Web-Tones

Yesterday, we wrote about the deceptively short HHS Audit Protocol requirements related to the Breach Notification rule.  The following table contains those HHS Audit Protocol requirements. Note that there are only ten (10) Breach Notification requirements compared to eighty-one (81) for the Privacy Rule and seventy-eight (78) for the Security Rule.

 Want to learn more?  In our upcoming HIPAA Audit Preparation Webinar, a four part series starting October 7th, 2015, we will cover all 169 protocol requirements. 

 New to the HIPAA Survival Guide?  Sign-up for our monthly Newsletter and receive the HIPAA Survival Guide Fourth Edition (a $29.95 value) F*R*E*E. 

The HHS Audit Protocol for the Breach Notification Rule is something of an odd bird. First, it is very short compared to its importance in the grand scheme of things in the HIPAA universe (only 10 requirements). Second, it is more about "things" that you should be prepared to do rather than "things" you are (or should be) currently doing. If you look at HHS' Audit Protocol for sections 164.404 through 164.414 you will notice that the "protocol" doesn't do much more than repeat what is contained in the regulations AND, in addition, it provides for certain "inquiries." Now to be sure, the entire HHS Audit Protocol follows this format but in the case of the Breach Notification Rule the inquiries are about an "eventuality" that may never occur.

Essentially almost every requirement wants to know if management has a process in place to deal with the requirement, and whether there exists documentation (e.g. templates) that underpin the process. However, there are exceptions to this general rule. If you look at §164.402 under the rule you notice that it is labeled "Definitions." It has nothing directly to do with whether or not you have a Risk Assessment process in place, but the protocol for this section asks about a Risk Assessment process. Of course, a Risk Assessment is an implementation specification of the first standard of the Security Rule - what's it doing here? One answer is that it is HHS' Audit Protocol and they can do with it what the will. Additionally, it is likely HHS' way of emphasizing just how important a Risk Assessment is. How are you going to know there's a breach if you have never performed a Risk Assessment?

 Sure, you would probably know there was a breach even if you had never performed a Risk Assessment, but likely you would not have the necessary foundational information (e.g. an inventory of information systems) to effectively report on a breach. Notice that this audit protocol inquires into whether or not various processes exist, but you could summarize it by asking the following question of your organization: "Do you have a methodology in place, including the tools and templates that underpin it, with respect to breach notification?" In other words, are you prepared should a breach occur? If you can answer yes to this question then you should do well on this part of the audit.  

 Of course, if HHS is performing a comprehensive audit it will attempt to provide coverage of all 169 requirements in some way, shape, or form. However, if there has been a breach perhaps HHS will focus on these ten requirements and then branch out from there. Only time will tell.

New to the HIPAA Survival Guide?  Sign-up for our monthly Newsletter and receive our HIPAA Survival Guide Fourth Edition (a $29.95 value) F*R*E*E.  And be sure to check out our Subscription Plan!

Make plans to join us for the HIPAA Audit Preparation Webinar, a four part series starting October 7th.  This will be a live online event to guide participants through the requirements in the HHS audit protocol.

We will host a new two-hour segment every Wednesday for four weeks.  This unique series will provide comprehensive coverage of the three HIPAA rules that may lead to an audit – the Security Rule, the Privacy Rule and the Breach Notification rule. The Audit Preparation Webinar is FREE to all HIPAA Survival Guide subscribers.  The webinar will cover all the important bases in preparing for an audit, will guide you through conducting a risk assessment, and the methodology for improving future assessments.

“We’re going to focus on both the big picture and the details.” -  Carlos Leyva, creator of the HIPAA Survival Guide and presenter of the upcoming series. “We’re going to hold your hand. We’re going to answer your questions. And most importantly, we’re going to give you the tools to remove the ‘deer in the headlights’ look when an audit occurs.”

New to the HIPAA Survival Guide?  Sign-up for our monthly Newsletter and receive the HIPAA Survival Guide Fourth Edition (a $29.95 value) F*R*E*E. 

It turns out that most projects fail because of people and process challenges that have very little to do with the underlying technologies implemented. A Security Rule implementation is more aptly described as a change project. Learning how to effectively Manage Risk is a BIG part of that change. An iterative/agile (“Agile”) methodology is required—but what exactly is Agile in the compliance context?

