<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/">
 	<channel>
		<title>Occasional Client Updates on Compliance | Lewis Creek Systems, LLC | Jim Sheldon-Dean</title>
		<link>http://www.lewiscreeksystems.com/occasional-client-updates/</link>
		<description></description>
		<language>en</language>
		<lastBuildDate>Wed, 06 Mar 2013 06:04:39 -0500</lastBuildDate>
		<docs>http://blogs.law.harvard.edu/tech/rss</docs>
		<generator>Sandvox 2.7.7b5</generator>
		<item>
			<title>Gathering Storm Clouds on the Audit Front</title>
			<link>http://www.lewiscreeksystems.com/occasional-client-updates/gathering-storm-clouds-on.html</link>
			<description>
				&lt;div class="article-summary"&gt;&lt;p&gt;-- With Apologies to Judy Garland, Harold Arlen, and a Cast of Flying Monkeys -- 
					&lt;/p&gt;&lt;p&gt;"Auntie Em!  Auntie Em!  There's a twister a-comin'!"  Well, I won't vouch for the accuracy of the quote, but I see some pretty ugly clouds on the horizon.  A few comments from Federal officials, a job posting, and a conversation with someone whose company went through one of the random audits last year, and now I'm concerned.  Is there a HIPAA storm cellar?  You may want one.
					&lt;/p&gt;&lt;p&gt;I guess I'm not reporting anything new if I take note of the numerous public comments by HHS officials that in the first round of random audits, they found that entities weren't doing much internal auditing of system and network activity to ensure proper use of systems and data by the appropriate people.  It's also nothing new that the folks heading up the HHS Office for Civil Rights have said that enforcing the auditing requirements will be a focus of their work in the coming months.  And I'm sure I'm among thousands of people on the HHS mailing list that in the last week received a notice that HHS OCR was looking to hire people to do HIPAA privacy and security audits.  That's troubling enough.  Those two things mean that if you haven't started to follow up on the HIPAA Security Rule's system monitoring and activity review safeguards, you're leaving yourself open to fines and corrective action plans with a growing workforce dedicated to enforcement, full-time.
					&lt;/p&gt;&lt;/div&gt;
			</description>
			<pubDate>Wed, 06 Mar 2013 06:00:53 -0500</pubDate>
			<guid>http://www.lewiscreeksystems.com/occasional-client-updates/gathering-storm-clouds-on.html</guid>
            
			
		</item>
		<item>
			<title>Policy Changes and the New HIPAA Breach Evaluation Process</title>
			<link>http://www.lewiscreeksystems.com/occasional-client-updates/policy-changes-and-the-new.html</link>
			<description>
				&lt;div class="article-summary"&gt;&lt;p&gt;I keep chipping away at the issues related to the new final HIPAA rules (aka HIPAA2), looking for insights into the bottom-line question, "Just what needs to happen to become compliant with the new rules?"  I provided a little bit of an outline in my last message, but the issues surrounding the changes to Breach Notification need a little more exploration at this point.  In upcoming discussions I'm sure I'll be tackling the scope of the changes to the Privacy Rule, but for the moment I'll fill in a few blanks relating to the Security Rule and Breach Notification.
					&lt;/p&gt;&lt;p&gt;-- Security and Breach Rule Policies
					&lt;/p&gt;&lt;p&gt;For the most part, changes to the Security Rule consist of adding "...and Business Associates..." to many of the sections, and doing so probably won't affect your Information Security Policies.  The changes may need to be reflected in your policy on Business Associates if the policy is specific about BA agreement contents and doesn't refer to the HHS regulations identifying required content (or even better, the Web page for that, &lt;a href="http://tinyurl.com/7asm2qj" target="_blank"&gt;http://tinyurl.com/7asm2qj&lt;/a&gt; ).  If the policy does refer to the regulations, it's probably fine as is.
					&lt;/p&gt;&lt;/div&gt;
			</description>
			<pubDate>Fri, 08 Feb 2013 11:22:08 -0500</pubDate>
			<guid>http://www.lewiscreeksystems.com/occasional-client-updates/policy-changes-and-the-new.html</guid>
            
