
Tuesday, April 17, 2012

Thoughts on the 20th National HIPAA Summit in Washington, D.C.

I have always loved umbrellas, both for form and function. In my part of Maine, you don't see them very much. But I prefer being covered widely, and still being able to see what is around me or what is coming at me, to being partially exposed to the elements with little or no protection at all.
I'm sure you can see where I am going with this. While there was the usual cast of characters at the 20th National HIPAA Summit, all lined up with their presentations and pie charts, and while no one said these words specifically, my common-sense take-away was this: even though the current focus on electronic PHI seems the most compelling right now, don't look at the various privacy and security rules, regulations and requirements in isolation. The regulators, investigators, auditors and/or enforcers are coming from all sides.
If only all the regulators would talk to each other and harmonize all their requirements into one nice checklist. Consider, for example, the CMS Meaningful Use EHR Incentive Program. In order to attest to "meaningful use," the provider must conduct a risk analysis and related follow-up according to the HIPAA Security Rule, but only with regard to electronic PHI. It seems a bit short-sighted, from a global compliance perspective, to conduct an analysis of the security protections surrounding electronic PHI and exclude an analysis of HIPAA, HITECH and state-law privacy protections from the overall review.
The HITECH breach notification requirements under the current Interim Final Rule, and no doubt the "final final" rule due out within the next few months, address breaches of unsecured PHI in all formats, not just electronic. Likewise, the KPMG audit guru mentioned certain common-sense HIPAA privacy and security issues that are included in the ongoing OCR audits, although he refused to share any findings.
I never conduct a risk analysis in a vacuum, especially in this regulatory environment. To me, it just makes sense to conduct a combined "privacy and security risk/gap analysis," because risks to and loss of paper records (along with loss or theft of portable devices) are still the most common reasons for reporting a breach to the DHHS "Wall of Shame." You would be amazed at what you can find, and at the simple fixes you can implement, when you take this approach. Why leave yourself open to any number of obvious or not-so-obvious privacy and security gaps that could easily be addressed, if only you knew about them?
So, bottom line: investing in preparation for a possible audit, and in prevention of a possible privacy or security failure or breach, has never been more pressing. The enforcement penalties are huge, and the posse of federal regulators and state Attorneys General is at the ready. Cover yourself all around.