healthcarecompliance101

Healthcare Compliance 101

Archive for the category “HIPAA Security”

Phase Two HIPAA Audits Have Begun

July 12, 2016

OCR’s Phase Two HIPAA Audits Have Begun

Phase Two of OCR’s HIPAA audit program, which officially began a couple of months ago, has officially kicked into high gear.   Selected covered entities have now received notification letters regarding their inclusion in the desk audit portion of the audit program.  Letters were delivered on Monday, July 11, 2016 via email to 167 health plans, health care providers and health care clearinghouses (covered entities).  The desk audits will examine the selected entities’ compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules.

The desk audits are focused examinations of documentation of entity compliance with certain requirements of the HIPAA Rules (see table below).  OCR selected these provisions for focus during the desk audits because our pilot audits, as well as our enforcement activities, have surfaced these provisions as frequent areas of noncompliance.  Entities received two email communications, which were sent to the contact information confirmed by the entity during the pre-audit phase of the program. Nevertheless, these emails may be incorrectly classified as spam in the recipient’s email service.  Covered entities should monitor their spam filtering and junk mail folders for emails from OSOCRAudit@hhs.gov.   One e-mail includes a notification letter providing instructions for responding to the desk audit document request, the timeline for response, and a unique link for each organization to submit documents via OCR’s secure online portal. A second email contains an additional request to provide a listing of the entity’s business associates and also provides information about an upcoming webinar, where OCR will explain the desk audit process for auditees and take their questions.    Entities have 10 business days, until July 22, 2016, to respond to the document requests. Desk audits of business associates will follow this fall.

For more information, see http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html.

Requirements Selected for Desk Audit Review

Privacy Rule Notice of Privacy Practices & Content Requirements   [§164.520(a)(1) & (b)(1)]
Provision of Notice – Electronic Notice   [§164.520(c)(3)]
Right to Access  [§164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3),  (c)(4), (d)(1), (d)(3)]
Breach Notification Rule Timeliness of Notification  [§164.404(b)]
Content of Notification  [§164.404(c)(1)]
Security Rule Security Management Process —  Risk Analysis  [§164.308(a)(1)(ii)(A)]
Security Management Process — Risk Management  [§164.308(a)(1)(ii)(B)]

 

Responding to a CyberSecurity Incident

July 2016

Is your Covered Entity or Business Associate Capable of Responding to a CyberSecurity Incident?

Computer security incident response is an important element of an information technology program.  It can assist Covered Entities and Business Associates in promptly detecting breaches, decreasing loss and damage, mitigating the weaknesses that were exploited, protecting the confidentiality, integrity, and availability of data, and restoring IT services back to normal.

HIPAA defines security incidents as attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.  (See the definition of security incident at 45 CFR 164.304).  HIPAA also identifies breaches as, generally, an impermissible acquisition, access, use, or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information. (See the definition of breach at 45 CFR 164.402).

According to a survey recently conducted, 43% of the survey respondents lack formal incident response plans and procedures, and 55% percent of them lack formal incident response teams.  Also, 61% of these respondents have experienced a data breach in over the past two years, which included unauthorized access, denial of service, or malware infection.   Cybersecurity-related attacks have continued to rise and become more destructive and disruptive.  According to a different study, in 2014 the average cost to a company suffering a data breach affecting personally identifiable information (PII) was $3.5 million, with an average cost of $145 per individual.

With the constant upsurge of security breaches that involve cyberattacks and as required by the HIPAA Security Rule, Covered Entities and Business Associates should have security incident response capabilities established.  Although effective incident response planning can be a complex task, it should be one of Covered Entities’ and Business Associates’ priorities.

When establishing incident response capabilities, Covered Entities and Business Associates should consider:

Ø  Developing incident response policies , plans, and procedures

An incident response policy assists Covered Entities and Business Associates in having a proper, concentrated, and coordinated approach to responding to incidents. The incident response plan should provide a roadmap for implementing the entity’s incident response capabilities.  The plan should also meet the Covered Entities’ and Business Associates’ distinctive requirements that relates to their mission, sizes, structures, and functions, and identify the necessary resources and management support. Incident response policies and plans should be approved by management and reviewed on an annual basis.

