No doubt, your organization has some sort of playbook in place to comply with the Health Insurance Portability & Accountability Act (HIPAA), but with the field of privacy and security changing daily, new risks abound. Some are driving down midfield; some are lurking on the sidelines, for now.
With more than a decade of HIPAA and its Privacy and Security Rules practice under our belts, you’d think that healthcare organizations would have the compliance part down cold. Unfortunately, that’s not the case. Much like that 250-pound defensive end, The Department of Health and Human Service’s Office for Civil Rights (OCR) is out there actively enforcing HIPAA every week. In 2014, the OCR tackled 14,293 enforcement resolutions and took corrective action on 3,472. That equates to more than nine every day of the year, proving that there is no off-season when it comes to HIPAA!
Whether you look at these risks as threats or opportunities, there are three things you can do now to enhance your existing HIPAA compliance efforts.
1 - Know and Use the Breach Notification Rule.
HIPAA’s primary tenets have been in place since 2003, but it continues to evolve. In 2013, the OCR issued a new breach notification rule that changed the standard for what constitutes a breach of Protected Health Information (PHI) that requires OCR notification. Now, a breach is presumed UNLESS there is a low probability that PHI has been compromised.
That probability is determined based on the results of a four-part risk assessment. The risk assessment is a little bit like the instant replay. It gives both covered entities and business associates the opportunity to walk through exactly what occurred and to closely review how their team performed – or not – in a real-life situation. The answers obtained through the risk assessment are your chance to demonstrate that there is a low probability that PHI, even though it may have been disclosed, has been compromised.
Breaches and breach notifications are a little bit like being offside. The reporting requirements change depending upon the specific circumstances. For example, breaches involving more than 500 patients may involve notifying patients, the media and your state’s Attorney General. No matter how small, breaches, and the resulting investigations, always cost organizations time and money.
2 – Make Your Business Associates Your Business.
Another way the OCR is attempting to block the disclosure and breach of PHI is through enforcement actions against “business associates,” or vendors, that work with the hospitals and medical practices that are considered “covered entities” under HIPAA. Previously, business associates were somewhat protected from penalties. Today, if the OCR discovers business associates acted with “willful neglect,” civil penalties are mandatory. Plus, because business associates self-report information breaches to covered entities, both parties are impacted.
This exposure is why it’s critically important to know how exactly business associates are handling the PHI of your patients. Who is accessing the data? How is it protected? Is it being transferred and stored in a secure manner? These are just a few of the questions that you should be asking, and for which business associates should be providing documentation.
Last but not least, make sure you have a list of all current business associates and that there is a current Business Associate Agreement in place with all vendors. The OCR is taking that fact into account when determining enforcement actions and calculating financial settlement amounts. Case in point: North Memorial Health Care of Minnesota recently settled for $1.5 million after a laptop was stolen from the vehicle of an employee working for a business associate. The laptop contained 9,497 individuals’ PHI and the business associate had access to a database of nearly 300,000 patients. And there was no Business Associate Agreement in place.
3 – Recommit to Cybersecurity.
If there’s one area you don’t want to be calling an audible, it’s cybersecurity. According to a 2015 KPMG survey, four out five healthcare organizations have experienced a cyberattack and less than half of the executives surveyed say their organizations are prepared. Today’s hackers are forcing fumbles inside provider organizations with sophisticated attacks that evolve quickly.
One of the most troubling types of cyberattacks is ransomware. Earlier this year, a Los Angeles hospital was brought to its knees when hackers took over its computer and email systems and demanded millions of dollars in ransom to return access. The hospital ultimately paid $17,000 in bitcoin versus the millions demanded, but the incident illustrated just how vulnerable healthcare organizations are. Further evidence of the changing landscape? The Federal Bureau of Investigation (FBI) now advises organizations to not pay ransom requests and to focus instead on internal system recovery.
You should know that the OCR views ransomware as a breach. Despite the criminal element involved, all ransomware is considered a disclosure. This means you must conduct the four-part risk assessment as part of your breach reporting process. Of course, you also need to huddle up with your privacy officer, mobilize your incident response team and, most importantly, know and follow your incident response plan (IRP). Although designed to help you respond, IRPs ideally can help intercept attacks before attacks advance.
Even though it’s tough to get as pumped up about HIPAA as it is college football, no one can dispute that both are serious business. By focusing on the new breach notification assessment, Business Associate Agreements and cybersecurity, you’ll put your team in the best position possible to protect patients’ privacy and security.
Randy Wobig is Chief Information Officer for CQuence Health Group, where he leads planning and strategy for technology requirements, IT security, compliance and business continuity.