Details of the HIPAA audits

Health Info Security has published the transcript from an interview with Susan McAndrew of the Department of Health and Human Services’ Office for Civil Rights. The article is very good and should be read in its entirety. Below are some of the key points.

When asked if business associates as well as covered entities will be part of the 150 audits, McAndrew responded:

Eventually. I’m not sure whether business associates will be part of the initial selection process because they are a little more difficult to obtain information about. We don’t have a list or a registry yet of who is a business associate. We’re still strategizing as to how to collect information about business associates to make a meaningful selection, but we certainly are looking to KPMG to have protocols developed to give us the capability of auditing business associates.

It’s unclear at this point whether or not we will be able to conduct and test the business associate protocols. We are hopeful of being able to do so. The primary focus is going to be on the protocols for the covered entities and proving the audit results with regard to covered

It should be interesting to see how they collect the list of business associates. Will they require each covered entity to identify its own business associates?

When asked if the audits will be looking for general compliance or more specific issues of compliance McAndrew replied:

However, at least initially, because we’re very interested in assuring that the protocols are complete and provide comprehensive feedback to us on the degree of compliance, we will be focusing primarily on more comprehensive aspects of compliance

This can be read as meaning that the auditors will be looking at how closely an organization complies with the HIPAA regulations overall. At a high level that may include policies and procedures, when the last risk assessment was conducted, employee training, incident response procedures, etc.

When asked about onsite audits and whether results will be published publicly, she responded:

The model that we’re testing is your typical onsite audit. … There will definitely be advanced notice to the entity. There will usually be advanced request for documentation and survey material from the covered entity so that the auditor can best use their time onsite to focus in on what they need to do and the people they need to talk to onsite. And then, as is typical following the onsite visit, the auditors, if they need to, will collect more information. They will complete their draft report. Typically the draft report is shared with the covered entity before it’s final, and the covered entity’s responses to the findings of the auditor would be incorporated as part of the final audit report.

We haven’t decided that (publishing results publicly) yet. Part of this whole endeavor is to have an evaluation component where we can be assured that the information that we are getting through this audit process is accurate and meaningful.

That said, whether we do it in summary form or publish the individual report similar to the way that the inspector general does with their audit materials still needs to be worked out. I think that we will be looking at that very closely as part of our evaluation criteria.

So audits will be onsite and the organization will have advance notice. Draft reports will be shared with the covered entity before they are finalized. It is not clear whether the results of each audit will be published or only a summary. Will this turn into another wall of shame?

And finally, McAndrew gives organizations insight into how to prepare for the coming audits:

But this is certainly an opportunity for the covered entities to review their policies and procedures to make sure that they are complete and up-to-date. Also, the way that they are managing the information, whether it’s in computerized files or good old-fashioned paper records, make sure that they are fully documenting what’s being done with the information and how it’s being managed and safeguarded. The [HIPAA] security rule has its own requirements for risk analysis and risk management programs. …

Through the experience that we’ve been having with covered entities on breaches and incident response plans, [those plans] need to be up-to-date and flexible, as well as emergency backup systems. I think this is just another opportunity for covered entities to take a moment from their busy, busy days and do a self-assessment. We think that this will help them down the road in terms of building their own capacity for a robust compliance program, training of individuals and making sure that there is awareness throughout the entity of their security and privacy rules and responsibilities.

So she recommends:

  • Creating or reviewing the appropriate policies and procedures
  • Performing a risk assessment as well as running a risk management program (acting on the results of the risk assessment)
  • Creating or updating incident response plans (and the emergency backup systems they depend on)
  • Training employees and implementing an employee awareness program

Good advice for every organization!


Microsoft’s Office 365 Cloud Service to offer HIPAA BAAs

Microsoft’s latest cloud-based service, Office 365, was recently released. More than 200,000 organizations participated in the beta testing period. Office 365 provides the following:

Microsoft Office, Microsoft SharePoint Online, Microsoft Exchange Online and Microsoft Lync Online in an always-up-to-date cloud service, at a predictable monthly subscription.

In addition, Microsoft is targeting the healthcare industry by offering Business Associate Agreements (BAAs). Microsoft is one of the first large vendors to offer a HIPAA BAA for a cloud-based service.

Due to the requirements of HIPAA, the Health & Life Sciences industry requires privacy, security, and confidentiality of patient data (“protected health information”). With this in mind, Microsoft will be among the first in industry to offer a Business Associate Agreement (BAA) as an operationalized part of its solution to address requirements associated with hosting protected health information. Customers can obtain more information on BAA availability from their designated Microsoft account manager.

Offering a BAA makes it easier for healthcare organizations to use the Office 365 cloud service, since a covered entity that lets a vendor store or process PHI on its behalf needs a BAA in place with that vendor. By contrast, companies such as Google have not offered a BAA for their cloud-based services. Microsoft has made a wise choice in offering the BAA; it will make it easier for organizations to adopt Office 365 and remain compliant with HIPAA regulations.

Let’s hope more cloud based services step up and offer Business Associate Agreements to customers.


