Web-Tones

The September 23, 2013 Omnibus Rule deadline came and went over three years ago, but no worries because many of you have filled in the blanks of your new set of templates and are good to go. Right? Wrong! 

First, it is likely that many of you don't understand the templates that you have carefully modified with your organization's "name, rank, and serial number." Second, the vast majority of you probably don't have any organizational processes in place to underpin your policies (i.e. your templates). And finally, almost no one has effective tracking mechanisms in place to track process results. In short, your organization may be a long ways from being able to show visible, demonstrable, evidence of compliance.

Perhaps if we were still living in the old HIPAA universe where HIPAA was a paper tiger and the dirty little secret in the healthcare industry was that everyone knew that it wasn't enforced; perhaps then you would be just fine with a new set of templates. That world was shattered when the HITECH Act was signed into law in February 2009. It completely exploded and became unrecognizable on September 23, 2013. For those of you that are just now joining us, I have a news flash for you: this ain't your daddy's HIPAA anymore! 

Of course, you old timers already know that HIPAA 2.0 is "a horse of a different color" and that is why many of you have continued to read these compliance rants over the last six years. So this article will be a short walk down memory lane, and then a discussion about where we are headed. 

Going forward we assume that you understand that the status quo will only lead to a finding of willful neglect, and that you want to avoid that at all cost. Therefore, we are going to cover specific topics in detail that help you "jumpstart" a compliance program that has a reasonable chance of succeeding. 

Ground Already Covered? 

There are many reasons to review our Newsletter Archives but here we will highlight just a few:

• Omnibus Rule articles can be found here, here and here;  
• Breach Notification articles can be found here, here, here, and here;  
• Business Associate articles can be found here, here, here, here and here; 
• Security Rule articles can be found here, here, here and here; 
• Privacy Rule articles can be found here, here, and here; and
• Governance and thematic articles can be found here, here, here, here, here, here, here, here, here, and here. 

This is not an exhaustive list of articles, we simply wanted to provide a "quick index" if you are trying to get caught up. 

 Further Down the Road? 

Going forward we will focus on a more detailed "birds eye" view of the HIPAA regulations as most of you continue to build a good compliance story. We will usually write about topics that our Webinars indicate our audience is struggling with. In this week's article we look at the "out of pocket" restriction that is now mandatory under the Omnibus Rule. 

§164.522 Rights to request privacy protection for protected health information.

Section 164.522(a) of the "Privacy Rule's Patient's Bill of Rights" (i.e. sections 164.520 - 164.528) controls a patient's right to ask for restrictions regarding how a his or hers PHI is to be used and disclosed, the process by which restrictions should be requested, and whether or not a covered entity is required to honor the restriction.

Under the "old HIPAA," a covered entity had to provide a process by which a patient could request a restriction, but was NOT required to honor any such restriction. That remains true under HIPAA 2.0 with one important exception mandated by the HITECH Act and clarified under the Omnibus Rule. That is the so called "out of pocket paid in full" restriction. 

HITECH Act 13405(a) states that if a patient requests a restriction regarding PHI potentially shareable with a health plan AND the patient (or anyone else on behalf of the patient) has "paid in full" for the provider's particular "item or service" then that restriction request must be honored by the covered entity.

The Omnibus Rule also clarified that the covered entity must cooperate with the patient to prevent "downstream covered entities" from providing the PHI to a health plan. The example given in the Omnibus Rule was that if a patiert requested a paper prescription, instead of an electronic one, presumably so that the patient could notify the pharmacy of the restriction, then the covered entity had to honor that request. However, the Omnibus Rule also made it clear that the burden was on the patient to notify downstream covered entities and NOT on the covered entity who provided the service.

Just to be clear, if this use case applies and the patient asks for the restriction (e.g. does not want to notify a health plan that they tested positive for HIV) then the covered entity must honor it and modify its systems accordingly. You don't have to be a health information technologist to understand that this type of restriction may have implications for a number of the covered entity's applications and will likely require custom programming, training, and/or a redefined workflow process to implement.

