From time to time I'll send my clients and interested others an e-mail update on new or pending regulatory actions and news related to healthcare information privacy and security. I'll also post them here for others to read. If you'd like to be on the e-mail list, please contact me, or, subscribe to the RSS feed. Thanks!
New HIPAA Rule Release Dates and Enforcement Budgets -- On Your Marks, Get Set...
Hello all,
It seems the crystal ball is clearing a bit...
HHS work plans and budgeting have been announced for the coming year, and here is how things shake out, with some surprises, of course!
According to the work plan released January 20, 2012 (see http://www.regulations.gov/#!documentDetail;D=HHS-ASAM-2012-0002-0001), the Big HIPAA Update looks to be on track for release in March, and it includes finalization of the proposed privacy and security rule changes (business associates, disclosure restrictions, access, etc.), and finalization of the interim final enforcement and breach notification rules. It also includes the finalization of changes to HIPAA regarding CLIA (the Clinical Laboratory Information Act), which could have a significant impact on laboratory operations depending on the extent to which individuals would interact directly with labs.
Most of what's in this package should be pretty close to what's been proposed, but there may be some changes to the harm standard in the Breach Notification Rule. As a security purist, I'd say that the harm standard has to go, but as a healthcare information realist, I know that there needs to be something like the harm standard to temper breach notification, because the potential for needless notification of harmless releases under the HIPAA definitions is huge. We'll see what we get.
Probably the biggest surprise is that the expected date for release of final rules for the new Accounting of Disclosures is set to June of this year. This rule has potentially very significant impact on healthcare information operations, to say the least. I wasn't expecting to see a final rule on this until late 2012 at the earliest, based on past performance in the release of final rules. Well, heck, what with all the free time IT and HIM departments will have now that ICD-10 is being pushed back, there should be no problem implementing this, right? (Or, "no probs" as my daughters would say.) Well, at least we have until June to find out how the final rule will differ from the proposed one, which certainly generated its share of controversy. I do hope the implementation timelines are more realistic than those proposed.
The other interesting tidbit is that in the proposed 2013 White House budgets, enforcement of HIPAA has been specifically targeted for spending even though the budget for the Office for Civil Rights at HHS (the enforcers) is down about 5% through improvements in process and cost savings. The HHS Budget-in-brief is available at http://www.hhs.gov/budget/budget-brief-fy2013.pdf . It's kind of funny (but not in a ha-ha kind of way) that there is plenty of mention of the importance of enforcing the rules alongside a budget cut. But I think audits and enforcement are certainly here to stay.
So, stay tuned -- we should have some real regulations to dissect in weeks now. (How many times have I said that? Will I become the HIPAA guy who cried wolf too many times?)
In other news, NIST has released a new draft update of their Security Incident Handling Guide (SP 800-61 Rev 2), available at: http://csrc.nist.gov/publications/drafts/800-61-rev2/draft-sp800-61rev2.pdf . Hint: HHS lists lack of incident handling processes as one of its Top 5 security issues. Hint: Questions asked of entities in HIPAA security audits always include requests to see incident policies, procedures, and reports. Hint: Audits are on the increase. Hint: If you don't have a good incident handling process, now is the time to start, and this guide is a great way to start. Get the hint?
Please let me know if you have questions -- I'm always happy to help.
Jim
New NIST HIPAA toolkit; Hope Dims for Final HIPAA Regs by end of 2011?
Hello All,
Well, the wait isn't over yet, and there I thought my last client message would trigger the release of the new final HIPAA regulation changes. Maybe this one will! I haven't heard any rumors of its being close either, so I'm starting to think we may have to wait into 2012 for the changes in regulations to be finalized for laws that went into effect in 2009 and 2010. Patience, Jim, patience.
But the news isn't all bad these days -- NIST has released its HIPAA Security Rule Toolkit (see http://scap.nist.gov/hipaa/ ) which provides a comprehensive (to say the least!) set of questions pertaining to Security Rule compliance and a way to catalog and gather all of your supporting documentation of compliance, such as policies, procedures, and other actions taken in pursuit of good security practices.
