<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/">
 	<channel>
		<title>Occasional Client Updates on Compliance | Lewis Creek Systems, LLC | Jim Sheldon-Dean</title>
		<link>http://www.lewiscreeksystems.com/occasional-client-updates/</link>
		<description></description>
		<language>en</language>
		<lastBuildDate>Mon, 26 Mar 2012 07:22:10 -0400</lastBuildDate>
		<docs>http://blogs.law.harvard.edu/tech/rss</docs>
		<generator>Sandvox 2.5.3</generator>
		<item>
			<title>New HIPAA Rules at OMB, out by July; Breaches get expensive</title>
			<link>http://www.lewiscreeksystems.com/occasional-client-updates/new-hipaa-rules-at-omb-out.html</link>
			<description>
				&lt;div class="article-summary"&gt;&lt;p&gt;Hello all,
&lt;/p&gt;&lt;p&gt;Well, it seems like a long road, but the new final HIPAA rules with all the changes from HITECH except for the Accounting of Disclosures rules, and including the GINA changes, have finally been submitted to the Office of Management and Budget, the final step before release.   Thanks to Ruth Carr, Sue Miller, and my friends on the American Health Lawyers Association list serv, I learned that the rules were noted as submitted to OMB on Saturday, March 24.  The final process can take up to 90 days, so we should see a final rule by the end of June, and probably not earlier.  I feel like I must be crazy to toss out yet another expected date for release of the final rule changes, but this is based on actual information, and not hopes and expectations.  So, fasten your seat belts, and get ready to find out what's changed from the proposed and interim final rules and what's not.  Will there be changes to the harm standard in Breach Notification?  We'll know, finally, before the end of June.  At least it won't be released for the 4th of July weekend. Bite my tongue!
&lt;/p&gt;&lt;/div&gt;
			</description>
			<pubDate>Mon, 26 Mar 2012 07:15:33 -0400</pubDate>
			<guid>http://www.lewiscreeksystems.com/occasional-client-updates/new-hipaa-rules-at-omb-out.html</guid>
            
			
		</item>
		<item>
			<title>CMS Proposed Meaningful Use Stage 2 Regs: Increased Security</title>
			<link>http://www.lewiscreeksystems.com/occasional-client-updates/cms-proposed-meaningful-use.html</link>
			<description>
				&lt;div class="article-summary"&gt;&lt;p&gt;Hi All,
&lt;/p&gt;&lt;p&gt;First of all, for all the expected dates for final regulations I gave you in my last missive, add 90-120 days.  The HHS calendar is already out of date, as items expected for release shortly have not even made it to OMB for final review, which can take a few months.  So, breathe deeply, and relax -- stay the course and keep moving toward what will likely be required in the regulations.  Eventually they'll see the light of day.
&lt;/p&gt;&lt;p&gt;Well, even if we don't have finalized HIPAA changes from HHS, we do have new proposed Stage 2 Meaningful Use regulations, and those beef up the security requirements by specifically bringing attention to the encryption of data at rest and the use of secure messaging with patients by eligible professionals (EPs) but, curiously, not by hospitals and Critical Access Hospitals (CAHs).
&lt;/p&gt;&lt;p&gt;In 42 CFR §495.6(j)(16) (for EPs) and (l)(15) (for hospitals and CAHs) the existing Stage 1 measures calling for a HIPAA Security Rule risk analysis would have added to them a new phrase, "including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312 (a)(2)(iv) and 45 CFR 164.306(d)(3)" which means you really have to seriously look at encrypting portable devices holding data at rest.  The preamble specifically calls out the issue of breaches of data held on portable devices as the reason for the change.  It doesn't really change what you should be doing anyway, but does put some teeth into the notion that it's really time to lock down portable data.
&lt;/p&gt;&lt;/div&gt;
			</description>
			<pubDate>Fri, 24 Feb 2012 07:27:51 -0500</pubDate>
			<guid>http://www.lewiscreeksystems.com/occasional-client-updates/cms-proposed-meaningful-use.html</guid>
            
