Well, it seems like a long road, but the new final HIPAA rules with all the changes from HITECH except for the Accounting of Disclosures rules, and including the GINA changes, has finally been submitted to the Office of Management and Budget, the final step before release. Thanks to Ruth Carr, Sue Miller, and my friends on the American Health Lawyers Association list serv, I learned that the rules were noted as submitted to OMB on Saturday, March 24. The final process can take up to 90 days, so we should see a final rule by the end of June, and probably not earlier. I feel like I must be crazy to toss out yet another expected date for release of the final rule changes, but this is based on actual information, and not hopes and expectations. So, fasten your seat belts, and get ready to find out what's changed from the proposed and interim final rules and what's not. Will there be changes to the harm standard in Breach Notification? We'll know, finally, before the end of June. At least it won't be released for the 4th of July weekend. Bite my tongue!
In the meantime, breaches continue to be in the news, with a $1.5 million settlement with Blue Cross and Blue Shield of Tennessee, for having 57 hard drives full of customer service conversations disappear from one of their offices. Lesson 1: If you're going to keep it, physically secure it. Lesson 2: If it's got data on it and can be lost or stolen, encrypt it. Lesson 3: What the heck were they keeping these for anyway? Before you bother to keep it, make sure you need it, and if you don't, get rid of it securely! Beyond the settlement, this breach has cost BCBST more than $17 million. Nowadays they encrypt all data at rest, everywhere. See how easy it is to avoid breaches? Ow! For the article in Modern Healthcare see: http://www.modernhealthcare.com/article/20120313/NEWS/303139960/ The settlement agreement between BCBST and HHS is at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/resolution_agreement_and_cap.pdf
Some other poor company that reviews medical records had one of their offices burglarized last New Year's Eve, and the resulting costs of the breach have pushed them into bankruptcy. See: http://blogs.wsj.com/bankruptcy/2012/03/12/burglary-triggers-medical-records-firm’s-collapse/ And in case you haven't gotten the idea that breaches can be expensive, the American National Standards Institute (ANSI) has released a new report: The Financial Impact of Breached Protected Health Information -- A Business Case for Enhanced PHI Security, available at no charge with registration at: http://webstore.ansi.org/phi/ Forewarned is forearmed!
My five steps to avoid breaches and their costs:
1. Do your information flow analysis and risk analysis so you know where all your data are, and get rid of what you don't need
2. Encrypt all data at rest that can be stolen (especially laptops, memory sticks, etc.) -- encrypted data can't be breached
3. Have good policies, procedures, and processes for managing the encryption and its keys -- know how and when to encrypt
4. Train staff on how to securely handle all data, including technical and physical measures -- don't keep the password attached to the device!
5. Have an incident handling policy and procedure so you know what to do when something DOES go wrong, and have regular drills to test it
I have a ton of seminars and webinars coming up over the next few weeks, including a two-day all-about-HIPAA-privacy-and-security session at the Marriott Long Wharf in Boston May 17-18, so take a look at the list and see if one has the focus you're looking for. See: http://www.lewiscreeksystems.com/upcoming_public_seminars.html
As always, please let me know if you have any questions -- I'm always happy to help.