Well, you can’t say we live in uninteresting times. Since my last newsletter (I know, way back in February, for goodness sake) a lot has changed in the world of healthcare information security, and, more recently, political changes may mean a few significantly impactful changes to the demand for certain patient rights. Along the way, HHS has expanded on its guidance on Access of PHI by Individuals first published in January, renewed the HIPAA Audit Program, begun issuing settlements for HIPAA violations at an increasing pace, with increasing “settlement amounts.” Let’s touch on a few things…
— Ransomware and Healthcare —
Make no mistake, the bad guys have healthcare clearly in their sights, and it’s not just to steal PHI any more. Today the threat is to lock up your data and systems. Tomorrow? Why not bring entire healthcare systems down and deny proper treatment to untold numbers of patients? It’s already happened in the UK…
Ransomware is two issues. One is, you’d better have good, frequent, network separated, protected backups; set up your networks, admin rights, and access controls to limit the damage any one infection can do; make sure all your anti-whatever and OSes are up to date; and train your staff as follows: “Don’t click on that link. Don’t open that attachment. If you are not absolutely sure about the authenticity of any attachment or link, pick up the phone and check.” Recently a phony e-mail was sent to numerous healthcare entities, made to look like an Audit message from HHS, with phony reply addresses made to look like HHS addresses. (HHS addresses end in “hhs.gov”, NOT “hhs-gov.us”.) Have your recovery plans in place and tested and be ready to analyze the incident — it may be a reportable breach. See http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
The other issue is that it is clear that the bad guys will do whatever they need to in order to get money, and they see healthcare as a traditionally complex, hard to secure environment, with generally underfunded security by normal standards to boot. It is not going to get any easier, and the increased exchanges of data and interactions with the cloud will only provide more opportunities for things to go wrong. I do think that healthcare IT is now starting to get the respect it deserves, but if your EHR provider is brought to its knees by someone focusing a distributed attack on their servers, you may have a significant patient safety issue on your hands. If your organization survives a cyber attack itself but can’t communicate with the outside world because the Internet is down in your area, what will you do?
Ransomware is only a symptom of the larger problem we all face today. It is an ugly, ugly symptom, but the problem is much larger, and anyone who is not working as hard as they can to be prepared for an unknown assault is missing the boat. By the way, If you do a good job with HIPAA Security Rule compliance, you can spot these issues and be prepared BEFORE they bring YOU down. That’s what I hear from my clients anyway.
— ACA Changes and HIPAA —
HIPAA and the Affordable Care Act are not linked at the hip; the more recent major changes to HIPAA came with the HITECH Act (part of the 2009 Recovery Act) and predate ACA. While a repeal or removal of ACA would not directly affect HIPAA, it would impact one area of change that was put in place under the HITECH Act’s HIPAA Omnibus Update rules in 2013.
The HITECH Act included a provision that if a patient wants, they can pay for their services out of pocket, and then ask that their health plan not be informed of the encounter, and providers MUST obey this request. There is an exception for “where required by law”, such as with Medicaid patient encounters, but otherwise this is an undeniable right under the regulations.
This rule is in place for two reasons. One, the more obscure, is for families where you have have one spouse opening an EOB that may show something embarrassing about the other, and maybe that was supposed to be a secret. The other reason is that, before the ACA, if your health plan found out you had a cancer diagnosis or some expensive to treat disease, they might cancel your policy or triple your rates (except in some states like Vermont that are ahead of the ACA). The ACA prohibits that, so this right is almost never exercised today.
But if the ACA goes away, there may suddenly be great demand to exercise this right. QUESTION: Does your EHR have a check box that says, “Don’t tell the insurance company”? I didn’t think so. The time to ask your EHR provider about this is RIGHT NOW. This may suddenly go from an unused right to one that is in great demand, and that you must comply with, right away. The rule has been final since 2013 — are you ready for it? You and your EHR vendor had better be…
— HHS Guidance Wave —
We’ve had the Privacy rule for going on 14 years and now the guidance is finally catching up, or at least the pace is increasing anyway. The big news in guidance this year was clearly the amazing, detailed, clear guidance on Access of PHI put out by Deven McGraw’s group at the Office for Civil Rights and updated twice so far, and at the recent annual NIST/OCR HIPAA Security Conference she dropped a hint that there would be new guidance coming soon on the topic of sharing PHI with the family and friends involved with a patient’s care.
Just as Patient Access has been an area of numerous compliance complaints, issues of sharing information with family and friends garners more than its share of complaints and needs some clarification. I know it’s an area I hear complaints about as I travel around. The current most recent information is in the 2014 Guidance on sharing information related to mental health: http://www.hhs.gov/hipaa/for-professionals/special-topics/mental-health/ As soon as the new guidance is released, you’d be well advised to review your organization’s practices, just as you have with the Access guidance, right? (Psssst — the Access guidance is at http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/ )
— HIPAA Audits, 2016-style —
As expected, sort of, the HIPAA Audit program was finally restarted this year with a new round, focusing on just a few areas: Notice of Privacy Practices, Provision and Denial of Individual Access to PHI, Breach Notification Processes, and Risk Analysis and Management. 167 Desk Audits of Covered Entities are under way, and just about a week ago HHS announced that, oh, by the way, they’ve sent out notices to the HIPAA Business Associates they’ll be targeting. This should be interesting — we’ll find out just who understands what being a HIPAA BA means, or not. If one of your BAs is selected, I hope they do well, because it reflects on you.
