Archive for HIPAA Staff Training
HHS audits coming to you? Who knows?
The HITECH Act calls for “periodic audits” to ensure HIPAA privacy and security compliance.
But what does that mean? Even the government itself doesn’t know – yet.
We are e-attending (did I just make that up?) the 17th annual national HIPAA Summit at the Wardman Park Hotel in Washington, DC.
Through its live online chat yesterday, we asked two government speakers what they knew about enforcement and audits. Each said the process has yet to be determined.
David Blumenthal, MD, MPH, national coordinator for HHS’ Health Information Technology, deferred the question to his Office for Civil Rights (OCR) colleagues. OCR, of course, oversees HIPAA privacy and security.
When HIPAA Update asked Sue McAndrew, the OCR deputy director for Health Information Privacy, she said she did not yet know the process by which HHS will conduct audits.
OCR may build on existing types of audits or perhaps partner with the Inspector General, McAndrew speculated.
“We are basically in the process of doing some scanning and weighing our options of what kinds of audit programs are out there and what turns out to be the most effective,” McAndrew said.
Consider these tips to maintain compliance with the HHS interim final rule on breach notification:
- Know what constitutes a breach. Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, privacy, security, and compliance consultant at Rebecca Herold & Associates, LLC, in Des Moines, IA, says covered entities (CEs) and business associates (BAs) must read closely and understand section 164.402 of the interim final rule on definitions, especially the definition of a breach. “The exclusions listed are commonly the cause of much confusion,” she says.
- Know when to provide notification. CEs should know they must provide breach notification to affected individuals, and BAs should know they must notify CEs as soon as possible when breaches occur, Herold says. “Great confusion and harm could result if a BA notified individuals and provided inaccurate, incomplete, or otherwise inappropriate information,” she adds.
- Sharpen your training. Under section 164.530 of the interim final rule, CEs must train all staff members on the new requirements. The clock starts ticking on the notification requirements as soon as you know—or reasonably should have known—about the breach, says Chris Simons, RHIA, director of UM & HIMS and the privacy officer at Spring Harbor Hospital in Westbrook, ME. Staff members should receive training on how to report any breach regardless of its significance, and ongoing communication is also crucial for compliance, Herold adds. “Make sure you are providing effective training,” Herold says. “Effective training is a comparatively low-cost activity, but can provide the greatest impacts for improving information security and privacy.”
The economic recession probably brought healthcare CEOs closer to their organizations’ day-to-day activities. New federal HIPAA laws should have too. Daniel Nutkis, CEO of The Health Information Trust Alliance (HITRUST), believes compliance with HIPAA privacy and security starts from the top.
“Our experience shows that the more executive management and the board of directors are engaged in understanding the challenges and issues the more diligent the organization is in addressing information protection,” says Nutkis. “HITRUST has seen a significant increase in the number of organizations that have added information protection as a component of their overall corporate responsibility measure or corporate philosophy.”
HIPAA Update caught up this week with Nutkis for a Q&A about HIPAA privacy and security. The following are some highlights. The full Q&A can be found here.
HIPAA Update: Federal laws on HIPAA changed with the signing of the American Recovery and Reinvestment Act (ARRA) of 2009. Did you see this coming?
Nutkis: ARRA is pushing for the broad adoption and utilization of health information systems, electronic health records, and electronic exchanges of health information. ARRA also recognizes the importance of information security in meeting this objective. Efficiency and reduced costs for consumers were the driver. HITRUST recognized this long before the signing of the bill, and we continue to be an advocate for more effective and efficient information protection in the healthcare industry.
HIPAA Update: What were the major flaws in HIPAA rules before the signing of the ARRA?
Nutkis: The primary issues with HIPAA are a lack of clear requirements and enforcement by government agencies. ARRA allows for a risk-based implementation of the safeguards outlined in HIPAA, which are themselves subject to interpretation, meaning there is no consistent application of security controls across the industry. While there are penalties for non-compliance, the industry rarely saw repercussions and subsequently rarely took HIPAA seriously. While ARRA does not necessarily provide the prescriptive security requirements needed in HIPAA—like we find with PCI https://www.pcisecuritystandards.org/—it does provide focus for covered entities on breach notification, securing PHI, and business associate compliance.
