Looks Like HIPAA Compliance Isn’t Getting Any Easier Soon

 – No Magic Bullet for Compliance? – 

Goodness – I haven’t written one of these since last February, and I guess that’s partly because I’ve been busy, but also partly because the world keeps changing and the issues along with it.  In the meantime, HIPAA compliance doesn’t go away, and the threats keep on coming.  I haven’t seen a magic HIPAA compliance bullet yet, but there are some things you can do to help reduce your compliance exposure, even if they may not be something you can accomplish right away.

Using a highly integrated, cloud-based infrastructure for your medical records system is one thing I’ve seen that helps eliminate points of risk, so long as it is implemented correctly and includes sufficient protections for continued operations when connectivity goes out.  Having all the access, management, and communication of your PHI take place within a system that keeps persistent data off of remote devices and simplifies operation (which prevents issues) avoids many of the security weaknesses that plague modern health IT.  Not only that, but by essentially outsourcing a good portion of your backup and restoration operations, you are releasing time that can be used for other essential activities, such as new projects and government mandates, and good old security monitoring.

Of course, you want to be sure any contracts provide for access to patient records no matter what contract disputes arise (which would be necessary to meet Privacy Rule requirements for Business Associate contracts), due your due diligence with the vendor, and speak with your peers using the same system to find out about the gotchas before they getcha. 

 – Speaking of Monitoring… – 

Probably one of the most painful and widespread issues I see as I visit health care organizations from Maine to California, from Florida to Alaska, is that organizations have not done what’s necessary to audit and review the access and use of PHI in their systems.  

The Privacy Rule still has its basic Minimum Necessary foundation in place, and entities have an obligation to make sure only the right access is taking place.  The Security Rule calls for both the technical ability to track accesses of electronic information, and the administrative process to regularly review access lists and logs to determine if policies are being followed.

One of the top security-related issues identified in the post mortem of the 2012 HIPAA Audit Program is that these internal audits and reviews have not been taking place.  Why?  Because they are a pain to do, and require not just an IT review, but some kind of evaluation of the access that has taken place to see if it is appropriate or not, and it may not be easy to determine without the involvement of overworked managers for whom HIPAA compliance is a burr in the saddle.

And it’s not going to be getting any easier soon.  One of the recommendations from the team that examined how to implement the HITECH Act changes required for Accounting of Disclosures is to modify the Security Rule and enhance requirements for the ability to record details of who accessed what information and when, so that more accurate Accountings to be provided, and auditing ability is enhanced.  Here is a link to a great set of slides from the team about Accounting of Disclosures and the latest proposals (provided in my last newsletter as well): http://www.healthit.gov/FACAS/sites/faca/files/HITPC_PSTT_Accounting%20of%20Disclosures_FINAL_12042013.pdf   

So how do you look at access of records?  In a small organization it may be reasonable to look at a week’s worth of access logs for all users and see if there is any unreasonable access.  If you don’t find any problems, look again in a few months, and if you’re lucky, you can just keep checking on a quarterly or semi-annual basis.  If you do find problems, you need to deal with the issues and keep a tight focus on the issues until you’re sure they’re resolved.

For a larger organization, take some samples of staff and some samples of patients over a period of time, to see if all the accesses look right.  If you take a good sample you won’t annoy everyone on staff at once, and if you don’t see any issues, you’re in pretty good shape, just keep checking periodically.  But if you do find issues, you need to look deeper and wider until you feel you have a handle on it.

And this is important why?  Because this is a well-identified issue from prior audits and it will likely be a target question once they get those HIPAA Audits rolling again.  Of course, this also is tied to doing regular security audits to ensure your systems haven’t been hacked, and what it all really points to is a need to establish your Information Security Management Calendar that schedules your regular reviews and audits so that you can show what you have done and what you are planning to do, if you are asked any questions about it.

 – And what about those HIPAA Audits? – 

So, will they ever reappear?  They’ve been discussed and hyped and planned for, and now, guess what?  We’re waiting for HHS to finish the Web portal that will be used for exchanging information in the new audit process.  Yes, the very same HHS that has such a good reputation for quality, timeliness, and security in its Web sites (OK, I really can’t kid about this) hasn’t been able to finish the portal, so the whole HIPAA Audit process is on hold.

The good news is that you have more time to deal with other top issues before they start up again, Real Soon Now (that’s a term from the software development world).  You might take a look at another access-related issue, access of patient information by individuals, family, and representatives, and the handling of denials of access, which is identified as a top Privacy compliance issue in the 2012 Audits.

 – Patient Access, that’s simple, right? – 

Apparently not so much.  This is an area that trips up many providers and is one of the areas of most frequently asked questions that I get.  You probably have some policies about providing access and how you handle denying access that were put in place in 2003 and haven’t been looked at since then.  Go dig them out and see what they say.  They at least need to be updated for the Omnibus updates of 2013.

A few pointers:  If someone wants a copy of their records including the records received from another provider that you used to make decisions about the individual, you need to provide all of that.  Individuals have a right to know what you were looking at when you made decisions about their care, with a few exceptions, such as for psychotherapy notes, disclosures that could cause harm to the individual or others, or disclosures that would reveal the source of information given in confidence (not from another provider).

Note that individuals now have the right to access their laboratory test results directly from the laboratories, as well as new rights to get electronic copies of information held electronically.  Also, there is no longer an automatic extra 30-day allowance for provision of records held offsite.  In addition, changes to the Privacy Rule allow personal representatives and family members the same access to a deceased patient’s PHI they had prior to death, to help preserve continuity of communication and care for the family.

But more importantly, make sure you have the proper processes in place for making acceptance or denial decisions for requests for access, and for having the proper denial appeal process in place for the denials that may be appealed.  I won’t go into all the details here, because there are many, but suffice it to say that improper handling of access requests and denials has been identified as a 2012 Audit issue, so you would be well advised to make sure you have the proper policies in place and people know what they are.  We are dealing with one of the foremost rights of individuals under HIPAA and one that people complain about when they feel their rights have not been satisfied.  Mishandle requests for access at your peril.

And I haven’t even discussed patient access and communication using e-mail and texting, which could take a few paragraphs more than you can stand to read right now

Here are some links to recent (since my last newsletter) guidance on access issues:
 • Guidance on mental health information and circumstances the Privacy Rule permits health care providers to communicate with patients' family members and others to enhance treatment and assure safety:  http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/mhguidance.html 
 • Guidance clarifying that same-sex spouses are have the same HIPAA rights as other family members, no matter where services are provided:  http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/samesexmarriage/index.html  

 – But don’t worry, I’m never far away – 

There is so much to consider under HIPAA these days, and the issues will only be growing.  I cover a lot of what you need to know in my Webinars and seminars.  Come see me next week (October 30 and 31) in Raleigh, NC for one of my highly acclaimed two-day soup-to-nuts in-person sessions, or any of my upcoming sessions.  Here’s the latest in my schedule: http://www.lewiscreeksystems.com/upcoming_public_seminars.html  or  http://tinyurl.com/a5gplbr  

Jim


              Copyright © 2002-2017 Lewis Creek Systems, LLC  Charlotte, Vermont, USA
Privacy Policy   Terms and Conditions of Use   Contact Us