There are still expected to be on-site audits in this current round as well, currently unannounced. The latest on the Audit program is at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html
— And Speaking of Business Associates —
So if you’re a HIPAA BA, and especially if you provide an EHR, listen up. Be ready to accommodate the right for an individual to ask that the health plan not be informed if they pay out of pocket. Your customers will need that, big time, if the ACA goes away. Also be aware that BAs may not deny access to PHI they hold on behalf of a provider, no matter whether the bills have been paid or not. According to the latest guidance from HHS on the topic, released in September, PHI must be returned in a usable way upon termination of an agreement. Also, if the covered entity signs an agreement that prevents it from ensuring the availability of its PHI, it is not in compliance. Check your contracts! See: http://www.hhs.gov/hipaa/for-professionals/faq/2074/may-a-business-associate-of-a-hipaa-covered-entity-block-or-terminate-access/index.html
As for Covered Entities, it is now time for them to be asking their higher risk Business Associates for assurances beyond those which are provided in the standard Business Associate Agreement. If your BA manages your EHR for you, they have control and access of a lot of your PHI, and are a higher risk vendor than one that handles limited information. You need to have more than just “I promise” from these vendors. It is time to start asking higher risk vendors for assurances such as evidence that they have and use security policies and perform a risk analysis. A third-party attestation of good practices is great, and even an SSAE 16 SOC 2 Type 1 or 2 audit summary is a reasonable to expect from something like a data center or major cloud service provider.
It’s time to start asking for those additional assurances. Ask them, “What can you show me that will reassure me that you actually do have safeguards in place and a continuing security management program?” See what they can provide you beyond their own statements created by the marketing department. For guidance on cloud computing see http://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html Frequently Asked Questions about Business Associates are available at http://www.hhs.gov/hipaa/for-professionals/faq/business-associates
— Settlements, Settlements, and More Settlements —
I guess it’s becoming the settlement-of-the-month club, with the current rate of HIPAA enforcement settlement announcements. Dollar amounts are regularly in the millions, unless you get a break because you’re operating at a loss, like UMass Amherst did; just $650K in that case. Just $650K? The latest lessons to be learned are as follows. If you’re a hybrid entity, make sure you properly find and identify ALL the portions that may be covered, not just the obvious ones, and then implement the appropriate safeguards. Have a checklist for implementing new systems and servers, to be sure they are configured correctly. Make sure your Business Associate agreements are properly in place and up to date. Secure your backup tapes. Do a thorough Risk Analysis, and then follow up by managing the risks, not ignoring them. Include smart phones and mobile devices in your Risk Analysis, establish policies, and secure the devices. Nothing new, really — these are all part of any decent security program, so you have no excuse if you make any of these mistakes. See: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
But the what-were-you-thinking award goes to NY Presbyterian Hospital for allowing TV crews into the ED to film without any authorizations from any of the patients. The crew shouldn’t even have been there without authorizations, much less filming tragedies. This makes me personally angry. My Dad headed the Columbia-Presbyterian ED back in the late 60s and early 70s and helped it become the world-class institution it is today. He instituted the first triage process there, and even won the support of his nurses who wouldn’t strike when the rest of them did. To see an institution that he improved and shepherded into the end of the 20th century abused by an incompetent administration that would allow such atrocities just boils my blood. The $2.2 million should have been $22 million and come right from the pockets of whomever allowed this, all the way up to the directors and trustees. Academic medical centers are a compliance nightmare and this is a prime example — great healthcare and clueless, confused management.
But don’t think for a moment that it’s just the big issues they’re going after at HHS. The word has gone out to the district offices that they’ll need to investigate the smaller breaches and complaints more rigorously. If they see a pattern of recurring small breaches by you, you can expect a call. You had better be ready to explain how you are doing everything you can to stop the recurring breaches, or they will ask you why you are not. My personal experience in dealing with district offices is that they take their role in HIPAA very seriously.
— Be On the Lookout For New Rules in 2017
We may finally get a new rule on Accounting of Disclosures but that seems to be not so much in the minds of OCR leadership these days. What will likely be finalized is the changes to 42 CFR Part 2 concerning substance abuse information, to reduce consent requirements and enable better integrated care for individuals who have multiple issues. So keep your ears open for these changes that could have significant impacts, depending on what is in the final rules.
— And Finally, Is It Cold in January?
Sounds like a good time to head for Phoenix, January 26 and 27, for my next 2-day HIPAA A to Z session — see http://www.globalcompliancepanel.com/control/globalseminars/~product_id=900752SEMINAR?HIPAA-privacy-security-compliance-Phoenix-AZ
SFO can be nice in February, maybe a 1.5 day Privacy Rule session February 23 and 24 would be good — see: http://www.complianceonline.com/hipaa-privacy-rule-compliance-new-rules-and-responsibilities-of-privacy-officer-seminar-training-80142SEM-prdsm
Washington, DC can be lovely at the end of March, nice enough on March 23 and 24 for a 2-day A to Z session — see: http://www.globalcompliancepanel.com/control/globalseminars/~product_id=900754SEMINAR?HIPAA-privacy-security-compliance-Washington-DC
And I have other live Webinars scheduled well into 2017 already, so be sure to check my upcoming public seminars page, at: http://www.lewiscreeksystems.com/upcoming_public_seminars.html
— HIPAA HOLIDAYS! —
I’m sorry, I should just give up all the stale HIPAA jokes, especially when we all have so much work to do with so much uncertainty and so many new threats. But I do wish you all a safe, satisfying, and healthful holiday season. Let’s all do what we can to make everyone smile a little more. We have a great opportunity with to use the tension in the world today for positive benefit. Things are unstuck, things are beginning to move; let’s all try to move things to the good to the best of our own abilities, each in our own way. It is the least we can ask of ourselves, and all we can ask of ourselves.
And of course, if you have any questions for me in the meantime, I always learn as much from you as you do from me, so please let me know.
Thanks.
Jim