 

The incident response procedures should be based on the incident response policy and plan.  Incident response procedures are outlines of the specific technical processes, tools, techniques, and forms that are utilized not only by the incident response team, but also by staff who need to report an incident.  These procedures should include the entity’s processes for:

  • preparing for incidents;
  • detecting and analyzing incidents;
  • containing, eradicating and recovering from incidents; and
  • conducting post-incident activities and reviews.

 

Ø  Building relationships and setting up plans for communicating with internal and external parties regarding incidents

Building relationships and lines of communication between the incident response team and other groups, both internal and external can be challenging.  Covered Entities and Business Associates should plan the communication with these groups before an incident occurs.

 

Before establishing incident response policies and procedures, the incident response team should first develop relationships and lines of communication with internal groups within its organization, such as the IT department, public affairs office, legal department, internal law enforcement, and management.

 

Also, the incident response team should discuss with its entity’s public affairs office, legal department, and management about sharing information with external groups.  Covered Entities and Business Associates are often required to communicate with external parties regarding an incident and should comply whenever applicable.  External parties could consist of federal agencies, law enforcement, media, internet service providers (ISPs), vendors, or other incident response teams.

 

Ø  Staffing and training
Covered Entities and Business Associates should staff their incident response team with people who have the appropriate skillsets.  These skills could include network administration, programming, technical support, intrusion detection, and CyberSecurity forensic analysis; team members should also possess teamwork and communication skills.

 

Furthermore, incident response team and staff members should be provided with the necessary training to be effective in their roles, and to carry out their responsibilities during an incident or when an incident is suspected.

 

Resources:

National Institute of Standardization and Technology (NIST): http://csrc.nist.gov/publications/PubsSPs.html(Special Publication 800-61, Computer Security Incident Handling Guide)

Office for Civil Rights (OCR): http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html(HIPAA Breach Notification guida

New Guidance on Ransomware – Protect ePHI

Your Money or Your PHI:  New Guidance on Ransomware

One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyber-attacks on electronic health information systems, such as through ransomware.  The FBI has reported an increase in ransomware attacks and media have reported a number of ransomware attacks on hospitals. In recognition of the threat that ransomware poses to critical healthcare infrastructure, the Secretary of HHS recently sent the attached letter to chief executive officers (CEOs) of companies in the health care sector.  This letter highlights the importance of robust security compliance to combat ransomware attacks.

To help health care entities better understand and respond to the threat of ransomware, the HHS Office for Civil Rights today released new Health Insurance Portability and Accountability Act (HIPAA) guidance on ransomware. The new guidance reinforces activities required by HIPAA that can help organizations prevent, detect, contain, and respond to threats, including:

  • Conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and establishing a plan to mitigate or remediate those identified risks;
  • Implementing procedures to safeguard against malicious software;
  • Training authorized users on detecting malicious software and report such detections;
  • Limiting access to ePHI to only those persons or software programs requiring access; and
  • Maintaining an overall contingency plan that includes disaster recovery, emergency operations, frequent data backups, and test restorations.

 

Some of the other topics covered in the guidance include: understanding ransomware and how it works; spotting the signs of ransomware; implementing security incident responses; mitigating the consequences of ransomware; and the importance of contingency planning and data backup.  The guidance makes clear that a ransomware attack usually results in a “breach” of healthcare information under the HIPAA Breach Notification Rule.  Under the Rule, and as noted in the guidance, entities experiencing a breach of unsecure PHI must notify individuals whose information is involved in the breach, HHS, and, in some cases, the media, unless the entity can demonstrate (and document) that there is a “low probability” that the information was compromised.

Ransomware is a type of malware (malicious software) that encrypts data with a key known only to the hacker and makes the data inaccessible to authorized users. After the data is encrypted, the hacker demands that authorized users pay a ransom (usually in a cryptocurrency such as Bitcoin to maintain anonymity) in order to obtain a key to decrypt the data. Ransomware frequently infects devices and systems through spam, phishing messages, websites, and email attachments and enters the computer when a user clicks on the malicious link or opens the attachment.

