By Lisa A. Eramo
Additional guidance regarding various HITECH provisions will be forthcoming from the Department of Health and Human Services’ Office for Civil Rights (OCR) in the year ahead, according to Deven McGraw, Esq., OCR’s deputy director of health information privacy, who spoke during the second day of AHIMA’s Privacy and Security Institute.
Just what can health information management (HIM) professionals expect exactly?
For starters, McGraw said OCR plans to provide information about how providers can take reasonable steps to verify patient identity—something she acknowledged is increasingly difficult in a digital environment. McGraw did not specify when this guidance would be released.
McGraw also acknowledged the difficulties that HIM professionals face in terms of differentiating between requests for protected health information (PHI) from individuals versus third party entities. She said OCR is working on additional guidance regarding how to make this distinction, and she invited HIM input.
“We are well aware that this particular provision in HITECH has caused a lot of confusion,” she said. “We’re continuing to think through ways that we can be more clear about this. The language in HITECH is very broad … We remain open to suggestions for how we can provide more clarification about this.”
OCR is also considering how it can help healthcare technology and mobile app developers better understand which HIPAA regulations apply to them and how to comply. This includes cloud service providers, with which McGraw said covered entities are permitted to contract under HIPAA, provided the appropriate business associate agreement is in place.
OCR also plans to publish what McGraw referred to as an “anatomy of a case” that will serve as guidance regarding penalty amounts and the specific circumstances that OCR takes into consideration when reaching a settlement. She said a 2017 publication date is targeted.
Phase 2 HIPAA Audits Continue
In addition, McGraw said OCR plans to release aggregated data regarding its audit findings that providers can use to perform proactive monitoring. “It’s a really good idea to put together lessons learned from all of the settlements and instances of civil monetary penalties,” she said.
HIPAA Phase 2 audits were also a topic of discussion, and McGraw reiterated that these audits will target smaller breaches, those affecting fewer than 500 individuals, which are logged and reported to OCR annually rather than within 60 days of discovery. “We’re doing more investigations of smaller breaches. I think you’re going to see more of that in terms of entities with whom we enter corrective action plans,” she said.
Business associates (BAs) will also be subject to audits during this second phase. McGraw said BA desk audits are on the horizon and that audit notifications may be mailed as soon as later this month or early next month. She urged attendees to review all vendor and contractor relationships to confirm that BA agreements are in place and that those agreements spell out breach and security incident obligations, including how quickly the BA must notify the covered entity.
Desk audits of covered entities remain ongoing, with onsite audits soon to follow. McGraw said additional OCR guidance regarding how to prepare for onsite audits is forthcoming.
HIM Are HIPAA’s “Boots on the Ground”
In addition to detailing information that HIM can expect in the year ahead, McGraw also reminded attendees of the important role they play in HIPAA compliance. She referred to HIM as “boots on the ground” ensuring HIPAA compliance on a daily basis.
“There is no privacy and security of health information without good records management,” she said.
Make cybersecurity and data backups a priority, she said. Ask this question: What are the newest threats, and how are you trying to prevent them within your own organization? “Hackers are smart, and they’re getting smarter every day. It’s a struggle to keep up with them,” she said. “Ransomware of unencrypted data meets our definition of a breach.” Covered entities (CEs) must notify individuals whose PHI was involved in a breach unless a documented risk assessment shows a low probability that the PHI was compromised.
During his presentation “Cyber Strategic Plans and Tactical Options,” Mark Dill, CISM, CRISC, principal consultant at tw-Security, also reiterated the importance of preparing for ransomware attacks, which continue to wreak havoc on healthcare providers forced to pay ransoms in bitcoin to recover critical patient data. Dill said these types of intrusions may eventually target backup systems as well, which is why backups that ransomware can reach over the network are not a recovery plan on their own.
“Being a privacy or security officer today is no job for the meek or timid,” he said, adding that successful privacy and security officers are those who create clear policies and procedures, focus on proactive intrusion prevention, and integrate technology to mitigate risk. For example, he urged attendees to consider behavior analytics tools that flag activity that deviates from normal device usage patterns.
Organizations also need ways to quickly identify and remedy the dozens or even hundreds of infected devices that fly under the radar daily, Dill said. “You’ll never find them unless you’re moving to some of these next-generation tools,” he added.
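The behavior analytics approach Dill describes comes down to comparing each device's current activity with its own recent baseline and flagging outliers. The following is an added example, written for this page rather than taken from Dill's talk or any vendor tool: it takes a constructed summary of an EHR access log (daily count of patient records opened per device) and flags devices whose volume jumps well above their baseline, plus devices that have no baseline at all. The device names, counts, `threshold` and `min_sigma` values are all assumptions chosen for illustration.

```python
"""Baseline-deviation check over per-device PHI access counts.

Constructed example, not from the presentation: each device's daily count of
patient records opened in the EHR is compared with its own recent baseline;
large deviations and never-seen devices are flagged for analyst review.
"""
from statistics import mean, pstdev

# Constructed audit-log summary: device -> daily record-access counts for the
# baseline period (oldest first). Real input would be aggregated from the EHR
# access log (device, user, patient id, timestamp).
BASELINE = {
    "ws-er-01": [38, 42, 40, 45, 41, 39, 44],
    "ws-him-07": [120, 115, 130, 125, 118, 122, 127],
    "lap-nurse-3": [12, 15, 10, 14, 13, 11, 12],
}

# Constructed counts for the day under review.
TODAY = {
    "ws-er-01": 410,      # ~10x normal: possible record scraping
    "ws-him-07": 126,     # in line with baseline
    "lap-nurse-3": 16,    # slightly high, within normal noise
    "ws-unknown-9": 30,   # never seen during the baseline period
}


def zscore(value, history, min_sigma=3.0):
    """Standard score of value against history.

    sigma is floored at min_sigma (assumed value) so a very stable baseline
    does not turn a change of a few records into a huge score.
    """
    mu = mean(history)
    sigma = max(pstdev(history), min_sigma)
    return (value - mu) / sigma


def flag_devices(today, baseline, threshold=4.0, min_sigma=3.0):
    """Return {device: reason} for devices that need analyst review.

    A device is flagged when its count is at least `threshold` sigma above
    its baseline mean, or when it has no baseline at all (new or rogue
    device). Devices below the threshold are not reported.
    """
    flags = {}
    for device, count in today.items():
        history = baseline.get(device)
        if not history:
            flags[device] = "new device: no baseline"
            continue
        z = zscore(count, history, min_sigma)
        if z >= threshold:
            flags[device] = (
                f"volume {count} is {z:.1f} sigma above "
                f"baseline mean {mean(history):.0f}"
            )
    return flags


if __name__ == "__main__":
    for device, reason in flag_devices(TODAY, BASELINE).items():
        print(f"{device}: {reason}")
```

Running it flags `ws-er-01` (roughly ten times its usual volume) and `ws-unknown-9` (no baseline), and stays quiet for the two devices whose counts are within their normal range. The floor on sigma matters: without it, a device with a nearly flat baseline would be flagged for trivial changes, which is how these tools end up ignored.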
Creating an incident response plan is critical to managing any type of risk, including cyber-threats, said Chris Apgar, CISSP, CEO at Apgar & Associates, during his presentation “Security Incident Response (IR)—It’s Old News, But are You Really Doing It?”
Not only does the HIPAA Security Rule require security incident procedures, but an IR plan is also simply good business practice because it helps organizations mitigate risk and address vulnerabilities. However, he stressed the importance of having an IR plan that is dynamic in nature.
“You can’t build an IR plan and put it on the shelf to last forever,” he said. “There are all sorts of changes in the black market that you need to worry about.” He urged attendees to revisit the IR plan any time new threats emerge and as hardware and software updates occur. At a minimum, update the plan annually, he said.
Also be sure to test your IR plan. “A plan is great, but if you’ve never tested it, how do you know it’s going to work?… Untested plans may not do what you expect them to do,” he said.
Use caution when it comes to BAs, he warned, adding that the BA must be able to demonstrate privacy and security compliance. “Don’t take them for their word—make them prove it,” he said.