			
		</item>
		<item>
			<title>Nuances of the New HIPAA Rules, New BAA Template</title>
			<link>http://www.lewiscreeksystems.com/occasional-client-updates/nuances-of-the-new-hipaa.html</link>
			<description>
				&lt;div class="article-summary"&gt;&lt;p&gt;As time goes by and we in the compliance community have the opportunity to digest the new rules a bit more and dig deeper into some of the tidbits hidden in the Preamble to the changes, new details will emerge, new understanding will develop, and framework for HIPAA update implementation will emerge.  Here's how it looks so far:
					&lt;/p&gt;&lt;p&gt; -- A Framework for Implementing the HIPAA Changes
					&lt;/p&gt;&lt;p&gt;1) Policies will need to be modified or adopted to deal with the changes to business associates, individual access, breach notification, marketing and fundraising, and lots more.  This will not be a simple job, depending on the complexity of your current policies, and must be executed by September 23, 2013.
					&lt;/p&gt;&lt;p&gt;2) Your Notice of Privacy Practices will need to be updated to reflect the new patient rights, and may be modified to remove language no longer required pertaining to some marketing activities that now will require an authorization instead.  This also will need to be implemented by September 23, 2013.  Providers will NOT have to mail out a new one to patients, but will need to use it and make it available and properly posted in their offices and on their Web sites.
					&lt;/p&gt;&lt;/div&gt;
			</description>
			<pubDate>Tue, 29 Jan 2013 06:44:57 -0500</pubDate>
			<guid>http://www.lewiscreeksystems.com/occasional-client-updates/nuances-of-the-new-hipaa.html</guid>
            
			
		</item>
		<item>
			<title>New Final HIPAA Rule Released -- a few surprises!</title>
			<link>http://www.lewiscreeksystems.com/occasional-client-updates/new-final-hipaa-rule-releas.html</link>
			<description>
				&lt;div class="article-summary"&gt;&lt;p&gt;Well, the big news is that we've finally been treated to a new final HIPAA rule, issued last Thursday, true to form, just before a holiday weekend, all 563 pages.  A great deal is "as proposed" but there are some significant changes and some significant insights provided in the preamble.  Here's a link to the pre-publication version &lt;a href="https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf" target="_blank"&gt;https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf&lt;/a&gt;  The actual date of issue of the official version in the Federal Register will be this Friday, January 25, whereupon the link above may stop working and links to the official version will be announced.
					&lt;/p&gt;&lt;p&gt;DISCLAIMER!  I am not a lawyer and everyone in the HIPAA world is still sorting out all the impacts and changes, and I'd be a fool to think that I know what all the issues are and have everything interpreted correctly at this early stage.  This is not a complete analysis, but just a few observations, and I'll have more information as things develop.  
					&lt;/p&gt;&lt;p&gt;So, what's up with the final rule?  For the most part, it's being finalized as proposed, but with some significant exceptions.  Here are some tidbits.
					&lt;/p&gt;&lt;/div&gt;
			</description>
			<pubDate>Tue, 22 Jan 2013 07:12:48 -0500</pubDate>
			<guid>http://www.lewiscreeksystems.com/occasional-client-updates/new-final-hipaa-rule-releas.html</guid>
            