Agile compliance is a group of methods based on an iterative and incremental approach where compliance solutions evolve through collaboration between cross-functional teams. Agile promotes adaptive planning, evolutionary development and implementation, and a time-boxed iterative approach which encourages rapid and flexible response to changing regulations and operational environments that are quickly morphing. Agile is a conceptual framework that promotes foreseen interactions throughout the implementation cycle and acknowledges that due to a changing operational, technical, and regulatory environment, the implementation cycle never ends. Agile compliance is how an organization goes about changing its compliance DNA. Agile focuses on delivering visible, demonstrable, evidence of compliance early and often.

Agile is underpinned by the counter intuitive notion that you should "fail, forward, fast." Why? Because this approach is the only effective way of “solving” wicked (as in difficult) problems! In general, a wicked problem has the following characteristics: (1) you don’t understand the problem until you have started developing the solution; (2) there is no stopping rule…since there is no definitive “problem” there can be no definitive “solution;" (3) solutions are not right or wrong…just “better” than others, or “worse” or “good enough;” (4) every wicked problem is unique and novel; and (5) almost always, every solution to a wicked problem is a “one shot operation.” A shorthand way of thinking about a wicked problem is a problem that has more social/organizational complexity than technical complexity.

Launching a HITECH / HIPAA compliance initiative is a wicked problem. Your "solution" may have more to do with "when that old curmudgeon retires" than with the amount of financial and technical resources you have at your disposal.  If you understand that the biggest part of your compliance initiative challenge is organizational, then you are, at a minimum, "in the right ball park." Now you just need to figure out how to "get around the bases" in order to make it all the way home.

New to the HIPAA Survival Guide?  Sign-up for our monthly Newsletter and receive our HIPAA Survival Guide Fourth Edition (a $29.95 value) F*R*E*E.  And be sure to check out our Subscription Plan!

Join us this Thursday, August 20th for the HIPAA Survival Guide's August Webinar.   The topic this month is

"How To Launch Your HIPAA Initiative in 10 Steps."  

DATE:  Thursday, August 20, 2015

TIME:  2:00-3:30 p.m. EDT

Best of all, it is F*R*E*E!

Space is limited, so Sign up Now!

New to the HIPAA Survival Guide?  Be sure to sign-up for our Newsletter and receive our HIPAA Survival Guide Fourth Edition (a $29.95 value) FREE. 

Sign-up for our monthly Newsletter and receive the HIPAA Survival Guide Fourth Edition (a $29.95 value) for FREE.  Get Yours Now!

With the promulgation of the HITECH Act, meaningful use, breach notification, and increased HIPAA violation fines, it appears that the HIPAA Security Rule has taken all of the oxygen out of the room, and rightfully so.  The Security Rule had largely been neglected for all of those years that the healthcare industry remained on paper. After HITECH and the mass movement to EHRs, it could no longer be ignored. All of a sudden Risk Assessments, encryption, and a host of other Security Rule topics dominated the conversation. In the "rush" to comply with the Security Rule, many organizations have neglected the Privacy Rule because after all, most of these organizations felt (or had been told by their compliance officers) that they had long since achieved full compliance with the Privacy Rule. It was that Security Rule that required all their attention.  Despite protestations to the contrary, many organizations are not even close to full compliance with the Privacy Rule.

 We like to break down the Privacy Rule into three major sections: (1) Uses & Disclosures; (2) Patients' Bill of Rights; and (3) Administrative requirements. The Uses & Disclosures encompasses Sections 164.502 (the "General Rules") through 164.514. The General Rules are key to unlocking the meaning and purpose of the Privacy Rule and can be summarized as follows: 

§ 164.502 Uses and disclosures of protected health information: general rules

(a) Standard:

    (1) Permitted uses & disclosures

    (2) Required disclosures

(b) Standard: minimum necessary

    (1) Minimum necessary applies

    (2) Minimum necessary does not apply

(c) Standard: uses and disclosures of protected health information subject to an agreed upon restriction

