HIPAA settlements continue, laptop again, small entity again

A Happy New Year to all, and here's to having better compliance with HIPAA in the coming months!

New Rules?  What New Rules?

Well, we still have no new regulations yet, and even the head of HHS OCR, the folks making the rules, isn't sure when they'll appear.  I mean, come on, the laws behind these rules, for the most part, went into effect more than two years ago.  The longer the delay goes on, the more I begin to wonder if they'll throw into the "Omnibus Update" a final rule on the new Accounting of Disclosures provisions.  (Yes, the final rule changes are likely to be about as subtle as a bus... or a bull in a china shop...)

The big takeaway from this is it's time for all the HIPAA business associates to face up to the fact that they're going to be covered under the rules, and have already been covered under the law for more than two years, and are subject to enforcement by state attorneys general.  The delay in finalizing the rules has presented an opportunity for these entities to get their compliance houses in order before the clock starts ticking.  When the final rules go into effect, BAs will have only six months to become compliant, and the competition for resources to get the job done will be fierce.  The word from the head of HHS OCR is that BAs need to get ready now, and I would expect vigorous enforcement of the rules once they're enforceable.  Here's a link to an interview with Leon Rodriguez that is very illuminating!  http://www.govhealthit.com/news/ocr-looking-high-level-sensitivity-data-breaches

Another Settlement for a Laptop Breach, With a Small Hospice Agency

Oh, this one really hurts.  Hospice of North Idaho (HONI) uses lots of laptops to provide its services.  One got stolen.  They hadn't done a risk analysis, and they hadn't implemented any mobile device security policies and procedures.  441 patients' information involved.  $50,000 settlement plus corrective action plan.

OK, a few things here:  

1) This is going to cost HONI a LOT more than the $50K settlement, and I'd guess they have NO money to spare at an outfit like this.  This comes right out of their ability to provide services.  Getting into compliance for a relatively straightforward organization like this would have cost a SMALL FRACTION of the costs of the breach and settlement.

2) Note that this is for a breach that's under the threshold of 500 to be reported as a large breach.  Yes, folks, they're looking at the small breaches too, taking names, and finding examples to make.

3) I'm sure you can fill this one in yourself by now, if you've been listening to me...  Do your risk analysis, implement some policies and procedures and encrypt all your mobile devices!  Almost every day another breach is reported involving thousands of patient records on a laptop.  Portable data is a clear, obvious, documented serious risk, and protecting it is WAY cheaper than recovering from a breach of it.  STOP THE MADNESS!  Do your homework and encrypt your laptops and any mobile health information.  Do it NOW.  No more excuses!

Here's the link to the HHS OCR news release on the settlement, with links to the agreement, and to guidance on how to protect mobile data: http://www.hhs.gov/news/press/2013pres/01/20130102a.html

And About That Guidance On Mobile Device Security...

The nice folks at the Office of the National Coordinator for Health IT have put together a good set of resources that everyone using any portable devices holding Protected Health Information should take a look at!  With all the problems of breaches of mobile devices, this is a welcome addition to the educational arsenal.  Use this to educate yourself, and to help show your bosses why putting in the time and money to protect these devices is such a good idea, and so much less expensive than not doing so.  There are documents, FAQs, videos, and more.  Check it out at http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security

Seminars, Webinars, and Conferences, Oh My!

Hokey Smokes, Bullwinkle, here it is only the fourth of January, and I already have 27 speaking engagements set for 2013!  2012 saw a total of 62 sessions, some from my desk, some across the country -- I'm not sure I can do more and meet client needs at the same time.  But I do cover a variety of topics and issues related to HIPAA.  See the ever-evolving list at http://www.lewiscreeksystems.com/upcoming_public_seminars.html

And On That Note...

Please let me know if you have any questions or need any assistance with HIPAA compliance -- I'm always happy to have a conversation and do my best to get you headed in the right direction.

Copyright © 2002-2019 Lewis Creek Systems, LLC  Charlotte, Vermont, USA