I know, those of you who know me are surprised to see another newsletter so soon after my last one, but there is just so much going on! New lessons are being taught in HIPAA enforcement settlements, the changes to 42 CFR Part 2 (pertaining to substance abuse treatment information) have just been finalized this week, and there are HIPAA impacts resulting from the 21st Century Cures Act as well as the impending repeal or defunding of the Affordable Care Act. On top of all that, I’ve begun offering free short PowerPoint show-based security reminders you can download and use with your staff. The first one is posted with more to come over the coming year.
— What’s in the HIPAA News? —
Looks like the trickle of HIPAA Settlements is becoming a wave — two new settlements for potential HIPAA violations were announced in just the last two weeks. The lessons? Report your breaches on time ($475K + action plan https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/presence). Implement your safeguards, such as risk analysis, encryption of portable devices, and follow through with whatever you have promised OCR you’d do following a breach ($2.2 million + action plan https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/MAPFRE).
Also new is updated guidance and FAQs from HHS on disclosures to loved ones. I don’t think this is the anticipated new guidance on sharing information with family and friends involved with an individual’s care, but it contributes to knowledge in that realm. OCR’s updated guidance and FAQ may be found at: https://www.hhs.gov/hipaa/for-professionals/special-topics/same-sex-marriage/index.html and the FAQ is also available at https://www.hhs.gov/hipaa/for-professionals/faq/2086/does-hipaa-privacy-rule-permit-doctor-discuss-patient-s-health-status.html I still have hope the more complete guidance is on the way, because this is an area of some sensitivity for patients.
One of the more useful and relevant guides released by NIST is the new Special Publication 800-184, which is an excellent overall Guide for Cybersecurity Event Recovery that now incorporates incident handling and contingency planning. The press release (at https://www.nist.gov/news-events/news/2016/12/nist-guide-provides-way-tackle-cybersecurity-incidents-recovery-plan) provides a good overview, and the Guide is available at: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-184.pdf
From the press release: "The publication supplies tactical and strategic guidance for developing, testing and improving recovery plans, and calls for organizations to create a specific playbook for each possible cybersecurity incident. The guide provides examples of playbooks to handle data breaches and ransomware.” This approach supports my view that developing and working through drills on various scenarios is one of the best ways to be prepared for a nasty security event.
And what’s this? Yet another security framework from our friends at NIST? The new Draft 1.1 of the NIST Cybersecurity Framework is out (https://www.nist.gov/cyberframework/draft-version-11), and while it is indeed useful, I echo the sentiments of security expert Stephen Northcutt as he commented in the SANS NewsBites newsletter of January 13 (https://www.sans.org/newsletters/newsbites/xix/4), “In one sense, another framework makes me want to puke. However this organized security framework is the path to better risk management. Why NIST could not read and use the critical security controls is beyond my understanding.” [sigh] Yes, it is useful, at least as far as some of the simple rubrics contained within are concerned (Identify, Protect, Detect, Respond, and Recover) but again, I feel this kind of work should be coming from government-funded university research (at least partly because so many computer science programs barely acknowledge security and need this kind of a boost) not NIST. This framework comes from a clean sheet and doesn’t consider other valuable, established processes much, so it’s just a bit annoying. Please, no more new frameworks.
— Final Changes to 42 CFR Part 2 —
If you don’t know what 42 CFR Part 2 is, you probably don’t care much about this, but in the world of mental health and substance abuse treatment, this is news. Basically, 42 CFR Part 2 puts limitations on the sharing of information related to drug abuse treatment. Each disclosure requires a consent, and information cannot be re-disclosed by a recipient without another consent. It’s burdensome, especially in the new world of information sharing and coordinated treatment among providers.