Most covered entities do not have ANY rigorous process in place for dealing with a patient's right to request a restriction, let alone how they will handle this complex issue from both a technology and organizational process perspective. In short, there is still much work to be done in order to comply with HITECH/Omnibus Rule requirements. Just having your "fill in the blanks" policies in place is not only simplistic, it is likely to produce a finding of willful neglect when something inevitably goes wrong (e.g. a breach, a patient complaint, an audit or a lawsuit).

What is Cyber Insurance?

As it turns out, this is not a simple question to answer. It means different things to different organizations. One thing is clear, whatever is covered under cyber-liability insurance is almost certainly not covered under an organization's general liability, errors and omissions, or malpractice policies. This is a beast unto itself, and an expensive one at that. Cyber-liability generally covers the following:

1. Regulatory fines that may be imposed as a result of a data breach.
2. Class action lawsuits usually brought under a state law claim such as negligence.
3. Response costs for notifying individuals, the media, and HHS.
4. Business interruption in case a cyber-attack stops your operations "dead in its tracks."
5. Content liability for such things as copyright and trademark infringement. 

This is not an exhaustive list, but it should give you a "feel" for the kinds of questions that you should be asking your prospective provider. As you can tell from this list, many of these items are hard to quantify as to the actual exposure. Given that there is this much uncertainty, it should go without saying that the policies available are not cheap and can run from $20,000 to $50,000 a year or more.

But as a baseline, you absolutely need to understand what it is that you are buying. Insurance policies are notoriously difficult to comprehend and the "fine print" in the details are likely to "kill you." For example, as more and more providers continue rolling out patient portals for meaningful use, the ACA, and for other reasons, Covered Entities may not understand that a "simple move to the Internet" increases your potential liability (e.g. what happens if your technology staff "borrows" photos and content from some other provider's website; you are now likely facing a copyright infringement lawsuit that you never anticipated). However, if your cyber-liability policy does not include "content liability" then you are now looking at paying out-of-pocket for (usually) very expensive litigation in Federal Court.

Further, you need to take a close look at the conditions set forth in the policy. If the policy is conditioned upon the organization implementing the "necessary and proper" security safeguards then you could be paying thousands of dollars a year for illusory coverage. Most healthcare organizations are not even close to implementing the necessary and proper safeguards. In short, the insurance companies are not your friends. The reason for all the "fine print" and convoluted language is to avoid covering you if you fail to comply with the entire minutia. For example, your policy is likely to include a "notice requirement;" which means that within so many days after a breach or attempted breach you must notify your provider. However, you are not likely going to notify until you have investigated sufficiently and by then the notification period may have expired.

What's the Cyber-Liability Risk Pool Look Like?

Anecdotally, although there has been a tremendous amount of discussion of late regarding cyber-liability insurance, there is no strong evidence that the healthcare industry, en masse, has adopted this approach. Therefore, the risk pool is rather small. When the risk pool is small the premiums are going to be so high such that only the dominant players can afford it. I may be going out on a limb, but most small to mid-size covered entities and business associates are not excited about paying $20,000.00 a year for additional insurance. Especially when, as a condition of coverage, they are expected to have the "necessary and proper" safeguards in place. What about all the state and local government covered entities? Does anyone seriously think that their currently stretched budgets allow for the luxury of cyber-liability insurance?

Given a large enough risk pool, almost anything can be insured in a reasonably competitive manner. However, the current cyber-liability risk pool appears to be so small that cost prohibitive policies for the majority of market players is all that will likely be available. AND, even for these players the critical take away is CAVEAT EMPTOR.

How Much Coverage Is Available?

Well the answer to that question likely depends on how much you are willing to spend. But for the purposes of this article let's define a "small breach" as one wherein 5,000 patient records were compromised. If we take a conservative estimate that it will cost you $200 per record to clean up this mess, then you would need at least a million dollars in coverage. 

