Occasional HIPAA Update Newsletters

From time to time I'll send my clients and interested others an e-mail update on new or pending regulatory actions and news related to healthcare information privacy and security.  I'll also post them here for others to read.  If you'd like to be on the e-mail list, please contact me and I’ll be happy to add your e-mail address.  Please remember, I am not a lawyer and this is not legal advice, it is only information and resources, and personal opinions.  Thanks!

HIPAA Enforcement, Changes to Come, Information Sharing, and Your 2019 HIPAA To-Do List

I think I’m gaining — it was more than a year between the last two newsletters, and it’s not much more than nine months now since the last one!  But there is plenty to talk about, no question, including recent enforcement activity, which reflects on one of my pet issues, management of access to external Web sites, and the pace of enforcement actions, which had slowed to a trickle until the recent spate of announcements.  And state Attorneys General are now getting into the HIPAA enforcement game as well.  By the way, did you hear the announcement about the changes to the HIPAA Audit Protocol?  Me neither, but they were made last July.  Also on the agenda is a look at what to expect for changes in the rules.  Will we ever see a new proposed rule for Accounting of Disclosures now that we’re 10 (yes, ten) years out from the passage of the HITECH Act requiring a change?  Will there be changes in the Security Rule for improving the ability to audit and review access and use of data?  Will we dump the acknowledgment signature for the Notice of Privacy Practices?  And how are we going to solve this shameful situation where it is so difficult for patients to access their information and have it shared with any provider they so choose, without friction?  To finish things off, I’m sure we’d all appreciate a quick list of topics to put on your HIPAA list for review, so I’ll try to create that for you.

— “So, what should I DO?” — 

I’m really good at pointing out compliance issues that should be addressed somehow, but the client’s answer is often, “So, what should I DO?  Out of all the issues that are out there, what needs to be focused on first, and what kind of things can I do to address those issues?”  Well, thanks to the Cybersecurity Act of 2015 section 405d, we now have a good advisory document set to provide some distillation of the steps that need most to be taken to meet the numerous rules and standards in information security today.  As you know, I am a big fan of Risk Analysis, but this approach assumes there are certain universal risks that need to be addressed, and provides actions that can be taken to reduce them.  On December 28, 2018 the Department of Health and Human Services released a guide to voluntary cybersecurity practices for healthcare organizations ranging in size from local clinics to large hospital systems — three sets of practices are provided, for small, medium, and large organizations.

Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients is a four-volume publication, the result of a two-year public-private partnership between HHS and more than 150 healthcare industry professionals.  The guidance is a mixture of highly technical solutions and common sense practices applicable to a wide range of healthcare facilities. The core of the document explores the five most relevant threats to the healthcare industry and recommends ten cybersecurity practices to mitigate them.  While this may be old news to mature, larger IT organizations, for smaller organizations it provides a useful way to explain the issues and show what needs to be done, to senior managers who may not have a lot of information security expertise at their disposal.  

Note that this does not replace a risk analysis, it supplements it, but if the considerations in the report are addressed, it can make the Risk Analysis a lot less traumatic.  I think it’s definitely worth it for those in charge of privacy and security to spend some time absorbing and addressing the issues included, as a defined project, not just a casual activity.  See:  https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx  

— HIPAA Enforcement Pace Increases — 

For a while it seemed that HIPAA enforcement was stalled, with few settlements being announced following the change in the administration a few years ago.  But things picked up considerably at the end of 2018, with four actions being announced: a record $16 million settlement for a breach of 79 million records, a $125K settlement for a doctor going public with patient information to refute a claim made publicly by a patient, a $500K settlement for sharing information with a fraudulent business associate (with no BA agreement) who breached the information, and a $111.4K settlement for failing to terminate the access of a former employee to the organization’s scheduling calendar hosted by Google without a Business Associate Agreement.

While the Anthem settlement for $16 million sounds like a lot, we’re talking about 20 cents a record for the breached information.  Sounds pretty limp to me, but it does almost triple the previous high settlement amount.  As for going public with patient information, we now have three settlements with head honchos who couldn’t help themselves, who, in the most recent case, ignored the advice of their own compliance people (what do you pay them for then, eh?), and went public with a patient’s information, in two cases as a response to public statements by the patients.  Let’s make this clear, shall we?  Even if the patient hands out copies of their entire medical record to everyone in the street, the doctor still has to have a HIPAA Authorization from the patient to discuss their information in public.

In the case of the fraudulent Business Associate, make sure someone you are dealing with is actually a representative of the company they claim to represent, and if they’re acting as a BA, get the BA Agreement in place!  You need to do research on the BA commensurate with the risk involved.  But the most recent enforcement settlement case really caught me by surprise.  As many of my clients know, I have a thing these days about staff access to external Web sites managed by other entities.  It’s easy to have well-controlled access to your own systems and networks, where when someone leaves, you have a process to throw the switch and cut off access.  But it’s less easy to deal with all the access to outside Web sites, which has really blossomed these days with the proliferation of electronic systems for all kinds of communications and transactions.  (And you may have inbound remote access of your own to protect.)

Do you know who has access to external sites that involve Protected Health Information and how to make sure your responsibilities are taken care of upon departure of the staff?  Do you know what your responsibilities are?  Yes, those external resources are responsible for their own security, but there could certainly be seen to be an ethical responsibility, if not contractual, to notify them if a user is no longer on your staff.  If that access might allow access to your own patients’ information, it may certainly be seen as your responsibility.  This settlement involved a former employee’s access to the organization’s calendar, which happened to be hosted improperly under the regulations (no BAA).  If you don’t have a defined process for tracking who has access to what and making sure that access is terminated when the employee is, you are leaving yourself open to a growing risk issue.  The time to deal with it is now.

Let me give you a quick example that may make your ears ring, about unterminated remote access into an organization.  A client of mine recently hired a new CFO who used to work at another facility some years ago.  While at the prior facility, the person needed to get remote access into some system or other, and at the time the organization did not have a defined remote access process, and the IT staff set up a special access method allowing the access that was needed.  As time passed, the IT staff and management turned over, and the individual needing the access moved on to another organization and eventually became the CFO I know today.  Based on the CFO’s awareness of the issue of remote access left open, the CFO checked, and yes, the CFO still has access to systems and networks at an organization they no longer work for, and haven’t for many years.  In fact, the recently-hired current IT staff at the old organization either isn’t aware of the access allowed, or is aware of it but is afraid to turn it off because they don’t know what it does and don’t want to break any existing processes.  Because the old access was never properly established and managed according to a documented process, it has been forgotten over time and now exists as a back door into systems that IT doesn’t know about, and that could potentially be discovered by hackers, depending on the security of the access, which is completely unknown by the IT staff.  The easiest fix is probably to rip everything out and start from scratch for networks and access.  Wouldn’t it have been easier to know who has access and how, and manage the access before it becomes a liability?

And even as HHS slowed its enforcement for a while, state attorneys general have been busy picking up the slack, with New Jersey hitting the headlines most recently in November with a $200K penalty and a ban from ever working in New Jersey again for a transcription company that didn’t protect information properly, on top of a $414K penalty last April for the medical group that hired them.  New York had a $575K settlement last March for a health information breach exposing over 80,000 social security numbers.  Clearly, even if HHS disappears from the scene, the state AGs are prepared to carry on in enforcement using HIPAA as the standard.

— Update to the HIPAA Audit Protocol — 

Did you see the announcement last July about the updated HIPAA Audit Protocol?  Me neither, because it wasn’t made, and HHS still hasn’t released an announcement or an overview of what’s different in the protocol.  So, here’s the scoop: there are a dozen questions changed, numbers 4, 58, 163, 164, 165, 170, 172, 173, 174, 175, 177, and 178, which translates to a few in the privacy realm and several in the breach notification section, updating the questions based on the experience gained in the 2016 Audit round.  There are no changes to the Security Rule questions.  This is all very nice, but in re-publishing the HIPAA Audit Protocol, they put it up on the Web site in such a way that copying it into some actually usable tool like a spreadsheet or database is a royal pain and takes a day of work to fix once you copy and paste.  This is the same problem the original 2016 protocol had, which was finally fixed after many months, and is now broken again, oh thanks.

But, lucky you!  I have updated my spreadsheet copy with the changes, discovered by laboriously examining every one of the 180 questions for changes, since a direct comparison isn’t possible because of the insane formatting.  If you’d like to see the HHS HIPAA Audit Protocol, it’s still at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html and if you want an updated spreadsheet copy with the changes, please send me a message and I’ll be happy to send you one.  (See? This is the test to see if you’ve read this far — of course you want a copy!)  Please be aware that because of limitations in Excel, and the size of some entries, it may require double-clicking on a cell and/or reducing the font size to see or print the cell contents fully.  Make sure you look at ALL the details of each question.

— New Accounting of Disclosures Rule Coming — 

So, for you old-timers in HIPAA, we’re coming up on the 10th anniversary of the HITECH Act amending HIPAA, which might be nice, except that HHS still hasn’t come up with a decent plan for the required new rule for Accounting of Disclosures that the HITECH Act calls for.  The law requires some substantial changes, and HHS’s initial proposal was met with derision and laughter, as it went way beyond the requirements of the law and the capability of technology to reasonably support the proposed rule.  In short, no, it couldn’t possibly work, and was finally formally withdrawn earlier this year.  But the law still exists, and with it the obligation to make Accounting of Disclosures actually relevant to patients.  I mean, has anyone ever actually asked your organization for an Accounting of Disclosures, and would you even know what to do if they did?

So the development of the new rule is under way, with HHS asking for initial comments in a December 12 announcement of the Request For Information.  Based on the recommendations developed some years ago there are likely also to be changes recommended for the Security Rule to improve the ability to audit and review access and use of data, in support of the new Accounting rule.  (You can’t account for what you don’t know!)  That will make the first substantive change to the Security Rule since it was adopted, not counting the expansion of coverage to Business Associates, and probably about time.  When the government reopens, the RFI will be available at: https://www.federalregister.gov/public-inspection/ — comments are due by February 11, but who knows if the government will be open by then.

— Changes to Signature Requirement for the NPP? — 

Will we dump the acknowledgment signature for the Notice of Privacy Practices?   Really, that’s the best we can do for finding ways to reduce the administrative burden of HIPAA?  Well, that’s the idea, but it’s not all that simple, since the signature for the NPP counts as a signature for consent under the Telephone Consumer Protection Act of 1991 to contact someone using their cell phone, which is how just about everyone communicates these days.  If you don’t have documented consent under TCPA, you can’t call or text someone’s cell phone for payment purposes AT ALL, and there are also limitations on uses for healthcare operations, like appointment reminders.  A judge ruled about a year ago that signing the NPP that says how your contact information may be used counts as a TCPA consent.  If that signature goes away, you’ll have to get a signature instead for TCPA consent, resulting in zero reduction in administrative burden and an expense of changing processes.  There is also some consideration of changing the TCPA rules to allow contact for treatment, payment, and healthcare operations as defined by HIPAA without consent, but unless that happens if and when the HIPAA rules are changed, there will be a net negative effect.  This is also an area ripe for comments on the RFI, if we can ever get a copy and submit the comments.

— 2019 is The Year of Sharing Health Information — 

Well, I’m calling it that anyway.  So, how are we going to solve this shameful situation where it is so difficult for patients to access their information and have it shared with any provider they so choose, without friction?  HIPAA is NOT the issue; misinterpretation of HIPAA is often the issue.  Doctor’s offices have always been shy about sharing their intellectual capital, their medical records, and their patients with other doctors.  Of course a doctor wants to keep his patients!  But now simple reluctance has turned into outright blocking of information transfers to protect an office’s business, contrary to HIPAA.  In so many of these cases, HIPAA is used as an excuse for not sharing information with other providers, when the rule explicitly allows such sharing.  MAKE SURE you are sharing information as requested by your patients, and as required by HIPAA.  If your organization is resisting this, fix it!  If you are dealing with another organization that won’t share what they should, it’s time to start making noise, with the organization’s leadership, with HHS, and with the Press (though be sure not to include any patient identifiable information in Press communications).  When you complain publicly, patients will start asking questions and putting pressure on their doctors to do the right thing.  We need to shake up the entire industry to make this happen, and we all need to step up for our patients’ and the nation’s health.

— Your 2019 HIPAA To-Do List — 

1. Review/update/establish your external Web site and remote access management processes

2. Check your termination processes and make sure they work

3. Review your access and use of systems and data

4. Update your Risk Analysis

5. Plan out your Risk Management Activities

6. Be ready to respond if there is a change in the rules

And please let me know if you have any questions.  



42 CFR Part 2 Revisited, Ready for the GDPR?, The Future of HIPAA Audits

Well, it’s been more than a year since my last newsletter, and to be sure many of you must have figured your name was lost from the list or something, but no, I’ve just been rather busy over the last year, with so much happening that it’s been hard to figure out where to start.  So I’ll just dive in and cover a few things on my mind and see where we get.

— 42 CFR Part 2 Revisited — 

Interestingly enough my last newsletter looked at some of the changes being made to 42 CFR Part 2 (concerning substance use disorder treatment information) that finally went into effect in March of 2017, and now here we are with additional changes to 42 CFR Part 2 going into effect, and debate in congress as to how to make further changes to help combat the epidemic of opioid abuse that is destroying our communities.  Patient protections, designed when keeping addiction information secret was the best idea, appear to be contributing to the problems, as treatment for modern addiction calls for integrated, community-based, family-supporting treatment and communications.  

Anyway, the most recent changes are common sense changes to help move 42 CFR Part 2 a bit closer to HIPAA-like controls in some areas.  Under the new final rule, when an individual consents to their substance abuse information being disclosed for payment or health care operations purposes, the recipient may share that Substance Use Disorder (SUD — get used to yet another acronym!) information with their contractors, sub-contractors, and legal representatives as necessary to carry out the payment or health care operations.

Also, previously, only Part 2 programs (generally specialty SUD treatment programs) were permitted to disclose protected substance use disorder information without patient consent for audits and evaluations.  Under the new Final Rule, other individuals and entities which have lawfully received Part 2-protected information may also disclose substance use disorder information for the purpose of certain audits and evaluations, and that information may be shared with auditors’ and evaluators’ contractors, sub-contractors, and legal representatives as needed.  The new Final Rule also allows for an abbreviated notice of the prohibition on re-disclosure that will fit better into EHR text fields.

These changes, on top of the 2017 changes allowing consent for disclosures to an individual’s providers in general (with changes allowed to the provider list without having to get a new consent every time), combined with an accounting of disclosures under such consent, make it easier to share information as needed, but it’s still a very sticky process.  The goal will be to make necessary information sharing easier in order to save lives, without destroying patient protections.  Stay tuned — we can expect action on this topic soon, I’d expect, the way the opioid crisis is getting out of hand.  

I’ve posted a set of useful links on my Resources pages, on the Regulations, Standards, and Laws page at http://www.lewiscreeksystems.com/resources_regulations_stand.html .  When you review the links and the information, understand that some of the links go to information prepared in 2017 that does not consider the 2018 changes, so check the dates on pages to be sure you know what you’re looking at.   (Marketing notice: If this is relevant to your operations, I’m doing a Webinar on this topic on April 9 — see the list on my Web site at http://www.lewiscreeksystems.com/upcoming_public_seminars.html .)

As with so much of our lives today, from addiction to personal privacy to gun control to Facebook, that which was taken as immutable must now be re-examined and the lines redrawn in the context of today.  We live in challenging times and we’ll have to grow and change to survive, which is, after all, the essence of life, so let’s embrace the challenge and do the best we can to make sense of it all, for the good of us all.

— Ready for the GDPR? — 

The what?  Is this a new Federal regulation?  No.  It’s worse.  It’s a European Union regulation that applies to anyone, anywhere who has any personal information of any EU subject.  It doesn’t say what companies should do, it says that all identifiable personal information of EU subjects must be protected by whomever holds it.  It’s focused on the individual’s information, not the businesses that use it.  What a concept!

European rules apply to us??  That’s the story.  If you want to serve any customers who reside in the EU, you need to be in compliance with the GDPR.  In healthcare you can’t decide, “no, I’m not serving anyone from the EU,” you need to take care of whomever presents to you, and for some organizations, particularly near tourist destinations, the likelihood of serving someone from the EU is just about 100%.  NOTE: The care and services provided in the US to someone who is in the US would likely not be covered under the GDPR, but any communication to the EU about the individual would be covered (and the GDPR would cover US residents’ information if they receive services in the EU).  But if you actively market your services to EU residents, they may wind up under the GDPR, if they come to the US to receive services as a result.  Does your head hurt yet?

Violation penalties are based on the global profits of the organization, up to 4% for serious violations (or up to 10 million Euros, whichever is higher), and 2% for technical lack of compliance.  These can obviously be some very big numbers for companies like Microsoft and Google, but even for a small office, it can be a huge hit.

Healthcare is lucky — HIPAA has demanded a lot of the same protections for years now, but the net is cast a bit wider now, including all identifiable information, not just health-related information, and more stringent requirements for encryption for storage and transmission of identifiable personal information.  The Information Flow Analysis process I’ve been using for years for HIPAA Risk Analysis is the required approach — where does the information come from, where is it created, where is it stored, and where does it go to.  You need to have a handle on your data and make sure it is nailed down — that ought to be a familiar concept to you.

So far, I haven’t said anything too controversial — just open your eyes a bit wider and be a bit more hard-nosed about encrypting everything you can.  But when it comes to Breach Reporting, hold onto your hats.  Breaches of personal information must be reported to the “relevant supervising authority” within 72 hours when feasible.  In addition, opt-ins are required for any uses of the information, so an EU consent will be required from all EU patients.  Oh, and there’s also a “right to be forgotten” that must be dealt with somehow, and rights to correct errors in data.

I’m still getting my arms around the impacts and how to modify and update compliance processes and recommendations, but it’s clear that for many of my clients, compliance with the GDPR is going to be necessary.

Longer term, though, I hope you can see what this means.  Can you separate the information for EU subjects from your non-EU customers?  I didn’t think so.  This will force the de facto standard for treatment of personal information in the US to rise to the EU standard simply because so many organizations will have to comply.  Better security will be expected, will become the standard of care for personal information, even if our government can’t get it together to require it.  Longer term, a consistent approach to the security of personal information globally will be a good idea.  Short term, it’s another uh-oh moment in healthcare, as though we don’t get enough of those already anyway.

So, breathe deeply and don’t panic.  See the EU GDPR Web site to get more details, at: https://www.eugdpr.org and there’s a great summary at http://www.bio-itworld.com/2017/10/10/what-the-eu-general-data-protection-regulation-means-for-you.aspx  

— The Future of HIPAA Audits — 

So, of course you did read the official announcements from HHS first stating that there would be no on-site audits as part of the Phase 2 2016-2017 Audits, and then that the HIPAA audit program was formally cancelled, didn’t you?  What?  You don’t see the official announcements?  Were there any such announcements?  Well, no.

In keeping with the informal (perhaps wild-west?) nature of government communications these days, a couple of significant changes in the direction of HIPAA enforcement occurred recently when HHS personnel mentioned in unofficial comments that first, the on-site audits that were to be done in 2017 were cancelled, and then more recently, that there would be no further HIPAA audits, and Phase Three of the HIPAA Audit program would be the development of reports on Phases One and Two including recommendations for best practices based on what was learned in those audits.

Once again, don’t you just love how a law can be passed for the government to do something, but it implements it only if it feels like it this week?  The HITECH Act in section 13411 calls for periodic audits of HIPAA compliance of covered entities and business associates.  So, I guess the period is now, uh, “never”?  Or once a millennium?  Well, I guess the law doesn’t specify the period, so it’s up to the boss.

So should you just forget about the audits?  No way!  Being prepared for an audit means you are prepared to withstand an enforcement investigation with a minimum of disruption and a maximum of success.  The 2016 HIPAA Audit protocol, stringent as it is, is still a great tool to see if you really have in place everything you need to answer any questions about compliance that come up.  And, of course, should there be a change of administration, there could again be a change of attitude about HIPAA audits.  

If you haven’t yet, copy the HIPAA Audit protocol from the HHS Web site ( https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html ), paste it into an Excel spreadsheet and do some reformatting, and then get busy.  Add some columns for item number, responses, documentation links, remaining issues, and priority, and you have a handy compliance review and management tool.  Or ask me for a copy of mine.

The word is, from these same officials, that enforcement activity is not backing off, just the audits, so you still need to be ready to respond to any inquiries about your compliance.  Recent settlements have been up to multi-millions of dollars, so it’s definitely better for you to do your own auditing, before someone else does.

— A Final Note from my morning news review… — 

A new study shows that patient deaths increase by a measurable amount following a data breach at a hospital.  Money is diverted from patient care to security, people are distracted, things take longer to get done than they should — and thousands of people die as a result.  Is there any better reason to get your security in order before a breach disrupts everything?  Better security = better patient care.  See the article in Becker’s Hospital Review, with a link to the Wall Street Journal article on the topic: https://www.beckershospitalreview.com/cybersecurity/study-hospital-data-breaches-tied-to-thousands-of-additional-patient-deaths.html 

And that ain’t all folks!  Check my News page at http://www.lewiscreeksystems.com/privacy_security_and_compli.html for lots more.

— Go forth and be HIPAA! — 

I’ll see if I can put out another newsletter issue promptly.  That should be easy, right?  I’ll probably include some good Q&A I’ve gotten, and maybe discussion on two of the biggest areas of concern/difficulty in healthcare security today: texting, and managing access to external Web sites.  Of course, a nasty Ransomware attack can always wipe you out, but texting and managing access to external resources are things that we can devise solutions for, and need to, as the means of communicating in healthcare continue to change.

It’s never too late to improve your compliance, and it’s always a good idea to follow up on any HIPAA-related issues you suspect.  Trust your hunches and go looking for problems if you have any suspicions about the quality of your compliance.  If you don’t check, you’re leaving it up to HHS, or worse, the local TV News team.  Be positive, forward-thinking, and enjoy the breaking Spring!

And please let me know if you have any questions.  



New Settlements & Guidance, Changes to 42 CFR Part 2, HIPAA and 21st Century Cures and ACA, Free Training

I know, those of you who know me are surprised to see another newsletter so soon after my last one, but there is just so much going on!  New lessons are being taught in HIPAA enforcement settlements, the changes to 42 CFR Part 2 (pertaining to substance abuse treatment information) have just been finalized this week, and there are HIPAA impacts resulting from the 21st Century Cures Act as well as the impending repeal or defunding of the Affordable Care Act.  On top of all that, I’ve begun offering free short PowerPoint show-based security reminders you can download and use with your staff.  The first one is posted with more to come over the coming year.

— What’s in the HIPAA News? — 

Looks like the trickle of HIPAA Settlements is becoming a wave — two new settlements for potential HIPAA violations were announced in just the last two weeks.  The lessons?  Report your breaches on time ($475K + action plan https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/presence).  Implement your safeguards, such as risk analysis, encryption of portable devices, and follow through with whatever you have promised OCR you’d do following a breach ($2.2 million + action plan https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/MAPFRE). 

Also new is updated guidance and FAQs from HHS on disclosures to loved ones.  I don’t think this is the anticipated new guidance on sharing information with family and friends involved with an individual’s care, but it contributes to knowledge in that realm.  OCR’s updated guidance and FAQ may be found at:  https://www.hhs.gov/hipaa/for-professionals/special-topics/same-sex-marriage/index.html and the FAQ is also available at https://www.hhs.gov/hipaa/for-professionals/faq/2086/does-hipaa-privacy-rule-permit-doctor-discuss-patient-s-health-status.html  I still have hope the more complete guidance is on the way, because this is an area of some sensitivity for patients.

One of the more useful and relevant guides released by NIST is the new Special Publication 800-184, which is an excellent overall Guide for Cybersecurity Event Recovery that now incorporates incident handling and contingency planning.  The press release (at https://www.nist.gov/news-events/news/2016/12/nist-guide-provides-way-tackle-cybersecurity-incidents-recovery-plan) provides a good overview, and the Guide is available at:  http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-184.pdf  

From the press release: "The publication supplies tactical and strategic guidance for developing, testing and improving recovery plans, and calls for organizations to create a specific playbook for each possible cybersecurity incident. The guide provides examples of playbooks to handle data breaches and ransomware.”  This approach supports my view that developing and working through drills on various scenarios is one of the best ways to be prepared for a nasty security event. 

And what’s this?  Yet another security framework from our friends at NIST?  The new Draft 1.1 of the NIST Cybersecurity Framework is out (https://www.nist.gov/cyberframework/draft-version-11), and while it is indeed useful, I echo the sentiments of security expert Stephen Northcutt as he commented in the SANS NewsBites newsletter of January 13 (https://www.sans.org/newsletters/newsbites/xix/4), “In one sense, another framework makes me want to puke. However this organized security framework is the path to better risk management. Why NIST could not read and use the critical security controls is beyond my understanding.”  [sigh]  Yes, it is useful, at least as far as some of the simple rubrics contained within are concerned (Identify, Protect, Detect, Respond, and Recover) but again, I feel this kind of work should be coming from government-funded university research (at least partly because so many computer science programs barely acknowledge security and need this kind of a boost) not NIST.  This framework comes from a clean sheet and doesn’t consider other valuable, established processes much, so it’s just a bit annoying.  Please, no more new frameworks.

 — Final Changes to 42 CFR Part 2 — 

If you don’t know what 42 CFR Part 2 is, you probably don’t care much about this, but in the world of mental health and substance abuse treatment, this is news.  Basically, 42 CFR Part 2 puts limitations on the sharing of information related to drug abuse treatment.  Each disclosure requires a consent, and information cannot be re-disclosed by a recipient without another consent.  It’s burdensome, especially in the new world of information sharing and coordinated treatment among providers.  

The new final changes to 42 CFR Part 2 (https://www.federalregister.gov/documents/2017/01/18/2017-00719/confidentiality-of-substance-use-disorder-patient-records), among other things, allow release of information to a qualified researcher, but more importantly, allow a patient to consent to disclosing their information using a general designation (such as “my healthcare providers”), to allow patients to benefit from integrated health care systems.  Patients do not have to agree to such disclosures, but patients who do agree to the general disclosure designation have the option to request a list of entities to whom their information has been disclosed.  A nice summary is in the press release, at https://www.samhsa.gov/newsroom/press-announcements/201701131200

 — Hot Off the Presses: Common Rule Update Finalized — 

And if you’re into research, it’s time to look into the finalized Common Rule revisions, also just out this week.  So many new intersections between HIPAA, 42 CFR Part 2, and research!  Those of you who do research with health information relating to substance abuse have some homework to do.  You have a little time, until 2018, to implement the new rule.  See https://www.federalregister.gov/documents/2017/01/19/2017-01058/federal-policy-for-protection-of-human-subjects 

 — HIPAA implications of 21st Century Cures Act — 

While the 21st Century Cures Act doesn’t directly affect HIPAA, it calls for a lot that is related to HIPAA.  On December 8, 2016, AHIMA published an informative guide to the Health IT and HIM related sections.  There are numerous sections pertinent to those in HIPAA compliance, and this overview guide from AHIMA is easy to use and understand.  In fact, many of the things called for relating to HIPAA, such as guidance on sharing information with family, friends, and others involved with an individual’s care, are already in the works at HHS Office for Civil Rights, but the legislation provides a solid foundation for these activities.  The law also reinforces patient access rights, and touches on issues relating to research, mental health, and 42 CFR Part 2.  This legislation has non-trivial, wide ranging impacts on HIPAA.  See the AHIMA guide at:  http://bok.ahima.org/doc?oid=302012  

 — HIPAA implications of ACA Repeal or Defunding — 

As I mentioned in my last newsletter, if the ACA is repealed, there could be huge demand from patients to exercise their right to not tell the insurance company about an encounter if they pay out of pocket.  Now that may be fueled by more than just fears of having your insurance cancelled or your rates quadrupled.  Certain ethnic minorities that may be targeted by the new Administration will also want to stay out of as many databases as possible.

It seems likely at the moment that ACA will die through de-funding, not outright repeal, but who knows?  What a mess.  Be ready to deal with it.  And write your senators and congressmen if you don’t want to see healthcare denied to a significant portion of the population through lack of insurance — maybe even you!

 — Free Training Reminder PPT on E-mail, Texting, and Mobile Device Hazards — 

I have begun offering a new series of training products, available on my Web site.  First up is a free, nine minute PowerPoint show with audio, on the topic of E-mail, Texting, and Mobile Device Hazards, which you may download and use as a security reminder for your staff.  Over the coming year, I’ll be adding more free reminders, as well as a suite of 90-minute training sessions available for a fee.  Also, I find an increasing number of my clients ask me to prepare a pre-recorded staff training session that is specific to their organization and their policies, which is, after all, the right way to do it.  See what’s up at http://www.lewiscreeksystems.com/hipaa-training-products.html 

As for live training sessions coming up:

SFO can be nice in February, maybe a 1.5 day Privacy Rule session February 23 and 24 would be good — see: http://www.complianceonline.com/hipaa-privacy-rule-compliance-new-rules-and-responsibilities-of-privacy-officer-seminar-training-80142SEM-prdsm  

Washington, DC can be lovely at the end of March, nice enough on March 23 and 24 for a 2-day A to Z session — see: http://www.globalcompliancepanel.com/control/globalseminars/~product_id=900754SEMINAR?HIPAA-privacy-security-compliance-Washington-DC  

And I have other live Webinars scheduled well into 2017 already, so be sure to check my upcoming public seminars page, at: http://www.lewiscreeksystems.com/upcoming_public_seminars.html 

 — Go Forth and Be HIPAA! — 

Please enjoy your winter — it’s been strange here in Vermont so far — ticks in January??  And please let me know if you have any questions.



Anticipated HIPAA Changes, Enforcement Pace Increasing, Next Focus for Guidance

Well, you can’t say we live in uninteresting times.  Since my last newsletter (I know, way back in February, for goodness sake) a lot has changed in the world of healthcare information security, and, more recently, political changes may mean a few significantly impactful changes to the demand for certain patient rights.  Along the way, HHS has expanded on its guidance on Access of PHI by Individuals first published in January, renewed the HIPAA Audit Program, begun issuing settlements for HIPAA violations at an increasing pace, with increasing “settlement amounts.”  Let’s touch on a few things…

 — Ransomware and Healthcare — 

Make no mistake, the bad guys have healthcare clearly in their sights, and it’s not just to steal PHI any more.  Today the threat is to lock up your data and systems.  Tomorrow?  Why not bring entire healthcare systems down and deny proper treatment to untold numbers of patients?  It’s already happened in the UK… 

Ransomware is two issues.  One is, you’d better have good, frequent, network separated, protected backups; set up your networks, admin rights, and access controls to limit the damage any one infection can do; make sure all your anti-whatever and OSes are up to date; and train your staff as follows:  “Don’t click on that link.  Don’t open that attachment.  If you are not absolutely sure about the authenticity of any attachment or link, pick up the phone and check.”  Recently a phony e-mail was sent to numerous healthcare entities, made to look like an Audit message from HHS, with phony reply addresses made to look like HHS addresses.  (HHS addresses end in “hhs.gov”, NOT “hhs-gov.us”.)  Have your recovery plans in place and tested and be ready to analyze the incident — it may be a reportable breach.  See  http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf 
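The phony "HHS audit" e-mail above is a good case for a simple, mechanical check that staff training alone can't provide.  The following is an added example, not part of this newsletter and not anything HHS publishes: given a raw e-mail, it pulls the domains out of the From, Reply-To and Return-Path headers, accepts only the real hhs.gov (or a genuine subdomain of it), and flags domains that merely look like it once dots and hyphens are ignored, such as hhs-gov.us, as well as the pattern where the From line shows hhs.gov but replies would go somewhere else.  The sample messages are constructed for the example, and the function and constant names are my own choices.

```python
"""Sender-domain check for e-mail that claims to come from HHS.

Added example (not from the newsletter or from HHS): extract sender
domains from a raw message and report lookalikes of hhs.gov such as
hhs-gov.us, plus a From/Reply-To domain mismatch.  Names, constants
and sample messages are this example's own, constructed for it.
"""
import re
from email import message_from_string
from email.utils import getaddresses

# Domains that legitimately belong to the sender being imitated (assumption:
# only hhs.gov itself matters for this check; extend the tuple as needed).
TRUSTED_DOMAINS = ("hhs.gov",)
SENDER_HEADERS = ("From", "Reply-To", "Return-Path")


def normalize(domain):
    """Lower-case and strip whitespace and any trailing dot."""
    return domain.strip().lower().rstrip(".")


def is_trusted(domain):
    """True only for a trusted domain itself or a real subdomain of it.
    'hhs.gov.example.com' is NOT a subdomain of hhs.gov and fails here."""
    d = normalize(domain)
    return any(d == t or d.endswith("." + t) for t in TRUSTED_DOMAINS)


def is_lookalike(domain):
    """True when the domain is not trusted but contains a trusted name once
    dots and hyphens are ignored, e.g. hhs-gov.us or hhs.gov.example.com."""
    if is_trusted(domain):
        return False
    squashed = re.sub(r"[^a-z0-9]", "", normalize(domain))
    return any(re.sub(r"[^a-z0-9]", "", t) in squashed for t in TRUSTED_DOMAINS)


def sender_domains(raw_message):
    """Map each sender-related header to the list of domains it carries."""
    msg = message_from_string(raw_message)
    result = {}
    for header in SENDER_HEADERS:
        pairs = getaddresses(msg.get_all(header, []))
        result[header] = [normalize(addr.rsplit("@", 1)[1])
                          for _, addr in pairs if "@" in addr]
    return result


def check_message(raw_message):
    """Return a list of findings; an empty list means nothing suspicious."""
    domains = sender_domains(raw_message)
    findings = []
    for header, ds in domains.items():
        for d in ds:
            if is_lookalike(d):
                findings.append(f"{header}: {d} imitates a trusted domain")
    # Display domain is genuine but replies are steered elsewhere.
    if any(is_trusted(d) for d in domains["From"]) and \
            any(not is_trusted(d) for d in domains["Reply-To"]):
        findings.append("Reply-To domain is not trusted while From is: "
                        + ", ".join(domains["Reply-To"]))
    return findings


# Constructed sample messages (not real mail).
PHONY_MESSAGE = """From: "HHS Office for Civil Rights" <ocr.audit@hhs.gov>
Reply-To: audit-response@hhs-gov.us
Subject: HIPAA Audit Notification

Respond with your documentation within 10 days.
"""

PHONY_FROM_ONLY = """From: HHS Audit <audit@hhs-gov.us>
Subject: HIPAA Audit Notification

Respond with your documentation within 10 days.
"""

GENUINE_MESSAGE = """From: OCR <ocr@hhs.gov>
Subject: HIPAA Audit Notification

Respond with your documentation within 10 days.
"""

if __name__ == "__main__":
    for name, raw in (("phony", PHONY_MESSAGE), ("phony-from", PHONY_FROM_ONLY),
                      ("genuine", GENUINE_MESSAGE)):
        print(name, check_message(raw) or "no findings")
```

The suffix test in is_trusted is the important part: a plain substring match would accept hhs.gov.example.com, which is exactly the trick a phony sender relies on.  A check like this belongs at the mail gateway or in a quarantine rule; it complements, rather than replaces, the "pick up the phone and check" habit.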

The other issue is that it is clear that the bad guys will do whatever they need to in order to get money, and they see healthcare as a traditionally complex, hard to secure environment, with generally underfunded security by normal standards to boot.  It is not going to get any easier, and the increased exchanges of data and interactions with the cloud will only provide more opportunities for things to go wrong.  I do think that healthcare IT is now starting to get the respect it deserves, but if your EHR provider is brought to its knees by someone focusing a distributed attack on their servers, you may have a significant patient safety issue on your hands.  If your organization survives a cyber attack itself but can’t communicate with the outside world because the Internet is down in your area, what will you do?

Ransomware is only a symptom of the larger problem we all face today.  It is an ugly, ugly symptom, but the problem is much larger, and anyone who is not working as hard as they can to be prepared for an unknown assault is missing the boat.  By the way, if you do a good job with HIPAA Security Rule compliance, you can spot these issues and be prepared BEFORE they bring YOU down.  That’s what I hear from my clients anyway.

 — ACA Changes and HIPAA — 

HIPAA and the Affordable Care Act are not linked at the hip; the more recent major changes to HIPAA came with the HITECH Act (part of the 2009 Recovery Act) and predate ACA.  While a repeal or removal of ACA would not directly affect HIPAA, it would impact one area of change that was put in place under the HITECH Act’s HIPAA Omnibus Update rules in 2013.

The HITECH Act included a provision that if a patient wants, they can pay for their services out of pocket, and then ask that their health plan not be informed of the encounter, and providers MUST obey this request.  There is an exception for “where required by law”, such as with Medicaid patient encounters, but otherwise this is an undeniable right under the regulations.

This rule is in place for two reasons.  One, the more obscure, is for families where you have one spouse opening an EOB that may show something embarrassing about the other, and maybe that was supposed to be a secret.  The other reason is that, before the ACA, if your health plan found out you had a cancer diagnosis or some expensive to treat disease, they might cancel your policy or triple your rates (except in some states like Vermont that are ahead of the ACA).  The ACA prohibits that, so this right is almost never exercised today.

But if the ACA goes away, there may suddenly be great demand to exercise this right.  QUESTION:  Does your EHR have a check box that says, “Don’t tell the insurance company”?  I didn’t think so.  The time to ask your EHR provider about this is RIGHT NOW.  This may suddenly go from an unused right to one that is in great demand, and that you must comply with, right away.  The rule has been final since 2013 — are you ready for it?  You and your EHR vendor had better be…

 — HHS Guidance Wave — 

We’ve had the Privacy rule for going on 14 years and now the guidance is finally catching up, or at least the pace is increasing anyway.  The big news in guidance this year was clearly the amazing, detailed, clear guidance on Access of PHI put out by Deven McGraw’s group at the Office for Civil Rights and updated twice so far, and at the recent annual NIST/OCR HIPAA Security Conference she dropped a hint that there would be new guidance coming soon on the topic of sharing PHI with the family and friends involved with a patient’s care.  

Just as Patient Access has been an area of numerous compliance complaints, issues of sharing information with family and friends garner more than their share of complaints and need some clarification.  I know it’s an area I hear complaints about as I travel around.  The current most recent information is in the 2014 Guidance on sharing information related to mental health: http://www.hhs.gov/hipaa/for-professionals/special-topics/mental-health/  As soon as the new guidance is released, you’d be well advised to review your organization’s practices, just as you have with the Access guidance, right?  (Psssst — the Access guidance is at http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/ )

 — HIPAA Audits, 2016-style — 

As expected, sort of, the HIPAA Audit program was finally restarted this year with a new round, focusing on just a few areas: Notice of Privacy Practices, Provision and Denial of Individual Access to PHI, Breach Notification Processes, and Risk Analysis and Management.  167 Desk Audits of Covered Entities are under way, and just about a week ago HHS announced that, oh, by the way, they’ve sent out notices to the HIPAA Business Associates they’ll be targeting.  This should be interesting — we’ll find out just who understands what being a HIPAA BA means, or not.  If one of your BAs is selected, I hope they do well, because it reflects on you.

There are still expected to be on-site audits in this current round as well, currently unannounced.  The latest on the Audit program is at:  http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html  

 — And Speaking of Business Associates — 

So if you’re a HIPAA BA, and especially if you provide an EHR, listen up.  Be ready to accommodate the right for an individual to ask that the health plan not be informed if they pay out of pocket.  Your customers will need that, big time, if the ACA goes away.  Also be aware that BAs may not deny access to PHI they hold on behalf of a provider, no matter whether the bills have been paid or not.  According to the latest guidance from HHS on the topic, released in September, PHI must be returned in a usable way upon termination of an agreement.  Also, if the covered entity signs an agreement that prevents it from ensuring the availability of its PHI, it is not in compliance.  Check your contracts!  See:  http://www.hhs.gov/hipaa/for-professionals/faq/2074/may-a-business-associate-of-a-hipaa-covered-entity-block-or-terminate-access/index.html

As for Covered Entities, it is now time for them to be asking their higher risk Business Associates for assurances beyond those which are provided in the standard Business Associate Agreement.  If your BA manages your EHR for you, they have control of and access to a lot of your PHI, and are a higher risk vendor than one that handles limited information.  You need to have more than just “I promise” from these vendors.  It is time to start asking higher risk vendors for assurances such as evidence that they have and use security policies and perform a risk analysis.  A third-party attestation of good practices is great, and even an SSAE 16 SOC 2 Type 1 or 2 audit summary is reasonable to expect from something like a data center or major cloud service provider.

It’s time to start asking for those additional assurances.  Ask them, “What can you show me that will reassure me that you actually do have safeguards in place and a continuing security management program?”  See what they can provide you beyond their own statements created by the marketing department.  For guidance on cloud computing see http://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html  Frequently Asked Questions about Business Associates are available at  http://www.hhs.gov/hipaa/for-professionals/faq/business-associates 

 — Settlements, Settlements, and More Settlements — 

I guess it’s becoming the settlement-of-the-month club, with the current rate of HIPAA enforcement settlement announcements.  Dollar amounts are regularly in the millions, unless you get a break because you’re operating at a loss, like UMass Amherst did; just $650K in that case.  Just $650K?  The latest lessons to be learned are as follows.  If you’re a hybrid entity, make sure you properly find and identify ALL the portions that may be covered, not just the obvious ones, and then implement the appropriate safeguards.  Have a checklist for implementing new systems and servers, to be sure they are configured correctly.  Make sure your Business Associate agreements are properly in place and up to date.  Secure your backup tapes.  Do a thorough Risk Analysis, and then follow up by managing the risks, not ignoring them.  Include smart phones and mobile devices in your Risk Analysis, establish policies, and secure the devices.  Nothing new, really — these are all part of any decent security program, so you have no excuse if you make any of these mistakes.  See: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html

But the what-were-you-thinking award goes to NY Presbyterian Hospital for allowing TV crews into the ED to film without any authorizations from any of the patients.  The crew shouldn’t even have been there without authorizations, much less filming tragedies.  This makes me personally angry.  My Dad headed the Columbia-Presbyterian ED back in the late 60s and early 70s and helped it become the world-class institution it is today.  He instituted the first triage process there, and even won the support of his nurses who wouldn’t strike when the rest of them did.  To see an institution that he improved and shepherded into the end of the 20th century abused by an incompetent administration that would allow such atrocities just boils my blood.  The $2.2 million should have been $22 million and come right from the pockets of whomever allowed this, all the way up to the directors and trustees.  Academic medical centers are a compliance nightmare and this is a prime example — great healthcare and clueless, confused management.

But don’t think for a moment that it’s just the big issues they’re going after at HHS.  The word has gone out to the district offices that they’ll need to investigate the smaller breaches and complaints more rigorously.  If they see a pattern of recurring small breaches by you, you can expect a call.  You had better be ready to explain how you are doing everything you can to stop the recurring breaches, or they will ask you why you are not.  My personal experience in dealing with district offices is that they take their role in HIPAA very seriously.

 — Be On the Lookout For New Rules in 2017 — 

We may finally get a new rule on Accounting of Disclosures but that seems to be not so much in the minds of OCR leadership these days.  What will likely be finalized is the changes to 42 CFR Part 2 concerning substance abuse information, to reduce consent requirements and enable better integrated care for individuals who have multiple issues.  So keep your ears open for these changes that could have significant impacts, depending on what is in the final rules.

 — And Finally, Is It Cold in January? — 

Sounds like a good time to head for Phoenix, January 26 and 27, for my next 2-day HIPAA A to Z session — see http://www.globalcompliancepanel.com/control/globalseminars/~product_id=900752SEMINAR?HIPAA-privacy-security-compliance-Phoenix-AZ  

SFO can be nice in February, maybe a 1.5 day Privacy Rule session February 23 and 24 would be good — see: http://www.complianceonline.com/hipaa-privacy-rule-compliance-new-rules-and-responsibilities-of-privacy-officer-seminar-training-80142SEM-prdsm  

Washington, DC can be lovely at the end of March, nice enough on March 23 and 24 for a 2-day A to Z session — see: http://www.globalcompliancepanel.com/control/globalseminars/~product_id=900754SEMINAR?HIPAA-privacy-security-compliance-Washington-DC  

And I have other live Webinars scheduled well into 2017 already, so be sure to check my upcoming public seminars page, at: http://www.lewiscreeksystems.com/upcoming_public_seminars.html 


I’m sorry, I should just give up all the stale HIPAA jokes, especially when we all have so much work to do with so much uncertainty and so many new threats.  But I do wish you all a safe, satisfying, and healthful holiday season.  Let’s all do what we can to make everyone smile a little more.  We have a great opportunity to use the tension in the world today for positive benefit.  Things are unstuck, things are beginning to move; let’s all try to move things to the good to the best of our own abilities, each in our own way.  It is the least we can ask of ourselves, and all we can ask of ourselves.

And of course, if you have any questions for me in the meantime, I always learn as much from you as you do from me, so please let me know.



HIPAA Changes, HIPAA Guidance, and Q&A

Welcome to my first newsletter in more than ten months.  I dare say things have been busy in the world of healthcare information privacy and security regulatory compliance.  Everyone is a bit scared that they’re already in trouble and don’t even know it.  If the introduction of mobile technologies hasn’t created privacy and security issues enough, now the bad guys have finally woken up to the most poorly held secret in healthcare information privacy and security: if you want to steal someone’s identity to commit fraud, healthcare information is pure gold.  

And of course that information is often used to commit health insurance fraud, which can affect the integrity of the patient’s record and present serious safety issues.  On top of that, the complexity of health information handling and processing makes securing it nearly impossible.  It’s just not getting any easier anytime soon.  That’s why we love this work, right?

I’ll cover a few hot topics for you, and then get into some compliance questions and answers that I have received and provided over the last several months.  Some of the best questions come from people who listen to a Webinar or seminar and have a particular wrinkle for which the answer is not immediately obvious.  I can learn a lot from a new question, and many of you may have similar circumstances, so I’ll share a few in these newsletters.  Not surprisingly, a lot of them have to do with communications, and with mobile devices and all the creative ways people use them, and their risks.

 — HIPAA Changes — 

 ••• As part of the executive branch implementation of federal gun control measures, on January 6, 2016, a new final rule was published to modify HIPAA §164.512, adding a new section (k)(7) to allow use or disclosure of PHI for purposes of reporting to the National Instant Criminal Background Check System the identity of an individual who is prohibited from possessing a firearm.  The impact of this rule is limited to certain organizations, “only covered entities with lawful authority to make the adjudications or commitment decisions that make individuals subject to the Federal mental health prohibitor, or that serve as repositories of information for NICS reporting purposes.”  

In other words, this is for the most part focused on government entities such as county courts, for instance.  Disclosures may include only the limited demographic and certain other information needed for purposes of reporting to the NICS, and may not include diagnostic or clinical information.  The new rule is available at:  https://www.federalregister.gov/articles/2016/01/06/2015-33181/health-insurance-portability-and-accountability-act-hipaa-privacy-rule-and-the-national-instant   

 ••• Speaking of changes, HHS has updated its Web site and it is much easier to use, much easier to find things on, more mobile-friendly, a huge improvement.  But.  In the process they’ve broken a lot of the links that led to many, many guidance documents and resources.  I have looked through my links on the Resources pages of www.lewiscreeksystems.com and fixed dozens, and I keep checking them in my presentation and handouts, so I think I have them pretty well nailed down on my end, but if you find any faulty ones, please let me know.  If you have older materials with now-broken links, you can find the new ones on my resources pages at http://www.lewiscreeksystems.com/resources.html or you can try fixing it by inserting "/sites/default/files" right after "hhs.gov", which works most of the time.

 — HIPAA Guidance — 

 ••• If you’re looking for guidance (and couldn't we ALL stand a little guidance these days?), one link that sure does work, and ain’t it grand, is for the new guidance from the HHS Office for Civil Rights on individuals’ rights to access their health information. The guidance includes general information and specifics about the details of proper implementation, and also includes an extensive Q&A section providing additional information.  If this guidance is an indication of the quality of information we should expect from HHS on the Web, it’s a good sign.  

The guidance is clear, well written, and well organized, and directly addresses one of the issues that has been consistently identified as a weakness in HIPAA compliance: patient access of records.  The regulation is presented in detail and the Q&A section addresses many of the questions I have gotten from all of you.  Providing access properly, and handling denials of access properly, have been identified by HHS enforcement leadership as an area where it is time for there to be better compliance, so we can expect to see this as a target issue in the upcoming round of HIPAA audits, expected “real soon now."

If you have questions on providing access under HIPAA, look here first.  http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html  If you don’t have questions, look it over anyway, and you may learn an important detail relevant to you.  Are you prepared to handle denials of access properly?  Make that your HIPAA compliance task of the week, and document it to show your consideration of compliance.  See?  Wasn’t that easy?

 ••• A little trickier is the work needed if you want to actually de-identify data for one purpose or another.  The question is often, “what if I de-identify the data?”  Well, what does that mean?  Sure you can remove all 18 identifiers listed in the regulation, but context still remains, and context can reveal a lot about the identity associated with a piece of data.  While the ultimate answer is far from always clear, NIST has announced a report on De-Identification of Personal Information, NIST Internal Report 8053.  

The report summarizes two decades of de-identification research, discusses current practices, and presents opportunities for future research, including discussion of HIPAA methods for de-identification, and the effectiveness of the HIPAA Safe Harbor method.  The report is available at http://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.8053.pdf  If you are dealing with any issues of de-identifying PHI, READ THIS REPORT!  Also, see HHS’s guidance from 2012 on De-identification of PHI, available at:  http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/De-identification/hhs_deid_guidance.pdf  (And yes, I fixed that link.)

 ••• If you’re thinking about how your mobile device connects to your cloud-based EHR (and let’s face it, isn’t just EVERYbody these days?), it’s best to take a look at the first industry specific special publication in draft from NIST in SP 1800-1, focusing on the use of mobile devices in health care.  The idea is, use multiple layers of security in controlling access (a.k.a. strong authentication), and ask your EHR vendor some hard questions — a good questionnaire is included in part “e” of the guidance.  With the alarming increase in the number of breaches by hacking, caution is indicated.   https://nccoe.nist.gov/projects/use_cases/health_it/ehr_on_mobile_devices

 — Q&A — 

Here is a question I get frequently in one variation or another, and my reply, regarding texting with patients.

Question: Are offices allowing their clinical and/or front desk staff to text with patients? We want to allow our providers to text for scheduling and location purposes. All of our patients are homeless or recently rehoused and sometimes they go off the radar. They tell our providers, nurses, case managers over and over again "Just text me - I ran out of minutes." So they are asking for this form of communication.  We're a small practice and want to make sure we aren't doing anything "crazy" if we start allowing texting.

Answer: The short answer is yes you can use texting, but you need to be prepared to handle it properly as a communication medium.  That is, you need to be sure you document any text exchanges that could be considered part of the record, just as you would any communication.  And you need to be ready to deal with people wanting to text 24/7, and the proper handling of those.

The idea is, the Security Rule requires you to consider encryption of all transmissions, but doesn’t outright require encryption.  When you do the risk analysis, you see that you really should encrypt all communications like e-mail and texting that contain any PHI, because the information is not secured and could be exposed, and that would be a breach.  For business communications involving PHI, yes, encryption is basically necessary.

But when it comes to communication with patients/clients, they have certain rights under the Privacy Rule to communicate in the way they see fit so long as you can reasonably do that.  The guidance says, if they want to use insecure e-mail (and by extension, texting), let them know that it is not a secure communication and it could be exposed, and if they want to go ahead, you can.  It’s a good idea to document their consent to use an insecure method, either through having a good process, or getting a signature, or both.

And that gets us back to the issue I mentioned at the top, that you need to be prepared to handle it properly.  Always have a secure, documented method of communication you can start from, and then allow insecure ones as necessary to provide services, with consent.  If it’s more than you feel you can handle, you don’t need to do it.  But if you want to, you can; just explain the risks and get a consent to do so, and document your exchanges.


Here is a question on texting of reminders of appointments, which is a growing practice.

Question: We [a dental office] periodically text appointment reminders to our patients using a web based text system. We do NOT include their names in the text, just the day and time of their appointment. Is this OK? If we were to move to texting phi in the future, how do we do this securely?

Answer: This is one of those gray areas.  The phone number can be an identifier, so it depends on the detail in the reminder.  If you don’t explicitly identify the organization, but use its initials, you’d be better off than if you used the entity name, which could provide some information about the kind of services being provided.  Of course, a dental appointment is not the same as an appointment for cancer treatment or reproductive health, so the actual risk of a real issue is small [for a dental office].

Nonetheless, I would also secure consent from the individuals to send reminders by text message, advising them of the insecurity of text messages.  Even if you have consent, keep the content to a minimum and as de-identified as you can.  [The most secure reminders do not identify the office or the nature of the appointment, they come from a reminder company and only say for what time the appointment is scheduled.]  The consent doesn’t need to be terribly complicated, but should be documented somehow. 

Also, take a moment to document your accepted practices for this, so you can help prevent the use of texting for other purposes that you haven’t protected.


And finally, a question on Business Associates and Risk Analysis.

Question: My concern is getting business associates to comply with doing a risk analysis.  How have you seen other CEs do this? Also, if there is a breach by a business associate, would HHS hold the CE or the business associate accountable? Or both?

Answer: CEs are beginning by making sure they have the right kind of BAA in place first, and that calls for the BA to be in compliance with the HIPAA rules, including the Security Rule, which requires a risk analysis.  You need to feel sure that the BA is in compliance, which ties into your second question.  If you feel you have assurances that the BA is in compliance (which begins with the BAA, but doesn’t necessarily end there), chances are that any breach will be their responsibility.  But if you don’t have sufficient assurances that they’re meeting the requirements in their BAA, you could also be held liable for breaches — the new rule doesn’t let you off the hook entirely.

This is a very difficult situation, as there are many BA relationships in which the BA does not realize what they’re signing when they sign a BAA with the CE.

While the entirety of the security rule applies, the place to begin is for them to do a risk analysis and make sure they have breach notification policies and procedures.  I suggest you let them know that they need to follow the rules according to the regulations and the BAA, and that they have a period of time (60-90 days) within which to provide you some kind of documentation that they have actually done something to be in compliance with the rules.  You’d like to see a summary of their risk analysis report or the table of contents to their HIPAA policies, things like that.

This will take time, but it is being tackled, slowly, by the industry.  [You can also ask to see a third-party evaluation such as an SSAE 16 SOC Type 1 or 2 Report, or submit a questionnaire similar to that presented by NIST in their draft guidance in SP 1800-1 part e, available at: https://nccoe.nist.gov/projects/use_cases/health_it/ehr_on_mobile_devices ]

I wish it were easier, but with high-profile breaches in health care on the increase these days, these are good things to do.


I have a lot more questions I can answer, but this is a start, and I hope to get to the next newsletter in something less than ten months so I’ll save some.  I also hope to get the next one out using a modern newsletter management platform, so expect to see a different look and feel, but the same attitude inside.

This is a time of change in HIPAA and a change in the privacy and security landscape the likes of which we’re not likely to fully comprehend for some time.  It’s a good time to keep your eyes open and look for ways to protect privacy and security before you discover you haven’t.

I don’t want to turn this into a promotional newsletter, but my mission is to make HIPAA easier for the world, so I have to mention that I have several Webinars and seminars scheduled around the country coming up — check in at http://www.lewiscreeksystems.com/upcoming_public_seminars.html  And I’m working on a book on the "10 Day HIPAA Compliance Plan," for which I have been asked by many, and which I hope to have completed in the next few months.  Would it be of interest to you?  Something to answer the question, “Yeah Jim, but where do I start and what do I actually do?”  Would you prefer a hard copy or electronic or both?

And of course, if you have any questions for me in the meantime, I always learn as much from you as you do from me, so please let me know.



Signs of Spring in HIPAA?

 — HHS Updates “Wall of Shame” Web page — Now on the new HHS OCR Portal — 

The calendar says it’s spring, but today has a forecast of below zero wind chill and the lawn furniture is solidly frozen into the ground.  Don’t even think of trying to get that last row of firewood off of the ground — it’s not going anywhere until when, May?  I think we’ve all stopped hoping for warm weather, yet we dream…

Well, time to snap out of it, because there are indeed signs of Spring over at the HHS Office for Civil Rights, in the form of the new HIPAA Breach Notification “Wall of Shame” Web page for larger breaches, now located at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf .  The new page is designed well, using modern, secure technology, and offers a huge variety of search and analysis options, built-in.  You can click on any entry and get more details, sort, and export the data to Excel, PDF, CSV, and XML formats.  Click on the “Show Advanced Options” link and you’ll have access to powerful searching and sorting capabilities, so you can see for yourself what kind of issues are prevalent at what kind of entity, over what time period, for instance.

But that’s not the only story here.  In addition to the vastly improved Wall of Shame, you’ll note that the page is located in the new ocrportal.hhs.gov domain, which will host the communications and data submissions for the revived HIPAA Audit Program.  As you may know, HHS OCR is eager to get under way with the new HIPAA Audit Program for 2014 — oops! — now 2015, and they’ve been waiting to get the new portal set up to handle the process for the hundreds of desk audits that will take place.  So, while I long ago gave up on trying to crystal ball any predictions of when certain activities or regulations would be forthcoming from HHS, this new site does indicate that HHS OCR is moving forward and that the mystical, mythical new portal has appeared.  How long before they get started on Audits?  Who knows, not me, but there are signs of life.  Signs of Spring.

 — NIST Relocates link to SP 800-61 rev 2, Computer Security Incident Handling Guide — 

While we’re on the topic of new links, here’s a new one for the eminently useful NIST Special Publication 800-61 revision 2.  http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf  If you have some kind of a security incident and HHS wants to ask any questions, they’ll want to see your incident report.  You know, the one you’ll create to describe the incident handling process you used to determine the facts and the right course of action to take.  You do have such a process, don’t you?  Well, I know many of you don’t have much of a process, but this publication from NIST is accessible, useful, and well-founded.  While you’re updating your bookmark for this, take a look through and see what you can do to beef up your incident handling.

 — Speaking of Beefing Up Security — 

So, is it clear now that health information has become a very real target?  And please, don’t let the hackers roam around in your networks for most of a year before you discover it.  You really do need to apply the resources to actively monitor your network health; the only way you’ll see the bad guys these days is if you notice any anomalies in your traffic and system use, and that requires a consistent effort involving the establishment and fine tuning of monitoring tools and processes.  

 — And Backups?  Do you know how you’d recover from the loss of your data center? — 

So, did you hear about that hospital in California that lost its EHR for a week after an air conditioner died at the data center?  One cooling unit went down, then the other overheated trying to keep up, and it died too.  And so did the hospital’s EHR system.  And oh sure, everyone went back to using the paper processes and life went on as normal.  No?  

Here’s the problem, and I’ve seen it, and it makes me worry.  In the olden days, a hospital’s EHR was a relatively simple thing (compared to today) and it took resources to operate it that would seem almost trivial today, such that it was reasonable for a hospital to keep nearby the systems, backups, and capacity to quickly recover from any outages.  But, as the newer systems go in, what once would run on a few boxes now requires a dozen or two, and the amount of data being managed has exploded, such that many hospitals don’t have the robustness needed for recovery from the loss of a data center’s worth of equipment.

I think this recent example may send a wake up call to the facilities in similar situations — either you get what you need in place to reasonably recover without making national news, or you look at having it hosted in the cloud, not that that’s exempt from availability issues either.  No matter what, and with inadequate Contingency Planning identified as a leading issue in the 2012 HIPAA Audits, we are more wedded to our EHRs than ever before, and need to put some serious thinking into making sure that disaster recovery really will work.

 — Cell Phones and Texting — 

Face it.  You can’t deny it any longer.  Texting is happening and you can’t stop it.  You’d better say in your policies how texting may or may not be used, and how.  If you need it for casual intra-office communications, get one of the free secure texting apps, like Cortext from Imprivata, or TigerText, or DocHalo.  If you need it to communicate with your patients, use one of the new texting tools that provide integration with your EHR, team-based communication management, and security, like the system from OhMD.com (no financial interest in them, but they’re a client of mine and I provided them guidance on HIPAA, and they’re local).

But most of all, don’t try to deny the devices are being used — manage them!  And don’t forget the end-of-term issues.  What happens when someone turns in their old phone full of PHI, for a new one?  Even if you have it managed well, once it’s been turned in you can’t remotely wipe it and there it may be, loaded with PHI, out of your hands.  People need to know about this before they decide a nice shiny new Android or iPhone 6 is essential to their happiness.  Manage, inform, train, and audit.  Back to the basics.

 — And before I forget… (Department of Shameless Self-Promotion) — 

Be sure to check out my list of upcoming Webinars and seminars.  I know many of you are your organizations' key HIPAA compliance specialists, and if you are, I know folks really enjoy my two-day HIPAA A to Z sessions, and I really love teaching them.  My next 2-day session is in Baltimore, Maryland, April 16 and 17, and I’d love to see any of my clients or former students there.  Yes, HIPAA can be fun!  See the whole list of sessions at http://www.lewiscreeksystems.com/upcoming_public_seminars.html and sign up for my 2-day session at https://www.globalcompliancepanel.com/control/globalseminars/~product_id=900187SEMINAR  You will learn a TON about HIPAA.

So, stay warm and keep your snow shovel nearby!  Maybe my next newsletter will be when it’s actually warm outside…


Encrypting Medical Records and a Great New NIST Security Guide

 — Encrypting Medical Records Sent On Electronic Media — 

One of the most frequent questions I hear these days involves sending out medical records that used to go out in the mail on hard copy, but now go on electronic media, such as flash drives or CDs.  In the old days you’d just put the records in the envelope and hope for the best.  If you can do that, why would you need to encrypt electronic media?  It wouldn’t be any less secure than the paper.  But the Security Rule most certainly includes provisions about encryption of electronic PHI, so what should you do?

There is not a strict requirement to encrypt anything, but there are requirements to consider encryption of any PHI at rest and in motion.  One of the most common ways for PHI breaches to occur involves records that are sent and are misdirected or the packaging becomes compromised.  There isn't much you can do with hard copy records other than check addresses and use strong packaging, but a risk assessment of electronic PHI would probably indicate that encrypting records sent on a CD or other electronic medium is a very good idea, because it eliminates the most common cause of breaches, which can be expensive to respond to and lead to enforcement investigations.

In fact, organizations that haven’t adequately considered encryption of data at rest on portable media wind up with some of the biggest HIPAA fines that have been handed out, and risk analysis for encryption of data at rest on portable media is a target area for meaningful use attestation in stage 2.  It’s also expected to be a topic in the 2015 random HIPAA audits.

So, while there is no strict requirement to encrypt, any reasonable risk analysis would indicate that you’d be nuts not to encrypt for professional communications.  It is extremely doable today with minimal effort and cost, and there are severe consequences if you don’t and something goes wrong.

When it comes to sending records to the patients, though, they do have a right to ask that you send the media unencrypted so they don’t have to deal with passwords.  You should have a plan to accommodate unencrypted records the same way you would a request to communicate via plain e-mail — explain the risks (which also depend on the amount of information and level of detail), ask if they want to do it anyway, and document their assent if that’s what they want.  

But it’s certainly a good idea to have the default behavior be to send records encrypted.  As part of a dialogue about a records release, you may wish to inform your patients that the records will be sent encrypted with the password sent separately, and if they object, let them know they can get them unencrypted, with the explanation of risks and their approval.  

For professional communications, such as between provider offices, encryption is the standard of care for electronic PHI, without question.

 — New NIST Draft SP 800-171 Provides Excellent Summary of Security — 

On November 20, 2015, the National Institute of Standards and Technology released the first public draft of SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, which provides an excellent summary of security actions to take to protect information systems, and provides a great checklist of security considerations.  I recommend every HIPAA Security Officer review this remarkably compact and useful draft document.  It can help every organization working to secure its information systems, without overwhelming anyone.  It is clear, easy to use, and fully digestible.  To view the full announcement and link to the draft document, visit the CSRC Drafts page at: http://csrc.nist.gov/publications/PubsDrafts.html#800-171

The draft is open for comments until January 16, 2015, and I encourage anyone who does have comments to be sure to pass them on, because information received during the comment period can have a tremendous impact on the usefulness of new documents.  If you would like to submit comments on the draft, you can e-mail your comments by January 16 to: sec-cert@nist.gov

In my estimation, any Health IT shop that fully addresses NIST SP 800-171 and the SANS Top 20 Critical Security Controls ( https://www.sans.org/critical-security-controls/ ) would be one of the more secure Health IT operations in the country.  It’s good to have decent tools to help you prioritize and provide the best protection you can with the resources you have available.

 — Heads Down, Back To The Holidays! — 

Egad!  December?  2015 around the corner?  I’ve already started scheduling seminars and Webinars into next June, no less!  (See: http://www.lewiscreeksystems.com/upcoming_public_seminars.html )  I suppose we all have way too much work to do already so I’ll keep this short, and wish you a happy holiday season!  


Looks Like HIPAA Compliance Isn’t Getting Any Easier Soon

 – No Magic Bullet for Compliance? – 

Goodness – I haven’t written one of these since last February, and I guess that’s partly because I’ve been busy, but also partly because the world keeps changing and the issues along with it.  In the meantime, HIPAA compliance doesn’t go away, and the threats keep on coming.  I haven’t seen a magic HIPAA compliance bullet yet, but there are some things you can do to help reduce your compliance exposure, even if they may not be something you can accomplish right away.

Using a highly integrated, cloud-based infrastructure for your medical records system is one thing I’ve seen that helps eliminate points of risk, so long as it is implemented correctly and includes sufficient protections for continued operations when connectivity goes out.  Having all the access, management, and communication of your PHI take place within a system that keeps persistent data off of remote devices and simplifies operation (which prevents issues) avoids many of the security weaknesses that plague modern health IT.  Not only that, but by essentially outsourcing a good portion of your backup and restoration operations, you are releasing time that can be used for other essential activities, such as new projects and government mandates, and good old security monitoring.

Of course, you want to be sure any contracts provide for access to patient records no matter what contract disputes arise (which would be necessary to meet Privacy Rule requirements for Business Associate contracts), do your due diligence with the vendor, and speak with your peers using the same system to find out about the gotchas before they getcha.

 – Speaking of Monitoring… – 

Probably one of the most painful and widespread issues I see as I visit health care organizations from Maine to California, from Florida to Alaska, is that organizations have not done what’s necessary to audit and review the access and use of PHI in their systems.  

The Privacy Rule still has its basic Minimum Necessary foundation in place, and entities have an obligation to make sure only the right access is taking place.  The Security Rule calls for both the technical ability to track accesses of electronic information, and the administrative process to regularly review access lists and logs to determine if policies are being followed.

One of the top security-related issues identified in the post mortem of the 2012 HIPAA Audit Program is that these internal audits and reviews have not been taking place.  Why?  Because they are a pain to do, and require not just an IT review, but some kind of evaluation of the access that has taken place to see if it is appropriate or not, and it may not be easy to determine without the involvement of overworked managers for whom HIPAA compliance is a burr in the saddle.

And it’s not going to be getting any easier soon.  One of the recommendations from the team that examined how to implement the HITECH Act changes required for Accounting of Disclosures is to modify the Security Rule and enhance requirements for the ability to record details of who accessed what information and when, so that more accurate Accountings can be provided and auditing ability is enhanced.  Here is a link to a great set of slides from the team about Accounting of Disclosures and the latest proposals (provided in my last newsletter as well): http://www.healthit.gov/FACAS/sites/faca/files/HITPC_PSTT_Accounting%20of%20Disclosures_FINAL_12042013.pdf

So how do you look at access of records?  In a small organization it may be reasonable to look at a week’s worth of access logs for all users and see if there is any unreasonable access.  If you don’t find any problems, look again in a few months, and if you’re lucky, you can just keep checking on a quarterly or semi-annual basis.  If you do find problems, you need to deal with the issues and keep a tight focus on the issues until you’re sure they’re resolved.

For a larger organization, take some samples of staff and some samples of patients over a period of time, to see if all the accesses look right.  If you take a good sample you won’t annoy everyone on staff at once, and if you don’t see any issues, you’re in pretty good shape, just keep checking periodically.  But if you do find issues, you need to look deeper and wider until you feel you have a handle on it.
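As an added illustration that is not part of the newsletter, here is a small Python review script over a constructed EHR access log. It implements both approaches above: review every access for the small organization, and review a random sample of staff plus a random sample of patients for the larger one. The care-team table, the role rules and the log format are assumptions made for the example, not anything from a real EHR product.

```python
"""Flag EHR chart accesses that lack a documented treatment relationship.

Implements the two review styles described in the text:
  review_all    - small organization: look at every access in the period
  review_sample - larger organization: sample some staff and some patients
All data below is constructed for illustration only.
"""
import csv
import io
import random
from collections import defaultdict

# Constructed sample of an EHR audit log: who viewed which chart and when.
SAMPLE_LOG = """\
timestamp,user_id,role,patient_id,action
2015-03-02T08:14:00,u101,nurse,p5001,view_chart
2015-03-02T08:20:00,u101,nurse,p5002,view_chart
2015-03-02T09:02:00,u202,physician,p5001,view_chart
2015-03-02T09:30:00,u303,billing,p5001,view_demographics
2015-03-02T10:45:00,u101,nurse,p5009,view_chart
2015-03-02T11:10:00,u404,front_desk,p5003,view_chart
2015-03-02T12:00:00,u202,physician,p5002,view_chart
2015-03-03T07:55:00,u303,billing,p5009,view_chart
"""

# Constructed care-team assignments (assumption): which staff have a treatment
# relationship with which patients. In practice this comes from scheduling or
# encounter data, not a hand-written table.
CARE_TEAM = {
    "p5001": {"u101", "u202"},
    "p5002": {"u101", "u202"},
    "p5003": {"u404"},   # front desk handles this patient's scheduling
    "p5009": set(),      # no active relationship with anyone in the sample
}

# Minimum Necessary rule of thumb (assumption): actions a role may perform on
# any patient without being on that patient's care team.
ROLE_ALLOWED_WITHOUT_RELATIONSHIP = {
    "billing": {"view_demographics"},
    "front_desk": {"view_demographics"},
}


def parse_log(text):
    """Parse the CSV audit log into a list of dicts, one per access."""
    return list(csv.DictReader(io.StringIO(text)))


def is_appropriate(entry):
    """An access is appropriate if the user is on the patient's care team, or
    the user's role may perform that action without a treatment relationship."""
    team = CARE_TEAM.get(entry["patient_id"], set())
    if entry["user_id"] in team:
        return True
    allowed = ROLE_ALLOWED_WITHOUT_RELATIONSHIP.get(entry["role"], set())
    return entry["action"] in allowed


def review_all(entries):
    """Small-organization approach: every access in the period is reviewed."""
    return [e for e in entries if not is_appropriate(e)]


def review_sample(entries, staff_fraction, patient_fraction, seed=0):
    """Larger-organization approach: review all accesses made by a random
    sample of staff plus all accesses to a random sample of patients.
    Returns (accesses in scope, flagged accesses) so the reviewer can show
    what was examined, not just what was found."""
    rng = random.Random(seed)
    staff = sorted({e["user_id"] for e in entries})
    patients = sorted({e["patient_id"] for e in entries})
    sampled_staff = set(rng.sample(staff, max(1, round(len(staff) * staff_fraction))))
    sampled_patients = set(rng.sample(patients, max(1, round(len(patients) * patient_fraction))))
    in_scope = [e for e in entries
                if e["user_id"] in sampled_staff or e["patient_id"] in sampled_patients]
    return in_scope, [e for e in in_scope if not is_appropriate(e)]


def summarize_by_user(findings):
    """Count flagged accesses per user, to see who needs a manager's follow-up."""
    counts = defaultdict(int)
    for e in findings:
        counts[e["user_id"]] += 1
    return dict(counts)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for f in review_all(entries):
        print(f"FLAG {f['timestamp']} {f['user_id']} ({f['role']}) "
              f"{f['action']} on {f['patient_id']}")
    print("per-user summary:", summarize_by_user(review_all(entries)))
```

Flagged entries still need a human judgment (the manager evaluation the text mentions); the script only narrows the list to accesses with no recorded justification.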

And this is important why?  Because this is a well-identified issue from prior audits and it will likely be a target question once they get those HIPAA Audits rolling again.  Of course, this also is tied to doing regular security audits to ensure your systems haven’t been hacked, and what it all really points to is a need to establish your Information Security Management Calendar that schedules your regular reviews and audits so that you can show what you have done and what you are planning to do, if you are asked any questions about it.

 – And what about those HIPAA Audits? – 

So, will they ever reappear?  They’ve been discussed and hyped and planned for, and now, guess what?  We’re waiting for HHS to finish the Web portal that will be used for exchanging information in the new audit process.  Yes, the very same HHS that has such a good reputation for quality, timeliness, and security in its Web sites (OK, I really can’t kid about this) hasn’t been able to finish the portal, so the whole HIPAA Audit process is on hold.

The good news is that you have more time to deal with other top issues before they start up again, Real Soon Now (that’s a term from the software development world).  You might take a look at another access-related issue, access of patient information by individuals, family, and representatives, and the handling of denials of access, which is identified as a top Privacy compliance issue in the 2012 Audits.

 – Patient Access, that’s simple, right? – 

Apparently not so much.  This is an area that trips up many providers and is one of the areas of most frequently asked questions that I get.  You probably have some policies about providing access and how you handle denying access that were put in place in 2003 and haven’t been looked at since then.  Go dig them out and see what they say.  They at least need to be updated for the Omnibus updates of 2013.

A few pointers:  If someone wants a copy of their records including the records received from another provider that you used to make decisions about the individual, you need to provide all of that.  Individuals have a right to know what you were looking at when you made decisions about their care, with a few exceptions, such as for psychotherapy notes, disclosures that could cause harm to the individual or others, or disclosures that would reveal the source of information given in confidence (not from another provider).

Note that individuals now have the right to access their laboratory test results directly from the laboratories, as well as new rights to get electronic copies of information held electronically.  Also, there is no longer an automatic extra 30-day allowance for provision of records held offsite.  In addition, changes to the Privacy Rule allow personal representatives and family members the same access to a deceased patient’s PHI they had prior to death, to help preserve continuity of communication and care for the family.

But more importantly, make sure you have the proper processes in place for making acceptance or denial decisions for requests for access, and for having the proper denial appeal process in place for the denials that may be appealed.  I won’t go into all the details here, because there are many, but suffice it to say that improper handling of access requests and denials has been identified as a 2012 Audit issue, so you would be well advised to make sure you have the proper policies in place and people know what they are.  We are dealing with one of the foremost rights of individuals under HIPAA and one that people complain about when they feel their rights have not been satisfied.  Mishandle requests for access at your peril.

And I haven’t even discussed patient access and communication using e-mail and texting, which could take a few paragraphs more than you can stand to read right now.

Here are some links to recent (since my last newsletter) guidance on access issues:
 • Guidance on mental health information and the circumstances in which the Privacy Rule permits health care providers to communicate with patients' family members and others to enhance treatment and assure safety:  http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/mhguidance.html
 • Guidance clarifying that same-sex spouses have the same HIPAA rights as other family members, no matter where services are provided:  http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/samesexmarriage/index.html

 – But don’t worry, I’m never far away – 

There is so much to consider under HIPAA these days, and the issues will only be growing.  I cover a lot of what you need to know in my Webinars and seminars.  Come see me next week (October 30 and 31) in Raleigh, NC for one of my highly acclaimed two-day soup-to-nuts in-person sessions, or any of my upcoming sessions.  Here’s the latest in my schedule: http://www.lewiscreeksystems.com/upcoming_public_seminars.html  or  http://tinyurl.com/a5gplbr  


Too much HIPAA news to be silent any longer

 — Talk About Busy — 

Well, as anyone in HIPAA compliance will tell you, it has been a very busy period since my last missive, way back in May, no less.  The Omnibus compliance deadline of September 23 has come and gone, and the sun still comes up in the morning, well usually, anyway, unless it’s obscured by the latest winter storm.  But the good thing is that the sense of panic is giving out, being replaced by an increase of interest in just plain getting down to work and slaying the HIPAA dragon.  And the good thing for me about this latest winter storm is that it has disrupted my travel plans and allowed me to actually take a few moments to compose an Occasional Client Update Newsletter.  And there is most certainly plenty to talk about!  I won’t cover everything that’s happened since last May — you can see all that on my News page, at http://www.lewiscreeksystems.com/privacy_security_and_compli.html — but here are some important highlights.

 — Accounting of Disclosures Rears Its Ugly Head — 

Well, I think I was a little critical in my prior discussions of the proposed new Accounting of Disclosures rule, and I guess I wasn’t the only one.  The proposed rule has been stopped in its tracks, and in the meantime, HHS gathered a US Department of Health and Human Services Office of the National Coordinator for Health IT Health IT Policy Committee Privacy and Security Tiger Team (the USDHHS-ONCHIT-HITPC-PSTT?) that released a report with its recommendations on the topic, available as a PDF of slides, at  http://www.healthit.gov/FACAS/sites/faca/files/HITPC_PSTT_Accounting%20of%20Disclosures_FINAL_12042013.pdf  or  http://tinyurl.com/lhym4qh   

The recommendations call for a staged implementation relying on available technologies, with pilot projects, an accounting of disclosures outside the organization from certified EHRs as the first step, a new right to request an investigation of internal access, and recommendations to expand the Security Rule to call for more detailed ability to log access for auditing.  Simplifying the question of how to distinguish between uses or disclosures at hospitals by community physicians (in the hospital or from their office), the proposal calls for all such accesses to be treated as disclosures.  Compared with the proposed rule, the recommendations are more reasonable, more implementable, and more likely to satisfy the desires of patients. 

My guess, and we all know how incredibly accurate my guesses are (not!), is that these recommendations will come out as an Interim Final Rule this year at some point, so be ready to hear about it, but don’t panic, as it shouldn’t be too bad.  (Famous last words…)

 — New Changes for Lab Access — 

OK, so who here thinks it’s a good idea for patients to get their lab results without any consultation or interpretation from their doctor?  Not many hands going up…  But who here thinks a patient should have a right to have direct access to the information so they can develop their own personal health record?  More hands up, I’d suspect.

So, that’s the deal in the new final rule, being published February 6, in effect April 7 and enforceable October 4, 2014, that allows access to authenticated lab results by authenticated individuals or their authorized representatives under HIPAA.  (That’s a lot of “auth…” words in one sentence.)  Patients will still be able to get their results, with interpretation and counseling, from their care provider, and providers will still have access to the information for treatment.  The change simply allows the individual to ask the lab directly for a copy.

Of course, “simple” is in the eye of the beholder — for the laboratories that must now establish a public-facing operation where there was none before, this is not simple at all, and will require the development of new policies and procedures.  And updated Notices of Privacy Practices.  As usual, it’s worth taking the time to read through the Preamble for all the insights into HHS thinking.

See the new rule here:  https://www.federalregister.gov/articles/2014/02/06/2014-02280/patients-access-to-test-reports-clia-program-and-hipaa-privacy-rule   or  http://tinyurl.com/or63d9q  

 — Proposed Changes for Reporting to Background Check Database — 

Along with recommended new rules and new final rules, of course we have a proposed rule, this one to allow freer flow of information from healthcare providers into the National Instant Criminal Background Check System (sounds Orwellian, eh?), permitting certain HIPAA-covered entities to disclose to the NICS the identities of people prohibited by federal law from possessing or receiving a firearm for mental health reasons.  HIPAA has ALWAYS had a provision for the disclosure of PHI in the event of a threat to health or safety, but this would clarify what information and how it should be disclosed.  

This one is not a final rule, so there is no action to take now, but you should be aware that it may require some modifications to your HIPAA policies once it is finalized.  When?  Oh dear, I don’t want to guess…  Maybe this year?  We’ll see.  Here’s the proposed rule, so you can see what’s being considered:  http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/NICS/index.html  or  http://tinyurl.com/m6xpnwx  

 — New Settlement for Stolen Data Stick and Lack of Breach Policies — 

Have I mentioned before that it is important to encrypt portable devices such as memory sticks?  APDerm, a provider with six offices in New Hampshire and Massachusetts, found out the hard way by losing one of theirs and not having it encrypted.  Breach time!  And when you do have a breach, what do you do?  You follow your incident management policies and procedures to see if it’s reportable, and follow through on your established process.  What’s that you say?  You don’t have policies and procedures sufficient to meet the HIPAA Breach Notification Rule requirements?  You might be next in line for a $150,000 settlement and a Corrective Action Plan.  APDerm apparently didn’t have written down what they should have.

Time now to dust off your Breach Notification policies and procedures and make sure you can do what’s necessary when the time comes.  And if you don’t like what you find, check out the NIST Special Publication on Computer Security Incident Management, SP 800-61, Revision 2, at: http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf  or  http://tinyurl.com/8ouxxsn .  In addition, see the September 2012 NIST ITL Bulletin for additional insights and guidance, at:  http://csrc.nist.gov/publications/nistbul/itlbul2012_09.pdf  or  http://tinyurl.com/kx5empm 

Oh, and did I mention that the HHS Office of Inspector General wants OCR to get off their butts and get busy with some real audits and enforcement?  I just love the title of the report — it says it all:  "The Office for Civil Rights Did Not Meet All Federal Requirements in Its Oversight and Enforcement of the Health Insurance Portability and Accountability Act Security Rule”  Yes, but what did they really think?  See:  http://oig.hhs.gov/oas/reports/region4/41105025.pdf  or  http://tinyurl.com/pj55cnr .  Time to get ready for a HIPAA audit, I’d say.

 — Speaking of Enforcement, Say Hello to the FTC — 

And if that wasn’t enough, now the Federal Trade Commission says that just being a HIPAA Covered Entity doesn’t get you out of your obligations under Section 5 of the FTC Act, the unfair-and-deceptive-practices authority that FTC so artfully uses to go after those who allow breaches of personal information.  If you say you will protect someone’s personal information and then you don’t, that’s a deceptive practice, and the FTC will make your future a gray one if they decide to go after you, which they can, whether HHS is interested or not.  I’d guess that as a matter of practice FTC won’t step in if they feel HHS OCR is doing their job, but, well, see the OIG report on OCR in the paragraph above.  Here’s a link to a Bloomberg News story on the order:  http://www.bna.com/ftc-affirms-data-n17179881620/  

 — It’s February 4 - do you know where your small breach reports are? — 

And finally, don’t forget that we’re in that magical window before March 1: you have 60 days after the end of each calendar year to report to HHS all the small breaches (those affecting fewer than 500 individuals) discovered during that year, using their Web site, at:  http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/  or  http://tinyurl.com/3z3bj4y .  Of course, you do have a breach reporting policy and procedure, don’t you?  (Is there an echo in here?)

So, Happy HIPAA to all, and let me know if you have any questions.  Also, see the latest in my schedule of upcoming seminars and Webinars.  http://www.lewiscreeksystems.com/upcoming_public_seminars.html  or  http://tinyurl.com/a5gplbr .  Soon to be added are 2-day HIPAA sessions in Sao Paulo, Brazil (!) and Toronto, Canada in March, as well as other sessions.  At least I’m not doing Brazil and Canada in the same week — how would I pack for that?...


HIPAA - Focus but don't over-think it

--  Enforcement Panic  --

OK, so none of us really has much time, what with the summer now upon us and a September 23, 2013 compliance deadline for the new HIPAA rules, but I figured I'd better pass along a few nuggets gleaned from the annual NIST-OCR HIPAA Security Conference, held last week in Washington, DC.  With apologies to Douglas Adams and the Hitchhiker's Guide to the Galaxy, DON'T PANIC!  In large capital letters.

Leon Rodriguez, head honcho at the HHS Office for Civil Rights, arranged to have a nice new violation settlement announced after the end of the first day of the conference, so he'd have plenty to discuss in his opening session on day two.  But the real gem in his commentary is not so much about that particular incident, but about their approach to enforcement in general, which is: if you're being a fool and refuse to deal with obvious problems, you're going to get in trouble with OCR.  The other side of that is that OCR is not going after organizations that make simple mistakes.  If a doctor makes a bad judgment call and passes along information he shouldn't have, nobody's going to jail or getting a penalty.  Just that you have seriously considered HIPAA is something that makes them happy.  They're not fussy about what kind of encryption you use -- just that you have considered it and are doing ANYTHING puts you in good stead.  (One caveat: to claim the Breach Notification Rule's "safe harbor" for lost encrypted data, the encryption does need to meet the HHS guidance, which points to the NIST standards for data at rest and data in transit.)

Where they get cranky is when you ignore the rules and ignore known issues.  Considering the rules and making a bad call is a chance to learn, not cause to be penalized.  And for goodness sake, don't let HIPAA get in the way of what you think is reasonable and appropriate.  Don't over-think it and unreasonably restrict reasonable disclosures.  Rule #1 -- do what the patient wants you to -- "the patient is at the top of the pyramid", and Rule #2 -- there are big exceptions when the health or safety of the patient or others is at risk -- "HIPAA is a valve, not a block."

So, do a risk analysis, consider the clear and obvious issues like laptops and paper records, and update the risk analysis when you change how you do business -- compliance is a process.  Folks, I am not making this up -- I am paraphrasing Rodriguez's words, and they echo my longtime advice.  Enforcement is not based on one bad decision on one bad day, it's based on the systemic violation of sets of rules.

Oh, and as for that settlement?  Be sure you check the security configuration of your servers and systems upon installation and regularly thereafter, and don't leave things vulnerable for months at a time.

-- Cloud Vendors, Conduits, and Persistence of Custody, Oh My! --

Hey, hey, hey, now, enough of the Wizard of Oz references -- that was the last newsletter.  (But why are the monkeys still flying around?)

So, there were some important insights into the as-yet-unresolved question of whether Amazon will need to start signing BA Agreements if it wants to continue serving health information clients with its Amazon Web Services products.  And, of course, it's not just Amazon, it's any "cloud" vendor handling PHI.  The thinking used to be, if it's encrypted and they don't have a key and can't access unencrypted PHI, they're not a BA.  Like a landlord relationship -- they're not responsible for your stuff, they're just renting you space and you have to secure it.  

But the new rules challenge that notion.  The new rules say anyone acting on behalf of a CE that receives, transmits, creates, or maintains PHI is a Business Associate.  "Cloud" vendors like "Box" and Verizon are indeed willing to sign BA Agreements and will start siphoning off AWS clients.  Will Amazon be able to resist the tide of BAA requests and the inevitable defections to providers that will sign a BAA?

"Persistence of Custody" has emerged as the key phrase.  HHS now has this issue under review, and I would expect there to be some kind of official guidance on the topic issued someday, hopefully before it becomes a dead issue.  (And if you think I'll hazard a guess as to when, you've got another think coming!)   The thinking is, if there is persistent custody of PHI, a BA is warranted, even if the PHI is encrypted.  

There is a very limited exception for Conduits, such as the postal service, FedEx, or an ISP that simply provides transmission capability.  In the Conduit model, there is no persistence of PHI -- it's passed off and no longer in the courier's hands.  But that's not so clear when it comes to electronic delivery.  Often a copy remains and can remain on backups indefinitely.  A conduit is a pipe, not an opaque bucket.

And don't forget security includes availability as well as confidentiality and integrity, so if your cloud vendor is responsible for ensuring good backups of essential health information and resilience in the face of disasters or "events", they're performing an essential service for your security compliance, helping to preserve your data, so they really should be under some kind of a BA agreement anyway.  They would, indeed, clearly, be responsible for aspects of the "maintenance" of your PHI.  Sounds like a BA to me.

-- And the Compliance Issue of the Day Is... --

Well, it could be laptops and portable data, since those breaches are still being reported almost daily, but that would be too easy.  Let's take a lesson from the kind folks at OCR who were nice enough to do their latest enforcement thing on Idaho State University and not you, so you can learn from their mistakes.  What happened there?  Nobody checked to make sure some servers were properly secured upon installation and regularly thereafter, and an insecure server allowed uncontrolled access to more than 17K patient records for nearly a year.  

The lesson?  Make sure your technical people follow good practices whenever new equipment and systems are installed, and have a security check done regularly -- there are even tools that can do a lot of this for you if you just set them up right.  Let's all say the words together now; it's just eight syllables: "reg-u-lar tech-ni-cal re-views."  I'd put money on the audits that start in October having some questions on this topic, so get started now with some good, regular, documented practices that can go a long way toward protecting you from breaches.
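What a "regular technical review" of a server's configuration might look like in practice, as an added example for this newsletter (it is not the author's tooling and has nothing to do with what was actually found at Idaho State University; it illustrates the "upon installation and regularly thereafter" lesson from both the settlement paragraph above and this one).  The script compares what a server currently exposes against the baseline recorded when it was installed, and treats an overdue review as a finding in its own right.  The host name, ports, dates, and the 90-day review cadence are constructed assumptions; in real use the snapshot would be parsed from the host's listening-socket and firewall-service state rather than typed in.

```python
"""Regular technical review: compare a server's current exposure against the
baseline recorded when it was installed, and flag drift and overdue reviews.

Added illustration for this newsletter, not the author's or OCR's tooling.
Host name, ports, and dates are constructed sample data.
"""
from datetime import date

# Constructed baseline: what the server was approved to expose at install time.
BASELINE = {
    "host": "ehr-app-01",                      # hypothetical host name
    "firewall_enabled": True,
    "listeners": {"0.0.0.0:443", "127.0.0.1:5432"},
    "last_reviewed": date(2012, 6, 1),
}

# Constructed snapshot of the same host as found later (think of netstat/ss
# output and the firewall service state, already parsed into this shape).
SNAPSHOT = {
    "host": "ehr-app-01",
    "firewall_enabled": False,                 # switched off and never switched back on
    "listeners": {"0.0.0.0:443", "0.0.0.0:5432", "0.0.0.0:3389"},
    "captured": date(2013, 5, 20),
}

# Constructed snapshot of a host that still matches its baseline, taken within
# the review window; used to show that a clean host produces no findings.
CLEAN_SNAPSHOT = {
    "host": "ehr-app-01",
    "firewall_enabled": True,
    "listeners": {"0.0.0.0:443", "127.0.0.1:5432"},
    "captured": date(2012, 8, 1),
}


def review_host(snapshot, baseline, max_review_age_days=90):
    """Return a list of (severity, message) findings; an empty list means no drift."""
    findings = []

    # 1. A firewall that was part of the approved configuration must still be on.
    if baseline["firewall_enabled"] and not snapshot["firewall_enabled"]:
        findings.append(("CRITICAL", "host firewall is disabled; baseline requires it"))

    # 2. Any listener not in the baseline is unreviewed exposure. A service bound
    #    to all interfaces is far more serious than one bound to loopback.
    for listener in sorted(set(snapshot["listeners"]) - set(baseline["listeners"])):
        addr, port = listener.rsplit(":", 1)
        exposed = addr in ("0.0.0.0", "::")
        severity = "HIGH" if exposed else "MEDIUM"
        findings.append((severity, f"unapproved listener {listener} (port {port})"))

    # 3. An approved service that has disappeared may mean tampering or a broken
    #    dependency; record it at lower severity so someone looks.
    for listener in sorted(set(baseline["listeners"]) - set(snapshot["listeners"])):
        findings.append(("LOW", f"approved listener {listener} is no longer present"))

    # 4. "Regularly thereafter": if the last documented review is older than the
    #    cadence policy sets, that is a finding by itself, drift or no drift.
    age = (snapshot["captured"] - baseline["last_reviewed"]).days
    if age > max_review_age_days:
        findings.append(("HIGH", f"last documented review was {age} days ago (limit {max_review_age_days})"))

    return findings


def worst_severity(findings):
    """Highest severity among the findings, or "NONE" when there are none."""
    order = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}
    return max((f[0] for f in findings), key=order.get, default="NONE")


if __name__ == "__main__":
    for severity, message in review_host(SNAPSHOT, BASELINE):
        print(f"[{severity}] {SNAPSHOT['host']}: {message}")
    print("overall:", worst_severity(review_host(SNAPSHOT, BASELINE)))
```

The point of keeping the baseline as a recorded artifact is that it doubles as the documentation OCR asks for: the review is not just "someone looked at the box," it is a dated comparison against what was approved, and a stale baseline date is itself evidence that the "regularly thereafter" part has lapsed.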

-- Your Mantra Is, Repeat After Me... --

Risk Analysis, Encryption, and Regular Reviews.  Like the nice Mr. Rodriguez says, compliance is a process.  Risk Analysis, Encryption, and Regular Reviews.  If you can document these and keep them up to date, you're on top of the biggest issues on OCR's radar.  Risk Analysis, Encryption, and Regular Reviews.  No time like right now...

So please let me know if you have any questions, and do check my news, resources, and upcoming training sessions sections on www.lewiscreeksystems.com -- I have lots of training sessions scheduled, including two more intensive two-day HIPAA training sessions, now set for Chicago August 29 and 30, and Phoenix October 24 and 24.



              Copyright © 2002-2023 Lewis Creek Systems, LLC  Charlotte, Vermont, USA