Archive for February, 2010
The Federal Trade Commission (FTC) reports on its Web site it notified almost 100 organizations that personal information, including sensitive data about customers and/or employees, has been shared from the organizations’ computer networks.
The FTC reports the information is available on peer-to-peer (P2P) file-sharing networks to any users of those networks, who could use it to commit identity theft or fraud.
OCR yesterday posted on its Web site a list of the covered entities that have reported breaches of unsecured PHI affecting more than 500 individuals. HITECH requires OCR to make public any breaches of 500 or more.
OCR says on the site it will continue to update the page as it receives new reports of breaches of unsecured PHI.
Reports surfaced last Friday that HHS is, in fact, delaying enforcement of the HITECH compliance deadlines that passed last week — notably, the fact that business associates (BAs) must comply with the HIPAA Security Rule and the use and disclosures provision of the privacy rule. That deadline was February 17.
Is it true?
We haven’t seen anything formally yet, but that doesn’t mean it’s not coming. Experts we’ve spoken to this morning, such as William Miaoulis, CISA, CISM, HIPAA lead consultant for Phoenix Health Systems, say there’s no reason to delay your compliance program.
The HITECH compliance deadline for business associates (BAs) has come and gone. The date for BAs to comply with the HIPAA Security Rule and the use and disclosures provision of the privacy rule was February 17. Further, breach notification enforcement begins February 22.
So where does your organization stand? Are you ready? Your BAs?
We can give you a pretty good idea after seeing the results of HCPro’s HIPAA and HITECH survey, which was rolled out over the past two weeks. It attracted nearly 600 respondents, mostly HIPAA compliance officers and HIM directors.
For starters, if your organization has done something with its HIPAA compliance program in light of HITECH, you’re in the majority: 89% said they’ve responded.
And exactly what have they done?
- Rewrite policies and procedures: 74%
- Revise or draft new business associate agreements: 71%
- Conduct additional training: 65%
- Conduct an internal audit to evaluate your organization’s program: 36%
- Purchase resources to educate yourself on changes to the law: 28%
- Hire a consultant to evaluate your organization’s HIPAA compliance program: 6%
One respondent said they created a breach notification action response team, which seems to be a good idea when you consider the interim final rule on breach notification took effect last summer.
Those regulations require:
- Notice to patients alerting them to breaches “without unreasonable delay,” but no later than 60 days after discovery of the breach
- Notice to covered entities (CEs) by BAs when BAs discover a breach
- Notice to the secretary of HHS and prominent media outlets about breaches involving more than 500 patient records
- Notice to next of kin about breaches involving patients who are deceased
- Notices to include what happened, the details of the unsecured PHI that was breached, steps to help mitigate harm to the patient, and the CE’s response
- Annual notice to the secretary of HHS 60 days before the end of the calendar year about unsecure PHI breaches involving fewer than 500 patient records
“Breach notification” earned the No. 1 spot in response to our survey’s question, “Which provision of the American Recovery and Reinvestment Act of 2009 do you feel is the most challenging?”
It took top honors at 39%, and only 29% said they were completely ready to comply with those requirements; 61% said they were “almost ready” to comply. Amending business associate contracts took No. 2 in terms of the most challenging aspects of ARRA/HITECH at 18%. Finishing third with 16% was “Patients’ rights to accounting on EHRs,” which some told us earlier will be a logistical “nightmare.”
BA requirements under HITECH have changed drastically. Most survey respondents said they feel their BAs are ready, but the scary part is 45% said they are not confident in their BAs’ readiness.
Thinking about updating your training? An overwhelming majority (71%) of respondents said they update their training only annually. And only 31% said they are “very comfortable” that the training is effective. Most (63%) said they are “fairly comfortable.”
So what’s the parting message here, now that HITECH has essentially arrived?