The Ponemon Institute is the market leader in coming up with these costs and under their methodology $200 per record is really conservative, for healthcare it could be 50% higher. According to the Institute's 2014 study "average cost [for a breach] to a company was $3.5 million in US dollars and 15 percent more than what it cost last year." In other words, a million dollars’ worth of coverage is not enough to cover the average breach. Consider that 50,000 records can now easily fit on a thumb drive and you begin to get a feel for the magnitude of the problem.

What Will Insurers Require?

As previously mentioned, cyber-liability policies are likely to contain language requiring that the "necessary and proper safeguards" be implemented as a condition of coverage. If you have not done a risk assessment and completely implemented the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule then obviously you are not going to meet this condition and your coverage will likely be denied. Moreover, if you store credit card information and have not complied with PCI DSS then your coverage will also likely be denied.

What's the Alternative?

For the cost of one year's premium (or less) you can "stand up" a robust HIPAA Compliance Program given the cost effective solutions that are now available. Sure, you are going to need some help getting this done; but essentially a robust HIPAA Compliance Program is a cost effective form of "self-insurance." For example, if you encrypt ALL your PHI, then even if the bad guys get into your network (and they will) there will nothing for them to obtain. You can sleep at night knowing that encryption (according to NIST standards) allows you to take advantage of the Breach Notification Rule's safe harbor. Is encryption a panacea? NO! Is it worth doing? ABSOLUTELY!

Self-insurance is likely to be the ONLY form of insurance affordable for small to mid-size covered entities and business associates. The good news is that it is far less expensive than a cyber-liability policy. The bad news is that standing up a robust HIPAA Compliance Program is a non-trivial wicked problem.

NIST just recently releases it proposed 2016 Cybersecurity Framework and it is telling in many useful ways, but NOT in the ways that you would imagine. We often write about methodology and process. Why? Because they are an integral part of any HIPAA Compliance Initiative ("HCI"). However, we NEVER advocate methodology and process as if they were some kind religious practice only to be understood by those in the priesthood. We have had religious practices dominate American consultancies for decades now (i.e. does anyone remember the "re-engineering craze?"). Now to be clear, there's LOTS to like about the concept of re-engineering...we simply believe that you should do more of it and talk/study less about it.

Whoa, BUT that kind of approach was NOT how the Big Six consultants (Big whatever now) monetized their clients. NO, what was required was religion. A formalized process regarding how "everything in sight" was going to be re-engineered, with corporate America spending billions to worship at the alter. Now if re-engineering was a one-off then there would be nothing much to write about. Far from it: (1) Data Warehousing; (2) Client Server; (3) Graphical Users Interfaces; (4) SAP; (5) Object Oriented Programming; (6) the Cloud and countless others religions have been adopted and similarly yielded dubious results (i.e for those that "drank the Kool-aide" and invested the billions).

That's not to say that each and every one of the technologies have not been disruptive and have had overwhelming successful within certain contexts. They have. They simply have NOT been panaceas...but they were almost always marketed as such. Now here come the Cybersecurity Frameworks: (1) HITRUST; (2) ISO 27000 (or pick your number); and (3) NIST. The following diagram comes from the NIST Framework and purports to explain how your Risk Management Framework should be implemented: 

No one, not even the large organizations, have time for this formalistic approach anymore. You could spend a year developing and implementing this Framework throughout your organization. The world is moving much too fast for this sort of nonsense. It is the antithesis of fail fast. Compare this to our approach with Expresso. With Expresso you can perform a Risk Assessment in three hours our less. How? Because we help you identify (quickly) all 29 Security Controls that you need to implement in order to be in compliance with the Security Rule. We then provide you products that mitigate the Risks associated with not having those controls in place. It's a completely heuristic based approach that allows you to get results fast while at the same learning more about the product you are attempting to solve than a year's worth of committee meetings!

We are all for frameworks BUT they need to be lightweight!