42 CFR Part 2 Revisited, Ready for the GDPR?, The Future of HIPAA Audits

Well, it’s been more than a year since my last newsletter, and to be sure many of you must have figured your name was lost from the list or something, but no, I’ve just been rather busy over the last year, with so much happening that it’s been hard to figure out where to start.  So I’ll just dive in and cover a few things on my mind and see where we get.

 — 42 CFR Part 2 Revisited — 

Interestingly enough my last newsletter looked at some of the changes being made to 42 CFR Part 2 (concerning substance use disorder treatment information) that finally went into effect in March of 2017, and now here we are with additional changes to 42 CFR Part 2 going into effect, and debate in congress as to how to make further changes to help combat the epidemic of opioid abuse that is destroying our communities.  Patient protections, designed when keeping addiction information secret was the best idea, appear to be contributing to the problems, as treatment for modern addiction calls for integrated, community-based, family-supporting treatment and communications.  

Anyway, the most recent changes are common sense changes to help move 42 CFR Part 2 a bit closer to HIPAA-like controls in some areas.  Under the new final rule, when an individual consents to their substance abuse information being disclosed for payment or health care operations purposes, the recipient may share that Substance Use Disorder (SUD — get used to yet another acronym!) information with their contractors, sub-contractors, and legal representatives as necessary to carry out the payment or health care operations.

Also, previously, only Part 2 programs (generally specialty SUD treatment programs) were permitted to disclose protected substance use disorder information without patient consent for audits and evaluations. Under the new Final Rule, other individuals and entities which have lawfully received Part 2-protected information may also disclose substance use disorder information for the purpose of certain audits and evaluations, and that information may be shared with auditors’ and evaluators’ contractors, sub-contractors, and legal representatives as needed.  The new Final Rule also allows for an abbreviated notice of the prohibition on re-disclosure that will fit better into EHR text fields.

These changes, on top of the 2017 changes allowing consent for disclosures to an individual’s providers in general (with changes allowed to the provider list without having to get a new consent every time), combined with an accounting of disclosures under such consent, make it easier to share information as needed, but it’s still a very sticky process.  The goal will be to make necessary information sharing easier in order to save lives, without destroying patient protections.  Stay tuned — I’d expect action on this topic soon, the way the opioid crisis is getting out of hand.

I’ve posted a set of useful links on my Resources pages, on the Regulations, Standards, and Laws page at http://www.lewiscreeksystems.com/resources_regulations_stand.html .  When you review the links and the information, understand that some of the links go to information prepared in 2017 that does not consider the 2018 changes, so check the dates on pages to be sure you know what you’re looking at.   (Marketing notice: If this is relevant to your operations, I’m doing a Webinar on this topic on April 9 — see the list on my Web site at http://www.lewiscreeksystems.com/upcoming_public_seminars.html .)

As with so much of our lives today, from addiction to personal privacy to gun control to Facebook, that which was taken as immutable must now be re-examined and the lines redrawn in the context of today.  We live in challenging times and we’ll have to grow and change to survive, which is, after all, the essence of life, so let’s embrace the challenge and do the best we can to make sense of it all, for the good of us all.

 — Ready for the GDPR? — 

The what?  Is this a new Federal regulation?  No.  It’s worse.  It’s a European Union regulation that applies to anyone, anywhere who has any personal information of any EU subject.  It doesn’t say what companies should do, it says that all identifiable personal information of EU subjects must be protected by whomever holds it.  It’s focused on the individual’s information, not the businesses that use it.  What a concept!

European rules apply to us??  That’s the story.  If you want to serve any customers who reside in the EU, you need to be in compliance with the GDPR.  In healthcare you can’t decide, “no, I’m not serving anyone from the EU,” you need to take care of whomever presents to you, and for some organizations, particularly near tourist destinations, the likelihood of serving someone from the EU is just about 100%.  NOTE: The care and services provided in the US to someone who is in the US would likely not be covered under the GDPR, but any communication to the EU about the individual would be covered (and the GDPR would cover US residents’ information if they receive services in the EU).  But if you actively market your services to EU residents, they may wind up under the GDPR, if they come to the US to receive services as a result.  Does your head hurt yet?

Violation penalties are based on the global profits of the organization, up to 4% for serious violations (or up to 10 million Euros, whichever is higher), and 2% for technical lack of compliance.  These can obviously be some very big numbers for companies like Microsoft and Google, but even for a small office, it can be a huge hit.

Healthcare is lucky — HIPAA has demanded a lot of the same protections for years now, but the net is cast a bit wider now, including all identifiable information, not just health-related information, and more stringent requirements for encryption for storage and transmission of identifiable personal information.  The Information Flow Analysis process I’ve been using for years for HIPAA Risk Analysis is the required approach — where does the information come from, where is it created, where is it stored, and where does it go to.  You need to have a handle on your data and make sure it is nailed down — that ought to be a familiar concept to you.
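To make the Information Flow Analysis idea concrete, here is an added example (my own illustration, not code from this newsletter or from Lewis Creek Systems) that records each flow of identifiable information as a small inventory entry and then asks the four questions above of every entry: where it comes from, where it is created or stored, where it goes, and whether it is encrypted at each of those points. The flow records, field names (`Flow`, `find_gaps`, `storage_inventory`) and the sample flows are all constructed for the example; the checks it applies are the ones the paragraph names: encryption for storage and transmission of identifiable information, plus a documented opt-in for flows that involve EU residents.

```python
"""Information-flow inventory check for identifiable personal information.

Added example, not part of the original newsletter. Each Flow describes one
path that identifiable information takes through an organization. find_gaps()
reports the conditions an Information Flow Analysis is meant to surface:
identifiable data transmitted or stored without encryption, and flows that
carry EU residents' data without a documented opt-in consent.
All sample data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Flow:
    name: str
    origin: str                  # where the information comes from / is created
    destination: str             # where it goes
    stored_at: str               # where it is stored ("" if never persisted)
    identifiable: bool           # does it identify a person?
    encrypted_in_transit: bool
    encrypted_at_rest: bool
    eu_subjects: bool = False    # does the flow include EU residents' data?
    consent_documented: bool = False  # opt-in consent on file for those subjects?


# Constructed sample inventory for a small clinic (hypothetical systems).
SAMPLE_FLOWS: List[Flow] = [
    Flow("patient intake form", "front desk web form", "EHR", "EHR database",
         identifiable=True, encrypted_in_transit=True, encrypted_at_rest=True),
    Flow("billing export", "EHR", "clearinghouse SFTP", "",
         identifiable=True, encrypted_in_transit=True, encrypted_at_rest=True),
    Flow("appointment reminders", "scheduling system", "SMS gateway", "",
         identifiable=True, encrypted_in_transit=False, encrypted_at_rest=True),
    Flow("visit summary to EU GP", "EHR", "e-mail to EU practice", "mail server archive",
         identifiable=True, encrypted_in_transit=False, encrypted_at_rest=False,
         eu_subjects=True, consent_documented=False),
    # De-identified aggregate data: not identifiable, so no findings expected.
    Flow("aggregate quality stats", "EHR", "quality dashboard", "reporting database",
         identifiable=False, encrypted_in_transit=False, encrypted_at_rest=False),
]

# Each finding is (flow name, finding kind, human-readable detail).
Finding = Tuple[str, str, str]


def find_gaps(flows: List[Flow]) -> List[Finding]:
    """Apply the encryption and consent checks to every identifiable flow."""
    findings: List[Finding] = []
    for f in flows:
        if not f.identifiable:
            continue  # de-identified data: the checks below do not apply
        if not f.encrypted_in_transit:
            findings.append((f.name, "unencrypted_transit",
                             f"{f.origin} -> {f.destination} is not encrypted in transit"))
        if f.stored_at and not f.encrypted_at_rest:
            findings.append((f.name, "unencrypted_rest",
                             f"stored at {f.stored_at} without encryption"))
        if f.eu_subjects and not f.consent_documented:
            findings.append((f.name, "missing_eu_consent",
                             "EU subjects' data without documented opt-in consent"))
    return findings


def storage_inventory(flows: List[Flow]) -> Dict[str, List[str]]:
    """Map every storage location to the identifiable flows that land there.

    This answers 'where is it stored?' and gives the list of systems whose
    encryption and access controls need to be nailed down.
    """
    inventory: Dict[str, List[str]] = {}
    for f in flows:
        if f.identifiable and f.stored_at:
            inventory.setdefault(f.stored_at, []).append(f.name)
    return inventory


if __name__ == "__main__":
    for location, names in storage_inventory(SAMPLE_FLOWS).items():
        print(f"{location}: {', '.join(names)}")
    for name, kind, detail in find_gaps(SAMPLE_FLOWS):
        print(f"[{kind}] {name}: {detail}")
```

Running it lists two storage locations holding identifiable data and four findings, all on the two flows that send identifiable information unencrypted. The value of keeping the inventory as data rather than in someone's head is that the same checks run unchanged every time a flow is added or a system changes, which is exactly the re-examination the GDPR and a HIPAA Risk Analysis both ask for.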

So far, I haven’t said anything too controversial — just open your eyes a bit wider and be a bit more hard-nosed about encrypting everything you can.  But when it comes to Breach Reporting, hold onto your hats.  Breaches of personal information must be reported to the “relevant supervising authority” within 72 hours when feasible.  In addition, opt-ins are required for any uses of the information, so an EU consent will be required from all EU patients.  Oh, and there’s also a “right to be forgotten” that must be dealt with somehow, and rights to correct errors in data.

I’m still getting my arms around the impacts and how to modify and update compliance processes and recommendations, but it’s clear that for many of my clients, compliance with the GDPR is going to be necessary.

Longer term, though, I hope you can see what this means.  Can you separate the information for EU subjects from your non-EU customers?  I didn’t think so.  This will force the de facto standard for treatment of personal information in the US to rise to the EU standard simply because so many organizations will have to comply.  Better security will be expected, will become the standard of care for personal information, even if our government can’t get it together to require it.  Longer term, a consistent approach to the security of personal information globally will be a good idea.  Short term, it’s another uh-oh moment in healthcare, as though we don’t get enough of those already anyway.

So, breathe deeply and don’t panic.  See the EU GDPR Web site to get more details, at: https://www.eugdpr.org and there’s a great summary at http://www.bio-itworld.com/2017/10/10/what-the-eu-general-data-protection-regulation-means-for-you.aspx  

 — The Future of HIPAA Audits — 

So, of course you did read the official announcements from HHS first stating that there would be no on-site audits as part of the Phase 2 2016-2017 Audits, and then that the HIPAA audit program was formally cancelled, didn’t you?  What?  You don’t see the official announcements?  Were there any such announcements?  Well, no.

In keeping with the informal (perhaps wild-west?) nature of government communications these days, a couple of significant changes in the direction of HIPAA enforcement occurred recently when HHS personnel mentioned in unofficial comments that first, the on-site audits that were to be done in 2017 were cancelled, and then more recently, that there would be no further HIPAA audits, and Phase Three of the HIPAA Audit program would be the development of reports on Phases One and Two including recommendations for best practices based on what was learned in those audits.

Once again, don’t you just love how a law can be passed for the government to do something, but implements it only if it feels like it this week?  The HITECH Act in section 13411 calls for periodic audits of HIPAA compliance of covered entities and business associates.  So, I guess the period is now, uh, “never”?  Or once a millennium?  Well, I guess the law doesn’t specify the period, so it’s up to the boss.

So should you just forget about the audits?  No way!  Being prepared for an audit means you are prepared to withstand an enforcement investigation with a minimum of disruption and a maximum of success.  The 2016 HIPAA Audit protocol, stringent as it is, is still a great tool to see if you really have in place everything you need to answer any questions about compliance that come up.  And, of course, should there be a change of administration, there could again be a change of attitude about HIPAA audits.  

If you haven’t yet, copy the HIPAA Audit protocol from the HHS Web site ( https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html ), paste it into an Excel spreadsheet and do some reformatting, and then get busy.  Add some columns for item number, responses, documentation links, remaining issues, and priority, and you have a handy compliance review and management tool.  Or ask me for a copy of mine.

The word is, from these same officials, that enforcement activity is not backing off, just the audits, so you still need to be ready to respond to any inquiries about your compliance.  Recent settlements have been up to multi-millions of dollars, so it’s definitely better for you to do your own auditing, before someone else does.

— A Final Note from my morning news review… — 

A new study shows that patient deaths increase by a measurable amount following a data breach at a hospital.  Money is diverted from patient care to security, people are distracted, things take longer to get done than they should — and thousands of people die as a result.  Is there any better reason to get your security in order before a breach disrupts everything?  Better security = better patient care.  See the article in Becker’s Hospital Review, with a link to the Wall Street Journal article on the topic: https://www.beckershospitalreview.com/cybersecurity/study-hospital-data-breaches-tied-to-thousands-of-additional-patient-deaths.html 

And that ain’t all folks!  Check my News page at http://www.lewiscreeksystems.com/privacy_security_and_compli.html for lots more.

 — Go forth and be HIPAA! — 

I’ll see if I can put out another newsletter issue promptly.  That should be easy, right?  I’ll probably include some good Q&A I’ve gotten, and maybe discussion on two of the biggest areas of concern/difficulty in healthcare security today: texting, and managing access to external Web sites.  Of course, a nasty Ransomware attack can always wipe you out, but texting and managing access to external resources are things that we can devise solutions for, and need to, as the means of communicating in healthcare continue to change.

It’s never too late to improve your compliance, and it’s always a good idea to follow up on any HIPAA-related issues you suspect.  Trust your hunches and go looking for problems if you have any suspicions about the quality of your compliance.  If you don’t check, you’re leaving it up to HHS, or worse, the local TV News team.  Be positive, forward thinking, and enjoy the breaking Spring!

And please let me know if you have any questions.  



              Copyright © 2002-2023 Lewis Creek Systems, LLC  Charlotte, Vermont, USA