Kate Borten, CISSP, CISM, president of The Marblehead Group, offers these quick tips:
- Convert more organization leaders to become privacy and security believers
- Stay focused and do not become overwhelmed by privacy/security responsibilities or discouraged by setbacks
- Develop a 2010 work plan that is both achievable and a stretch for you and your organization
John Parmigiani, president, John C. Parmigiani & Associates, LLC, in Ellicott City, MD, and one of the members of the team that created the HIPAA Security Rule, says he hopes HITECH is the wakeup call that providers and enforcers need regarding HIPAA compliance.
“Having worked both with CEs and BAs over the years in attempting to foster HIPAA compliance, I am continually amazed at the lack of understanding and completeness in their HIPAA compliance,” Parmigiani says.
Covered entities have been “emboldened by a long-standing environment of lax enforcement” and a belief that HIPAA compliance is a one-time project. It is not, he says, and perhaps government enforcement will be a harbinger for better compliance.
Through HITECH, OCR should easily be able to gain some “street cred” by quickly launching an audit initiative and “thereby sending a signal that compliance with HIPAA security and privacy is an important component of healthcare,” he says.
Don’t leave all this HITECH and HIPAA stuff to the “tech folks.” Hospital leaders should know by now the threat of a public relations nightmare because of a breach of unsecure personal health information (PHI)—just ask CVS.
It’s a good time for the C-Suite to be involved in HIPAA compliance.
“‘Security’ often suggests ‘techie stuff’ passed off to the IT department,” says Margret Amatayakul, MBA, RHIA, CHPS, CPHIT, CPEHR, CPHIE, FHIMSS, of Margret\A Consulting, LLC, in Schaumburg, IL. “I believe attending to privacy and security protections should start with the CEO and trickle down to everyone, including all members of the medical staff. It needs to be an extension of the Hippocratic Oath: Do no harm and keep your mouth shut.”
One good way to start is to learn from those who have not complied.
For instance, Providence Health & Services in Seattle in July 2008 reached a $100,000 resolution agreement for PHI breaches and had to implement a corrective action plan to ensure its security program.
Your organization must avoid similar problems, such as:
- Unencrypted ePHI, not otherwise safeguarded, lost or stolen
- Backup tapes, optical disks, and laptops—all containing unencrypted ePHI—removed and left unattended
- Exposure of ePHI for patients (386,000 in Providence’s case)
- Management permitting employees to take home media containing ePHI despite a policy to the contrary
- Lack of policy and procedure enforcement, including encryption policies
So how can you avoid those messes?
Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA, and John Parmigiani, MS, BES, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD, offered some tips during their HCPro, Inc., audio conference after Providence got dinged:
- Have a strong termination policy. When an employee is terminated or leaves your facility, completely suspend his or her access privileges.
- Create a policy and procedure. “Lawyers would say having a policy and looking the other way is worse than not having a policy at all,” Borten said.
- Encrypt all information on the Internet. If it isn’t encrypted, the information has the potential to be exposed, Borten said.
- Always be prepared. “You really have to be on your toes and make sure you constantly are audit-ready,” Parmigiani said. Conduct internal audits to keep on top of potential risks.
- Keep your training programs active. Beef up training, especially for remote access employees, many of whom use mobile devices. “Make sure people understand there are rules of engagement,” said Parmigiani. Update your training process frequently based on regulatory changes and offer your training via various methods. Don’t just stick to classroom settings or online training; mix it up and make it ongoing, he added.
- Act fast. Make sure you have an excellent detection and incident response program in the event a violation occurs.
- Know your players. HIPAA security auditors will no doubt ask who is responsible for what at your facility. Everyone should be able to explain what they do and why, Parmigiani said.
- Document compliance. “Lawyers will say if it’s not documented, it did not happen,” Borten said. “If it’s not in the record, I don’t have any evidence that it happened.” To be audit-ready, thoroughly document your efforts to remain compliant.
- Prepare for auditors, even if you’re small. Smaller hospital systems are not impervious to an audit, Borten and Parmigiani agreed.