			
		</item>
		<item>
			<title>HIPAA settlements continue, laptop again, small entity again</title>
			<link>http://www.lewiscreeksystems.com/occasional-client-updates/hipaa-settlements-continue.html</link>
			<description>
				&lt;div class="article-summary"&gt;&lt;p&gt;A Happy New Year to all, and here's to having better compliance with HIPAA in the coming months!
					&lt;/p&gt;&lt;p&gt;New Rules?  What New Rules?
					&lt;/p&gt;&lt;p&gt;Well, we still have no new regulations yet, and even the head of HHS OCR, the folks making the rules, isn't sure when they'll appear.  I mean, come on, the laws behind these rules, for the most part, went into effect more than two years ago.  The longer the delay goes on, the more I begin to wonder if they'll throw into the "Omnibus Update" a final rule on the new Accounting of Disclosures provisions.  (Yes, the final rule changes are likely to be about as subtle as a bus... or a bull in a china shop...)
					&lt;/p&gt;&lt;p&gt;The big takeaway from this is it's time for all the HIPAA business associates to face up to the fact that they're going to be covered under the rules, and have already been covered under the law for more than two years, and are subject to enforcement by state attorneys general.  The delay in finalizing the rules has presented an opportunity for these entities to get their compliance houses in order before the clock starts ticking.  When the final rules go into effect, BAs will have only six months to become compliant, and the competition for resources to get the job done will be fierce.  The word from the head of HHS OCR is that BAs need to get ready now, and I would expect vigorous enforcement of the rules once they're enforceable.  Here's a link to an interview with Leon Rodriguez that is very illuminating!  &lt;a href="http://www.govhealthit.com/news/ocr-looking-high-level-sensitivity-data-breaches" target="_blank"&gt;http://www.govhealthit.com/news/ocr-looking-high-level-sensitivity-data-breaches&lt;/a&gt;
					&lt;/p&gt;&lt;/div&gt;
			</description>
			<pubDate>Fri, 04 Jan 2013 06:19:09 -0500</pubDate>
			<guid>http://www.lewiscreeksystems.com/occasional-client-updates/hipaa-settlements-continue.html</guid>
            
			
		</item>
		<item>
			<title>Plenty of HIPAA Action but Regs in Holding Pattern</title>
			<link>http://www.lewiscreeksystems.com/occasional-client-updates/plenty-of-hipaa-action-but.html</link>
			<description>
				&lt;div class="article-summary"&gt;&lt;p&gt;Greetings, All,
					&lt;/p&gt;&lt;p&gt;If I keep waiting for the new rules to send a client message out, it may never happen, or so it seems.  So here's a summary of the latest goings on in the world of HIPAA.
					&lt;/p&gt;&lt;p&gt;Final HIPAA Rules Expected Maybe Someday
					&lt;/p&gt;&lt;p&gt;OK, so it's gotten so bad that I've about given up updating my slides in HIPAA presentations with the latest expected dates for release of the final HIPAA changes in the big Omnibus rule, and now it's clear we'll hear nothing before the election, so we'll see.  All of the uncertainty is causing a lot of inaction and stalling a lot of work that really needs to be done to get healthcare down the road to at least the present day, if not the future.  When will we see the regs?  Someday, maybe, maybe not.  Meanwhile, state attorneys general have sued business associates for violations under the HITECH act, even without the regulations in place.  So we continue in regulatory limbo -- both the old and new rules apply...
					&lt;/p&gt;&lt;p&gt;HIPAA Audit Protocol Updated
					&lt;/p&gt;&lt;p&gt;At some point during September, without announcement, the HIPAA Audit Protocol was updated, improved, and moved to a new web page, leaving the old one still active without any notice that a new version had been published elsewhere.  Hey thanks for the heads up!  &lt;a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html" target="_blank"&gt;http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html&lt;/a&gt;  Anyway, it's up from 165 to 169 questions, but the big news is the "Export" button that makes it possible to export the contents to something useful like a spreadsheet, where you can add columns for Item Number (so you can always sort things back to the original order!), unresolved questions, issues to be addressed, supporting documentation, and priority for resolution.  Once you do this, you can format the cells so the contents are readable (what a concept!) and use the HIPAA Audit Protocol as a master HIPAA compliance guide and documentation record.  Sort of like a simpler, less detailed, lightweight version of the NIST HIPAA Security Rule Toolkit.  It's still not perfect, and there are still some wonky questions, but it can be actually used.  Let me know if you'd like a copy of the protocol (as published on October 15, 2012) in a formatted .xlsx spreadsheet something like what I described, and I'll e-mail you one.
					&lt;/p&gt;&lt;/div&gt;
			</description>
			<pubDate>Thu, 18 Oct 2012 06:36:04 -0400</pubDate>
			<guid>http://www.lewiscreeksystems.com/occasional-client-updates/plenty-of-hipaa-action-but.html</guid>
            