Entegration joins MedTech Group Purchasing Organization

Entegration, Inc. Joins MedTech For Solutions Group Purchasing Organization as a New Vendor
Morristown, NJ, June 04, 2011 –(PR.com)– Entegration, Inc. (Entegration) is pleased to announce that they have joined MedTech For Solutions Group Purchasing Organization (GPO) (MedTech) as a new vendor. This partnership will enable Entegration to provide Information Technology (IT) services to the GPO, a member network of more than 270 medical practices, clinics and laboratories, a majority of which are specializing in reproductive medicine.

“Entegration brings the IT component that was missing to the GPO members,” stated Dwight P. Ryan, MedTech For Solutions President, and CEO. “Having worked with Entegration in the past I am happy to be able to offer their services and knowledge of the specialized technology needs of reproductive medical practices.”

Entegration will provide a wide range of services to the MedTech GPO including: electronic medical records (EMR) selection, implementation and support; network installation and support; helpdesk services; email implementations; remote access solutions; network security; and encryption services for email, laptops, and desktops.

Additionally, Entegration provides Health Insurance Portability and Accountability Act (HIPAA) security compliance services through its innovative HIPAA Secure Now! service. HIPAA Secure Now! is the first comprehensive and affordable HIPAA security service that assists medical practices with HIPAA compliance and protecting patient information. In light of recently increased HIPAA enforcement, medical practices need to evaluate how they are protecting patient information and focus on being compliant with HIPAA regulations.

“We are thrilled to be able to provide our skills and resources to the MedTech GPO member practices,” said Art Gross, Entegration President and COO. “We have been supporting reproductive medical practices since Entegration was founded in 2000 and feel we are a great fit for the MedTech GPO.”

About MedTech For Solutions, Inc.
MedTech For Solutions offers a full range of services to specialty medical practices, with emphasis on ART practices and laboratories. The MedTech For Solutions Group Purchasing Organization (GPO) provides practices significant savings for all medical, pharmacy, laboratory, capital equipment, and office purchasing needs. There is no cost to join the GPO. MedTech’s Laboratory Solutions consulting division is dedicated to working with practices in the building of new laboratories and the improvement of clinical outcomes of existing facilities by establishing and implementing state-of-the-art embryology practices and optimizing ART laboratories operations. Additionally, MedTech offers practice development, recruitment and risk management services. For more information visit www.medtech4solutions.com.

About Entegration, Inc.
Entegration offers a full range of Information Technology (IT) services to healthcare organizations. Entegration has focused on healthcare and medical practices since it was founded in 2000. Entegration provides its advanced knowledge and expertise to clients that range from startup medical practices to large established multi-physician, multi-location medical practices. Entegration provides HIPAA security services through its innovative HIPAA Secure Now! service. For more information visit www.entegration.net and www.hipaasecurenow.com

###

Contact Information
Entegration, Inc
Diana Mazzarella (Operations Manager)
877-275-4545 x87
dianam@entegration.net
www.entegration.net

Deloitte study shows some interesting security information

The consulting company Deloitte released a study called Privacy and Security in Health Care: A Fresh Look (PDF).

The report is a 20-page overview that addresses the following:

  • Provides an update about current and emergent privacy and security challenges in health care;
  • Examines notable hot spots where current policies, rules, and regulations are a focus of industry risk;
  • Reviews the state of preparedness for privacy and security risk throughout the industry;
  • Suggests an approach to assessing an organization’s current preparedness.

The report includes a good graph breaking down the breaches reported to HHS since 2009. It shows that laptops continue to be the leading source of data breaches.

The study went on to look at other healthcare industry studies and the results show that organizations are clearly not doing enough to protect patient privacy.

Some highlights of the studies include:

  • 85% of hospitals are not in compliance with HITECH
  • Data breaches cost organizations on average $1 million annually
  • The top three causes of a data breach are: unintentional employee action, lost or stolen computing devices, and third-party snafus
  • Inadequate budget and a lack of trained staff or end users are the top two reasons for data breaches

The findings from a CMS study of covered entities (CEs) were eye-opening:

  • CEs did not perform a risk assessment and did not have a formalized, documented risk assessment process
  • Risk assessments were outdated and did not address all potential areas of risk
  • CEs had few and inadequate policies and procedures and they did not address the HIPAA Security Standards and Implementation Specifications
  • Documented procedures were inconsistent with procedures followed by CE personnel
  • CEs did not conduct security awareness training prior to granting user access
  • CEs had business associates (BAs), but Business Associate Agreements (BAAs) did not exist between the two parties or the existing BAAs were inadequate

The report is very interesting and worth a thorough read.


The perfect storm for data breaches

In the movie The Perfect Storm, all the forces had to come together to cause the perfect storm. A storm so big and so powerful that, well, you know, the Andrea Gail had no chance against it.

