OCR has recently identified 10 recurring areas of enforcement. This post illustrates how the HIPAA Survival Guide's ("HSG") methodology and comprehensive remediation products help protect you against these problem areas. HSG's remediation examples are not intended to be exhaustive, simply representative of the kinds of curated content you will find in our Subscription Plan. Our commentary is offered in "blue bold" after each section.
- Impermissible Disclosures. HIPAA’s Privacy Rule prohibits covered entities and business associates from disclosing PHI except as permitted or required under HIPAA. The impermissible disclosures identified by Ms. Peters all center on the need for authorization, and include:
  - Covered entities permitting news media to film individuals in their facilities prior to obtaining a patient’s authorization.
  - Covered entities publishing PHI on their website or on social media without an individual’s authorization.
  - Covered entities confirming that an individual is a patient and providing other PHI to reporters without an individual’s authorization.
  - Covered entities faxing PHI to an individual’s employer without the individual’s authorization.
- HSG has a proven methodology, built into our Breach Notification Framework and Privacy Policy Checklist, for determining when an impermissible disclosure has occurred. Unfortunately, because of the legitimate importance placed on Risk Assessments after the promulgation of the HITECH Act, the Privacy Rule has been somewhat neglected.
- Lack of Business Associate Agreements. OCR continues to see covered entities failing to enter into business associate agreements. Our Subscription Plan contains model Covered Entity-to-Business Associate contracts and Business Associate-to-Business Associate contracts.
- Incomplete or Inaccurate Risk Analysis. Under HIPAA’s Security Rule, covered entities are required to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI (ePHI). According to Ms. Peters, organizations frequently underestimate the proliferation of ePHI throughout their environment, including into systems related to billing, faxing, backups, and medical devices, among others. Expresso(TM) allows you to conduct as many Risk Assessments over time as is consistent with the "risk appetite" of your organization.
- Failure to Manage Identified Risks. HIPAA requires regulated entities to put in place security measures to reduce risks and vulnerabilities. According to the presentation, several OCR breach investigations found that the causes of reported breaches were risks that had previously been identified in a risk analysis but were never mitigated. In some instances, encryption was included as part of the remediation plan but was never implemented. As important as Risk Assessments are, they are only a first step, and a purely analytical one. The real work starts with Risk Remediation; that is where our Subscription Plan products and training really accelerate your HIPAA compliance initiative ("HCI").
- Lack of Transmission Security. While not required in all cases, HIPAA does require that ePHI be encrypted whenever encryption is deemed appropriate. The presentation identified a number of applications in which encryption should be considered when transmitting ePHI, including email, texting, application sessions, file transmissions (e.g., FTP), remote backups, and remote access and support services (e.g., VPNs). There is simply no reason why the latest version of the Transport Layer Security ("TLS") protocol should not be used everywhere it is required. Our Subscription Plan encourages such use by highlighting where it is necessary under the requisite requirements.
- Lack of Appropriate Auditing. HIPAA requires the implementation of mechanisms (whether hardware, software or procedural) that record and examine activity in systems containing ePHI. HIPAA-regulated entities are required to review audit records to determine whether additional investigation is warranted. The presentation highlighted certain activities that could warrant such additional investigation, including: access to PHI during non-business hours or during time off, access to an abnormally high number of records containing PHI, access to the PHI of persons for whom media interest exists, and access to the PHI of employees. Our methodology mandates self-audits (see here and here) as the only real mechanism for ensuring compliance over time. This mandate is reflected in all our products as required, but especially in our Privacy Rule and Security Rule checklists.
- Patching of Software. The use of unpatched or unsupported software on systems that contain ePHI could introduce additional risk into an environment. Ms. Peters also pointed to other systems that should be monitored, including router and firewall firmware, anti-virus and anti-malware software, and multimedia and runtime environments (e.g., Adobe Flash, Java, etc.). The fact that this remains a problem is simply an indication that the healthcare industry writ large has failed to adopt the best practice of network scanning at regular intervals. Missing patches are easily identified using market-leading scanning products such as Network Detective. HSG plans to introduce a scanning service called Heartbeat that will be offered as part of our Subscription Plan at no additional cost to our customers.
- Insider Threats. The presentation identifies insider threats as a continuing enforcement issue. Under HIPAA, organizations must implement policies and procedures to ensure that all members of their workforce have appropriate access to ePHI and to prevent those workforce members who do not have access from obtaining it. Termination procedures should be put in place to ensure that access to PHI is revoked when a workforce member leaves. Our comprehensive training series, HIPAA Certification and Checklists help remediate this issue.
- Disposal of PHI. HIPAA requires organizations to implement policies and procedures that ensure proper disposal of PHI. These procedures must guarantee that media have been cleared, purged or destroyed consistent with NIST Special Publication 800-88: Guidelines for Media Sanitization. Our Breach Notification Framework and Security Rule Checklist offer specific "how to" PHI disposal processes and tracking mechanisms based on the requisite NIST protocols. If you follow our recommendations, you will be able to take advantage of the Breach Notification safe harbor.
- Insufficient Backup and Contingency Planning. Organizations are required to ensure that adequate contingency planning (including data backup and disaster recovery plans) is in place and would be effective when implemented in the event of an actual disaster or emergency situation. Organizations are required to periodically test their plans and revise them as necessary. Our recently released Contingency Framework was designed specifically to help our customers remediate this issue. Creating data backup plans, emergency mode operation plans and disaster recovery plans is one of the most daunting aspects of Security Rule remediation.
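The "Lack of Appropriate Auditing" item above lists four access patterns that should trigger a closer look at audit records. The script below is an added example (not HSG's or OCR's code) that runs those four checks over a constructed ePHI access log. The log format (`timestamp,user_id,patient_id,action`), the business-hours window, the high-volume threshold, the leave schedule and the employee and media-interest watch lists are all assumptions made for the example; a real deployment would pull them from the EHR audit trail, HR system and a maintained watch list.

```python
"""Triage ePHI audit records against the four review triggers the OCR
presentation lists: off-hours or on-leave access, abnormally high record
volume, access to employees' records, and access to records of persons with
media interest.

Added example; log format, thresholds and watch lists are assumed.
"""
from collections import defaultdict
from datetime import date, datetime

BUSINESS_HOURS = range(8, 18)      # 08:00-17:59, assumed business day
HIGH_VOLUME_THRESHOLD = 25         # distinct patient records per user per day, assumed

# Constructed watch lists (in practice sourced from HR and a maintained list).
EMPLOYEE_PATIENT_IDS = {"P-2001"}                  # workforce members who are also patients
MEDIA_INTEREST_IDS = {"P-3001"}                    # patients with known media interest
ON_LEAVE = {"u.nurse1": {date(2021, 3, 2)}}        # user -> dates recorded as time off

# Constructed sample audit log: one ordinary-looking access on a day the user
# is on leave, one at 02:40, one to an employee's record, one to a
# media-interest record, and a temp account touching 30 distinct records.
SAMPLE_LOG = """\
2021-03-02T09:15:00,u.nurse1,P-1001,view
2021-03-02T02:40:00,u.clerk7,P-1002,view
2021-03-02T10:05:00,u.clerk7,P-2001,view
2021-03-02T11:00:00,u.doc3,P-3001,view
""" + "\n".join(
    f"2021-03-02T13:{i:02d}:00,u.temp9,P-5{i:03d},view" for i in range(30)
)


def parse_log(text):
    """Parse the assumed CSV-style log into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "patient": patient, "action": action})
    return records


def flag_off_duty(records):
    """Access outside business hours, on a weekend, or on a recorded day off."""
    flagged = []
    for r in records:
        ts = r["ts"]
        off_hours = ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5
        on_leave = ts.date() in ON_LEAVE.get(r["user"], set())
        if off_hours or on_leave:
            flagged.append((r["user"], r["patient"]))
    return flagged


def flag_high_volume(records, threshold=HIGH_VOLUME_THRESHOLD):
    """Users who touched more than `threshold` distinct patient records in one day."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["user"], r["ts"].date())].add(r["patient"])
    return {user: len(patients) for (user, _), patients in seen.items()
            if len(patients) > threshold}


def flag_watchlist(records, watchlist):
    """Any access to a patient id on the given watch list."""
    return [(r["user"], r["patient"]) for r in records if r["patient"] in watchlist]


def triage(text):
    """Run all four checks and return findings keyed by trigger."""
    records = parse_log(text)
    return {
        "off_duty": flag_off_duty(records),
        "high_volume": flag_high_volume(records),
        "employee_records": flag_watchlist(records, EMPLOYEE_PATIENT_IDS),
        "media_interest": flag_watchlist(records, MEDIA_INTEREST_IDS),
    }


if __name__ == "__main__":
    for trigger, findings in triage(SAMPLE_LOG).items():
        print(f"{trigger}: {findings}")
```

Each finding is a starting point for the "additional investigation" the rule calls for, not a conclusion: a nurse reading a chart on a recorded day off may have swapped shifts, and a temp account touching thirty records may be doing legitimate batch work. The value of the check is that it surfaces these events for a human reviewer on a schedule, which is what a self-audit process has to guarantee.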