HIPAA - Focus but don't over-think it

--  Enforcement Panic  --

OK, so none of us really has much time, what with the summer now upon us and a September 23, 2013 compliance deadline for the new HIPAA rules, but I figured I'd better pass along a few nuggets gleaned from the annual NIST-OCR HIPAA Security Conference, held last week in Washington, DC.  With apologies to Douglas Adams and the Hitchhiker's Guide to the Galaxy, DON'T PANIC!  In large capital letters.

Leon Rodriguez, head honcho at the HHS Office for Civil Rights, arranged to have a nice new violation settlement announced after the end of the first day of the conference, so he'd have plenty to discuss in his opening session on day two.  But the real gem in his commentary is not so much about that particular incident as about their approach to enforcement in general, which is: if you're being a fool and refuse to deal with obvious problems, you're going to get in trouble with OCR.  The other side of that is that OCR is not going after organizations that make simple mistakes.  If a doctor makes a bad judgement call and passes along information he shouldn't have, nobody's going to jail or getting a penalty.  The mere fact that you seriously considered HIPAA is something that makes them happy.  They're not fussy about what kind of encryption you use -- just that you have considered it and are doing ANYTHING puts you in good stead.

Where they get cranky is when you ignore the rules and ignore known issues.  Considering the rules and making a bad call is a chance to learn, not cause to be penalized.  And for goodness' sake, don't let HIPAA get in the way of what you think is reasonable and appropriate.  Don't over-think it and unreasonably restrict reasonable disclosures.  Rule #1 -- do what the patient wants you to -- "the patient is at the top of the pyramid", and Rule #2 -- there are big exceptions when the health or safety of the patient or others is at risk -- "HIPAA is a valve, not a block."

So, do a risk analysis, consider the clear and obvious issues like laptops and paper records, and update the risk analysis when you change how you do business -- compliance is a process.  Folks, I am not making this up -- I am paraphrasing Rodriguez's words, and they echo my longtime advice.  Enforcement is not based on one bad decision on one bad day; it's based on the systemic violation of sets of rules.

Oh, and as for that settlement?  Be sure you check the security configuration of your servers and systems upon installation and regularly thereafter, and don't leave things vulnerable for months at a time.

-- Cloud Vendors, Conduits, and Persistence of Custody, Oh My! --

Hey, hey, hey, now, enough of the Wizard of Oz references -- that was the last newsletter.  (But why are the monkeys still flying around?)

So, there were some important insights into the as-yet-unresolved question of whether Amazon will need to start signing BA Agreements if it wants to continue serving health information clients with its Amazon Web Services products.  And, of course, it's not just Amazon, it's any "cloud" vendor handling PHI.  The thinking used to be, if it's encrypted and they don't have a key and can't access unencrypted PHI, they're not a BA.  Like a landlord relationship -- they're not responsible for your stuff, they're just renting you space and you have to secure it.  

But the new rules challenge that notion.  The new rules say anyone acting on behalf of a CE that receives, transmits, creates, or maintains PHI is a Business Associate.  "Cloud" vendors like "Box" and Verizon are indeed willing to sign BA Agreements and will start siphoning off AWS clients.  Will Amazon be able to resist the tide of BAA requests and the inevitable defections to providers that will sign a BAA?

"Persistence of Custody" has emerged as the key phrase.  HHS now has this issue under review, and I would expect there to be some kind of official guidance on the topic issued someday, hopefully before it becomes a dead issue.  (And if you think I'll hazard a guess as to when, you've got another think coming!)   The thinking is, if there is persistent custody of PHI, a BA is warranted, even if the PHI is encrypted.  

There is a very limited exception for Conduits, such as the postal service, FedEx, or an ISP that simply provides transmission capability.  In the Conduit model, there is no persistence of PHI -- it's passed off and no longer in the courier's hands.  But that's not so clear when it comes to electronic delivery.  Often a copy remains and can remain on backups indefinitely.  A conduit is a pipe, not an opaque bucket.

And don't forget that security includes availability as well as confidentiality and integrity.  So if your cloud vendor is responsible for ensuring good backups of essential health information and resilience in the face of disasters or "events", they're performing an essential service for your security compliance by helping to preserve your data, and they really should be under some kind of a BA agreement anyway.  They would clearly be responsible for aspects of the "maintenance" of your PHI.  Sounds like a BA to me.

-- And the Compliance Issue of the Day Is... --

Well, it could be laptops and portable data, since those breaches are still being reported almost daily, but that would be too easy.  Let's take a lesson from the kind folks at OCR who were nice enough to do their latest enforcement thing on Idaho State University and not you, so you can learn from their mistakes.  What happened there?  Nobody checked to make sure some servers were properly secured upon installation and regularly thereafter, and an insecure server allowed uncontrolled access to more than 17K patient records for nearly a year.  

The lesson?  Make sure your technical people follow good practices whenever new equipment and systems are installed, and have a security check done regularly -- there are even tools that can do a lot of this for you if you just set them up right.  Let's all say the words together now, it's just eight syllables, "reg-u-lar tech-ni-cal re-views."  I'd put money on the audits that start in October having some questions on this topic, so get started now with some good, regular, documented practices that can go a long way toward protecting you from breaches.

-- Your Mantra Is, Repeat After Me... --

Risk Analysis, Encryption, and Regular Reviews.  Like the nice Mr. Rodriguez says, compliance is a process.  Risk Analysis, Encryption, and Regular Reviews.  If you can document these and keep them up to date, you're on top of the biggest issues on OCR's radar.  Risk Analysis, Encryption, and Regular Reviews.  No time like right now...

So please let me know if you have any questions, and do check my news, resources, and upcoming training sessions sections on www.lewiscreeksystems.com -- I have lots of training sessions scheduled, including two more intensive two-day HIPAA training sessions, now set for Chicago August 29 and 30, and Phoenix October 24 and 24.



Copyright © 2002-2023 Lewis Creek Systems, LLC  Charlotte, Vermont, USA