— Talk About Busy —
Well, as anyone in HIPAA compliance will tell you, it has been a very busy period since my last missive, way back in May, no less. The Omnibus compliance deadline of September 23 has come and gone, and the sun still comes up in the morning, well usually, anyway, unless it’s obscured by the latest winter storm. But the good thing is that the sense of panic is giving out, being replaced by an increase of interest in just plain getting down to work and slaying the HIPAA dragon. And the good thing for me about this latest winter storm is that it has disrupted my travel plans and allowed me to actually take a few moments to compose an Occasional Client Update Newsletter. And there is most certainly plenty too talk about! I won’t cover everything that’s happened since last May — you can see all that on my News page, at http://www.lewiscreeksystems.com/privacy_security_and_compli.html — but here are some important highlights.
— Accounting of Disclosures Rears Its Ugly Head —
Well, I think I was a little critical in my prior discussions of the proposed new Accounting of Disclosures rule, and I guess I wasn’t the only one. The proposed rule has been stopped in its tracks, and in the meantime, HHS gathered a US Department of Health and Human Services Office of the National Coordinator for Health IT Health IT Policy Committee Privacy and Security Tiger Team (the USDHHS-ONCHIT-HITPC-PSTT?) that released a report with its recommendations on the topic, available as a PDF of slides, at http://www.healthit.gov/FACAS/sites/faca/files/HITPC_PSTT_Accounting%20of%20Disclosures_FINAL_12042013.pdf or http://tinyurl.com/lhym4qh
The recommendations call for a staged implementation relying on available technologies, with pilot projects, an accounting of disclosures outside the organization from certified EHRs as the first step, a new right to request an investigation of internal access, and recommendations to expand the Security Rule to call for more detailed ability to log access for auditing. Simplifying the question of how to distinguish between uses or disclosures at hospitals by community physicians (in the hospital or from their office), the proposal calls for all such accesses to be treated as disclosures. Compared with the proposed rule, the recommendations are more reasonable, more implementable, and more likely to satisfy the desires of patients.
My guess, and we all know how incredibly accurate my guesses are (not!), is that these recommendations will come out as an Interim Final Rule this year at some point, so be ready to hear about it, but don’t panic, as it shouldn’t be too bad. (Famous last words…)
— New Changes for Lab Access —
OK, so who here thinks it’s a good idea for patients to get their lab results without any consultation or interpretation from their doctor? Not many hands going up… But who here thinks a patient should have a right to have direct access to the information so they can develop their own personal health record? More hands up, I’d suspect.
So, that’s the deal in the new final rule, being published February 6, in effect April 7 and Enforceable October 4, 2014, that allows access of authenticated lab results by authenticated individuals or their authorized representatives under HIPAA. (That’s a lot of “auth…” words in one sentence.) Patients will still be able to get their results, with interpretation and counseling, from their care provider, and providers will still have access to the information for treatment. The change simply allows the individual to ask the lab directly for a copy.
Of course, “simple” is in the eye of the beholder — for the laboratories that must now establish a public-facing operation where there was none before, this is not simple at all, and will require the development of new policies and procedures. And updated Notices of Privacy Practices. As usual, it’s worth taking the time to read through the Preamble for all the insights into HHS thinking.
See the new rule here: https://www.federalregister.gov/articles/2014/02/06/2014-02280/patients-access-to-test-reports-clia-program-and-hipaa-privacy-rule or http://tinyurl.com/or63d9q
— Proposed Changes for Reporting to Background Check Database —
Along with recommended new rules and new final rules, of course we have a proposed rule, this one to allow freer flow of information from healthcare providers into the National Instant Criminal Background Check System (sounds Orwellian, eh?), permitting certain HIPAA-covered entities to disclose to the NICS the identities of people prohibited by federal law from possessing or receiving a firearm for mental health reasons. HIPAA has ALWAYS had a provision for the disclosure of PHI in the event of a threat to health or safety, but this would clarify what information and how it should be disclosed.
This one is not a final rule, so there is no action to take now, but you should be aware that it may require some modifications to your HIPAA policies once it is finalized. When? Oh dear, I don’t want to guess… Maybe this year? We’ll see. Here’s the proposed rule, so you can see what’s being considered: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/NICS/index.html or http://tinyurl.com/m6xpnwx
— New Settlement for Stolen Data Stick and Lack of Breach Policies —
Have I mentioned before that it is important to encrypt portable devices such as memory sticks? APDerm, a provider with six offices in New Hampshire and Massachusetts found out the hard way by losing one of theirs and not having it encrypted. Breach time! And when you do have a breach, what do you do? You follow your incident management policies and procedures to see if it’s reportable, and follow through on your established process. What’s that you say? You don’t have policies and procedures sufficient to meet the HIPAA Breach Notification Rule requirements? You might be next in line for a $150,000 settlement and a Corrective Action Plan. APDerm apparently didn’t have written down what they should have.
Time now to dust off your Breach Notification policies and procedures and make sure you can do what’s necessary when the time comes. And if you don’t like what you find, check out the NIST Special Publication on Computer Security Incident Management, SP 800-61, Revision 2, at: http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf or http://tinyurl.com/8ouxxsn . In addition, see the September 2012 NIST ITL Bulletin for additional insights and guidance, at: http://csrc.nist.gov/publications/nistbul/itlbul2012_09.pdf or http://tinyurl.com/kx5empm
Oh, and did I mention that the HHS Office of Inspector General wants OCR to get off their butts and get busy with some real audits and enforcement? I just love the title of the report — it says it all: "The Office for Civil Rights Did Not Meet All Federal Requirements in Its Oversight and Enforcement of the Health Insurance Portability and Accountability Act Security Rule” Yes, but what did they really think? See: http://oig.hhs.gov/oas/reports/region4/41105025.pdf or http://tinyurl.com/pj55cnr . Time to get ready for a HIPAA audit, I’d say.
— Speaking of Enforcement, Say Hello to the FTC —
And if that wasn’t enough, now the Federal Trade Commission says that just being a HIPAA Covered Entity doesn’t get you out of obligations under the Deceptive Trade laws that FTC so artfully uses to go after those who allow breaches of personal information. If you say you will protect someone’s personal information and then you don’t, that’s a deceptive practice and the FTC will make your future a gray one if they decide to go after you, which they can, whether HHS is interested or not. I’d guess that as a matter of practice FTC won’t step in if they feel HHS OCR is doing their job, but, well, see the OIG report on OCR in the paragraph above. Here’s a link to a Bloomberg News story on the order: http://www.bna.com/ftc-affirms-data-n17179881620/
— It’s February 4 - do you know where your small breach reports are? —
And finally, don’t forget that we’re in that magical time before March 1, that 60 days within the end of each year when you must all report all your small breaches (under 500 individuals affected) to HHS, using their Web site, at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/ or http://tinyurl.com/3z3bj4y . Of course, you do have a breach reporting policy and procedure, don’t you? (Is there an echo in here?)
So, Happy HIPAA to all, and let me know if you have any questions. Also, see the latest in my schedule of upcoming seminars and Webinars. http://www.lewiscreeksystems.com/upcoming_public_seminars.html or http://tinyurl.com/a5gplbr . Soon to be added are 2-day HIPAA sessions in Sao Paulo, Brazil (!) and Toronto, Canada in March, as well as other sessions. At least I’m not doing Brazil and Canada in the same week — how would I pack for that?...
Jim