			
		</item>
		<item>
			<title>HIPAA Audit Protocol, items from the NIST/OCR HIPAA Security Conference, and more</title>
			<link>http://www.lewiscreeksystems.com/occasional-client-updates/hipaa-audit-protocol-items.html</link>
			<description>
				&lt;div class="article-summary"&gt;&lt;p&gt;Hi All,
					&lt;/p&gt;&lt;p&gt; -- The NIST/OCR HIPAA Security Conference -- 
					&lt;/p&gt;&lt;p&gt;Oh how I wish I had more news to report from the annual NIST/OCR (National Institute of Standards and Technology / US Department of Health and Human Services Office for Civil Rights) HIPAA Security conference down in DC on June 6 and 7.  Presentations from the conference are available at &lt;a href="http://csrc.nist.gov/news_events/hiipaa_june2012/presentations.html" target="_blank"&gt;http://csrc.nist.gov/news_events/hiipaa_june2012/presentations.html&lt;/a&gt; 
					&lt;/p&gt;&lt;p&gt;Well, the big news I was hoping to hear more about was the release date for the final rule changes to HIPAA (except Accounting of Disclosures), and the best "official" word, expressed by senior officials at OCR (and by folks informed of the official line over at the big Privacy conference happening almost concurrently in DC) is that the new rules will be out by the "end of the summer", whatever that means.
					&lt;/p&gt;&lt;p&gt;But while that's the official word, the remarks by Leon Rodriguez, the head of HHS OCR, were slightly different, and if anyone's slightly different words should be considered, it's the head guy's.  Rodriguez used phrasing like, "I wish I could give you a date, but it's very, very, very soon."  Now, in my family, when you repeat something three times, you really mean it.  Leon's not one of our kids, but if he's the top guy at OCR, the nuances of his speech can't be ignored.  I still think it will be out soon -- what do you bet, just in time for the 4th of July holiday -- wouldn't that be just like them...  But I'll probably be wrong again.
					&lt;/p&gt;&lt;/div&gt;
			</description>
			<pubDate>Wed, 27 Jun 2012 17:18:33 -0400</pubDate>
			<guid>http://www.lewiscreeksystems.com/occasional-client-updates/hipaa-audit-protocol-items.html</guid>
            
			
		</item>
		<item>
			<title>New HIPAA Rules at OMB, out by July; Breaches get expensive</title>
			<link>http://www.lewiscreeksystems.com/occasional-client-updates/new-hipaa-rules-at-omb-out.html</link>
			<description>
				&lt;div class="article-summary"&gt;&lt;p&gt;Hello all,
					&lt;/p&gt;&lt;p&gt;Well, it seems like a long road, but the new final HIPAA rules with all the changes from HITECH except for the Accounting of Disclosures rules, and including the GINA changes, have finally been submitted to the Office of Management and Budget, the final step before release.   Thanks to Ruth Carr, Sue Miller, and my friends on the American Health Lawyers Association list serv, I learned that the rules were noted as submitted to OMB on Saturday, March 24.  The final process can take up to 90 days, so we should see a final rule by the end of June, and probably not earlier.  I feel like I must be crazy to toss out yet another expected date for release of the final rule changes, but this is based on actual information, and not hopes and expectations.  So, fasten your seat belts, and get ready to find out what's changed from the proposed and interim final rules and what's not.  Will there be changes to the harm standard in Breach Notification?  We'll know, finally, before the end of June.  At least it won't be released for the 4th of July weekend. Bite my tongue!
					&lt;/p&gt;&lt;/div&gt;
			</description>
			<pubDate>Mon, 26 Mar 2012 07:15:33 -0400</pubDate>
			<guid>http://www.lewiscreeksystems.com/occasional-client-updates/new-hipaa-rules-at-omb-out.html</guid>
            
