2016 Convention: OCR Deputy Director Discusses Upcoming HITECH Guidance, HIPAA Audits

By Lisa A. Eramo


Additional guidance regarding various HITECH provisions will be forthcoming from the Department of Health and Human Services’ Office for Civil Rights (OCR) in the year ahead, according to Deven McGraw, Esq., OCR’s deputy director of health information privacy, who spoke during the second day of AHIMA’s Privacy and Security Institute.

Just what can health information management (HIM) professionals expect exactly?

deven-mcgrawFor starters, McGraw said OCR plans to provide information about how providers can take reasonable steps to verify patient identity—something she acknowledged is increasingly difficult in a digital environment. McGraw did not specify when this guidance would be released.

McGraw also acknowledged the difficulties that HIM professionals face in terms of differentiating between requests for protected health information (PHI) from individuals versus third party entities. She said OCR is working on additional guidance regarding how to make this distinction, and she invited HIM input.

“We are well aware that this particular provision in HITECH has caused a lot of confusion,” she said. “We’re continuing to think through ways that we can be more clear about this. The language in HITECH is very broad … We remain open to suggestions for how we can provide more clarification about this.”

OCR is also giving further consideration to how it can help healthcare technology and mobile app developers better understand the HIPAA regulations to which they’re subject—and how they can comply accordingly. This includes cloud-service providers with which McGraw says covered entities are permitted to contract per HIPAA.

OCR also plans to publish what McGraw referred to as an “anatomy of a case” that will serve as guidance regarding penalty amounts and the specific circumstances that OCR takes into consideration when reaching a settlement. She said a 2017 publication date is targeted.

Phase 2 HIPAA Audits Continue

In addition, McGraw said OCR plans to release aggregated data regarding its audit findings that providers can use to perform proactive monitoring. “It’s a really good idea to put together lessons learned from all of the settlements and instances of civil monetary penalties,” she said.

HIPAA Phase 2 audits were also a topic of discussion, and McGraw reiterated that these audits will target smaller breaches affecting 500 or fewer individuals. “We’re doing more investigations of smaller breaches. I think you’re going to see more of that in terms of entities with whom we enter corrective action plans,” she said.

Business associates (BA) will also be subject to audits during this second phase. McGraw said BA desk audits are certainly on the horizon and that audit notifications may be in the mail as soon as later this month or early next month. She urged attendees to review all vendor and contractor relationships to ensure BA agreements are in place and that these agreements address breach/security incident obligations.

Desk audits of covered entities remain ongoing, with onsite audits soon to follow. McGraw said additional OCR guidance regarding how to prepare for onsite audits is forthcoming.

HIM are HIPAA’s “Boots on the Ground’

In addition to detailing information that HIM can expect in the year ahead, McGraw also reminded attendees of the important role they play in HIPAA compliance. She referred to HIM as “boots on the ground” ensuring HIPAA compliance on a daily basis.

“There is no privacy and security of health information without good records management,” she said.

Make cybersecurity and data backups a priority, she said. Ask this question: What are the newest threats, and how are you trying to prevent them within your own organization? “Hackers are smart, and they’re getting smarter every day. It’s a struggle to keep up with them,” she said. “Ransomware of unencrypted data meets our definition of a breach.” CEs must notify individuals whose PHI was involved in a breach unless they can determine—and document—a low risk of compromise.

privacy-and-security-institute-10-year-cakeHealthcare Privacy, Security ‘Not for the Meek’

During his presentation “Cyber Strategic Plans and Tactical Options,” Mark Dill, CISM, CRISC, principal consultant at tw-Security, also reiterated the importance of preparing for ransomware attacks that continue to wreak havoc on healthcare providers forced to pay bitcoins to recover critical patient data. Dill said these types of intrusions may eventually attack backup systems.

“Being a privacy or security officer today is no job for the meek or timid,” he said, adding that successful privacy and security officers are those who create clear policies and procedures, focus on proactive intrusion prevention, and integrate technology to mitigate risk. For example, he urged attendees to consider behavior analytics tools that flag activity that deviates from normal device usage patterns.

Organizations also need ways to quickly identify and remedy the dozens or even hundreds of infected devices that fly under the radar daily, Dill said. “You’ll never find them unless you’re moving to some of these next-generation tools,” he added.

Creating an incident response plan is critical to managing any type of risk, including cyber-threats, said Chris Apgar, CISSP, CEO at Apgar & Associates during his presentation “Security Incident Response (IR)—It’s Old News, But are You Really Doing It?”

Not only does HIPAA require an IR plan, but it’s also simply good business practice because it helps organizations mitigate risk and address vulnerabilities. However, he stressed the importance of having a IR plan that’s dynamic in nature.

“You can’t build an IR plan and put it on the shelf to last forever,” he said. “There are all sorts of changes in the black market that you need to worry about.” He urged attendees to revisit the IR plan any time new threats emerge and as hardware and software updates occur. At a minimum, update the plan annually, he said.

Also be sure to test your IR plan. “A plan is great, but if you’ve never tested it, how do you know it’s going to work?… Untested plans may not do what you expect them to do,” he said.

Use caution when it comes to BAs, he warned, adding that the BA must be able to demonstrate privacy and security compliance. “Don’t take them for their word—make them prove it,” he said.



1 Comment

  1. Attorneys are drafting letters for patients to sign in their office requesting information under HITECH referencing HITECH rules and asking for certified records to be sent the attorney’s office to be used for legal purposes. This seems to be a way to circumvent state established rules for release of information and informed consent. There are costs involved in reviewing requests, retrieving information (even in an electronic environment), printing appropriate information, scanning it in to be able to be sent secure e-mail and if there are bills and/or certification of the records and/or bills which creates additional expenses. Staff time needs to be allocated for this process. I have also seen a request that stated that the requests could be sent electronically even if they could not be sent securely. Patients do not understand the ramifications of what they are agreeing to when they include all information (including behavioral health, drug and alcohol abuse, HIV tests, AIDS treatment and sexually transmitted disease) particularly allowing unsecured transmission of this potentially sensitive information. Usually, we could use the rule of thumb to choose the legislation which was more strict but in this case HITECH supersedes state law. I would be interested in opinions if the expenses for certifying records should be considered outside of the HITECH fee structure? Do you see some clarification of this legislation based on purpose, specifically if it is not being requested for continuity of care?

    Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

Share This

Share This

Share this post with your friends!