Tuesday, October 16, 2012

HIPAA/HITECH: It's Hard for the Big Guys, Too

This week, the U.S. Department of Health and Human Services Office of Inspector General (OIG) released a report entitled CMS Response to Breaches and Medical Identity Theft.  The OIG was concerned about the possible medical identity theft that could come from misuse of Medicare beneficiary numbers.

The OIG found that between September 23, 2009 (the date the HITECH Act notification requirements became effective) and December 31, 2011, CMS reported 14 separate breaches of PHI affecting 13,775 Medicare beneficiaries.  And although CMS reportedly notified all affected individuals, it failed to meet several HITECH Act notification requirements, including:  
  • Failing to notify affected individuals within 60 days of the breach’s discovery;
  • Failing to describe how CMS’s contractors were investigating the breach, mitigating losses, or protecting against future breaches;
  • Failing to include information about when the breach occurred or the date when it was discovered; and
  • Failing to identify the type(s) of unsecured PHI involved, contact procedures for individuals to learn more about the breach, or steps individuals should take to protect themselves from harm. 
The OIG also noted that although CMS has created a Compromised Number Checklist (CNC) database for use by CMS contractors, CMS needs to provide guidance to its contractors about using the database information to stop payments on compromised Medicare numbers.

CMS actually agreed with most of the OIG's findings, and is working to improve its practices.

So if you feel like you are falling behind, you are certainly not alone.  Even the feds can't comply with their own rules very easily.

But given the enforcement environment, just keep at it!

Friday, August 31, 2012

Encryption: A De Facto Requirement?

No one will say it.
Why won’t the regulators just say it?

Some of you have your ePHI in the cloud. Some of you work for health care systems that do not let you save your ePHI locally, but take ownership of all ePHI on a central server. Hopefully, those cloud vendors and the centralized information service departments are protecting ePHI with strong technical safeguards. (Check to make sure.) But for the rest of you with an EHR, consider this:

The HIPAA Security Rule makes encryption an addressable specification. Addressable does not mean optional, as I have mentioned before, however, it does not mean “required” either. It means you need to assess and determine whether the specification is a “reasonable and appropriate” safeguard and either implement or document why it would not be reasonable and appropriate, and then put an equivalent alternative measure in place if reasonable and appropriate. Huh?

Clearly, you are mandated to have strong technical safeguards like encryption. Instead of the regulators doing this little dance, shouldn't they just say required?

Likewise, the just-published final Meaningful Use Stage 2 requirements call for the eligible professional to “conduct or review a security risk analysis in accordance with the requirements under (HIPAA) 45 CFR 164.308(a)(1), [which includes] addressing the encryption/security of data stored in a Certified EHR… and implement security updates as necessary and correct identified security deficiencies as part of the EP's risk management process.”  

Translation: Do the HIPAA security risk analysis. If you think it is not reasonable to encrypt your data-at-rest, then implement other equivalent safeguards. Document your whole thought process and rationale. It might be easier just to encrypt.

And the not-yet-final-but-still-enforceable HITECH Interim Final Rule regarding Breach Notification tells us that encryption to a certain government-blessed standard will take the provider out from under all the breach notification requirements, which includes sparing the provider the need to alarm its patients and splash its worst PR nightmare all over the media. But, of course, no one says it is required.

I do not pretend to have technical expertise, so I do not recommend particular encryption products. However, I do read the regulatory guidance that refers to National Institute of Standards and Technology (NIST) Publication 800-111 regarding data at rest. I also heard the Director of the OCR say at the National HIPAA Summit that the vast majority of breaches come from loss or theft of electronics. To keep your practice off the DHHS Wall of Shame, and protect both the reputation of your practice and the data of your patients, it seems worth the investment.  

Saturday, August 11, 2012

It’s All About Access
So with all the talk about the OCR HIPAA Audit program, and the initial findings that have been reported, we are brought right back to basics. Among other things, the KPMG auditors are looking at the privacy practices we were putting into place back nearly 10 years ago. And the OCR has recently issued a memo on patients' right of access to their protected health information (PHI), encouraging patients to actively participate in their own medical care. Patient rights are supreme.
Even so, one area of repeated deficiency found by the auditors relates to an absence of policies and procedures around patient access to their PHI. Does that surprise you? Or perhaps it resonates with you?
Practices generally are required to allow patients to see or receive a copy of their PHI within a designated period of time. Under HIPAA, the deadline is 30 days, unless an extension of time is requested. State laws will vary. In Maine, patients whose specially-protected category of Mental Health information is impacted by the Maine Rights of Recipients of Mental Health Services (“Rights Rules”), may review their information with supervision within 3 business days. Likewise, a Meaningful Use Core Measure also requires proof that more than 50 percent of all patients who request an electronic copy of their PHI are provided it within 3 business days.

