I think I’m gaining — it was more than a year between the last two newsletters, and it’s not much more than nine months now since the last one! But there is plenty to talk about, no question, including recent enforcement activity, which reflects on one of my pet issues, management of access to external Web sites, and the pace of enforcement actions, which had slowed to a trickle until the recent spate of announcements. And state Attorneys General are now getting into the HIPAA enforcement game as well. By the way, did you hear the announcement about the changes to the HIPAA Audit Protocol? Me neither, but they were made last July. Also on the agenda is a look at what to expect for changes in the rules. Will we ever see a new proposed rule for Accounting of Disclosures now that we’re 10 (yes, ten) years out from the passage of the HITECH Act requiring a change? Will there be changes in the Security Rule for improving the ability to audit and review access and use of data? Will we dump the acknowledgment signature for the Notice of Privacy Practices? And how are we going to solve this shameful situation where it is so difficult for patients to access their information and have it shared with any provider they so choose, without friction? To finish things off, I’m sure we’d all appreciate a quick list of topics to put on your HIPAA list for review, so I’ll try to create that for you.
— “So, what should I DO?” —
I’m really good at pointing out compliance issues that should be addressed somehow, but the client’s answer is often, “So, what should I DO? Out of all the issues that are out there, what needs to be focused on first, and what kind of things can I do to address those issues?” Well, thanks to the Cybersecurity Act of 2015 section 405(d), we now have a good advisory document set that distills the steps most needed to meet the numerous rules and standards in information security today. As you know, I am a big fan of Risk Analysis, but this approach assumes there are certain universal risks that need to be addressed, and provides actions that can be taken to reduce them. On December 28, 2018 the Department of Health and Human Services released a guide to voluntary cybersecurity practices for healthcare organizations ranging in size from local clinics to large hospital systems; three sets of practices are provided, for small, medium, and large organizations.
Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients is a four-volume publication, the result of a two-year public-private partnership between HHS and more than 150 healthcare industry professionals. The guidance is a mixture of highly technical solutions and common sense practices applicable to a wide range of healthcare facilities. The core of the document explores the five most relevant threats to the healthcare industry and recommends ten cybersecurity practices to mitigate them. While this may be old news to mature, larger IT organizations, for smaller organizations it provides a useful way to explain the issues and show what needs to be done, to senior managers who may not have a lot of information security expertise at their disposal.
Note that this does not replace a risk analysis; it supplements it. But if the considerations in the report are addressed, it can make the Risk Analysis a lot less traumatic. I think it’s definitely worth it for those in charge of privacy and security to spend some time absorbing and addressing the issues included, as a defined project, not just a casual activity. See: https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx
— HIPAA Enforcement Pace Increases —
For a while it seemed that HIPAA enforcement was stalled, with few settlements being announced following the change in the administration a few years ago. But things picked up considerably at the end of 2018, with four actions being announced: a record $16 million settlement for a breach of 79 million records, a $125K settlement for a doctor going public with patient information to refute a claim made publicly by a patient, a $500K settlement for sharing information with a fraudulent business associate (with no BA agreement) who breached the information, and a $111.4K settlement for failing to terminate a former employee’s access to the organization’s scheduling calendar, which was hosted by Google without a Business Associate Agreement.
While the Anthem settlement for $16 million sounds like a lot, we’re talking about 20 cents a record for the breached information. Sounds pretty limp to me, but it does almost triple the previous high settlement amount. As for going public with patient information, we now have three settlements with head honchos who couldn’t help themselves, who, in the most recent case, ignored the advice of their own compliance people (what do you pay them for then, eh?), and went public with a patient’s information, in two cases as a response to public statements by the patients. Let’s make this clear, shall we? Even if the patient hands out copies of their entire medical record to everyone in the street, the doctor still has to have a HIPAA Authorization from the patient to discuss their information in public.
In the case of the fraudulent Business Associate, make sure someone you are dealing with is actually a representative of the company they claim to represent, and if they’re acting as a BA, get the BA Agreement in place! You need to do research on the BA commensurate with the risk involved. But the most recent enforcement settlement case really caught me by surprise. As many of my clients know, I have a thing these days about staff access to external Web sites managed by other entities. It’s easy to have well-controlled access to your own systems and networks, where when someone leaves, you have a process to throw the switch and cut off access. But it’s less easy to deal with all the access to outside Web sites, which has really blossomed these days with the proliferation of electronic systems for all kinds of communications and transactions. (And you may have inbound remote access of your own to protect.)
Do you know who has access to external sites that involve Protected Health Information, and how to make sure your responsibilities are taken care of upon departure of the staff? Do you know what your responsibilities are? Yes, those external resources are responsible for their own security, but you have at least an ethical responsibility, if not a contractual one, to notify them when a user is no longer on your staff. If that account can reach your own patients’ information, it may certainly be seen as your responsibility. This settlement involved a former employee’s access to the organization’s calendar, which happened to be hosted improperly under the regulations (no BAA). If you don’t have a defined process for tracking who has access to what, and making sure that access is terminated when the employee is, you are leaving yourself open to a growing risk issue. The time to deal with it is now.
Let me give you a quick example that may make your ears ring, about unterminated remote access into an organization. A client of mine recently hired a new CFO who used to work at another facility some years ago. While at the prior facility, the person needed to get remote access into some system or other, and at the time the organization did not have a defined remote access process, and the IT staff set up a special access method allowing the access that was needed. As time passed, the IT staff and management turned over, and the individual needing the access moved on to another organization and eventually became the CFO I know today. Based on the CFO’s awareness of the issue of remote access left open, the CFO checked, and yes, the CFO still has access to systems and networks at an organization they no longer work for, and haven’t for many years. In fact, the recently-hired current IT staff at the old organization either isn’t aware of the access allowed, or is aware of it but is afraid to turn it off because they don’t know what it does and don’t want to break any existing processes. Because the old access was never properly established and managed according to a documented process, it has been forgotten over time and now exists as a back door into systems that IT doesn’t know about, and that could potentially be discovered by hackers, depending on the security of the access, which is completely unknown by the IT staff. The easiest fix is probably to rip everything out and start from scratch for networks and access. Wouldn’t it have been easier to know who has access and how, and manage the access before it becomes a liability?
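To make the tracking process concrete, here is a small Python reconciliation script. It is an example added to this page for illustration, not code from the newsletter, from HHS, or from any client. It assumes two inputs an organization would have to build for itself: an HR roster export (who is on staff, and when anyone left) and an access register listing every account staff hold on outside Web sites plus every inbound remote-access grant, with the owner and the approval ticket recorded. It flags access whose owner has left, access whose recorded owner cannot be found in the roster, and access with no owner or approval on record at all, which is exactly the forgotten back door in the CFO story. The roster entries, system names, account names and ticket numbers below are constructed sample data.

```python
# Added example (not from the newsletter): reconcile a register of external-site
# and remote-access accounts against the HR roster to find access that should
# have been terminated or was never documented. All records are constructed.
from collections import Counter
from datetime import date

# Constructed HR roster, shaped like a typical HR export.
HR_ROSTER = [
    {"employee_id": "E001", "email": "mary.lee@example-clinic.org",
     "status": "active", "end_date": None},
    {"employee_id": "E002", "email": "jose.ortiz@example-clinic.org",
     "status": "terminated", "end_date": "2018-11-30"},
    {"employee_id": "E003", "email": "pat.nguyen@example-clinic.org",
     "status": "active", "end_date": None},
]

# Constructed access register: outside-site accounts and remote-access grants,
# each with the owner on record and the ticket that approved it.
ACCESS_REGISTER = [
    {"system": "payer-portal", "account": "MARY.LEE@example-clinic.org",
     "owner_id": "E001", "approved_by": "IT-1182"},
    {"system": "shared-calendar", "account": "jose.ortiz@example-clinic.org",
     "owner_id": "E002", "approved_by": "IT-0931"},
    {"system": "vpn", "account": "jortiz",
     "owner_id": "E002", "approved_by": "IT-0932"},
    # Set up years ago by staff who have since left; nobody recorded for whom.
    {"system": "vpn", "account": "legacyfin",
     "owner_id": None, "approved_by": None},
    # Owner id from a retired HR system; not in the current roster.
    {"system": "lab-results-site", "account": "rsmith",
     "owner_id": "OLD-17", "approved_by": "IT-0211"},
    # No owner id recorded, but the account is an active employee's email.
    {"system": "eprescribe-portal", "account": "pat.nguyen@example-clinic.org",
     "owner_id": None, "approved_by": "IT-2210"},
]


def normalize(value):
    """Case- and whitespace-insensitive key for matching emails and usernames."""
    return (value or "").strip().lower()


def index_roster(roster):
    """Index the roster by employee id and by normalized email."""
    by_id = {p["employee_id"]: p for p in roster}
    by_email = {normalize(p["email"]): p for p in roster}
    return by_id, by_email


def resolve_owner(entry, by_id, by_email):
    """Find the roster record behind an access entry: by the recorded owner id
    first, falling back to the account name when it is a staff email."""
    owner_id = entry.get("owner_id")
    if owner_id and owner_id in by_id:
        return by_id[owner_id]
    return by_email.get(normalize(entry.get("account")))


def finding(entry, reason, detail):
    return {"system": entry["system"], "account": entry["account"],
            "reason": reason, "detail": detail}


def reconcile(roster, register, today, grace_days=0):
    """Return one finding per access entry that needs action.

    today: ISO date string or date. grace_days: how long after an end date
    access may linger before it is reported (0 reports it immediately).
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    by_id, by_email = index_roster(roster)
    findings = []
    for entry in register:
        owner = resolve_owner(entry, by_id, by_email)
        if owner is None:
            if not entry.get("owner_id") and not entry.get("approved_by"):
                findings.append(finding(entry, "NO_OWNER",
                    "no owner or approval on record; nobody knows what this access is for"))
            else:
                findings.append(finding(entry, "UNKNOWN_OWNER",
                    "recorded owner %r is not in the current roster" % entry.get("owner_id")))
            continue
        if owner["status"] == "terminated":
            days_gone = (today - date.fromisoformat(owner["end_date"])).days
            if days_gone >= grace_days:
                findings.append(finding(entry, "TERMINATED_OWNER",
                    "owner %s left %d days ago" % (owner["employee_id"], days_gone)))
    return findings


def summarize(findings):
    """Count findings by reason, for the report header."""
    return dict(Counter(f["reason"] for f in findings))


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, ACCESS_REGISTER, "2019-01-15"):
        print("%-18s %-32s %-16s %s" % (f["system"], f["account"], f["reason"], f["detail"]))
```

The point of the three reason codes is that each needs a different process: TERMINATED_OWNER goes to the termination checklist and to a notification to the outside site, UNKNOWN_OWNER goes back to HR to map the old identifier, and NO_OWNER is the one to escalate, because nobody can say what it does or whether it should exist. Run against real data this only works if the register is kept up to date every time access is granted, which is the documented process the anecdote above was missing.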
And even as HHS slowed its enforcement for a while, state attorneys general have been busy picking up the slack, with New Jersey hitting the headlines most recently in November with a $200K penalty and a ban from ever working in New Jersey again for a transcription company that didn’t protect information properly, on top of a $414K penalty last April for the medical group that hired them. New York had a $575K settlement last March for a health information breach exposing over 80,000 Social Security numbers. Clearly, even if HHS disappears from the scene, the state AGs are prepared to carry on in enforcement using HIPAA as the standard.
— Update to the HIPAA Audit Protocol —
Did you see the announcement last July about the updated HIPAA Audit Protocol? Me neither, because it wasn’t made, and HHS still hasn’t released an announcement or an overview of what’s different in the protocol. So, here’s the scoop: there are a dozen questions changed, numbers 4, 58, 163, 164, 165, 170, 172, 173, 174, 175, 177, and 178, which translates to a few in the privacy realm and several in the breach notification section, updating the questions based on the experience gained in the 2016 Audit round. There are no changes to the Security Rule questions. This is all very nice, but in re-publishing the HIPAA Audit Protocol, they put it up on the Web site in such a way that copying it into some actually usable tool like a spreadsheet or database is a royal pain and takes a day of work to fix once you copy and paste. This is the same problem the original 2016 protocol had, that was finally fixed after many months, and is now broken again, oh thanks.
But, lucky you! I have updated my spreadsheet copy with the changes, discovered by laboriously examining every one of the 180 questions for changes, since a direct comparison isn’t possible because of the insane formatting. If you’d like to see the HHS HIPAA Audit Protocol, it’s still at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html and if you want an updated spreadsheet copy with the changes, please send me a message and I’ll be happy to send you one. (See? This is the test to see if you’ve read this far — of course you want a copy!) Please be aware that because of limitations in Excel, and the size of some entries, it may require double-clicking on a cell and/or reducing the font size to see or print the cell contents fully. Make sure you look at ALL the details of each question.
— New Accounting of Disclosures Rule Coming —
So, for you old-timers in HIPAA, we’re coming up on the 10th anniversary of the HITECH Act amending HIPAA, which might be nice, except that HHS still hasn’t come up with a decent plan for the required new rule for Accounting of Disclosures that the HITECH Act calls for. The law requires some substantial changes, and HHS’s initial proposal was met with derision and laughter, as it went way beyond the requirements of the law and the capability of technology to reasonably support the proposed rule. In short, no, it couldn’t possibly work, and was finally formally withdrawn earlier this year. But the law still exists, and with it the obligation to make Accounting of Disclosures actually relevant to patients. I mean, has anyone ever actually asked your organization for an Accounting of Disclosures, and would you even know what to do if they did?
So the development of the new rule is under way, with HHS asking for initial comments in a December 12 announcement of the Request For Information. Based on the recommendations developed some years ago there are likely also to be changes recommended for the Security Rule to improve the ability to audit and review access and use of data, in support of the new Accounting rule. (You can’t account for what you don’t know!) That will make the first substantive change to the Security Rule since it was adopted, not counting the expansion of coverage to Business Associates, and probably about time. When the government reopens, the RFI will be available at: https://www.federalregister.gov/public-inspection/ — comments are due by February 11, but who knows if the government will be open by then.
— Changes to Signature Requirement for the NPP? —
Will we dump the acknowledgment signature for the Notice of Privacy Practices? Really, that’s the best we can do for finding ways to reduce the administrative burden of HIPAA? Well, that’s the idea, but it’s not all that simple, since the signature for the NPP counts as a signature for consent under the Telephone Consumer Protection Act of 1991 to contact someone using their cell phone, which is how just about everyone communicates these days. If you don’t have documented consent under TCPA, you can’t call or text someone’s cell phone for payment purposes AT ALL, and there are also limitations on uses for healthcare operations, like appointment reminders. A judge ruled about a year ago that signing the NPP that says how your contact information may be used counts as a TCPA consent. If that signature goes away, you’ll have to get a signature instead for TCPA consent, resulting in zero reduction in administrative burden and an expense of changing processes. There is also some consideration of changing the TCPA rules to allow contact for treatment, payment, and healthcare operations as defined by HIPAA without consent, but unless that happens if and when the HIPAA rules are changed, there will be a net negative effect. This is also an area ripe for comments on the RFI, if we can ever get a copy and submit the comments.
— 2019 is The Year of Sharing Health Information —
Well, I’m calling it that anyway. So, how are we going to solve this shameful situation where it is so difficult for patients to access their information and have it shared with any provider they so choose, without friction? HIPAA is NOT the issue; misinterpretation of HIPAA is often the issue. Doctors’ offices have always been shy about sharing their intellectual capital, their medical records, and their patients with other doctors. Of course a doctor wants to keep his patients! But now simple reluctance has turned into outright blocking of information transfers to protect an office’s business, contrary to HIPAA. In so many of these cases, HIPAA is used as an excuse for not sharing information with other providers, when the rule explicitly allows such sharing. MAKE SURE you are sharing information as requested by your patients, and as required by HIPAA. If your organization is resisting this, fix it! If you are dealing with another organization that won’t share what they should, it’s time to start making noise, with the organization’s leadership, with HHS, and with the Press (though be sure not to include any patient identifiable information in Press communications). When you complain publicly, patients will start asking questions and putting pressure on their doctors to do the right thing. We need to shake up the entire industry to make this happen, and we all need to step up for our patients’ and the nation’s health.
— Your 2019 HIPAA To-Do List —
1. Review/update/establish your external Web site and remote access management processes
2. Check your termination processes and make sure they work
3. Review your access and use of systems and data
4. Update your Risk Analysis
5. Plan out your Risk Management Activities
6. Be ready to respond if there is a change in the rules
And please let me know if you have any questions.
Thanks!
Jim