HITECH Breach Reporting Rule Withdrawn

HHS has withdrawn the Interim Final Rule for Breach Notification for Unsecured Protected Health Information.  On the HHS website there is a notice that states:

The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009.  During the 60-day public comment period on the Interim Final Rule, HHS received approximately 120 comments.

HHS reviewed the public comment on the interim rule and developed a final rule, which was submitted to the Office of Management and Budget (OMB) for Executive Order 12866 regulatory review on May 14, 2010.  At this time, however, HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations.  This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur.  We intend to publish a final rule in the Federal Register in the coming months.

Consumer advocates have criticized the HITECH breach reporting rules and point specifically to the “harm standard”.  The “harm standard” allows healthcare organizations to determine whether a breach of patient information presents a significant risk of harm to the individual(s).  Healthcare organizations would most likely perform a risk assessment to determine whether the breach would present a significant risk in terms of financial, reputational or other harm to an individual.  Critics of the proposed rule say that allowing the healthcare organization to decide whether the risk is significant, and whether there is a need to disclose the breach, would result in many breaches going undisclosed.  Critics argue that the “harm standard” should be removed from the final rule and that all breaches should be disclosed.

I have mixed feelings on the “harm standard” and whether it should be included in the rule or removed from the rule.  On one hand I think the “harm standard” makes a lot of sense.  Assume a laptop is lost and it contains patient information (assuming the laptop was not encrypted), and then the laptop is returned 10 days later and it is also determined that the information on the laptop had not been accessed.  Under the “harm standard” a healthcare organization will most likely determine that there was no risk to the patients whose information was on the laptop, and therefore no breach notification would be required.  I would tend to agree with the determination to not disclose the breach because no patient information was accessed and no harm was done to the patient.

On the other hand, if a laptop is lost and it contained patient information and was not recovered, then I believe that the breach should be disclosed.  Under the “harm standard”, a healthcare organization could perform a risk assessment, determine that the cost of reporting the breach was more than the risk to the patient, and decide not to disclose the breach.  In this example I disagree with the “harm standard” and think it would be wrong for a healthcare organization to make the determination that the breach should not be disclosed.

As you can see, the “harm standard” is not black and white.  In some cases it makes sense and in others it does not.  HHS will have a challenge to revise the rule so that patients are properly protected while at the same time not every incident leads to a breach notification.


Strange days indeed

You have to admit that now is a very interesting time to be in the healthcare field.  This year we saw a $1 Trillion healthcare reform bill get passed.  I don’t believe that anyone has a real understanding of the impact of the bill or its effects on medical practices.  It seems every day more details of the bill are revealed.  It will take years before we see the total impact.

Then you have the ARRA stimulus package, which provides $19 Billion in Medicare incentives to doctors that embrace the use of certified EHRs.  This is a huge opportunity for medical practices to implement technology and move from paper charts to EHRs.  But along with the incentives come some significant obstacles.  Medical practices have to use a certified EHR, but there is no definition of what that means or who the exact certifying bodies are.  As of today you cannot purchase an EHR that is certified and will qualify for the stimulus funds.  Practices not only have to implement certified EHRs but they have to use them in a way that shows “meaningful use”.  Of course the exact rules for meaningful use are not known, and many argue that the rules being proposed are too rigid and the bar is too high for practices to actually show meaningful use.  Taken altogether, you have a lot of medical practices that want to cash in on the ARRA stimulus incentives and implement an EHR, but uncertainty and obstacles are keeping them on the sidelines.  They are taking the wait-and-see approach.  Some are even thinking that it may not be worth the effort to attempt to participate in the ARRA stimulus incentives.

One thing for certain is that the medical practices that are moving forward with an EHR implementation are spending a lot of money.  There is no way around it: EHRs are expensive.  The cost of the software, hardware, network, training, staff disruption and all of the other components that go into an EHR implementation adds up.  Of course the hope would be that the costs would be offset by the ARRA stimulus incentives, but that is not a guarantee, as I mentioned before.

At the same time as all this uncertainty around healthcare reform and the ARRA stimulus, medical practices have to contend with two major economic issues.  The first is the severe recession that we have been in since 2008.  There is no way around it: when the economy is suffering, all businesses, including medical practices, suffer as well.  I hear from my clients that patient visits are down and that waiting rooms are less full.  This has a significant and real impact on a medical practice’s cash flow and financial health.  The second economic issue is the proposed cut of 21% in Medicare payments to physicians.  For at least 6 months the looming threat of a 21% cut in Medicare payments has darkened the economic sky for medical practices.  Congress has postponed the cuts several times but has not permanently addressed the situation.  As of today, the 21% cut has been pushed back until November 30, 2010.  Along with postponing the Medicare cut, Congress has given doctors a 2.2% increase until November.  Very few medical practices are rejoicing, because in December 2010 they are looking at a 23% cut in Medicare payments followed by a 30% cut in January 2011.  No one really knows what the final outcome will be or when.

