of compromise" level.
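To make the three steps and four factors concrete, here is a small decision routine, added as an example and not the author's own procedure, that walks an incident through the process above and runs the fax scenarios just discussed. The field names and the reduction of each factor to a single yes/no are this example's simplifications, not regulatory language.

```python
"""Three-step, four-factor breach evaluation (added example, not the post's code).

Step 1: secured by encryption per HHS guidance (and keys/passwords still secure).
Step 2: one of the three exclusions in the 45 CFR 164.402 definition of breach.
Step 3: four-factor risk assessment; any one poorly controlled factor pushes the
        risk above "low probability of compromise" and the incident is reportable.
Field names and yes/no factor values are assumptions made for this example.
"""
from dataclasses import dataclass, field, replace
from datetime import date
from typing import Dict, List

NOT_A_BREACH_SECURED = "not a breach: PHI secured by encryption, document and done"
NOT_A_BREACH_EXCLUDED = "not a breach: exclusion applies, document and done"
LOW_PROBABILITY = "low probability of compromise: not reportable, document the analysis"
REPORTABLE = "reportable breach"


@dataclass
class Incident:
    description: str
    # Step 1: encrypted consistent with HHS guidance, keys/passwords still secure
    encrypted_per_guidance: bool = False
    keys_still_secure: bool = False
    # Step 2: exclusions i, ii, iii (ii applies only within the SAME CE/BA/OHCA)
    unintentional_good_faith_in_scope: bool = False
    inadvertent_within_same_entity: bool = False
    recipient_could_not_retain: bool = False
    # Step 3: the four factors, each simplified to one question
    data_sensitive_or_extensive: bool = True      # factor 1: nature and extent of the PHI
    recipient_obligated_to_protect: bool = False  # factor 2: who received it
    information_viewed_or_acquired: bool = True   # factor 3: actually acquired or viewed?
    risk_fully_mitigated: bool = False            # factor 4: e.g. confirmed shredded


@dataclass
class Assessment:
    outcome: str
    reason: str
    failed_factors: List[int] = field(default_factory=list)


def evaluate(inc: Incident) -> Assessment:
    # Step 1: properly encrypted PHI is not a breach at all.
    if inc.encrypted_per_guidance and inc.keys_still_secure:
        return Assessment(NOT_A_BREACH_SECURED, "step 1")
    # Step 2: the defined exclusions end the analysis too.
    exclusions = {"i": inc.unintentional_good_faith_in_scope,
                  "ii": inc.inadvertent_within_same_entity,
                  "iii": inc.recipient_could_not_retain}
    for label, met in exclusions.items():
        if met:
            return Assessment(NOT_A_BREACH_EXCLUDED, f"step 2, exclusion {label}")
    # Step 3: every factor must be well controlled; one bad factor is enough to report.
    failed = [n for n, bad in ((1, inc.data_sensitive_or_extensive),
                               (2, not inc.recipient_obligated_to_protect),
                               (3, inc.information_viewed_or_acquired),
                               (4, not inc.risk_fully_mitigated)) if bad]
    if failed:
        return Assessment(REPORTABLE, "step 3, factor(s) " + ", ".join(map(str, failed)), failed)
    return Assessment(LOW_PROBABILITY, "step 3, all four factors well controlled")


def standard_in_effect(on: date) -> str:
    """Which breach standard applies on a date, per the timeline in the post."""
    if on < date(2013, 3, 26):
        return "harm standard"
    if on < date(2013, 9, 23):
        return "either harm standard or four-factor assessment"
    return "four-factor assessment"


def worked_examples() -> Dict[str, Assessment]:
    """The fax scenarios from the post, as constructed inputs."""
    patch_test = Incident("skin patch test faxed to the wrong dermatologist (different CE)",
                          data_sensitive_or_extensive=False, recipient_obligated_to_protect=True,
                          information_viewed_or_acquired=False, risk_fully_mitigated=True)
    return {
        "same_entity_fax": evaluate(Incident("fax to wrong office in our own CE",
                                             inadvertent_within_same_entity=True)),
        "patch_test_other_ce": evaluate(patch_test),
        "hiv_results": evaluate(replace(patch_test, data_sensitive_or_extensive=True)),
        "hardware_store": evaluate(replace(patch_test, recipient_obligated_to_protect=False)),
        "contents_discussed": evaluate(replace(patch_test, information_viewed_or_acquired=True)),
        "shredding_unknown": evaluate(replace(patch_test, risk_fully_mitigated=False)),
        "encrypted_laptop": evaluate(Incident("stolen laptop, full-disk encryption, key secure",
                                              encrypted_per_guidance=True, keys_still_secure=True)),
    }


if __name__ == "__main__":
    for name, result in worked_examples().items():
        print(f"{name:22s} -> {result.outcome} ({result.reason})")
```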
-- So What Does That Leave?
At this point, we've covered what needs to happen for Security and Breach Notification Rule compliance. Do note, though, that the new requirements do not go into effect until March 26, 2013, and are not required to be used until September 23, 2013. Until March 26, you must still use the "harm standard". Between March 26 and September 23 you can use EITHER the old standard, or the new process. After September 23, you must use the new rules.
Next time I'll start digging into some of the many Privacy Rule issues.
And, as always, let me know if you have any questions, and do keep up with my list of upcoming seminars and Webinars at http://www.lewiscreeksystems.com/upcoming_public_seminars.html
As time goes by and we in the compliance community have the opportunity to digest the new rules a bit more and dig deeper into some of the tidbits hidden in the Preamble to the changes, new details will emerge, new understanding will develop, and a framework for HIPAA update implementation will emerge. Here's how it looks so far:
-- A Framework for Implementing the HIPAA Changes
1) Policies will need to be modified or adopted to deal with the changes to business associates, individual access, breach notification, marketing and fundraising, and lots more. This will not be a simple job, depending on the complexity of your current policies, and must be executed by September 23, 2013.
2) Your Notice of Privacy Practices will need to be updated to reflect the new patient rights, and may be modified to remove language no longer required pertaining to some marketing activities that now will require an authorization instead. This also will need to be implemented by September 23, 2013. Providers will NOT have to mail out a new one to patients, but will need to use it and make it available and properly posted in their offices and on their Web sites.
3) Update your Business Associate Agreements to meet the new standards, and while you're at it, add in beefier protections for breaches, liability and indemnifications, so you don't get caught holding the bag if a BA plays fast and loose with your PHI. Luckily, the big news is that upon official publication of the new rules on January 25, 2013, they also released updated HIPAA Business Associate Agreement template provisions, available at the same Web address as the old, ancient, obsolete version: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html (Shorter link: http://tinyurl.com/7asm2qj )
Now, just as before, this language is hardly stuff your lawyer would like you to sign as is, but it does identify the elements that must be in a modern BAA meeting the new standards. Do not adopt it as is, but use it to look at your current template and agreements, identify needed changes, and work with your attorney to implement those changes in a way that is legally correct for you, in your state.
Compliant BAAs under the old rules in place as of January 25, 2013 have until September 23, 2014 to be updated, and this includes "evergreen" contracts that auto-renew without intervention. Any new or manually renewed contracts must meet the new requirements by September 23, 2013.
4) And then once you implement the new policies, NPP, and BAAs, you'll need to make sure the proper procedures are developed and training takes place so it all works.
-- Speaking of Business Associates...
I've long spoken of the issues of the proposed rules for Business Associates, providing an example of how the shredding company for a business associate that provides services using PHI on behalf of a covered entity could unwittingly find itself under the regulations of the US Department of Health and Human Services, with significant compliance obligations and penalties for non-compliance. I spoke of how difficult it would be to educate all the business associates and their subcontractors all the way down the chain to implement the rules fully.
Well, it's even more complicated than that. Here's a scenario: You have an official e-mail system that your office uses for all professional communications and you have a policy that says staff should ONLY use that system. One staffer goes outside of the policy and uses Gmail to send someone in another office some PHI. Under the new rules? BAM! Google is a Business Associate because they have access to your firm's PHI. Without any notice or intervention, and despite any terms of service they might wish to implement. With that one act, both you and Google are in violation of the HIPAA BA rules, without your or their knowledge.
Needless to say, there are some serious issues that result from this interpretation, and we will just have to see how this shakes out. Will there be forthcoming guidance that softens the blow? That doesn't seem likely given the wording in the preamble to the new rules, but it could happen. Here is a link to a good article by Health IT lawyer John Christiansen discussing this topic and the impacts in some cloud and ISP circumstances: http://christiansenlaw.net/2013/01/do-the-hitech-rules-really-make-all-healthcare-asps-and-cloud-services-providers-business-associates/ (Or use this short link: http://tinyurl.com/b29f4x2 )
Isn't HIPAA fun?
-- And if I've provided you any BAA or policy language in the past...
It probably needs updating. I'll try to be proactive and let you know, although a lot of policies and agreements have been developed over the last ten years of HIPAA. If you have questions about yours, please let me know and we can set up a review. Also, I have four Webinars this week and next, on Breach Notification, E-mail and Texting, the new Final Amendments, and Business Associates -- I'll be including the new rules in all of these. See my page for more information on these and many more: http://www.lewiscreeksystems.com/upcoming_public_seminars.html
Please let me know if you have questions -- I'm always happy to help!
Well, the big news is that we've finally been treated to a new final HIPAA rule, issued last Thursday, true to form, just before a holiday weekend, all 563 pages. A great deal is "as proposed" but there are some significant changes and some significant insights provided in the preamble. Here's a link to the pre-publication version https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf The actual date of issue of the official version in the Federal Register will be this Friday, January 25, whereupon the link above may stop working and links to the official version will be announced.
DISCLAIMER! I am not a lawyer and everyone in the HIPAA world is still sorting out all the impacts and changes, and I'd be a fool to think that I know what all the issues are and have everything interpreted correctly at this early stage. This is not a complete analysis, but just a few observations, and I'll have more information as things develop.
So, what's up with the final rule? For the most part, it's being finalized as proposed, but with some significant exceptions. Here are some tidbits.
-- Business Associate Agreement Compliance Timing
The new rule, as proposed, extends the HIPAA regulations to Business Associates, and there are changes in what is required in a Business Associate Agreement to reflect the new status of BAs. The sequence of compliance in HIPAA is usually that the rule is officially Published (as this one will be on Friday the 25th), it goes into effect 60 days later, and is enforceable 6 months after that. The proposed rule said that if your BA agreement was in compliance with the old rules as of the effective date, you'd have 18 months to get your BA Agreement up to snuff, not just 6 months, so you'd have some time, once it was published, to at least nail down what you could under the old requirements and not have to look at it again for 18 months.
Well, surprise, surprise, the final rule says that if your BA agreement is compliant as of the day of publication, not the effective date, you get the extra year to get your agreements updated. You don't get that 60 days before it goes into effect to sign agreements under the old rules and put off revisiting them for 18 months. In other words, you have until this Friday to sign any agreements that are compliant with the old rules and not have to revisit them for 18 months. Starting next week, you'll have to use agreements meeting the new requirements, or you'll have to revise them by September 23, 2013.
I've been recommending that folks include language that meets the new requirements for some time now, so if you have, you may be all set to continue into the future and have until September 24, 2014 to revise all the older ones.
-- Breach Notification: The Harm Standard is Dead, Long Live the Harm Standard
We all knew that there would be some changes in the Harm Standard in Breach Notification because of the controversy around it, and a perceived lack of uniformity in the industry as to how to interpret it. Well, there sure are some changes. The Harm Standard has been unceremoniously dumped, replaced by the notion of a "low probability of compromise" using a risk assessment of each potential breach, considering four factors: what the information was, to whom it was released, whether or not it was actually accessed, used, or disclosed, and how the incident was mitigated. OK, so far so good...
Interestingly, in the Preamble discussion of the new rule, one of the considerations in evaluating the information potentially breached is whether or not its exposure is adverse to the individual or benefits some other person. It sounds like the "adverse to the individual" is a new harm standard, without the icky name. Now, to be sure, you need to look at more than this to see if it's reportable -- any one of the four factors can drive notification. But it does allow some room for consideration of the impact on the individual.
The big impact here is that you do need to establish a process for assessing the risk of every potential breach to see if it is reportable.
One of the best things I noticed in the new rule was in the Preamble discussion having to do with sending information to the wrong provider by mistake. Under the interim rule there was not an exception for inadvertently sending to the wrong HIPAA-covered entity. There still is no exception, but the Preamble discussion did make it clear that you can use a risk assessment considering the four factors to decide that there is not a reportable breach. Just don't make it automatic! You still need to do the risk analysis every time -- you may have situations where it's not something you can except.
-- Some Guidance on Unencrypted E-mail (and Texting?)
One of the new requirements unchanged from that proposed is that if someone wants an electronic copy of their health information that's held electronically, you must provide that. No news there -- it's in the HITECH Act and in the proposed rule, and also in the Meaningful Use requirements for anyone going for incentive funding for their EHR. What is news is the discussion in the preamble about how to transmit that information to the individual. In short, if the individual wants you to e-mail them any PHI, you need to explain that it is not necessarily secure and that the information may be exposed, and ask if they want to do that anyway. If they say, "yes, e-mail me anyway, I understand and accept the risks," then e-mailing PHI is fine. They note that individuals don't necessarily have the savviness to manage decryption processes, and they have a right to ask for their information however they want it (within reason), so e-mailing is fine. Don't forget: DOCUMENT the discussion and agreement to accept the risk.
This logic may also be extended to texting. If the individual says, "text me my test results", and you explain the risks and they say do it anyway, you may. DOCUMENT it.
Note that this does not exempt professional communications! Any professional exchange of PHI over the Internet MUST be encrypted to avoid breaches. The ability to avoid encryption only applies to communication with the individuals. Also, keep in mind that if you're going for incentive funding for your EHR, you need to provide a secure portal for patient access of information, which would minimize the need for e-mailing of PHI anyway.
Also note that I feel it would be foolish to not consider the content of any unencrypted e-mail or texting. I would resist sending unencrypted information of a particularly sensitive nature, or any information that may be covered by more stringent regulations, such as substance abuse or HIV/AIDS information. I think it is important to show that in your discussion to not encrypt that the nature of the information was considered. If you're just wanting to text someone so you can say you're running 10 minutes late for their appointment, that's a low risk situation, and not the same as telling someone their oncology test was positive. Use your judgement and document it!
-- Is That All, Folks?
Not by a long shot. I'm digging deep into this because I have webinars and seminars on HIPAA this week and next and on into the year. Nothing like having to teach someone else to force you to really know your material! I'm sure we'll all be finding little gems as we in the compliance community come to grips with the new rules. Here is the obligatory link to my page of upcoming sessions: http://www.lewiscreeksystems.com/upcoming_public_seminars.html
Please let me know if you have any questions (how could you not... I certainly do!). I'll do my best to sort things out for you, and I'll try to pass along any insights as they occur to me. There is certainly a lot that can be found in 563 pages, to be sure!
A Happy New Year to all, and here's to having better compliance with HIPAA in the coming months!
New Rules? What New Rules?
Well, we still have no new regulations yet, and even the head of HHS OCR, the folks making the rules, isn't sure when they'll appear. I mean, come on, the laws behind these rules, for the most part, went into effect more than two years ago. The longer the delay goes on, the more I begin to wonder if they'll throw into the "Omnibus Update" a final rule on the new Accounting of Disclosures provisions. (Yes, the final rule changes are likely to be about as subtle as a bus... or a bull in a china shop...)
The big takeaway from this is it's time for all the HIPAA business associates to face up to the fact that they're going to be covered under the rules, and have already been covered under the law for more than two years, and are subject to enforcement by state attorneys general. The delay in finalizing the rules has presented an opportunity for these entities to get their compliance houses in order before the clock starts ticking. When the final rules go into effect, BAs will have only six months to become compliant, and the competition for resources to get the job done will be fierce. The word from the head of HHS OCR is that BAs need to get ready now, and I would expect vigorous enforcement of the rules once they're enforceable. Here's a link to an interview with Leon Rodriguez that is very illuminating! http://www.govhealthit.com/news/ocr-looking-high-level-sensitivity-data-breaches
Another Settlement for a Laptop Breach, With a Small Hospice Agency
Oh, this one really hurts. Hospice of North Idaho (HONI) uses lots of laptops to provide its services. One got stolen. They hadn't done a risk analysis, and they hadn't implemented any mobile device security policies and procedures. 441 patients' information involved. $50,000 settlement plus corrective action plan.
OK, a few things here:
1) This is going to cost HONI a LOT more than the $50K settlement, and I'd guess they have NO money to spare at an outfit like this. This comes right out of their ability to provide services. Getting into compliance for a relatively straightforward organization like this would have cost a SMALL FRACTION of the costs of the breach and settlement.
2) Note that this is for a breach that's under the threshold of 500 to be reported as a large breach. Yes, folks, they're looking at the small breaches too, taking names, and finding examples to make.
3) I'm sure you can fill this one in yourself by now, if you've been listening to me... Do your risk analysis, implement some policies and procedures and encrypt all your mobile devices! Almost every day another breach is reported involving thousands of patient records on a laptop. Portable data is a clear, obvious, documented serious risk that is WAY cheaper to protect than recover from a breach thereof. STOP THE MADNESS! Do your homework and encrypt your laptops and any mobile health information. Do it NOW. No more excuses!
Here's the link to the HHS OCR news release on the settlement, with links to the agreement, and to guidance on how to protect mobile data: http://www.hhs.gov/news/press/2013pres/01/20130102a.html
And About That Guidance On Mobile Device Security...
The nice folks at the Office of the National Coordinator for Health IT have put together a good set of resources that everyone using any portable devices holding Protected Health Information should take a look at! With all the problems of breaches of mobile devices, this is a welcome addition to the educational arsenal. Use this to educate yourself, and to help show your bosses why putting in the time and money to protect these devices is such a good idea, and so much less expensive than not doing so. There are documents, FAQs, videos, and more. Check it out at http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security
Seminars, Webinars, and Conferences, Oh My!
Hokey Smokes, Bullwinkle, here it is only the fourth of January, and I already have 27 speaking engagements set for 2013! 2012 saw a total of 62 sessions, some from my desk, some across the country -- I'm not sure I can do more and meet client needs at the same time. But I do cover a variety of topics and issues related to HIPAA. See the ever-evolving list at http://www.lewiscreeksystems.com/upcoming_public_seminars.html
And On That Note...
Please let me know if you have any questions or need any assistance with HIPAA compliance -- I'm always happy to have a conversation and do my best to get you headed in the right direction.
If I keep waiting for the new rules to send a client message out, it may never happen, or so it seems. So here's a summary of the latest goings on in the world of HIPAA.
Final HIPAA Rules Expected Maybe Someday
OK, so it's gotten so bad that I've about given up updating my slides in HIPAA presentations with the latest expected dates for release of the final HIPAA changes in the big Omnibus rule, and now it's clear we'll hear nothing before the election, so we'll see. All of the uncertainty is causing a lot of inaction and stalling a lot of work that really needs to be done to get healthcare down the road to at least the present day, if not the future. When will we see the regs? Someday, maybe, maybe not. Meanwhile, state attorneys general have sued business associates for violations under the HITECH act, even without the regulations in place. So we continue in regulatory limbo -- both the old and new rules apply...
HIPAA Audit Protocol Updated
At some point during September, without announcement, the HIPAA Audit Protocol was updated, improved, and moved to a new web page, leaving the old one still active without any notice that a new version had been published elsewhere. Hey thanks for the heads up! http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html Anyway, it's up from 165 to 169 questions, but the big news is the "Export" button that makes it possible to export the contents to something useful like a spreadsheet, where you can add columns for Item Number (so you can always sort things back to the original order!), unresolved questions, issues to be addressed, supporting documentation, and priority for resolution. Once you do this, you can format the cells so the contents are readable (what a concept!) and use the HIPAA Audit Protocol as a master HIPAA compliance guide and documentation record. Sort of like a simpler, less detailed, lightweight version of the NIST HIPAA Security Rule Toolkit. It's still not perfect, and there are still some wonky questions, but it can actually be used. Let me know if you'd like a copy of the protocol (as published on October 15, 2012) in a formatted .xlsx spreadsheet something like what I described, and I'll e-mail you one.
And the Settlements Go On
Is this starting to sound like a broken record? Organization loses a laptop, HHS OCR investigates, finds no laptop encryption, no real information security management process, no risk analysis, no policies and procedures, or training on using laptops, etc., etc., and a one-point-something million dollar settlement and an expensive Corrective Action Plan are the result. This time it's Mass. Eye and Ear Infirmary (and Mass. Eye and Ear Associates) on the hook, for $1.5 million, plus a nice fat CAP. http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/meei-agreement.html So, do we all get the message yet? Repeat after me: No unencrypted PHI on laptops or portable devices. Otherwise, you are SO looking for trouble.
New Risk Assessment Guide Great for Federal Agencies, Not So for Health Care
Sorry, but the new NIST SP 800-30 Revision 1 is clumsy, fat, overwrought, and just about useless. Use the old one. The new one will make your head hurt. So warned, the new version is available at: http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf, and the old version (recommended) is still available at: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
New Incident Handling Guide Great for Everybody
This new update from NIST is a winner, and there's even an ITL (NIST's Information Technology Laboratory) Bulletin with more discussion and guidance. NIST SP 800-61 Revision 2 is strongly recommended, available at: http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf and the September ITL Bulletin is available at: http://csrc.nist.gov/publications/nistbul/itlbul2012_09.pdf Take note! If you have an incident and HHS investigates, they will want to see your incident management plan and the report from the incident. Get to know SP 800-61 Rev 2 -- it is your friend.
More News and Resources
Yes, there's more -- announcements from Verizon about BAA-quality cloud services, new free privacy training resources from the Office of the National Coordinator, and the beat goes on. See the Lewis Creek Systems site http://www.lewiscreeksystems.com for more.
And Training Sessions
Don't forget to check the Upcoming Public Seminars schedule at http://www.lewiscreeksystems.com/upcoming_public_seminars.html to see what's coming up in person and on the Web. If you need a serious HIPAA hit in the next week, I'm doing an intense 2-day session in DC on October 25 and 26 at the Marriott Courtyard Embassy Row -- see http://www.globalcompliancepanel.com/control/s_product/~product_id=900012SEMINAR
But life is not all HIPAA...
I'm off for a three-day Electric Bass Workout (see http://www.bassworkout.com ) so I can concentrate on something other than HIPAA for a few days. I find I am much more productive and work much better when I take the time out to concentrate on something other than what I concentrate on every day, which is HIPAA. For me, it's music, for some it's fishing or working on their old car or gardening or something, but the message is, you'll be happier and get more work done if you remember to take care of yourself and spend time focusing on your joys. So, if you need to reach me from this afternoon through the weekend, be prepared for a delay -- I'm taking care of some important business.
And as always,
If you have any questions, please let me know, and I'll be happy to do my best, though perhaps not until next week!
-- The NIST/OCR HIPAA Security Conference --
Oh how I wish I had more news to report from the annual NIST/OCR (National Institute of Standards and Technology / US Department of Health and Human Services Office for Civil Rights) HIPAA Security conference down in DC on June 6 and 7. Presentations from the conference are available at http://csrc.nist.gov/news_events/hiipaa_june2012/presentations.html
Well, the big news I was hoping to hear more about was the release date for the final rule changes to HIPAA (except Accounting of Disclosures), and the best "official" word, expressed by senior officials at OCR (and by folks informed of the official line over at the big Privacy conference happening almost concurrently in DC) is that the new rules will be out by the "end of the summer", whatever that means.
But while that's the official word, the remarks by Leon Rodriguez, the head of HHS OCR, were slightly different, and if anyone's slightly different words should be considered, it's the head guy's. Rodriguez used phrasing like, "I wish I could give you a date, but it's very, very, very soon." Now, in my family, when you repeat something three times, you really mean it. Leon's not one of our kids, but if he's the top guy at OCR, the nuances of his speech can't be ignored. I still think it will be out soon -- what do you bet, just in time for the 4th of July holiday -- wouldn't that be just like them... But I'll probably be wrong again.
Another choice tidbit is that the folks who are implementing the incentive funding for EHRs are planning to audit the meaningful use attestation of, hold on for this, 10% of all entities receiving funding. Yikes! 10%?? That's a LOT of audits, and I know there are some who are doing a skimpy job on meeting Objective 15 (requiring a HIPAA Security Risk Analysis) who will get snagged. My advice (and it's not legal advice because I'm not a lawyer and I don't play one on TV) is to make sure you have a real risk analysis done, one that you can point to and show you've been paying attention to. 10%?? Wow. Hey, a real risk analysis is the smartest thing you can do anyway.
Other items from the conference:
-- Breaches caused by lost, stolen, or improperly disposed of PHI are holding steady at about 2/3 of all breaches; about half of all breaches could be avoided through proper use of encryption and access controls. No big news there, just a confirmation of what's been happening for quite some time now.
-- Breaches by hacking are on the increase. No question. Health data IS a rich target, identified by international identity thieves. The hacking breach at Utah Medicaid led to 700,000 records being exposed and to the state CIO turning in his resignation. Health information security has recently become a much more serious game. Less Keystone Cops and more James Bond. IT staffs will have to adjust, and fast.
-- Have an incident that might be a breach? Calm down, stop the damage, and do the research. It's not a breach until you decide it is, indeed, a breach. If you decide too soon, without complete evidence, you may wind up notifying incorrectly. Have a good INCIDENT handling policy and procedure that tells you what to do and how to proceed, and how to get to the point where you say, OK, yes, it is actually a breach, and we have to treat it as such, or not. You will have both regulatory and technical considerations as to how you call it; don't jump to conclusions.
-- The Office of the National Coordinator has done a great analysis of smart phone security, available in the sessions listed for June 6, "ONC Mobile Device Project". Find your devices there and see if you're doing all you can to protect PHI.
-- The HIPAA Audit Protocol --
Of course, there's a lot more to report. One big item is that OCR said it would be publishing its audit protocol for the HIPAA privacy and security compliance audits now taking place, and the protocol was announced just yesterday -- see http://ocrnotifications.hhs.gov/hipaa.html for the announcement. Take a look, and see how you'd do. (Don't Panic!)
Now, this audit protocol is just what we've all been waiting for, so we can know how to be prepared for an audit, but I have to admit it is something of a disappointment. It has 165 questions, most with several sub-questions, and multiple references to comparisons against "established performance criteria" and "specified criteria". I could have written these questions myself, and so could anyone familiar with the regulations, but what are these mysterious "criteria"? THAT's what we all want to know.
In my cursory review, I've found some questions that don't seem to relate to the regulations they specify. For instance, one question on §164.308(a)(7)(i), the Contingency Planning standard, is all about identifying preventive measures. That section of the regulation calls for a response to various disasters, but says absolutely nothing about preventing them. Preventive measures would be covered under other safeguards. Very disturbing.
And there is no way to simply download the entire table with all the cell contents showing so you can create your own tool or table and use their questions in a more accessible way.
But it is a great way to see just what kind of documentation you might be asked to produce. There is plenty of call for explanations and justifications for variations under addressable specifications, so it's clear that full documentation of your compliance decisions is necessary. It can certainly be overwhelming to look at the level of detail they're asking about.
Overall, on first review, what a letdown, but we'll all have to work with it as best we can. It IS the protocol currently. At least it will be good for scaring the heck out of clients, CEOs, CFOs...
-- $1.7 million Settlement with Alaska Medicaid --
Lest you think the folks at HHS OCR have been too busy with audits and conferences to engage in good ol' enforcement, just take a look at the latest installment of OCR's fun game, "Let's go make HIPAA enforcement examples of every kind of entity there is!". A USB drive with PHI was stolen; investigation found inadequate policies and procedures, no risk analysis, incomplete security training, lack of device and media controls, not addressing encryption, and overall insufficient risk management measures. This time? A state Medicaid agency, and the press release ( http://www.hhs.gov/news/press/2012pres/06/20120626a.html ) makes it clear that state agencies are not exempt from HIPAA. The toll? A $1.7 million settlement, a corrective action plan, and monitoring. The message? There are no sacred cows in HIPAA compliance any more, not even up in Alaska. See the HHS OCR page on the settlement agreement at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/alaska-agreement.html
-- California Releases HIPAA Security Toolkit for Small Entities --
Well, I really don't know how I stand on this one. It's an online toolkit provided by the state of California that anyone can use for looking at their HIPAA security compliance, designed for physician offices and smaller entities. It consists of data collection and risk analysis portions. I like the questionnaire part a great deal; it is a great way to dive into HIPAA compliance for a smaller organization.
Where I do have issues is with their interpretation of how to take the information collected and turn it into a risk analysis. Their approach is very much oriented toward assigning dollar values to various security events using Annual Loss Expectancy to come up with a way to decide about what actions to take based on financial terms. But much of information security doesn't work based on ALEs and other mathematical approaches -- too many of the risks are too unpredictable and changing too fast for the rigorous methods to be of real value. And I can't imagine a small office suffering through this process when there are less formal, easier to use methods that just plain work better.
Now, keep in mind that the questionnaire in the California toolkit is nowhere near as detailed as the one in the NIST HIPAA Security Rule Toolkit, and unlike the NIST toolkit it is designed to feed into a risk analysis, so a direct comparison between the two toolkits is difficult, but the questions are useful for making sure the issues are considered. However, I think if this tool is used without guidance it could be very dangerous, because it can be too easy to say you have safeguards in place when in fact they may be insufficient. If you say you have safeguards, the issue won't show up as a risk in the risk analysis, but if the safeguards are actually insufficient based on a qualified review, the risk analysis is faulty.
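To make the two points above concrete, here is a small added example of my own (not the California toolkit's code, nor anything from OHII or NIST) of how an ALE-style risk register works and how a self-reported safeguard can hide a risk. It computes Annual Loss Expectancy as SLE x ARO for a handful of constructed small-practice risks, ranks safeguards by net annual benefit, and then shows the register twice: once trusting the questionnaire answers, and once after a qualified review finds the reported laptop encryption inadequate. All dollar figures, rates and risk names are made up for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    """One line of a small-practice risk register (all figures constructed)."""
    name: str
    sle: float                 # single loss expectancy: dollars lost per occurrence
    aro: float                 # annualized rate of occurrence with no safeguard
    residual_aro: float        # ARO once the safeguard is actually working
    safeguard_cost: float      # annual cost of the safeguard
    safeguard_reported: bool   # questionnaire answer: "yes, we have this safeguard"


def ale(sle: float, aro: float) -> float:
    """Annual Loss Expectancy = SLE x ARO."""
    return sle * aro


def net_benefit(r: Risk) -> float:
    """Annual loss avoided by the safeguard, minus what the safeguard costs."""
    return ale(r.sle, r.aro) - ale(r.sle, r.residual_aro) - r.safeguard_cost


def prioritize_safeguards(risks: List[Risk]) -> List[str]:
    """Safeguard names ordered by net annual benefit, highest first."""
    return [r.name for r in sorted(risks, key=net_benefit, reverse=True)]


def current_ale(r: Risk, review: Optional[Dict[str, bool]]) -> float:
    """ALE the register shows today.

    A reported safeguard is credited (residual ARO used) unless a qualified
    review has marked it inadequate, in which case the full ARO applies.
    """
    credited = r.safeguard_reported and (review is None or review.get(r.name, True))
    return ale(r.sle, r.residual_aro if credited else r.aro)


def risk_register(risks: List[Risk],
                  review: Optional[Dict[str, bool]] = None) -> List[Tuple[str, float]]:
    """(name, ALE) rows sorted by ALE, highest first."""
    rows = [(r.name, current_ale(r, review)) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register for a small physician office.
LAPTOP = "Lost or stolen laptop holding unencrypted PHI"
PAPER = "Improper disposal of paper records"
RANSOMWARE = "Ransomware on the practice server"

RISKS = [
    # Full-disk encryption is *reported* as in place on the questionnaire.
    Risk(LAPTOP, sle=250_000, aro=0.5, residual_aro=0.02,
         safeguard_cost=5_000, safeguard_reported=True),
    Risk(PAPER, sle=40_000, aro=0.25, residual_aro=0.02,
         safeguard_cost=1_500, safeguard_reported=False),
    Risk(RANSOMWARE, sle=120_000, aro=0.1, residual_aro=0.03,
         safeguard_cost=8_000, safeguard_reported=False),
]

# Outcome of a hypothetical qualified review: encryption was only rolled out
# to some laptops, so the reported safeguard does not earn credit.
REVIEW_FINDINGS = {LAPTOP: False}

if __name__ == "__main__":
    print("Safeguards by net annual benefit:", prioritize_safeguards(RISKS))
    print("Register, trusting the questionnaire:")
    for name, value in risk_register(RISKS):
        print(f"  ${value:>10,.0f}  {name}")
    print("Register, after qualified review:")
    for name, value in risk_register(RISKS, REVIEW_FINDINGS):
        print(f"  ${value:>10,.0f}  {name}")
```

Trusting the questionnaire, the laptop risk drops to the bottom of the register at its residual ALE; once the review marks the safeguard inadequate it jumps to the top by an order of magnitude. That is exactly the faulty-analysis outcome described above, and it is worth noticing that nothing in the arithmetic can catch it; only the qualified review does.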
So, appreciate it, use it with caution, and be prepared to run screaming from the Risk Analysis portion as though your hair were on fire. The user guide with complete instructions is available at https://www.ohii.ca.gov/securitytool/downloads/CalOHII_HSR_User_Guide.pdf and the toolkit is accessed at: https://www.ohii.ca.gov/securitytool/compliance/login.aspx
-- And in conclusion... --
I used to have to make up stories about HIPAA compliance issues and security issues and breaches and penalties, but no more. It seems there's another example of what not to do with PHI in the press every day. HHS OCR is doing all the explaining now and we'd best pay attention or be prepared to pay the price.