If I were to think of a scenario where everything came together to create an environment with a huge number of data breaches affecting patient data, this is what I would come up with:

1. The government would encourage health organizations to switch from paper records to electronic records by giving away billions of dollars in incentives.
2. The government would not give these organizations the money up front but would pay it out slowly over a few years.
3. The health organizations would spend an enormous amount of money implementing electronic medical record systems.
4. The large outlay of money would leave these organizations financially strapped, with minimal resources left for training and for securing the new EMR systems.
5. A severe economic recession would cut down on the number of patients these health organizations provide services to. This would add to the financial burden the organizations were already feeling.
6. A shortage of skilled IT workers would make it difficult for health organizations to find people to help secure these new EMRs.
7. Computer viruses and malware would become more sophisticated and harder to prevent. The malware would steal data and leak patient information to external parties.
8. Portable devices (laptops, tablets and smartphones) would become cheap and ubiquitous. These portable devices could easily hold a lot of patient data.
9. A large number of portable devices would be lost and/or stolen.
10. Patient medical data would become valuable and in high demand by criminals looking to use it for identity theft and other crimes.
11. The government’s regulations protecting patient medical data would largely be ignored due to a lack of resources and a lack of government enforcement.

Altogether these forces would cause the perfect storm of patient data breaches. Hundreds of health organizations would have data breaches. Millions of patients would have their information compromised. And while this was occurring the government would sit back and watch.

The scenario is very frightening. Good thing stories like this only happen in the movies.


EMRs are like guns in the wrong hands

Putting a gun in an inexperienced person’s hands is a very bad idea. Handguns can be very safe if safety precautions are taken. Experienced gun owners take the right steps to ensure that the gun does not cause harm. Not storing a gun loaded, using safety locks and keeping guns in a locked gun cabinet are all steps that knowledgeable and experienced gun owners take.

This year many health organizations are implementing EMRs for the first time. They are going from paper charts and relatively few computers to complex networks, servers, tablets and other computing devices. These organizations are used to protecting patients’ information by ensuring that charts are not left where unauthorized persons can read them, storing charts in locked cabinets and taking other general precautions to protect paper-based records.

The switch to electronic medical records is a new adventure for some of these organizations. They probably spent months evaluating, planning and implementing their new EMR. The first weeks and months of an EMR implementation are usually a very harrowing experience. New systems, new workflows, and hardware and software issues all put a lot of stress and strain on an organization’s employees. Doctors, nurses and the entire staff usually struggle at the beginning of an implementation. In addition, the total amount of training that the EMR vendor provides is on average 1-2 hours per employee (and that number may be high in some cases). The training is usually focused on how to use the new EMR: how to log in, how to enter progress notes, how to e-prescribe, etc. Little or no training is provided on how to protect patients’ information.

Topics such as securing the daily tape backup, encrypting USB drives and laptops, ensuring that emails are sent securely, and performing a risk assessment are usually not discussed in the EMR training. Some may argue that the EMR vendor should address these topics, but that is for another discussion. The reality is that you have an organization that is struggling to learn and use a new EMR and has little or no knowledge of computer and patient data protection. Is it any wonder that we have so many patient data breaches?

EMRs and electronic data accessed and used by inexperienced employees are very dangerous to the organization’s patients. Just as dangerous as putting guns in an inexperienced person’s hands.


HIPAA Security Rule Implementation

If you haven’t heard about HIPAA yet, you have probably been living under a rock. If you ask most people about HIPAA, patients and practice staff alike, you will probably get responses concerning the privacy and protection of health information. Most practices have implemented the basic required steps to protect patient privacy. Two of the most visible requirements are the Notice of Privacy Practices that patients are asked to acknowledge receiving, and publicly available HIPAA privacy policies. However, as more and more practices move towards electronic health record systems (EHRs), there is a more complex side of HIPAA that many small, midsize and even large practices may not have focused on: the HIPAA Security Rule.

I plan on future articles that go into the HIPAA Security Rule in much more depth, but for now let’s look at the Security Rule at a high level. The HIPAA Security Rule requires that practices put in place policies and procedures to ensure that electronic protected health information (EPHI) is properly protected. A good comparison of how the HIPAA Privacy Rule and the Security Rule treat EPHI is given in the Centers for Medicare & Medicaid Services (CMS) Security 101 for Covered Entities:

Electronic vs. oral and paper: It is important to note that the Privacy Rule applies to all forms of patients’ protected health information, whether electronic, written, or oral. In contrast, the Security Rule covers only protected health information that is in electronic form. This includes EPHI that is created, received, maintained or transmitted. For example, EPHI may be transmitted over the Internet, stored on a computer, a CD, a disk, magnetic tape, or other related means. The Security Rule does not cover PHI that is transmitted or stored on paper or provided orally.

There are three main parts of the HIPAA Security Rule as defined by CMS for small providers:

1. Administrative Safeguards – These provisions are defined in the Security Rule as the “administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
2. Physical Safeguards – These provisions are defined as the “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
3. Technical Safeguards – These provisions are defined as the “technology and the policy and procedures that protect electronic protected health information and control access to it (the EPHI).”

As I mentioned, I plan on drilling down into each of the main parts of the Security Rule. For a very good overview from CMS, take a look at the Security Standards: Implementation for the Small Provider document. The document goes into further detail on each of the three parts and provides questions and examples to help you better understand the concepts and principles.