The tool includes two surveys, standard and enterprise, with 492 or 809 questions, respectively. Now, that's a lot of questions to work through, even for the "lightweight" version. It's based on the HIPAA regulations and the HITECH expansions that are expected to be finalized Real Soon Now (and I thought only software companies had vaporware!) and the NIST guides for Security Controls and HIPAA Security Compliance, so it really covers the bases. Even if you only read through the questions, you can learn a lot about what the regulations require and how you might relate that to what you do.
So, don't think for a minute that the NIST Security Rule Toolkit makes compliance something you can knock off in an afternoon. You will best approach it by taking an hour to become familiar with it and how it works, then taking a day to read through the questions and start to think about how you'd answer them, if you can. Using the toolkit will be a project, and you will need to plan how to use it and the amount of effort you will put into it. For almost any entity, simply diving right in and answering questions will quickly show you what you don't know and can't document, and your progress will slow to a discouraging crawl. You are far better off just reading through it first, and then formulating your plan of attack, and it will take some time.
As you formulate your plan, look over the sources of questions that have been asked in the past in HIPAA Security Rule audits so you can see how you'd be able to answer those questions with the information collected in the Toolkit. See:
» 42 questions asked in first OIG HIPAA Security audit in March 2007 at http://tinyurl.com/2ac9jm.
» CMS OESS 2008 Interview and Document Request for HIPAA Security Onsite Investigations and Compliance Reviews, at http://tinyurl.com/27eakjz
» Questions asked of a small provider after a data breach involving theft of a laptop and server, at: http://tinyurl.com/3jpoa4p
But when you're done, you will have a great set of documentation that should make it possible to answer any audit questions that come your way, in case you're hit with a breach, complaint, or one of those nifty new random audits that are getting under way now.
Can the question sets be modified? Yes, if you're handy with XML, but a tool is not provided within the Toolkit itself. As I look at it, I might wish to "roll-up" some questions into fewer questions, as there is some overlap with this level of detail, so I suspect I'll check out what's involved with that in my free time, or, more likely, when a client decides it's worth having the questions customized to their particular situation.
Overall? Definitely not a panacea, and definitely worth including in your compliance arsenal, at least for its educational value. If you are already using a Wiki or a SharePoint server to organize your compliance documentation, you might just use the Toolkit to verify that you have what you need and create a list of things you need to do, but you can certainly make it the basis of your compliance documentation if you wish -- just know that the Toolkit, like compliance, is not to be taken lightly.
At this point, I think I'll say that I'd rather not see the new final regulations until after the holidays -- do you think that will cause their release on Christmas Eve?
I wish you all a safe and happy holiday season, with health and the companionship of the people you love.
Jim
New HIPAA Audit Program Announced; Still Waiting for New Regs; New NIST tool coming
Hi All,
What usually happens is that I send out one of these messages about how a rule is expected any day, and the next day the rule comes out. Well, we're there again with the giant update to HIPAA, expected out by year end, even though the folks at HHS OCR won't give us a date. I'll expect the giant omnibus HIPAA update to be announced any day now that I'm sending out this message about its not being announced yet. I'll cover a little about what to expect, about how HHS has finally announced more about the new Audit program now actually getting under way, and about a new tool to assist with HIPAA Security Rule compliance, being released shortly by NIST.
-- The Big HIPAA Rule Update
The big update is actually coming, as was represented by HHS Office for Civil Rights deputy director Sue McAndrew on October 25th at the WEDI fall conference. She refused to give a date as to when, but it did not appear on the slide of what to expect in 2012, so I'll read between the lines and say it will be out by year's end.
What is it? It is a final rule for all the proposed and interim final rules affecting HIPAA that have been put forth over the last few years, including all the HITECH changes (with one important exception), and the Genetic Information Nondiscrimination Act (GINA). It includes breach notification, new violation categories and penalty levels, covering Business Associates and their subcontractors directly under the regulations, rights of electronic access of electronic PHI, new restrictions on disclosures, revisions to Business Associate Agreements, and pretty much everything that's been put forth EXCEPT for the changes to Accounting of Disclosures. The changes to Accounting of Disclosures were just proposed this last summer and HHS has not had the time necessary for absorbing and reacting to all the comments that were submitted about the proposal. I wouldn't expect to see a final rule on Accounting of Disclosures (and the dreaded Access Report) until later in 2012, or 2013.