			
		</item>
		<item>
			<title>New HIPAA Rule Release Dates and Enforcement Budgets -- On Your Marks, Get Set...</title>
			<link>http://www.lewiscreeksystems.com/occasional-client-updates/new-hipaa-rule-release.html</link>
			<description>
				&lt;div class="article-summary"&gt;&lt;p&gt;Hello all,
&lt;/p&gt;&lt;p&gt;It seems the crystal ball is clearing a bit...
&lt;/p&gt;&lt;p&gt;HHS work plans and budgeting have been announced for the coming year, and here's how things shake out, with some surprises, of course!
&lt;/p&gt;&lt;p&gt;According to the work plan released January 20, 2012 (see &lt;a href="http://www.regulations.gov/#!documentDetail;D=HHS-ASAM-2012-0002-0001" target="_blank"&gt;http://www.regulations.gov/#!documentDetail;D=HHS-ASAM-2012-0002-0001&lt;/a&gt;), the Big HIPAA Update looks to be on track for release in March, and it includes finalization of the proposed privacy and security rule changes (business associates, disclosure restrictions, access, etc.), and finalization of the interim final enforcement and breach notification rules.  It also includes the finalization of changes to HIPAA regarding CLIA (the Clinical Laboratory Information Act), which could have a significant impact on laboratory operations depending on the extent to which individuals would interact directly with labs.
&lt;/p&gt;&lt;p&gt;Most of what's in this package should be pretty close to what's been proposed, but there may be some changes to the harm standard in the Breach Notification Rule.  As a security purist, I'd say that the harm standard has to go, but as a healthcare information realist, I know that there needs to be something like the harm standard to temper breach notification, because the potential for needless notification of harmless releases under the HIPAA definitions is huge.  We'll see what we get.
&lt;/p&gt;&lt;/div&gt;
			</description>
			<pubDate>Fri, 17 Feb 2012 07:44:10 -0500</pubDate>
			<guid>http://www.lewiscreeksystems.com/occasional-client-updates/new-hipaa-rule-release.html</guid>
            
			
		</item>
		<item>
			<title>New NIST HIPAA toolkit; Hope Dims for Final HIPAA Regs by end of 2011?</title>
			<link>http://www.lewiscreeksystems.com/occasional-client-updates/new-nist-hipaa-toolkit-hope.html</link>
			<description>
				&lt;div class="article-summary"&gt;&lt;p&gt;Hello All,
&lt;/p&gt;&lt;p&gt;Well, the wait isn't over yet, and there I thought my last client message would trigger the release of the new final HIPAA regulation changes.  Maybe this one will!  I haven't heard any rumors of its being close either, so I'm starting to think we may have to wait into 2012 for the changes in regulations to be finalized for laws that went into effect in 2009 and 2010.  Patience, Jim, patience.
&lt;/p&gt;&lt;p&gt;But the news isn't all bad these days -- NIST has released its HIPAA Security Rule Toolkit (see http://scap.nist.gov/hipaa/ ) which provides a comprehensive (to say the least!) set of questions pertaining to Security Rule compliance and a way to catalog and gather all of your supporting documentation of compliance, such as policies, procedures, and other actions taken in pursuit of good security practices.
&lt;/p&gt;&lt;p&gt;The tool includes two surveys, standard and enterprise, with 492 or 809 questions, respectively.  Now, that's a lot of questions to work through, even for the "lightweight" version.  It's based on the HIPAA regulations and the HITECH expansions that are expected to be finalized Real Soon Now (and I thought only software companies had vaporware!) and the NIST guides for Security Controls and HIPAA Security Compliance, so it really covers the bases.  Even if you only read through the questions, you can learn a lot about what the regulations require and how you might relate that to what you do.
&lt;/p&gt;&lt;/div&gt;
			</description>
			<pubDate>Tue, 13 Dec 2011 06:34:49 -0500</pubDate>
			<guid>http://www.lewiscreeksystems.com/occasional-client-updates/new-nist-hipaa-toolkit-hope.html</guid>
            
			
		</item>
		<item>
			<title>New HIPAA Audit Program Announced; Still Waiting for New Regs; New NIST tool coming</title>
			<link>http://www.lewiscreeksystems.com/occasional-client-updates/new-hipaa-audit-program.html</link>
			<description>
				&lt;div class="article-summary"&gt;&lt;p&gt;Hi All,
&lt;/p&gt;&lt;p&gt;What usually happens is that I send out one of these messages about how a rule is expected any day, and the next day the rule comes out.  Well, we're there again with the giant update to HIPAA, expected out by year end, even though the folks at HHS OCR won't give us a date.  I'll expect the giant omnibus HIPAA update to be announced any day now that I'm sending out this message about its not being announced yet.  I'll cover a little about what to expect, about how HHS has finally announced more about the new Audit program now actually getting under way, and about a new tool to assist with HIPAA Security Rule compliance, being released shortly by NIST.
&lt;/p&gt;&lt;p&gt; -- The Big HIPAA Rule Update
&lt;/p&gt;&lt;p&gt;The big update is actually coming, as was represented by HHS Office for Civil Rights deputy director Sue McAndrew on October 25th at the WEDI fall conference.  She refused to give a date as to when, but it did not appear on the slide of what to expect in 2012, so I'll read between the lines and say it will be out by year's end.
&lt;/p&gt;&lt;/div&gt;
			</description>
			<pubDate>Sun, 13 Nov 2011 07:04:14 -0500</pubDate>
			<guid>http://www.lewiscreeksystems.com/occasional-client-updates/new-hipaa-audit-program.html</guid>
            
			
		</item>
 	</channel>
</rss>