On top of major financial outlays to implement EHRs and the uncertainty surrounding the economy and Medicare reimbursements, medical practices have to deal with many government regulations.  As I have written about often, the looming threat of HIPAA Security Audits is a real concern for medical practices.  Implementing HIPAA Security usually requires skill sets that medical practices don’t have.  IT security companies are needed to help with policies and procedures, vulnerability and risk assessments, and implementing new technologies such as email and laptop encryption.  On top of HIPAA Security, medical practices face the “Red Flags Rule”, which requires that certain entities develop and implement written identity theft prevention and detection programs to protect consumers from identity theft.  The Red Flags Rule has been postponed several times and was to go into effect June 1, 2010.  As of now the FTC has agreed to keep physicians exempt from the rule until the outcome of a lawsuit by the American Bar Association.  Once again, the outcome of this regulation is unknown.

When you look at each of the issues a medical practice has to address, from healthcare reform to Medicare reimbursement cuts, they don’t seem too bad.  Each one taken separately allows a medical practice to address the issue and make modifications to the way it runs its business.  But unfortunately all of the issues are happening at the same time.  A medical practice has to address all of the issues together, including major financial outlays, cuts in revenue caused by several factors, and staying abreast of and implementing the latest government regulations.  All the time spent addressing these issues is time not spent seeing and treating patients.

Have other industries gone through such dramatic change in such a short period of time?  The changes provide opportunities along with real negative effects.  Medical practices need to be flexible and to adjust to all of these changes.  Some of the changes, such as the Red Flags Rule, may never occur.  But either way a medical practice needs to be prepared, informed and ready to change its business model to adjust to such dramatic changes.  Strange days indeed.


OCR Guidance on Risk Analysis

In this article I discussed that the Office for Civil Rights (OCR) is getting ready to begin HIPAA Security Audits.  The audits should begin by the end of this year.  In an interview with Susan McAndrew, OCR’s deputy director for privacy, she mentions the importance of performing a Risk Assessment.

OCR has published a paper called:

HIPAA Security Standards: Guidance on Risk Analysis

Below are some highlights from the paper.

We begin the series with the risk analysis requirement in § 164.308(a)(1)(ii)(A). Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule. Therefore, a risk analysis is foundational, and must be understood in detail before OCR can issue meaningful guidance that specifically addresses safeguards and technologies that will best protect electronic health information.

All e-PHI created, received, maintained or transmitted by an organization is subject to the Security Rule. The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI. Risk analysis is the first step in that process.

The following questions, adapted from NIST Special Publication (SP) 800-66, are examples organizations could consider as part of a risk analysis. These sample questions are not prescriptive and merely identify issues an organization may wish to consider in implementing the Security Rule:
  • Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.
  • What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit e-PHI?
  • What are the human, natural, and environmental threats to information systems that contain e-PHI?

Organizations should use the information gleaned from their risk analysis as they, for example:

  • Design appropriate personnel screening processes. (45 C.F.R. § 164.308(a)(3)(ii)(B).)
  • Identify what data to back up and how. (45 C.F.R. § 164.308(a)(7)(ii)(A).)
  • Decide whether and how to use encryption. (45 C.F.R. §§ 164.312(a)(2)(iv) and (e)(2)(ii).)
  • Address what data must be authenticated in particular situations to protect data integrity. (45 C.F.R. § 164.312(c)(2).)
  • Determine the appropriate manner of protecting health information transmissions. (45 C.F.R. § 164.312(e)(1).)

I encourage you to read the full paper to get a good overview of how OCR believes a Risk Assessment should be conducted.


OCR gears up for HIPAA / HITECH Audits

The HITECH Act has shifted the responsibility for enforcing the HIPAA Security Rule from the Centers for Medicare & Medicaid Services (CMS) to the Office for Civil Rights (OCR), which is part of the Department of Health and Human Services.  OCR has been enforcing the HIPAA Privacy Rule since 2003 and has been gearing up to start HIPAA Security Rule enforcement.  They are working with the consulting company Booz Allen Hamilton to determine the audit model they are going to use and how fast they can implement it.

Susan McAndrew, OCR’s deputy director for privacy, said in an interview with HealthcareInfoSecurity.com that:

  • The audits likely will be outsourced and not conducted by OCR staff.
  • Security audits will check that organizations have completed a risk assessment and implemented appropriate administrative, technical and physical safeguards.
  • Audits for compliance with the privacy rule will focus on organizations’ efforts to uphold individuals’ rights, such as their right to access their own medical records.