Organizations need to take steps to safeguard their data from ransomware attacks. HIPAA covered entities and business associates are required to develop and implement security incident procedures and response and reporting processes that are reasonable and appropriate to respond to malware and other security incidents.

The guidance can be found at: http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf. Please feel free to share the attached letter, and the link to the new HIPAA guidance, with interested colleagues.

HIPAA Privacy and Security Compliance Audits Begin November 2011

OCR Announces November 2011 start of Privacy and Security Compliance Audits

     Overview:  OCR has announced that it is initiating Compliance Audits beginning November, 2011, as it is authorized to do so by the HITECH Act.  The HITECH Act requires the Department of Health and Human Services (HHS) to provide for periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification Standards.  These audits will strengthen enforcement and accountability for compliance with existing and forthcoming (by the end of 2011) Rule modifications.  HHS has delegated this auditing function to OCR.  To implement this mandate, OCR is piloting a program to perform 150 compliance audits of covered entities to assess privacy and security compliance.

     Who will be audited? Every covered entity and business associate is eligible for an audit.  OCR is responsible for selecting the covered entities that will be audited.  OCR has indicated that selections will be designed to provide a broad assessment of a complex and diverse healthcare industry.  This means that OCR will randomly select covered entities that are large, that are medium size and that are small (such as a 1 doctor healthcare provider).  No covered entity will be exempt from the chance of being selected for a compliance audit by OCR.

     What is the purpose of these audits?  These audits precede the imminent release of the Final HIPAA/HITECH Act Privacy, Security, Breach Notification and Enforcement Rules (expected before the end of 2011) and will strengthen enforcement and accountability for compliance with existing and forthcoming Rule modifications.

     How the Audit Program will Work.  Covered entities selected for an audit will be informed by OCR of their selection and the covered entity will be asked to provide documentation (in writing) of their privacy and security compliance efforts.  Covered entities will have 10 business days to provide the requested information.  Every audit will include a site visit and result in an audit report.  OCR expects to notify covered entities selected for an audit between 30 and 90 days prior to the onsite visit.  During site visits, auditors will interview key personnel and observe processes and operations to help determine compliance.  Onsite visits may take between 3 and 10 business days depending on the complexity of the organization and the auditor’s need to access materials and staff.  OCR will then issue a report based upon the audit.

     What happens After an Audit?  Should an audit report indicate a serious compliance issue, OCR my initiate a compliance review to address the problem.  Generally, OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective actions are most effective.

     Why the Push for Increased Audits?  The increase of 6,230,963 (for a total of 18,190,451) impacted individuals of HITECH breaches represents a skyrocketing jump of growing number of individuals affected by privacy and security breaches heightens the need by OCR to strengthen enforcement and accountability through compliance audits to ensure compliance with these Rules.

     What should a covered entity do to prepare for a potential OCR Audit and avoid the consequences (monetary penalties) for non-compliance?  To avoid the consequences of potential penalties for non-compliance, covered entities and business associates must now pay immediate attention to 1) conducting a new or reviewing an existing Risk Assessment of threat and vulnerability to Protected Health Information (PHI); 2) mitigating identified risks through privacy and security safeguard Policies and Procedures3) Training their workforce member (which includes management) to safeguard privacy and security of PHI; and, 4) Documenting those actions in writing.

 

HHS Appoints Contractor to Conduct HIPAA Privacy and Security Audits

HHS Appoints Contractor to Conduct HIPAA Privacy and Security Audits.

OCR Settles HIPAA Privacy and Security Case With UCLA

OCR Settles HIPAA Privacy and Security Case With UCLA.

Celebrity snooping  by employees results in stiff civil monetary penalties and a resolution agreement to University of California Los Angeles Health Services (UCLAHS).

Accounting of Disclosures – Proposed Rule

Patient rights in the healthcare industry have been a critical issue for years.  One such right that the public has insisted on is their right to access their own health information and amend health information when it is deemed to be incorrect. 

On May 31, 2011, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a Notice of Proposed Rule Making (NPRM) entitled HIPAA Privacy Rule Accounting of Disclosures Under HITECH.  OCR will now receive comments on this proposed rule until August 1, 2011 and is expected to publish a final rule by the end of 2011. Compliance with the accounting of disclosures requirements would then begin sometime mid 2012.

