Privacy & security: 'Think and act like you will be audited' (Part 2 of 2)
The HITECH Act has expanded some security and privacy protections to business associates (BAs). That’s a good thing for covered entities (CEs), Freedman said, because if a BA caused a breach or is the wrongdoer in something considered a HIPAA violation, the U.S. Department of Health and Human Services (HHS) will audit both the BA and the CE. “It’s your vendor, but it’s still your responsibility to have a contract in place. [HHS] is going to be looking for that.”
The security rule requires CEs and BAs to implement administrative, physical and technical safeguards to protect PHI against threats or hazards to the security of the information. CEs must protect against wrongful use or disclosure of PHI. The most significant new requirement under the HITECH Act, Freedman said, is the breach notification requirement.
As of September 2009, every CE must have a breach notification compliance program in place to notify individuals when unsecured PHI has been breached--that is, when there has been an unauthorized acquisition of PHI that compromises the information. To fall under the definition of a breach, the compromise of the information must pose a significant risk of financial, reputational or other harm to an individual. “That’s really important because a lot of people think with any breach to health information you have to tell the person. That’s not what the law says. The breach has to pose a significant risk.” However, if an unencrypted Social Security number is breached, “it’s a 100 percent no-brainer that you have to notify the individual, because they could become the victim of identity theft.”
Freedman again emphasized the need for CEs to conduct a risk assessment, noting that password protection is not enough. “The only way you get into the safe harbor of not having to notify individuals of a breach is if the information has encryption technology that complies with NIST Special Publication 800-88,” she said. Such technology is freely and easily available on the internet. CEs must clear, purge or destroy their data consistent with NIST standards or follow NIST standards for encryption.
There are exceptions, however. For example, a billing clerk could go into John Smith’s record to confirm a charge and see that she has the wrong date of birth because there are three different John Smiths in the records. “It happens all the time because it’s part of day-to-day activities. There’s no evil motive. When it happens in the normal course of business but it’s a mistake, you don’t have to notify. The key is that you don’t have to notify every time someone looks at their record if it was inadvertent, unintentional or doesn’t cause significant risk.”
Providers also are required to implement systems for the discovery of breaches. Under HITECH Act requirements, CEs must train their employees on breach notification requirements. “It’s extremely important that your employees understand the importance of reporting any suspected breach.” That’s because there is a 60-day time limit to notify affected individuals and those 60 days start when the employee knew or should have known of the breach.
In the event of a breach, the CE must notify the affected individuals and HHS. If a BA discovers a breach, it must notify the CE. The notification has to happen within 60 days and be written in plain language. If a letter is returned as undeliverable, the CE can then contact the individual via email.
If the breach affects more than 500 individuals, the CE must notify prominent media outlets. CEs must document the notification to each individual. “When you have a breach and you have to decide whether to notify or not, you have to document your decision,” Freedman said. HHS will require documentation of that decision in an audit.
Meaningful use core measure 15 requires that CEs perform a security risk assessment, have HIPAA policies and procedures in place and have security measures implemented. CMS has started auditing MU attestation over the last few months, Freedman said. If they find a problem with attestation, CMS can take away incentive payments and can bring in the Office for Civil Rights (OCR), as the HIPAA regulator, to issue fines and penalties.
The objective of the core measure is to protect electronic health information, she said. It says that CEs must create and maintain protected health information (PHI) with certified EHR technology, and must implement appropriate technological capabilities. The measure calls for a security management process that includes conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI. CEs must then implement security measures that are sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level.
“Don’t ignore your security risk assessment,” Freedman warned. Any vulnerabilities CEs discover during their assessment must be addressed. “Fix your deficiencies.” She said she is working on several OCR investigations and “the first thing they ask for, no matter what, is the security risk assessment.” CEs must conduct a security risk assessment at least once prior to the end of the EHR reporting period and then conduct a new review every subsequent reporting period. CEs also must document corrective actions. “The OCR and CMS want to make sure that when you do this, this analysis is not ignored,” said Freedman. “They want to make sure you’re doing things proactively to reduce risk. Make sure those efforts are all in writing.”
CEs also must have a sanction policy, and must implement procedures to regularly review records and information system activity. If any member of the workforce violates HIPAA, CEs need a policy in place to make sure that person is sanctioned. “Talk to your EMR vendor to make sure you comply with all of those measures,” Freedman suggested.
Remember that if a CE receives a subpoena for any of this information, it cannot simply respond by handing the information over. “Specific laws require you to make sure the patient knows, get consent or file a motion for a court order,” Freedman said. CEs cannot disclose information without patient consent. “This is the scary part: Ever since HITECH, HHS has been conducting audits for HIPAA compliance. We’ve seen dramatic increases in enforcement activities and audits.” Under the HITECH Act, all civil monetary penalties go back to the OCR. Freedman said the OCR is simply using that money to send out more auditors.
“Think and act like you will be audited because they are auditing” CEs of all sizes, she said.
The OCR implemented a three-month pilot audit program and awarded a $9.2 million contract to KPMG to conduct the audits. They purposely chose a broad range of CEs, Freedman said. “Don’t think you’re immune from this process. The data requests are severe and crazy. They want everything.” The agency is particularly focused on risk assessment and security plans, and portable devices and removable media. “Have a written policy in place. They want to know that you’re limiting access to your network. Your policy should show that’s what you’re doing.”
The first round of audits has taken place and the word from the OCR is that no one is in compliance, she said. “There are huge problems with privacy and security” and CEs need to do a lot of work to comply. Supposedly the first audits were going to be educational, she said, “but they’ve learned a lot from the pilot project and are now going to go out and assess fines and penalties.”
Use your vendors, Freedman recommended. “You’re paying a lot of money and they are supposed to be up on all of this. Make sure they’re giving you all of the information you need.” Vendors can’t put policies and procedures in place and they can’t tell you whether you’re in compliance but they can do auditing and provide technological patches for intrusions and firewalls to help CEs comply with security rules. “But, providers own the responsibility.”
With the OCR looking at removable media, Freedman suggested that CEs have a policy in place that includes laptops and cell phones. “My recommendation is to have a policy around how you communicate with your patients via email and text.” A patient authorization form for this kind of communication should include release language. “You don’t want a patient to think they can text you if they’re having a heart attack.” She also recommended that CEs that do decide to communicate with patients via text or email should use the minimum amount of information necessary. “It’s common sense but I see it all the time: Don’t put any sensitive information in your texts. And, please don’t put anything about patients on Facebook. I see it all the time.”