It seems clear that a major part of any HIPAA Security Audit will be based on how a practice conducted its risk assessment.  As I mentioned in this article, I believe the Risk Assessment is at the core of the HIPAA Security Rule.

McAndrew also mentions the importance of using encryption technology on mobile devices.  She goes on to say:

I am continually surprised by the fact that you actually have to lose your laptop before the light bulb goes on and you say, “Gee, maybe I need an encryption policy here.” You know, you are a lot better off if you can learn from your neighbor. Don’t let it happen to you; encrypt those things now and don’t wait until they are lost to suddenly decide, “Gosh that’s probably a good idea.” And the other lesson I hope people learn is that it is not good enough just to have the policy or to have that light bulb go on. Once you have established that as your policy, you really have to make sure that you train people and it is part of your culture to ensure that encryption happens because, two weeks after you issue the e-mail saying this is what you have to do, life takes over and people think it is too much trouble or they have to go see an IT person and they don’t have time and they walk out the door without getting their laptop encrypted and bad things happen. So it is to have a good policy and enforce that policy so that we don’t have to enforce that policy.

Susan McAndrew gives some good insights into what is going to occur with HIPAA Security Audits.  The audits will most likely begin by the end of the year.  They will most likely be outsourced and will not be handled by OCR personnel.  A major focus of the HIPAA Security Audit will be the Risk Assessment and how a practice implements the Administrative, Technical and Physical safeguards.  In addition, her advice is to start using encryption on all mobile devices.

The writing is now on the wall.  Now is the time to start thinking about HIPAA security.  It does not matter what phase you are in regarding electronic protected health information (EPHI).  If you are researching EMRs, a major concern should be how the EMR fits into your overall security strategy.  If you have already implemented an EMR, then you should make sure that you have completed your risk assessment and that you have implemented the steps required to protect your EPHI.

Update:  OCR has published a paper with guidelines for performing a Risk Analysis.


Minimize security risks by keeping software up to date

It seems pretty obvious that if you keep your software updated you decrease the chances of incurring a security breach.  Software updates include operating systems (Windows XP, Vista, Windows 7, Windows Server 2003, Windows Server 2008, etc.), Adobe Acrobat, Microsoft Office, Internet Explorer, Microsoft SQL Server, etc.  By security breach I am referring to a virus attack, spyware / malware, or theft of data by an entity external to your network.

Microsoft published Version 8 of its Security Intelligence Report (SIR), which is a 250 page report on security.

Wolfgang Kandek, the CTO of Qualys, a maker of vulnerability scanning products, does a nice job summarizing some of the key points of the Microsoft SIR:

  • Running updated software decreases the attack surface and increases general robustness. The report shows that attackers target Internet Explorer 6 (IE 6) up to four times more often than the newer version IE 7 (pg. 33). Statistics on the OS level reveal that the newer versions of Windows are less likely to be infected by malware: Windows XP SP3 is more than five times better than the original Windows XP, and Windows 7 is another three times better than XP SP3 (pg. 85). In addition, 64-bit implementations add another layer of robustness.
  • Application attacks continue to increase. Adobe Reader attacks were used in 44 percent of the investigated cases, followed by an attack on a recent Internet Explorer vulnerability with 16 percent. The remaining 40 percent are divided among attacks on the OS and a variety of different software packages, including RealPlayer, Apple QuickTime, and AOL software (pg. 26).
  • Attacks against Microsoft Office make use of older vulnerabilities and can easily be avoided by keeping the software suite up to date. By applying the respective service packs, users can avoid the majority of Office file format attacks (pg. 43).
  • While Windows 7 (and Vista SP2) are clearly much better than the older versions of Windows, there has been an uptick in the infection rate. Attackers are starting to focus their attention on Windows 7 as it becomes more widely deployed, and it will be interesting to see how its performance develops.

It is clear that Microsoft believes that the more you patch and update your products, the lower the chances of experiencing a security breach / attack.  If you are cynical and say that of course Microsoft wants you to upgrade your products because it makes them more money, I won’t argue with you.

A best practice, and one that you should follow as you implement the HIPAA Security Rule, is to perform a Risk Assessment that includes a vulnerability scan.  The vulnerability scan will identify the holes and vulnerabilities in your current software (operating system, application software, network equipment, etc.).  Once you get the results of the vulnerability scan, you will want to ensure that you apply the appropriate software patches and/or upgrades to eliminate or minimize the risk from those vulnerabilities.  Moving forward, you will want to adopt a software patching process that applies the latest patches that software vendors release.  Microsoft offers a few free ways of keeping your software up to date.

Once again, the more you keep your software updated, the less likely you are to experience a security breach / attack.