			
		</item>
		<item>
			<title>CMS Proposed Meaningful Use Stage 2 Regs: Increased Security</title>
			<link>http://www.lewiscreeksystems.com/occasional-client-updates/cms-proposed-meaningful-use.html</link>
			<description>
				&lt;div class="article-summary"&gt;&lt;p&gt;Hi All,
					&lt;/p&gt;&lt;p&gt;First of all, for all the expected dates for final regulations I gave you in my last missive, add 90-120 days.  The HHS calendar is already out of date, as items expected for release shortly have not even made it to OMB for final review, which can take a few months.  So, breathe deeply, and relax -- stay the course and keep moving toward what will likely be required in the regulations.  Eventually they'll see the light of day.
					&lt;/p&gt;&lt;p&gt;Well, even if we don't have finalized HIPAA changes from HHS, we do have new proposed Stage 2 Meaningful Use regulations, and those beef up the security requirements by specifically bringing attention to the encryption of data at rest and the use of secure messaging with patients by eligible professionals (EPs) but, curiously, not by hospitals and Critical Access Hospitals (CAHs).
					&lt;/p&gt;&lt;p&gt;In 42 CFR §495.6(j)(16) (for EPs) and (l)(15) (for hospitals and CAHs) the existing Stage 1 measures calling for a HIPAA Security Rule risk analysis would have added to them a new phrase, "including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312 (a)(2)(iv) and 45 CFR 164.306(d)(3)" which means you really have to seriously look at encrypting portable devices holding data at rest.  The preamble specifically calls out the issue of breaches of data held on portable devices as the reason for the change.  It doesn't really change what you should be doing anyway, but does put some teeth into the notion that it's really time to lock down portable data.
					&lt;/p&gt;&lt;/div&gt;
			</description>
			<pubDate>Fri, 24 Feb 2012 07:27:51 -0500</pubDate>
			<guid>http://www.lewiscreeksystems.com/occasional-client-updates/cms-proposed-meaningful-use.html</guid>
            
			
		</item>
		<item>
			<title>New HIPAA Rule Release Dates and Enforcement Budgets -- On Your Marks, Get Set...</title>
			<link>http://www.lewiscreeksystems.com/occasional-client-updates/new-hipaa-rule-release.html</link>
			<description>
				&lt;div class="article-summary"&gt;&lt;p&gt;Hello all,
					&lt;/p&gt;&lt;p&gt;It seems the crystal ball is clearing a bit...
					&lt;/p&gt;&lt;p&gt;HHS work plans and budgeting have been announced for the coming year, and here's how things shake out, with some surprises, of course!
					&lt;/p&gt;&lt;p&gt;According to the work plan released January 20, 2012 (see &lt;a href="http://www.regulations.gov/#!documentDetail;D=HHS-ASAM-2012-0002-0001" target="_blank"&gt;http://www.regulations.gov/#!documentDetail;D=HHS-ASAM-2012-0002-0001&lt;/a&gt;), the Big HIPAA Update looks to be on track for release in March, and it includes finalization of the proposed privacy and security rule changes (business associates, disclosure restrictions, access, etc.), and finalization of the interim final enforcement and breach notification rules.  It also includes the finalization of changes to HIPAA regarding CLIA (the Clinical Laboratory Information Act), which could have a significant impact on laboratory operations depending on the extent to which individuals would interact directly with labs.
					&lt;/p&gt;&lt;p&gt;Most of what's in this package should be pretty close to what's been proposed, but there may be some changes to the harm standard in the Breach Notification Rule.  As a security purist, I'd say that the harm standard has to go, but as a healthcare information realist, I know that there needs to be something like the harm standard to temper breach notification, because the potential for needless notification of harmless releases under the HIPAA definitions is huge.  We'll see what we get.
					&lt;/p&gt;&lt;/div&gt;
			</description>
			<pubDate>Fri, 17 Feb 2012 07:44:10 -0500</pubDate>
			<guid>http://www.lewiscreeksystems.com/occasional-client-updates/new-hipaa-rule-release.html</guid>
            
