Just a note to tell you that the HIPAA Deskbook is back online at Amazon. You can access it through the Publications link on this site.
Do you know whether your server firewall is on? Somebody had better know, or it could cost you a $400,000 fine, just as it cost Idaho State University last month.
The HIPAA fine was assessed by the Office of Civil Rights (OCR) for 17,500 patient records that were left exposed when the firewall protection for several servers was turned off for maintenance and not returned to service for 10 months. The fine also included penalties for not conducting a risk assessment, failing to have adequate security protections, and failing to review system activity records to stay aware of security status and file access.
The lesson here is that unintentional breaches of security and privacy occur through human error. Your systems should be set up to detect such failures, and someone should be assigned to review the alarms and reports they produce promptly and on a regular schedule.
With fewer than 90 days left before all of the HIPAA revisions begin enforcement, Health Centers should be well on their way to compliance. If you are not, here are a quick dozen things you should get started on:
Do an inventory of your PHI
One of the major problems many facilities have is that they don’t have a good idea of what private information they have. If you already did an inventory and it is more than two years old, do it again. You need to know what information you have, what form it is in, how it is acquired, how it is used, how it is stored, and who has access to it.
Do a risk assessment/gap analysis
HIPAA requires a risk assessment that identifies potential risks and the gaps in your safeguards against them, covering the HIPAA privacy rules, the HIPAA security rules, and non-HIPAA exposures under state law and professional liability theories. Meaningful use criteria also require a risk assessment. The assessment should cover processes and systems, but it must also cover risks from your workforce: with workforce errors high on the list of causes of data breaches, both honest mistakes and intentional violations must be anticipated. Repeat it every two years, or sooner in the event of a substantial change (such as adopting an EHR) or a privacy or security incident.
Prepare a risk management plan
Risk management is an important part of the “Redeeming” application. It is the part where the Board has considered the risk assessment and decided what process the CHC will follow to address the risks and gaps. In the event of an audit or investigation, the OCR will want evidence of leadership involvement, a written plan, and effective implementation.
Prepare or update your policies and procedures
Policies and procedures need to be reviewed at least annually and every time HHS alters the HIPAA rules or OCR issues an interpretation. They need to be kept current and carefully coordinated to prevent gaps and inconsistencies. The policies should address privacy, breach, and security, as well as training, monitoring, and discipline. They should be created by and for your facility. Purchased templates have definite flaws: 1) one size never fits anyone; 2) you are not invested in their creation; 3) they sit on the shelf and are never reviewed; and 4) they are never followed closely enough to avoid violations.
Have a policy on data retention and follow it. Systematically destroy documents that you no longer need. More data means more potential liability.
Have a policy on litigation holds. This becomes much more difficult when you go to EHR, so talk to your vendor, your gap insurance risk management folks, FTCA consultants, and/or your cyber-insurance carrier about what they can suggest for your current records system.
Have a policy on criminal background checks. Do them on everyone.
Have policies on physical security, portable media, taking records out of the office, remote access, BYOD, laptops, cell phones, social media, etc.
Now train, train, train…
One of the most common violations under all of the federal regulations is a failure to properly and “adequately” train providers and employees. OCR will expect that employees and providers are trained through an orientation process before assuming their duties, that they are retrained at least annually, and that they are retrained whenever policies and procedures change.
Training is important, but it also must be relevant and useful or it is quickly forgotten or ignored. The most effective training is provided to staff with similar functions and tightly focused on just those aspects of the law and policies that apply to their job. Real life examples also improve performance a great deal.
I suggest that data breach procedures be presented in separate training sessions from privacy and security general training. Getting everything in at once may help the schedule, but generally trashes any hope of long term information retention.
Perform regular and frequent monitoring and performance audits
Do not rely on the built-in audit features of your EHR to feel assured that you are in compliance. Someone has to actually look at the reports and analyze them for them to do any good. With OCR expecting active surveillance and correction, CHCs have to assign a trained person to review security and privacy activity in as close to real time as is feasible in your setting.
By monitoring, I mean going over logs and other records on a continuous basis to identify access or security issues as quickly as possible, should they occur. Auditing is typically a process of requiring internal proof of compliance against standards similar to those OCR would apply. Audits may be done less frequently, unless monitoring reveals an issue.
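The monitoring just described, and the Idaho State failure mode above (a firewall turned off for maintenance and never turned back on), can be reduced to a scheduled check that compares live firewall state against a written baseline and escalates when a maintenance exception has expired. The Python below is an added example for this page, not code from the original post or from any EHR vendor; the `iptables -S` output, the baseline, and the maintenance-exception record are constructed for illustration, and the severity labels are this example's own convention.

```python
"""Firewall-state drift check (added example; not from the original post).

Assumptions (hypothetical): the host's packet filter state is captured as
`iptables -S` output, and approved maintenance exceptions are recorded as
dicts carrying a ticket id and an expiry time in Unix epoch seconds.
"""
import time

# Constructed sample of `iptables -S` output from a healthy clinic server.
HEALTHY_RULES = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.0.5.0/24 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
"""

# Constructed sample after a maintenance script ran `iptables -F` and
# set the default policies to ACCEPT, i.e. the firewall is effectively off.
FLUSHED_RULES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
"""

# Hypothetical written baseline: what a reviewer expects on every server.
BASELINE = {
    "policies": {"INPUT": "DROP", "FORWARD": "DROP"},
    "required_rules": [
        "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
        "-A INPUT -p tcp --dport 443 -j ACCEPT",
    ],
}


def parse_iptables(text):
    """Return (policies, rules) parsed from `iptables -S` style output."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-P "):
            _, chain, target = line.split()
            policies[chain] = target
        elif line.startswith("-A "):
            rules.append(line)
    return policies, rules


def check_firewall(text, baseline, exceptions=(), now=None):
    """Compare live state to the baseline and return (severity, finding) pairs.

    Severity is this example's own scheme: "alarm" when drift is found with no
    recorded exception, "maintenance" while an approved exception is still
    open, and "overdue" once every exception has expired, which is exactly the
    "turned off for maintenance and never restored" case.
    """
    now = time.time() if now is None else now
    policies, rules = parse_iptables(text)
    findings = []
    for chain, want in baseline["policies"].items():
        got = policies.get(chain)
        if got != want:
            findings.append(f"policy {chain} is {got}, expected {want}")
    for rule in baseline["required_rules"]:
        if rule not in rules:
            findings.append(f"missing rule: {rule}")
    if not findings:
        return []
    if any(e["expires"] > now for e in exceptions):
        severity = "maintenance"
    elif exceptions:
        severity = "overdue"
    else:
        severity = "alarm"
    return [(severity, f) for f in findings]


if __name__ == "__main__":
    # A reviewer's daily run: the healthy host is silent, the flushed host is not.
    for label, state in (("healthy", HEALTHY_RULES), ("flushed", FLUSHED_RULES)):
        for severity, finding in check_firewall(state, BASELINE):
            print(f"{label}: [{severity}] {finding}")
```

In practice the text fed to `check_firewall` would come from `iptables -S` (or the equivalent for nftables, a cloud security group, or a vendor appliance) collected on a schedule, and a non-empty result should page the person assigned to review alarms; the "overdue" severity is the one that would have caught the ten-month gap.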
Discipline for violations
Have disciplinary policies as required by the HITECH Act and implement the tiered approach that parallels the OCR fine structure, so that discipline is appropriate to the situation. Remember, re-education is an option for discipline until attitude or repeated failure demonstrates that it is not going to improve performance from the individual employee or provider. Some circumstances, however, may justify “one strike” termination.
Revise your Notice of Privacy Practices
OCR has made it clear that they believe the changes in the regulations require revision and re-issue of your Notice of Privacy Practices. Posting to a website along with posting a summary in the lobby waiting area appears to conform to OCR expectations, so long as the full NPP is available for the patient to review upon request.
Inventory your Business Associates
The 2013 regulations make it extremely important that you know who your business associates are, and that they in turn realize their obligations as business associates. The best way to determine who your business associates are is to review your payables history to see who you are doing business with, then evaluate whether any portion of what they do for you falls within the business associate definitions. Remember, just because the business or individual falls within a permissible disclosure category under HIPAA does not mean that they are not business associates. In fact, it almost assures that they are business associates.
Complete new Business Associates Agreements
Revise your Business Associates Agreements (BAA) to comply with the terms of the new regulations and get the agreements in place. If you have a service contract that includes the necessary elements of a Business Associates Agreement, a separate BAA is not required.
Connect with Stephen Frew on LinkedIn.com
When Google, Apple, and other major players deny cooperating with the federal government and allowing access to their computers for PRISM’s massive data surveillance program, healthcare providers and business associates should not be reassured. Either these players are issuing denials to cover their backsides, or they are admitting that the government is able to breach all of their security and sift their data 24/7 without their ever catching on.
If Uncle Sam can do it, so can the Chinese and perhaps the Russian Mafia. Uncle Sam has admitted to sharing the data with at least one foreign country (presumably Britain) in what some people are calling a “you spy on my citizens, I will spy on yours” arrangement to give plausible denial to both countries. How many times data gets leaked remains to be seen. The disclosure of PRISM has already prompted a movement in the EU to revoke the “safe harbor” exception for the US and US companies for EU privacy compliance regulations because the US cannot guarantee minimum security standards for data.
For those with HIPAA responsibilities, this raises a huge red flag about the security of the internet and of the “Cloud” for storing confidential patient data.
Computer security experts are already predicting that the exponential growth of the cloud may hit a brick wall when companies realize that the cloud is not as secure as it is held out to be. Many electronic medical records use cloud hosting or storage, leaving security in doubt.
So, will encrypting data in use, in motion, and at rest solve the problem? Certainly, encryption is a start, but if PRISM and other programs — be assured there are probably multiple programs doing different things to scarf up data that we do not know about (plausible denial, again) — are capable of reading everything, does that mean even encrypted data? And, given that certain words or patterns trigger “deeper dives” in the surveillance parlance, would effective encryption put a red flag on your operation? We don’t know yet…and maybe never will.
Some people will be tempted to say that it is “only the government” and that privacy doesn’t really matter anyway. HIPAA says privacy matters, and that the covered entity and business associates are liable for data breach response costs, fines, and possible jail time for breaches. State statutes and common-law liability put the covered entity and business associate at risk of civil liability.
If the industry cannot rely on these major providers to assure us of actual secure and private online operations, then covered entities and business associates are taking a huge risk putting their HIPAA data in the care of these players.
Telling lies, plausible denial, or totally inadequate security — you can call it whatever you want, but it still says HIPAA covered entities and business associates should keep their data off the internet and out of the cloud.
Let’s face it, federal rules and regulations are too complicated for even the Feds to figure out, so it should come as little surprise that the HIPAA regulations that went into effect in March 2013 have some errors. In a final regulation to clear up “technical errors”, the feds announced June 7 that the following changes are being made:
§ 160.508 [Amended]
2.Amend § 160.508(c)(5) by correcting “§ 160.410(b)(3)(ii)(B)” to read “§ 160.410(b)(2)(ii)(B) or (c)(2)(ii)” and by correcting “42 U.S.C. 1320d-5(b)(3)(B)” to read “42 U.S.C. 1320d-5(b)(2)(B)”.
§ 160.548 [Amended]
3.Amend § 160.548(e) by correcting “§ 160.410(b)(1)” to read “§ 160.410(a)(1) or (2)”.
PART 164—SECURITY AND PRIVACY
4.The authority citation for part 164 continues to read as follows:
42 U.S.C. 1302(a); 42 U.S.C. 1320d-1320d-9; sec. 264, Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)); and secs. 13400-13424, Pub. L. 111-5, 123 Stat. 258-279.
§ 164.103 [Amended]
5.Amend § 164.103 as follows:
a. In the definition of health care component, by correcting “§ 164.105(a)(2)(iii)(C)” to read “§ 164.105(a)(2)(iii)(D)”.
b. In the definition of hybrid entity, by correcting “§ 164.105(a)(2)(iii)(C)” to read “§ 164.105(a)(2)(iii)(D)”.
§ 164.314 [Amended]
6.Amend § 164.314(a)(1) by correcting “§ 164.308(b)(4)” to read “§ 164.308(b)(3)”.
§ 164.512 [Amended]
7.Amend § 164.512(k)(4)(i) by correcting “12698” to read “12968”.
§ 164.514 [Amended]
8.Amend § 164.514(f)(2)(iv) by correcting “paragraph (f)(1)(ii)(B)” to read “paragraph (f)(2)(ii)”.
§ 164.524 [Amended]
9.Amend § 164.524(c)(4)(iv) by correcting “paragraph (c)(2)(ii)” to read “paragraph (c)(2)(iii)”.
§ 164.532 [Amended]
10.Amend the introductory text of § 164.532(f) by correcting “[January 25, 2013” to read “January 25, 2013”.
I am reprinting this list because with all the major scandals rocking DC, it is likely that you might miss the news of minor screw-ups. Please note that such errors are OK for the government, but not for covered entities and business associates. You are required to know what they meant, not what they said.
A maintenance error that turned off a firewall on a computer server in one of 29 clinics in the Idaho State University healthcare system exposed more than 17,500 patient records for a period of 10 months. When the breach was discovered in 2011, ISU self-reported to OCR as required by the HIPAA/HITECH data breach regulations.
Following a lengthy investigation, OCR has announced its first fine and corrective action plan agreement for 2013. ISU must pay a $400,000 fine and operate under a monitored correction plan for two years.
The deficiencies cited by OCR included:
ISU failed to conduct a risk analysis from April 2007 until November 2012;
Inadequate security measures from April 2007 until November 2012;
Inadequate procedures to review information system activity to determine if protected health information was inappropriately accessed or disclosed from April 2007 until June 2012.
The plan of correction requires a compliance gap analysis on Security Rule requirements and annual reports on training, review and updates of the ISU risk management plan, and review and updates of the information management system.
In a prior post, I mentioned that my daughter was about to release a new reference book on HIPAA and predicted the release would come in April. Wrong. College classes and a social activity or two delayed completion until now, and in spite of my grousing about the delays, her Dean’s List performance did vindicate her scheduling priorities.
First, it’s a hard-copy book with more than 170 pages. It is a reference to the full text of the latest version of HIPAA / HITECH regulations updated with the 2013 Omnibus Regulation provisions that will begin enforcement in September.
In addition to the regulations themselves, the book contains the full text of the Office of Civil Rights HIPAA Audit Protocol. Following each section of the regulations, applicable audit protocol standards appear, giving you the actual compliance criteria that OCR will be applying in random audits, complaint based investigations, and breach notification investigations. The OCR sample document request list for complaint and breach investigations is also included.
With the emphasis on Business Associates compliance in the new regulations, the book also includes the OCR sample template for BAAs that comply with the new language.
This HIPAA reference also has a feature that most of us have wanted, but my daughter deemed essential. Not having a “search engine” is her primary complaint about books…especially those that you have to access quickly…. So she added hundreds of terms and provisions to an index for rapid access to the answers you need. HIPAA is still a beast, but this helps tame it.
You can order it online at Amazon.com
While most folks have not taken the time to read the 561-page HIPAA amendment regulation that goes into effect later this month, there is one huge issue lurking there for hospitals and physicians that use online services that digitally transfer, use, or store protected health information (PHI). The new regulations make these services Business Associates, even if they are based in Mongolia or anywhere else in the world. And that means healthcare providers MUST have written Business Associate Agreements (BAA) with these services, and the services have to agree to comply with US regulations, including agreeing to Office of Civil Rights (OCR) inspections.
At this point, I should also point out that the regulation also makes new BAAs mandatory for all of the BAs of any provider, not just the online ones. Most of these new BAs don’t have a clue that they have just been slapped with HIPAA compliance or what that means. The online BAs are even bigger risks, however, because most providers don’t even realize that the nifty, spiffy online service is covered by HIPAA. They sign up online, click the “I Agree” button, and they have the service and are happy. Unfortunately, OCR won’t be happy if you don’t have a legally compliant BAA.
Some folks make the mistake of assuming that since the “cloud” or other service is encrypted, that is all they have to worry about. While encryption may save you from a data breach notification issue, it does not take care of all of the HIPAA compliance issues. The service is a BA with or without a BAA, but it is likely to be operating outside of HIPAA compliance if there is no BAA. If there is a violation at the BA level, it is likely to be the BA that gets cited and fined, but OCR will cite and fine the provider for not having a BAA and for not assuring that the BA was operating in compliance with HIPAA.
I also foresee an issue with some services that reside on foreign shores. Will they dutifully allow OCR to sift through their records and servers and turn over tons of records to US regulators? Maybe, or just maybe they will “flip off” OCR as some foreign pain in the posterior. If the latter is the case, we have seen how OCR has jacked up fines before — for failure to cooperate. Since the BA is off-shore, it is my prediction that when they fail to cooperate with the OCR, the on-shore provider will take the brunt of the feds’ displeasure in the form of maximum fines (which are $1.5 million per year for EACH type of violation).
For those of you who hate reading any more regulations than you have to, my daughter is publishing the revised rules along with the HIPAA audit protocol for each in a new book that is scheduled for release by the end of March 2013. I will post information as soon as it makes its appearance on Amazon, and I will make sure readers of this blog and my newsletter get a chance to get it at a substantial discount.
In what could be the largest intentional wholesale breach of online privacy in history, NBC News is reporting that the Obama administration has turned over its campaign database to a newly formed advocacy organization being set up to help ramrod administration policy through Congress. Although it is likely that individuals in the database might be supportive of the presidential efforts, the transfer is similar to a company selling widgets turning over its database to a similar company where there was perceived value.
Did the Obama campaign comply with privacy rules when the transfer was made? Preliminary reports suggest that rules were ignored in the transfer.
Full story at: http://openchannel.nbcnews.com/_news/2013/01/28/16726913-obama-campaign-gives-database-of-millions-of-supporters-to-new-advocacy-group?lite
In response to the release last week of the new HIPAA “mega” regulation, the HHS Office of Civil Rights (OCR) has released a proposed sample of a Business Associates Agreement that includes requirements of the new Regulation.
The sample is not a required form, but provides a broad form for healthcare providers who do not have their own HIPAA compliance team.
Some tips for using the form:
1. It is great that the government is putting out a sample, but NEVER adopt a sample. ALWAYS customize the form to address the specifics of your agreement and expectations for the individual Business Associate or you will be unhappy with the outcome.
2. Get professional advice from an outside law firm, house counsel, or consultant. To save time and money, use experienced internal staff to draft the preliminary agreement, and submit the draft for legal review.
3. You definitely need to add some provisions that are not in the sample. Talk to your lawyer or consultant about “choice of law” provisions, “venue” selection, and “jurisdiction” designation.
4. You may wish to consider adding insurance requirements, proof of insurance, and policy limit requirements.
5. You definitely want to look carefully at notification requirements, monitoring provisions, and audit rights.
The basic OCR sample form can be found at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html