(d) Standard: Uses and disclosures of de-identified protected health information

    (1) Uses and disclosures to create de-identified information

    (2) Uses and disclosures of de-identified information

(e) (1) Standard: disclosures to business associates

     (2) Implementation specification: documentation

(f) Standard: deceased individuals

(g) (1) Standard: personal representatives

    (2) Implementation specification: adults and emancipated minors

    (3) Implementation specification: unemancipated minors

    (4) Implementation specification: deceased individuals

    (5) Implementation specification: abuse, neglect, endangerment situations

(h) Standard: confidential communications

(i) Standard: uses and disclosures consistent with notice

(j) Standard: disclosures by whistleblowers and workforce member crime victims

    (1) Disclosures by whistleblowers

    (2) Disclosures by workforce members who are victims of a crime

  The General Rules "swallow" all of the other rules up to and including Section 164.514. It is the starting point for determining whether or not the Privacy Rule has been violated. Recall that the Privacy Rule concerns itself with permissible (or impermissible depending on your perspective) uses and disclosures of protected health information ("PHI").   Before you can determine whether or not a Breach has occurred you need to determine whether or not the Privacy Rule has been violated. If the Privacy Rule has NOT been violated then there is no Breach by definition. Just to refresh your memory, although we are quite certain that most of you have this memorized by now, there is a three-step process/framework used to determine whether or not a Breach has occurred:

1.Was there an impermissible use or disclosure of unsecured PHI?

2.Does an exception to the breach rule apply?

3.Is there a low probability that the protected health information was compromised?

Step 1 (in part) asks the question: "Has the Privacy Rule been violated?" if the answer to this question is NO then there is no need to continue further with the analysis; there has not been a Breach (See our Breach Notification Framework for more information). We are willing to bet "dollars to donuts" that most covered entities do not have a rigorous (or any) methodology for determining when the Privacy Rule has been violated.   

 Because there is so much more to the Privacy Rule than meets the eye, covered entities are well advised to go back and revisit their Privacy Rule initiatives.

New to the HIPAA Survival Guide?  Be sure to sign-up for our Newsletter and receive our HIPAA Survival Guide Fourth Edition (a $29.95 value) FREE. 

HIPAA Survival Guide's FREE August Webinar is Now open for Registration!  The topic this month is

"How To Launch Your HIPAA Initiative in 10 Steps."  

DATE:  Thursday, August 20, 2015

TIME:  2:00-3:30 p.m. EDT

Space is limited, so Sign up Now!

New to the HIPAA Survival Guide?  Be sure to sign-up for our Newsletter and receive our HIPAA Survival Guide Fourth Edition (a $29.95 value) FREE. 

The HIPAA audits are on; no they are off; wait they are back on again.  Arggh!  For most of the healthcare industry this "wringing of hands and gnashing of the teeth" is probably futile for a number of reasons: (1) your chances of getting audited (i.e. as opposed to experiencing a major breach or having a patient complaint lead to a finding of "willful neglect") are small; and (2) most of the industry will be ill-prepared for audits no matter when they come.  We believe that the best use of your time is to improve the quality of your HIPAA initiative rather than worrying about the machinations of the HHS. Some things, like when a specific government agency will take action, are simply out of your control.  But, you CAN control your own HIPAA compliance initiative. 

 Let's be honest, the "gnashing of teeth" regarding HIPAA audits is entirely based on the well known "dirty little secret" that most Covered Entities and Business Associates, both large, small, and everything in between, are not likely to do well when their compliance initiatives are placed under a microscope. This is especially true for small to midsize Covered Entities and Business Associates for reasons that we have previously discussed. Therefore, when weighing where to put your efforts and your dollars, our money would be on compliance and risk management. 

New to the HIPAA Survival Guide?  Sign-up for our Newsletter and receive our HIPAA Survival Guide Fourth Edition (a $29.95 value) FREE.  And be sure to check out our Subscription Plan!

There are simply no cookbooks, no maps, no videos, no books, no webinars, no conferences, no software and certainly no checklists that are capable of providing a step-by-step approach to solving ALL organizational problems that surround a HIPAA compliance initiative. That is why an Agile Compliance methodology is required. Our Subscription Service and HIPAA Agile Compliance™ methodology will help you get started and help guide you along the way.  

Click here to learn more about our Subscription Service Today! 

New to the HIPAA Survival Guide?  Sign-up for our Newsletter and receive our HIPAA Survival Guide Fourth Edition (a $29.95 value) FREE.