Pressure to Protect Health Data Intensifies
HIPAA Omnibus Rule Means Scrutiny Increases
Editor's Note: This piece was created for ISMG's Security Agenda magazine, distributed at RSA Conference 2014.
Under the new HIPAA Omnibus Rule, healthcare organizations and their business associates will be under more scrutiny than ever to protect patient information. But the important and complex job of safeguarding healthcare data - and avoiding potentially hefty federal penalties for HIPAA non-compliance - boils down to getting some basic steps right.
Those steps include updating privacy and security policies and procedures, communicating them clearly to the workforce, and above all, doing a thorough security risk analysis.
Those changes include a new breach notification rule that spells out a more objective way to determine whether a security incident must be reported to authorities as well as the individuals affected. The rule also expanded capacity for HIPAA enforcement activities and spelled out tougher penalties for HIPAA non-compliance.
"It's really important that organizations have policies and procedures in place to assure that they are following the requirements of HIPAA," says David Holtzman, vice president of privacy and security compliance services at the consulting firm CynergisTek. It's also essential that organizations successfully communicate that information to workforce members, he notes.
"They also need to have an appropriate and broad view and evaluation of the threats and vulnerabilities to their health information, whether it's electronic or printed, and then take appropriate measures to safeguard that information," says Holtzman, who formerly worked for the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA compliance.
Too often, organizations view compliance with the HIPAA privacy and security rules as a burdensome expense, rather than a valuable investment, Holtzman says.
They need to keep in mind, for example, that under HIPAA Omnibus, non-compliance penalties range up to $1.5 million per HIPAA violation. Plus, they need to be aware that OCR has promised to ramp up its HIPAA compliance enforcement in 2014, including launching a permanent HIPAA compliance audit program and intensifying breach investigations in light of the HIPAA Omnibus Rule's modified breach notification rule.
And under HIPAA Omnibus, not only are covered entities, such as hospitals, physicians and health plans, liable for HIPAA compliance; so too are their business associates. That includes cloud services providers and other technology services vendors who handle patients' protected health information, as well as their subcontractors.
As a result, business associates are now subject to breach investigations by OCR as well as HIPAA compliance audits.
Covered entities and their business associates need to keep in mind that many HIPAA cases start out as relatively minor complaints "that are really customer-service oriented," Holtzman says. "Many of these [conflicts] could be resolved by the healthcare provider or facility," he says. But if organizations don't respond well to consumers' concerns, those consumers may file a complaint with OCR, which then could conduct an investigation resulting in fines as well as federal monitoring of compliance with specific security recommendations.
To avoid becoming a target of OCR scrutiny, a crucial step is conducting a thorough security risk assessment to ensure vulnerabilities and threats are identified and appropriate steps are taken to protect patient data at risk. And that assessment should cover encrypting mobile devices because so many health data breaches have involved lost or stolen unencrypted devices.
"Doing a risk analysis that is consistent with HHS guidance is critical," says privacy attorney Adam Greene, a partner at the law firm Davis Wright Tremaine. HHS has made available the protocol used for its preliminary HIPAA compliance audits and tip sheets that can aid organizations in their risk analysis. Those tools can also provide healthcare organizations and their business associates with a sense of what OCR might look for during an audit or an investigation following a breach.
Organizations also need to recognize the importance of carefully documenting the findings of the analysis as well as the steps taken to mitigate the risks identified.
HHS will demand such documentation if it investigates a breach or conducts an audit, Greene notes. Plus, hospitals and physicians that have qualified for the HITECH Act electronic health records incentive payment program, which provides bonus payments from Medicare and Medicaid, also must attest to having conducted an assessment.
Holtzman expects that HHS' Office of Inspector General will more closely scrutinize HITECH incentive payouts in 2014. That includes conducting more audits that look at whether a risk analysis was actually performed.
Unfortunately, many healthcare organizations are unprepared with documentation about HIPAA compliance, experts say.
"I've worked with many CEs and BAs large and small who could not illustrate how they were compliant with the HIPAA security rule," says independent security consultant Brian Evans. "One important step is to verify and validate your compliance status. Conducting a HIPAA security compliance gap analysis can provide insight as to what requirements need to be addressed in priority order."