The new final changes to 42 CFR Part 2 (https://www.federalregister.gov/documents/2017/01/18/2017-00719/confidentiality-of-substance-use-disorder-patient-records), among other things, allow release of information to a qualified researcher, but more importantly, allow a patient to consent to disclosing their information using a general designation (such as “my healthcare providers”), to allow patients to benefit from integrated health care systems. Patients do not have to agree to such disclosures, but patients who do agree to the general disclosure designation have the option to request a list of entities to whom their information has been disclosed. A nice summary is in the press release, at https://www.samhsa.gov/newsroom/press-announcements/201701131200
— Hot Off the Presses: Common Rule Update Finalized —
And if you’re into research, it’s time to look into the finalized Common Rule revisions, also just out this week. So many new intersections between HIPAA, 42 CFR Part 2, and research! Those of you who do research with health information relating to substance abuse have some homework to do. You have a little time, until 2018, to implement the new rule. See https://www.federalregister.gov/documents/2017/01/19/2017-01058/federal-policy-for-protection-of-human-subjects
— HIPAA implications of 21st Century Cures Act —
While the 21st Century Cures Act doesn’t directly affect HIPAA, it calls for a lot that is related to HIPAA. On December 8, 2016, AHIMA published an informative guide to the Health IT and HIM related sections. There are numerous sections pertinent to those in HIPAA compliance, and this overview guide from AHIMA is easy to use and understand. In fact, many of the things called for relating to HIPAA, such as guidance on sharing information with family, friends, and others involved with an individual’s care, are already in the works at HHS Office for Civil Rights, but the legislation provides a solid foundation for these activities. The law also reinforces patient access rights, and touches on issues relating to research, mental health, and 42 CFR Part 2. This legislation has non-trivial, wide ranging impacts on HIPAA. See the AHIMA guide at: http://bok.ahima.org/doc?oid=302012
— HIPAA implications of ACA Repeal or Defunding —
As I mentioned in my last newsletter, if the ACA is repealed, there could be huge demand from patients to exercise their right to not tell the insurance company about an encounter if they pay out of pocket. Now that may be fueled by more than just fears of having your insurance cancelled or your rates quadrupled. Certain ethnic minorities that may be being targeted by the new Administration will also want to stay out of as many databases as possible.
It seems likely at the moment that ACA will die through de-funding, not outright repeal, but who knows? What a mess. Be ready to deal with it. And write your senators and congressmen if you don’t want to see healthcare denied to a significant portion of the population through lack of insurance — maybe even you!
— Free Training Reminder PPT on E-mail, Texting, and Mobile Device Hazards —
I have begun offering a new series of training products, available on my Web site. First up is a free, nine minute Powerpoint show with audio, on the topic of E-mail, Texting, and Mobile Device Hazards, which you may download and use as a security reminder for your staff. Over the coming year, I’ll be adding more free reminders, as well as a suite of 90-minute training sessions available for a fee. Also, I find an increasing number of my clients ask me to prepare a pre-recorded staff training session that is specific to their organization and their policies, which is, after all, the right way to do it. See what’s up at http://www.lewiscreeksystems.com/hipaa-training-products.html
As for live training sessions coming up:
SFO can be nice in February, maybe a 1.5 day Privacy Rule session February 23 and 24 would be good — see: http://www.complianceonline.com/hipaa-privacy-rule-compliance-new-rules-and-responsibilities-of-privacy-officer-seminar-training-80142SEM-prdsm
Washington, DC can be lovely at the end of March, nice enough on March 23 and 24 for a 2-day A to Z session — see: http://www.globalcompliancepanel.com/control/globalseminars/~product_id=900754SEMINAR?HIPAA-privacy-security-compliance-Washington-DC
And I have other live Webinars scheduled well into 2017 already, so be sure to check my upcoming public seminars page, at: http://www.lewiscreeksystems.com/upcoming_public_seminars.html
— Go Forth and Be HIPAA! —
Please enjoy your winter — it’s been strange here in Vermont so far — ticks in January?? And please let me know if you have any questions.
Thanks!
Jim