HIPAA Audit Protocol, items from the NIST/OCR HIPAA Security Conference, and more

Hi All,

 -- The NIST/OCR HIPAA Security Conference -- 

Oh how I wish I had more news to report from the annual NIST/OCR (National Institute of Standards and Technology / US Department of Health and Human Services Office for Civil Rights) HIPAA Security conference down in DC on June 6 and 7.  Presentations from the conference are available at http://csrc.nist.gov/news_events/hiipaa_june2012/presentations.html 

Well, the big news I was hoping to hear more about was the release date for the final rule changes to HIPAA (except Accounting of Disclosures), and the best "official" word, expressed by senior officials at OCR (and by folks informed of the official line over at the big Privacy conference happening almost concurrently in DC) is that the new rules will be out by the "end of the summer", whatever that means.

But while that's the official word, the remarks by Leon Rodriguez, the head of HHS OCR, were slightly different, and if anyone's slightly different words should be considered, it's the head guy's.  Rodriguez used phrasing like, "I wish I could give you a date, but it's very, very, very soon."  Now, in my family, when you repeat something three times, you really mean it.  Leon's not one of our kids, but if he's the top guy at OCR, the nuances of his speech can't be ignored.  I still think it will be out soon -- what do you bet, just in time for the 4th of July holiday -- wouldn't that be just like them...  But I'll probably be wrong again.

Another choice tidbit is that the folks who are implementing the incentive funding for EHRs are planning to audit the meaningful use attestation of, hold on for this, 10% of all entities receiving funding.  Yikes!  10%??  That's a LOT of audits, and I know there are some who are doing a skimpy job on meeting Objective 15 (requiring a HIPAA Security Risk Analysis) who will get snagged.  My advice (and it's not legal advice because I'm not a lawyer and I don't play one on TV) is to make sure you have a real risk analysis done, one that you can point to and show you've been paying attention to.  10%??  Wow.  Hey, a real risk analysis is the smartest thing you can do anyway.

Other items from the conference:  
 -- Breaches caused by lost, stolen, or improperly disposed of PHI are holding steady at about 2/3 of all breaches; about half of all breaches could be avoided through proper use of encryption and access controls.  No big news there, just a confirmation of what's been happening for quite some time now.
 -- Breaches by hacking are on the increase.  No question.  Health data IS a rich target, identified by international identity thieves.  The hacking breach at Utah Medicaid led to 700,000 records being exposed and the state CIO's turning in his resignation.  Health information security has recently become a much more serious game.  Less Keystone Cops and more James Bond.  IT staffs will have to adjust, and fast.
 -- Have an incident that might be a breach?  Calm down, stop the damage, and do the research.  It's not a breach until you decide it is, indeed, a breach.  If you decide too soon, without complete evidence, you may wind up notifying incorrectly.  Have a good INCIDENT handling policy and procedure that tells you what to do and how to proceed, and how to get to the point where you say, OK, yes, it is actually a breach, and we have to treat it as such, or not.  You will have both regulatory and technical considerations as to how you call it; don't jump to conclusions.
 -- The Office of the National Coordinator has done a great analysis of smart phone security, available in the sessions listed for June 6, "ONC Mobile Device Project".  Find your devices there and see if you're doing all you can to protect PHI.

 -- The HIPAA Audit Protocol -- 

Of course, there's a lot more to report.  One biggie is that OCR said it would be publishing its audit protocol for the HIPAA privacy and security compliance audits now taking place, and the protocol was just announced yesterday -- see http://ocrnotifications.hhs.gov/hipaa.html  Take a look, and see how you'd do.  (Don't Panic!)

Now, this audit protocol is just what we've all been waiting for, so we can know how to be prepared for an audit, but I have to admit it is something of a disappointment.  It has 165 questions, most with several sub-questions, and multiple references of comparisons to "established performance criteria" and "specified criteria".  I can write the questions they've written myself, and so can anyone familiar with the regulations, but what are these mysterious "criteria"?  THAT's what we all want to know.

In my cursory review, I've found some questions that don't seem to relate to the regulations they specify.  For instance, one question on §164.308(a)(7)(i), the Contingency Planning standard, is all about identifying preventive measures.  That section of the regulation calls for a response to various disasters, but says absolutely nothing about preventing them.  Preventive measures would be covered under other safeguards.  Very disturbing.

And there is no way to simply download the entire table with all the cell contents showing so you can create your own tool or table and use their questions in a more accessible way.

But it is a great way to see just what kind of documentation you might be asked to produce.  There is plenty of call for explanations and justifications for variations under addressable specifications, so it's clear that full documentation of your compliance decisions is necessary.  It can certainly be overwhelming to look at the level of detail they're asking about.

Overall, on first review, what a let down, but we'll all have to work with it as best we can.  It IS the protocol currently.  At least it will be good for scaring the heck out of clients, CEOs, CFOs...

 -- $1.7 million Settlement with Alaska Medicaid -- 

Lest you think the folks at HHS OCR have been too busy with audits and conferences to engage in good ol' enforcement, just take a look at the latest installment of OCR's fun game, "Let's go make HIPAA enforcement examples of every kind of entity there is!".  A USB drive with PHI was stolen; investigation found inadequate policies and procedures, no risk analysis, incomplete security training, lack of device and media controls, not addressing encryption, and overall insufficient risk management measures.  This time?  A state Medicaid agency, and the press release ( http://www.hhs.gov/news/press/2012pres/06/20120626a.html ) makes it clear that state agencies are not exempt from HIPAA.  The toll?  A $1.7 million settlement, a corrective action plan, and monitoring.  The message?  There are no sacred cows in HIPAA compliance any more, not even up in Alaska.  See the HHS OCR page on the settlement agreement at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/alaska-agreement.html 

 -- California Releases HIPAA Security Toolkit for Small Entities -- 

Well, I really don't know how I stand on this one.  It's an online toolkit provided by the state of California that anyone can use for looking at their HIPAA security compliance, designed for physician offices and smaller entities.  It consists of data collection and risk analysis portions.  The questionnaire part I like a great deal and is a great way to dive into HIPAA compliance for a smaller organization.  

Where I do have issues is with their interpretation of how to take the information collected and turn it into a risk analysis.  Their approach is very much oriented toward assigning dollar values to various security events using Annual Loss Expectancy (ALE) to come up with a way to decide about what actions to take based on financial terms.  But much of information security doesn't work based on ALEs and other mathematical approaches -- too many of the risks are too unpredictable and changing too fast for the rigorous methods to be of real value.  And I can't imagine a small office suffering through this process when there are less formal, easier to use methods that just plain work better.

Now, keep in mind that the questionnaire in the California toolkit is nowhere near as detailed as the one in the NIST HIPAA Security Rule Toolkit, and unlike the NIST toolkit it is designed to feed into a risk analysis, so a direct comparison between the two toolkits is difficult, but the questions are useful for making sure the issues are considered.  However I think if this tool is used without guidance it could be very dangerous, because it can be too easy to say you have safeguards in place when in fact they may be insufficient.  If you say you have safeguards, it won't show up as a risk issue in the risk analysis, but if the safeguards are actually insufficient based on a qualified review, the risk analysis is faulty.

So, appreciate it, use it with caution, and be prepared to run screaming from the Risk Analysis portion as though your hair were on fire.  The user guide with complete instructions is available at https://www.ohii.ca.gov/securitytool/downloads/CalOHII_HSR_User_Guide.pdf and the toolkit is accessed at: https://www.ohii.ca.gov/securitytool/compliance/login.aspx 
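To make the two objections above concrete, here is an added illustration (it is not part of the newsletter and not the California toolkit's own code) of the arithmetic an ALE-based risk analysis rests on.  The scenario, the dollar figures, the guessed rates of occurrence and the safeguard effectiveness ratings are all constructed for the example.  It shows the cost/benefit test the method uses to justify a safeguard, how that decision flips within a plausible range of guesses for the annual rate of occurrence, and how a questionnaire "yes" makes a risk disappear that a qualified reviewer would still carry.

```python
# Added example, not from the newsletter or the California toolkit.
# All dollar figures, rates and effectiveness ratings are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario in the classic quantitative (ALE) model."""
    name: str
    sle: float   # Single Loss Expectancy: dollars lost per incident (constructed)
    aro: float   # Annualized Rate of Occurrence: expected incidents per year (a guess)


def ale(s: Scenario) -> float:
    """ALE = SLE x ARO: expected dollars lost per year to this scenario."""
    return s.sle * s.aro


def net_benefit(s: Scenario, effectiveness: float, annual_cost: float) -> float:
    """Cost/benefit test used to justify a safeguard:
    (ALE avoided by the safeguard) - (annual cost of the safeguard).
    Positive means 'buy it', negative means 'don't'."""
    return ale(s) * effectiveness - annual_cost


def decision_by_aro_guess(s: Scenario, effectiveness: float, annual_cost: float,
                          aro_guesses: list[float]) -> dict[float, bool]:
    """Re-run the cost/benefit test for each guessed ARO.
    Theft and hacking rates are guesses, so the decision can flip within
    the range of guesses a small office might reasonably make."""
    return {
        guess: net_benefit(Scenario(s.name, s.sle, guess), effectiveness, annual_cost) > 0
        for guess in aro_guesses
    }


def residual_ale_questionnaire(s: Scenario, answered_in_place: bool) -> float:
    """How a yes/no questionnaire typically feeds the risk analysis:
    answering 'yes, the safeguard is in place' drops the scenario entirely."""
    return 0.0 if answered_in_place else ale(s)


def residual_ale_reviewed(s: Scenario, effectiveness: float) -> float:
    """Residual risk after a qualified review rates how well the safeguard
    actually works (0.0 = useless, 1.0 = eliminates the scenario)."""
    return ale(s) * (1.0 - effectiveness)


# Constructed scenario: an unencrypted USB drive with PHI is stolen.
# SLE covers investigation, notification and remediation; ARO is a guess
# of one incident every five years.
USB_THEFT = Scenario(name="stolen unencrypted USB drive", sle=250_000.0, aro=0.2)
ENCRYPTION_COST = 8_000.0      # constructed annual cost of media encryption
ENCRYPTION_EFFECTIVENESS = 0.9  # constructed: how much of the loss it avoids


def main() -> None:
    print(f"ALE for '{USB_THEFT.name}': ${ale(USB_THEFT):,.0f}/year")
    print(f"Net benefit of encryption: ${net_benefit(USB_THEFT, ENCRYPTION_EFFECTIVENESS, ENCRYPTION_COST):,.0f}/year")
    print("Decision as the ARO guess varies:")
    for guess, buy in decision_by_aro_guess(USB_THEFT, ENCRYPTION_EFFECTIVENESS, ENCRYPTION_COST,
                                            [0.02, 0.05, 0.1, 0.2, 0.5]).items():
        print(f"  ARO {guess:>5.2f}/year -> {'buy' if buy else 'do not buy'}")
    # Questionnaire pitfall: the office answers 'yes, we encrypt portable media'
    # because laptops are encrypted, but the USB drives are not. A reviewer
    # rates the safeguard at 30% effective for this scenario.
    print(f"Residual risk per questionnaire: ${residual_ale_questionnaire(USB_THEFT, True):,.0f}")
    print(f"Residual risk per qualified review: ${residual_ale_reviewed(USB_THEFT, 0.3):,.0f}")


if __name__ == "__main__":
    main()
```

With the constructed figures the safeguard pays for itself at an ARO guess of one incident in twenty years, but not at one in fifty, which is exactly the kind of number nobody in a small practice can defend.  And the questionnaire path reports zero residual risk for the same scenario the reviewer still values at tens of thousands of dollars a year.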

 -- And in conclusion... -- 

I used to have to make up stories about HIPAA compliance issues and security issues and breaches and penalties, but no more.  It seems there's another example of what not to do with PHI in the press every day.  HHS OCR is doing all the explaining now and we'd best pay attention or be prepared to pay the price.


              Copyright © 2002-2019 Lewis Creek Systems, LLC  Charlotte, Vermont, USA