So, everyone who has to deal with HIPAA will need to deal with the final rule changes once they're issued. I'll let you know when it comes out and what will need to be done differently from what you're already doing. Remember, the interim final rules, like for Breach Notification and Enforcement, are already enforceable, so you should have a lot of what will be needed in place already, but more changes to policy and procedures will be required. Most of the changes affect Privacy Rule sections, and the Security Rule is essentially unchanged, except for the addition of BAs to the listings of who must comply.
What can you do now? Start finding and prioritizing your BAAs for renewal, and do your best to come up with new BAA wording that will meet the proposed regulations, which are not expected to change in final form for this topic area. If you start using BAAs that meet the new language requirements now, you probably won't have to update those later. Update the ones for BAs that handle the most PHI or the most detailed PHI first, as those are likely to be your bigger breach risks, and include the proper language for notification, liability, and indemnification of breaches.
And dig out your HIPAA Privacy policies and start looking at changes you need to add for the new Privacy rights for electronic copies and restrictions of disclosures. Don't forget that as you change policies and patient rights change, you'll need to update your Notice of Privacy Practices.
In short, start getting ready for the changes; they're coming soon now, really they are.
-- HIPAA Audit Program Now In Action
Of course, new violation categories and penalty levels wouldn't be any fun at all without a new audit program to find violations, and the new one required by the HITECH Act is finally rolling, with the first "auditees" being notified right now. First they're looking at 20 entities by the end of April to work the bugs out of their program and protocols, and then they'll do up to 150 covered entities total by the end of 2012. No Business Associates this time -- I don't think HHS really has any way to figure out who the BAs are from whom they can draw a random sample, so this will be a difficult legislative mandate to meet, for the BA reviews. And Sue McAndrew, in the same presentation at the WEDI conference, said that the 150 is just an upper limit, and that they may not get to all 150 by the end of 2012. So, it's only Covered Entities, and not necessarily 150.
Well, no matter, the program is now under way, so any covered entity, even with no complaints having been filed or breaches having been reported, could be hit with an audit by the KPMG team implementing this first program, and even if they only do 100, you or someone you know will probably get put under the HIPAA microscope. Now is the time to review your compliance, and be ready for the changes. If they ask you, you'll have only 10 business days to respond, which is no time at all.
Here's a link to the HHS page all about the program: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html
And here are some links to HIPAA Audit questions that have been asked in the past -- get comfortable with these and you'll be in better shape than most:
http://tinyurl.com/2ac9jm - http://tinyurl.com/27eakjz - http://tinyurl.com/3jpoa4p
I'm hoping that current details about what goes into the new audits will be made available soon -- it's always better to have some clear idea of how to prepare and what to expect. I'll let you know if I find out more (and, of course, check the www.lewiscreeksystems.com website regularly).
-- New NIST HIPAA Security Toolkit Coming Soon
Another great thing discovered at this fall's WEDI conference is that NIST is about to release a new HIPAA Security Toolkit that is a no-cost web-based application written in Java, available for Windows, Mac OS, and a number of Unix platforms. The Toolkit steps the person using the toolkit (and it can individually track several toolkit users in one institution at once) through a series of questions reflecting the HIPAA Security Rule and all the relevant NIST publications (SP 800-53 series, SP 800-66, etc.) for Security Rule compliance.
The toolkit wisely avoids little tricks like giving you a meaningless summary such as a "level of compliance" -- but it does point out the areas where you weren't able to supply enough information to show you are in compliance. It will be updated as rules and normal security procedures change, and the results will be updated automatically. Based on the demo I saw at the WEDI conference, the toolkit will be an excellent weapon in the HIPAA compliance arsenal, and while it won't be the kind of thing that turns an office manager into a security expert, it will enable those who do HIPAA security analyses to develop consistent, repeatable results, which is a breakthrough at the $0 price point.
I know it will be a part of my arsenal anyway, and I'll pass along the info as soon as I find out it's released. (I've got a contact inside the project, so I'm sure to know ASAP when it's publicly available.)
-- In the meantime...
Please have a safe and happy Thanksgiving holiday week!
Jim