Under the HITECH Interim Final Rule, covered entities, such as medical and other clinical practices, that maintain PHI electronically are required to provide patients with their record in electronic format, or transmit the data to a designated entity or individual at the patient’s request. These few words in the HITECH Act create a sizable change for the operations of a practice or health care organization, especially where the entity is in a hybrid state, meaning that the PHI is kept in paper, electronic and/or other formats. Do you provide the electronic record on a flash drive, on a CD? Are you able to transmit the electronic record securely?
Note that HITECH only allows for the labor costs associated with providing electronic PHI electronically, while state law tends to cover the costs associated with paper copying fees. 
Does your practice have a patient access policy and process that is being followed for PHI in varying formats? How are requests by personal representatives handled? When was the last time this area of your organization was monitored for compliance? Are you aware of the high enforcement penalties associated with lack of compliance?
In light of the OCR’s emphasis on HIPAA patient rights, the new audit programs under HITECH, and now under the recently announced CMS Meaningful Use Attestation Audits, being sure that you have a practice in place, including a process for denial of access if necessary (for example, if there is a risk of harm by providing access to the record) has never been more necessary. Be sure to record your efforts, as well as all requests and responses, to prove your actions and good faith. And know that you are doing the right thing for the patients, for your practice's reputation, and for your bottom line.   

Tuesday, April 17, 2012

Thoughts on the 20th National HIPAA Summit in Washington, D.C.

I have always loved umbrellas both for form and function. In my part of Maine, you don’t see them very much. But I prefer being covered widely and still being able to see what is around me, or what is coming at me, to being partially exposed to the elements with little or no protection at all.
I'm sure you can see where I am going with this. While there was the usual cast of characters at the 20th National HIPAA Summit, all lined up with their presentations and pie charts, and while no one said these words specifically, my common sense take-away was this: Even though the current focus on electronic PHI seems the most compelling right now, don't look at the various privacy and security rules, regulations and requirements in isolation. The regulators, investigators, auditors and/or enforcers are coming from all sides.
If only all the regulators would talk to each other, and harmonize all their requirements into one nice checklist.  Consider, for example, the CMS Meaningful Use EHR Incentive Program. In order to attest to "meaningful use" the provider must conduct a risk analysis and related follow-up according to the HIPAA Security Rule, but only with regard to electronic PHI.  But it seems a bit short-sighted, from a global compliance perspective, to conduct an analysis of security protections surrounding electronic PHI and exclude an analysis of HIPAA, HITECH and state law privacy protections as part of the overall review.  
HITECH Breach Notification Requirements under the current Interim Final Rules, and no doubt the “final final” rules due out within the next few months, address breaches of unsecured PHI in all formats. Likewise, the KPMG audit guru mentioned certain common sense HIPAA privacy and security issues that are included under the ongoing OCR audits, although he refused to share any findings.
I never conduct a risk analysis in a vacuum, especially in this regulatory environment. To me, it just makes sense to conduct a “privacy and security risk/gap analysis” because risks to and loss of paper, (as well as loss or theft of portable devices), are still the most common reasons for reporting a breach to the DHHS Wall of Shame. You would be amazed at what you can find, and the simple fixes you can implement, when you take this approach.  Why open yourself up to any number of obvious, or not-so-obvious privacy and security gaps that easily could be addressed, if only you knew about them?
So bottom line, investing in your preparation for a possible audit, and prevention of a possible privacy or security failure or breach, has never been more pressing. The enforcement penalties are huge, and the posse of federal regulators and state Attorneys General are at the ready. Cover yourself all around. 

Friday, March 9, 2012

Are the Final Regulations Finally Coming?

It has been reported that the final HITECH rules are due out this month. The Office of Civil Rights (OCR) supposedly is “making every effort” to publish the final rules, according to an interview with Susan McAndrew, Deputy Director of Health Information Privacy for the OCR, by the internet journal Healthcare Info Security.