HIPAA Update: What kind of an impact does the move to electronic health records have on HIPAA privacy and security?
Nutkis: The impact from EHRs comes in the form of increased focus on privacy and security. It is widely known to the general public that this is the direction the healthcare industry must go to contain costs and increase efficiency in healthcare. However, without proper security and assurance that personal health information will be kept private, consumers will be no more willing to share their health information electronically than they would their bank account or credit card number.
HIPAA Update: How should healthcare facilities be reacting right now to the new HIPAA laws in the Health Information for Economic and Clinical Health (HITECH) Act?
Nutkis: Healthcare organizations will need to revisit and adjust their information security governance practices and make additional areas of investment to align with the new requirements. HITRUST recommends that healthcare organizations focus on the following key areas for their security strategic plans over the next 24 months:
- Develop and implement an overall compliance strategy: Update policies, processes, and technologies to manage and document compliance efforts
- Realign policies: Ensure that internal policies, standards, and procedures are aligned with regulatory requirements
- Perform a gap analysis: Conduct a gap analysis of existing security practices against HIPAA and new regulatory requirements
- Develop a roadmap for compliance: Develop a plan outlining responsibilities, budget, and timelines to address gaps identified during the assessment
- Maintain an audit-ready state: Based on recommendations by the OIG in 2008 and the new legislation, HHS will more assertively perform compliance audits in the upcoming years.
HIPAA Update: What are some weaknesses you see with healthcare facilities as they attempt to comply with HIPAA privacy and security?
Nutkis: During the development of our Common Security Framework (CSF), a certifiable framework that any and all organizations in the healthcare industry can implement and be certified against to reduce risk, the professionals from healthcare organizations of all segments provided us with input on the top issues affecting the industry resulting in the most severe breaches and loss of covered information. These include:
- Insecure and/or unauthorized removable transportable media and laptops (internal and external movements)
- Insecure and/or unauthorized external electronic transmissions of covered information
- Insecure and/or unauthorized remote access by internal and third-party personnel
- Insider snooping and data theft
- Malicious code and inconsistent implementation and update of prevention software
- Inadequate and irregular information security awareness for the entire workforce
- Lack of consistent network isolation between internal and external domains
- Insecure and/or unauthorized implementation of wireless technology
- Lack of consistent service provider, third party, and product support for information security
Editor’s note: This is the first of a two-part series from our interview with Nutkis. In the next installment: The importance of business associates complying with the HIPAA Security Rule.
Step into the office of Brandon Ho, HIPAA compliance specialist for the Army in Honolulu, and you won't see a compliance officer scrambling through mountains of paperwork regarding new HIPAA laws.
President Barack Obama signed into law February 17, 2009 the American Recovery and Reinvestment Act of 2009 that includes new HIPAA laws, and Ho is certainly aware of them.
But panic? Urgency?
Not quite.
"Overzealous compliance," Ho says when HealthLeaders Media asked him what was the No. 1 pitfall for HIPAA privacy and security officers. "I've actually seen privacy practices where providers are so overly zealous with regulations and compliance with HIPAA that they end up spending more money than they ever have to. They just have to look at ways to comply in the best and most efficient way."
Ho says even with new HIPAA laws (in the Health Information Technology for Economic and Clinical Health Act), privacy and security officers need to keep it simple and not feel the need to revamp the house.
Ho, affectionately called "The HIPAA Guy" at Pacific Regional Medical Command, Tripler Army Medical Center, spoke to HealthLeaders Media about his HIPAA compliance program at his Honolulu facility and the 121st Medical Group in Korea and Camp Zama in Japan.
He also offered advice for fellow HIPAA privacy and security officers in a time of changing laws and regulations and increased patient awareness of privacy rights.
Read the full story and Ho’s tips in a HealthLeaders Media piece by Dom Nicastro.