			
		</item>
		<item>
			<title>New NIST HIPAA toolkit; Hope Dims for Final HIPAA Regs by end of 2011?</title>
			<link>http://www.lewiscreeksystems.com/occasional-client-updates/new-nist-hipaa-toolkit-hope.html</link>
			<description>
				&lt;div class="article-summary"&gt;&lt;p&gt;Hello All,
					&lt;/p&gt;&lt;p&gt;Well, the wait isn't over yet, and there I thought my last client message would trigger the release of the new final HIPAA regulation changes.  Maybe this one will!  I haven't heard any rumors of its being close either, so I'm starting to think we may have to wait into 2012 for the changes in regulations to be finalized for laws that went into effect in 2009 and 2010.  Patience, Jim, patience.
					&lt;/p&gt;&lt;p&gt;But the news isn't all bad these days -- NIST has released its HIPAA Security Rule Toolkit (see http://scap.nist.gov/hipaa/ ) which provides a comprehensive (to say the least!) set of questions pertaining to Security Rule compliance and a way to catalog and gather all of your supporting documentation of compliance, such as policies, procedures, and other actions taken in pursuit of good security practices.
					&lt;/p&gt;&lt;p&gt;The tool includes two surveys, standard and enterprise, with 492 or 809 questions, respectively.  Now, that's a lot of questions to work through, even for the "lightweight" version.  It's based on the HIPAA regulations and the HITECH expansions that are expected to be finalized Real Soon Now (and I thought only software companies had vaporware!) and the NIST guides for Security Controls and HIPAA Security Compliance, so it really covers the bases.  Even if you only read through the questions, you can learn a lot about what the regulations require and how you might relate that to what you do.
					&lt;/p&gt;&lt;/div&gt;
			</description>
			<pubDate>Tue, 13 Dec 2011 06:34:49 -0500</pubDate>
			<guid>http://www.lewiscreeksystems.com/occasional-client-updates/new-nist-hipaa-toolkit-hope.html</guid>
            
			
		</item>
		<item>
			<title>New HIPAA Audit Program Announced; Still Waiting for New Regs; New NIST tool coming</title>
			<link>http://www.lewiscreeksystems.com/occasional-client-updates/new-hipaa-audit-program.html</link>
			<description>
				&lt;div class="article-summary"&gt;&lt;p&gt;Hi All,
					&lt;/p&gt;&lt;p&gt;What usually happens is that I send out one of these messages about how a rule is expected any day, and the next day the rule comes out.  Well, we're there again with the giant update to HIPAA, expected out by year end, even though the folks at HHS OCR won't give us a date.  I'll expect the giant omnibus HIPAA update to be announced any day now that I'm sending out this message about its not being announced yet.  I'll cover a little about what to expect, about how HHS has finally announced more about the new Audit program now actually getting under way, and about a new tool to assist with HIPAA Security Rule compliance, being released shortly by NIST.
					&lt;/p&gt;&lt;p&gt; -- The Big HIPAA Rule Update
					&lt;/p&gt;&lt;p&gt;The big update is actually coming, as was represented by HHS Office for Civil Rights deputy director Sue McAndrew on October 25th at the WEDI fall conference.  She refused to give a date as to when, but it did not appear on the slide of what to expect in 2012, so I'll read between the lines and say it will be out by year's end.
					&lt;/p&gt;&lt;/div&gt;
			</description>
			<pubDate>Sun, 13 Nov 2011 07:04:14 -0500</pubDate>
			<guid>http://www.lewiscreeksystems.com/occasional-client-updates/new-hipaa-audit-program.html</guid>
            
			
		</item>
 	</channel>
</rss>