A lack of a thorough risk analysis was found to be a major weakness at many organizations during OCR's preliminary HIPAA compliance audit program in 2012. OCR Director Leon Rodriguez "has repeatedly highlighted the importance of continually conducting a risk analysis in his comments and speeches," Evans notes. "This includes documenting its recommendations and the actions taken to address the most severe risk factors."
Greene points out that a risk analysis is not only critical in order to withstand regulatory scrutiny; it's also essential to having good privacy and security practices.
"A risk analysis will tell you what you need to do in your organization, whether it's implementing central auditing software, more robust training, data loss protection, encryption programs, or whatever is particular to the needs of your organization," Greene says. "One size does not fit all."
Enforcement in 2014
Susan McAndrew, OCR's deputy director for health information privacy, says OCR enforcement activities in 2014 will, indeed, include a focus on risk analysis.
OCR's permanent HIPAA compliance audit program will take into account key findings from the agency's evaluations of 115 pilot audits in 2012, she notes.
The most significant finding of the pilot audits, as well as OCR investigations into HIPAA breaches, is that "the failure to do an accurate and complete risk analysis was a failure across the board," McAndrew says.
An aim of OCR moving forward is to make certain organizations are conducting risk assessments "so that we can help get ahead of the curve" in preventing breaches and other HIPAA violations, she says.
Even if an organization isn't chosen for a random audit, a reported breach can also launch an OCR investigation. And it's pretty much a sure bet that investigators will demand evidence of a thorough and timely risk analysis.
Policies and Procedures
Another important step in avoiding the scrutiny of regulators is implementing sound privacy and security policies and procedures and making sure they're documented.
Those policies and procedures need to ensure that organizations are following the requirements of the HIPAA rules.
For instance, under HIPAA Omnibus, patients now have a right to request an electronic copy of their digitized health information. And patients that pay cash for services can also request that their healthcare providers refrain from sharing information about their treatment with their health plan.
It's also crucial that policies and procedures are well communicated to the workforce, experts say.
"Education is a very big prerequisite for business associates and covered entities alike," says Stevie Davidson, CEO of Health Informatics Consulting, a New Jersey-based health IT and compliance consulting firm. Many organizations, particularly smaller vendors who are now considered business associates, are unclear what is required of them under HIPAA, Davidson says.
And one of the big mistakes that Davidson sees smaller healthcare organizations making is assuming their electronic health records vendors, and other vendor partners, are taking care of all HIPAA compliance issues for them.
"Sure, [vendors] have a role that they play, but they are not responsible for managing [covered entities'] entire compliance programs," she says. She points out that even if a business associate is responsible for a breach, for example, the covered entity is ultimately responsible for notifying patients.
Beware of Breaches
The HIPAA Omnibus Rule changed the guidelines for breach notification. Now, breach incidents must be reported unless the risk of compromise is low, taking into consideration four factors in assessing the incident:
- The nature and extent of the protected health information involved, including types of identifiers, and the likelihood of re-identification;
- The unauthorized party who used the PHI or to whom the disclosure was made;
- Whether PHI was actually acquired or viewed;
- The extent to which the risk to the PHI has been mitigated.
Having a breach response plan in place to deal with an incident is essential, says Michael Bruemmer, vice president at Experian Data Breach Resolution. "It's good to have a breach response plan, but you have to practice it," he says. "It's like doing a fire drill."
More than half of the major breaches reported to HHS since September 2009 have involved unencrypted devices and storage media, with laptops often involved. So encryption is a vital component of any breach prevention strategy, experts say.
"No matter what physical safeguards you have in place, it's becoming more challenging to convince the government that it was reasonable and appropriate not to encrypt," says Greene, the attorney.
"Reported breaches continually demonstrate the importance of encryption for protecting data in motion, such as e-mail, or at rest, such as on mobile devices," adds Evans, the consultant. "Since encryption is now provided either out of the box or through add-on products, this no-cost or low-cost solution can significantly reduce the likelihood of breaches from occurring."