The purpose of this rule is to implement the requirement under HITECH to require covered entities and business associates to account for disclosures of protected health information to carry out treatment, payment and healthcare operations where such disclosures are made through an electronic health record. This rule will expand the accounting provision so that individuals would have the right to receive an access report indicating who has accessed ePHI in a designated record set.  A Designated Record Set means a group of records maintained by or for a health plan or health care provider that are 1) the medical records and billing records about individuals maintained by or for a covered health care provider; 2) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; used, in whole or in part, by or for the health plan or health care provider to make decisions about individuals.

There are a couple of noteworthy points about this NPRM. First, the covered entity accounting information must be for all disclosures by the covered entity or its business associates (if that business associate creates, receives, maintains, or transmits record set information). So this would include all non-routine and routine (those for treatment, payment and operations) disclosures of PHI from an electronic database (ePHI).  Beginning Jan. 1, 2013, individuals would have the right to receive a report of who accessed their ePHI (access report) for a three year period from the date of the request.  Secondly, covered entities will have to revise their Notice of Privacy Practices (NPP) to reflect these changes and provide individuals with a Notice of Privacy Practice that discloses how the covered entity may use and disclose PHI and the individuals’ rights regarding their health information.  Thirdly, this NPRM will reduce the time for a covered entity to respond to a request for an accounting of disclosures from 60 days to 30 days.

The time to start preparing for these new accounting of disclosure requirements is now – not December 2012.  Why now?  A big challenge will be whether your system vendors can handle this new ePHI accounting of disclosures requirement and how they will do it. Covered Entities and Business Associates will have to revise their NPP to explain to individuals that they now have a right to an accounting of all disclosures of their ePHI.  Changes will have to be made administratively on how a Covered Entity and Business Associate will manage non-routine disclosures of hardcopy PHI for 6 years and routine disclosures of ePHI for 3 years.  With another new rule (accounting disclosures) coming down the pike shortly, be prepared and start planning now. 

Dave Sina – Author of A Healthcare Compliance Plan for Less that Two Dollars ($2.00) Per Day.

OIG Results of HIPAA Security Audits of Hospitals

Audit (A-04-08-05069)

05-16-2011
Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight

Executive Summary

Our review found that the Centers for Medicare & Medicaid Services’ (CMS) oversight and enforcement actions were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the Health Insurance Portability and Accountability Act of 1996 Security Rule. As a result, CMS had limited assurance that controls were in place and operating as intended to protect electronic protected health information (ePHI), thereby leaving ePHI vulnerable to attack and compromise. Both the Social Security Act and the Security Rule require a covered entity, defined as a health plan, health care clearinghouse, or health care provider that transmits any health information in electronic form, to (1) ensure the confidentiality, integrity, and availability of the information; (2) protect against any reasonably anticipated threats or risks to the security or integrity of the information; and (3) protect against unauthorized uses or disclosures of the information.

Our audits of 7 hospitals throughout the Nation identified 151 vulnerabilities in the systems and controls intended to protect ePHI, of which 124 were categorized as high impact. These vulnerabilities placed the confidentiality, integrity, and availability of ePHI at risk. Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries’ personal data and performed unauthorized acts without the hospitals’ knowledge.

We recommended that the Department’s Office for Civil Rights (OCR) continue the compliance review process that CMS began in 2009 and implement procedures for conducting compliance reviews to ensure that Security Rule controls are in place and operating as intended to protect ePHI at covered entities. OCR did not comment on our specific findings and stated that it had considered our recommendations. OCR also noted that it maintains a process for initiating covered entity compliance reviews in the absence of complaints and that it had used this process to open compliance reviews as a result of our hospital audits. Although OCR stated that it maintains a process for initiating covered entity compliance reviews in the absence of complaints, it provided no evidence that it had actually done so.

Complete Report

Notification Download the complete report (PDF)
Adobe Acrobat Reader This link exits the Office of Inspector General Web site is required to view PDF files.

Copies can also be obtained by contacting the Office of Public Affairs at 202-619-1343.

Post Navigation