The federal Department of Health and Human Services ("HHS") issued its unified agenda in January 2012 (at Regulations.gov), which listed March 2012 as the deadline for the HITECH final rules. I actually called the listed agency contact to see if I could get any information about a true release date. The contact graciously called me back and could not give me any specific information, except that 1) the upcoming rules will have suggested language for the Business Associate Agreement and 2) the Office of Management and Budget, which needs to review and approve the final rules, has not seen the final HITECH rules yet. And she told me to join the OCR listserv for the latest updates.

Additional federal regulator action in process includes a) the final "Accounting of Disclosures" rule, on the regulatory agenda for June 2012; b) upcoming changes to the HIPAA authorization rule with regard to clinical research; and c) a retrospective review of the HIPAA requirements for distribution of Notices of Privacy Practices. The description in the chart attached to the announcement focuses on reducing costs to insurance plans. http://www.reginfo.gov/public/do/eAgendaViewRule?pubId=201110&RIN=0945-AA03


So the final rules may not be out in March, but the final rules are coming, and they will be here soon. Don't wait to start getting your HIPAA and HITECH house in order. The OCR audits of basic HIPAA privacy and security requirements are underway now.  Assessing your risks and putting policies and procedures in place will make the next steps easier in the long run.

Wednesday, January 25, 2012

HIPAA, Facebook and Temporary Staff

When I conduct a training or draft policies for practices, I always include a prohibition against sharing patient information on social media sites. I usually get a few laughs or rolling eyes in response, as if to say "that's obvious!"  Unfortunately for a patient in California, it wasn't obvious to a temporary staff person at Providence Holy Cross Medical Center in Mission Hills, who is said to have recently posted a medical record on Facebook.  Allegedly, the patient's name and other complete identifiers were included in the post.  According to reports, this agency employee rejected complaints of a HIPAA violation and thought the post was both funny and perfectly acceptable to post to her page.   

Along those same lines, I recently received a note from a client asking what to do in terms of privacy and security when a student or temporary staff comes on board.  My response? Training first and foremost. Clearly, the agency employee in the Facebook incident had not received appropriate education or preparation in this area.

A "temp" is considered part of your workforce. A new workforce member should not access protected health information (PHI) in any format without first reviewing appropriate privacy and security policies, and signing off on a confidentiality/sanction agreement.  Ideally, the new staff member already should have been trained about privacy and security concepts, either by his or her school or staffing agency. You need to screen the individual and confirm background education in this area. Then you need to ensure that the new workforce member is trained in your practices, and the "do's-and-don'ts" of accessing, creating, using and disclosing your PHI. 

Remember: Only allow access to electronic records, especially those hosted on a cloud system, during those hours that the temporary workforce member is actually working for your organization. Failing to terminate access for all those days and weeks in between work days in your office creates a huge risk for you.

Proactively attending to these preliminary steps up front, as a matter of office practice, could spare your entity from dealing with breach issues, investigations, and legal or regulatory sanctions later on.

Tuesday, January 3, 2012

Thoughts for the New Year

Much continues to happen in the compliance world.  Before the turn of the New Year, I found myself helping a number of small practices move through their HIPAA security risk analysis process, which was inspired by their desire to meet the Meaningful Use criteria and receive incentive dollars.
Meaningful Use Core Measure 15 requires the eligible professional to attest “Yes” to having conducted or reviewed a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implemented security updates as necessary and corrected identified security deficiencies prior to or during the EHR reporting period to meet this measure.  This only relates to ePHI.

But wait, the federal HIPAA audits are underway. The regulators, through their private auditors, will be looking at privacy and security compliance, risks and best practices. So the providers I assist get a review of both privacy and security gaps and risks, because one cannot operate without the other. The resulting action plan and risk management process incorporate common sense steps to reasonably address our findings, and weave compliance through their regular operations. Both privacy and security must be woven together, especially in the face of breach notification requirements at both the state and federal level.

Not to mention the mandates of the Medicare Conditions of Participation, Medicaid, Joint Commission and both hospital and professional licensing boards for keeping PHI private and secure. A failure to have policies and systems to protect your patient data could lead to headaches on many levels.
For the new year, make it a priority to put your HIPAA and HITECH house in order.  You can't afford to work in a silo, addressing only electronic security or only privacy protections.  Both items must be on your to-do list.  Let me know if I can help.