EXECUTIVE SUMMARY
Proposed rules aimed at strengthening HIPAA privacy and security requirements have put CIOs and security officers at provider organizations on alert. Experts weigh in on how the changes will play out and what it means for provider organizations.
In February 2011, when 900-bed Massachusetts General Hospital in Boston paid the government $1 million to settle potential violations of the HIPAA Privacy Rule [one element in the federal Health Insurance Portability and Accountability Act of 1996], it sent shock waves through the industry.
“People were surprised because this seemed like a run-of-the-mill data breach,” explains Christine Arevalo, director of Healthcare Identity Management at ID Experts, a Portland, Ore.-based consultancy. “There was no willful neglect involved.” Mass General's was the very first fine for the loss of protected health information under the Health Information Technology for Economic and Clinical Health (HITECH) Act, she adds, but there will likely be many more to come.
The U.S. Department of Health & Human Services' (HHS) website listing data breaches affecting 500 or more individuals is known informally as the “Wall of Shame.” (http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html)
SHIFTING LANDSCAPE
Hospital CIOs, chief information security officers, and privacy officers are working diligently to keep their names off that wall. But they are dealing with a regulatory environment that is still in flux. A final rule that will strengthen HIPAA privacy and security safeguards is due out before the end of the year. HHS also has proposed a rule for the accounting of disclosures from electronic records. The biggest shift under way may be a new enforcement regime as the HHS Office for Civil Rights (OCR) shifts gears from only reacting to data breach reports to begin random audits of the privacy and security safeguards of large and small providers and their business associates. Another new wrinkle under the HITECH Act is that state attorneys general can file civil lawsuits for HIPAA violations.
With providers eager to see how many resources OCR will apply to audits, one hint came in the form of a scathing May 2011 report from the HHS Office of Inspector General (OIG) criticizing OCR for not being proactive enough. The OIG independently audited seven hospitals and found 151 vulnerabilities in the systems and controls intended to protect patient data, of which 124 were categorized as high impact. It recommended that OCR continue to move forward with implementing procedures for conducting compliance reviews to ensure that security rule controls are in place and operating as intended.
“The response from OCR will probably be knee-jerk,” says Chris Apgar, president of consultancy Apgar & Associates in Portland, Ore. “They are likely to take that report seriously. We know they have hired many new investigators and they will feel prodded to do something.”
From OCR's perspective, hospitals have been especially delinquent, Apgar says. The agency has done investigations of breaches and found hospitals that didn't even have notices of their privacy practices posted.
“A common phrase OCR uses is ‘culture of compliance.’ What they mean by that is that the biggest sin is a lack of policies and procedures to document and correct issues,” Apgar says. Beyond that, he adds, providers should focus on training, disaster recovery, and making sure they have a security incident response team in place.
A PROVIDER'S PERSPECTIVE
Terrell Herzig, data security officer at UAB Health System in Birmingham, Ala., says one uncertainty for people in his position involves the proposed rule's data breach notification details. Initially, HHS established a harm standard that a breach does not occur unless the access, use or disclosure poses “a significant risk of financial, reputational, or other harm to individual,” and the providers themselves would get to make that determination. When privacy advocates and members of Congress criticized that proposal, HHS pulled it back for further study.
“There is some frustration that if there isn't consideration of the harm standard, it will have an impact on patient confidence in healthcare institutions,” Herzig says. “If you report to them a breach when they really aren't impacted-for instance, if the information breached is just their name-patients will get shell-shocked and anxious.” It may make sense, he adds, to have a third party such as a government agency make the harm determination.
Herzig is also closely watching the new rules around business associates being covered by HIPAA. “We still go into meetings with some vendors who haven't read the HITECH Act,” he says. “We are negotiating contracts and we tell them they have to go back and read it. And they and their subcontractors are really unaware that they will have to comply.”
Herzig says he has a strong seven-person HIPAA compliance team, and is lucky to have his CIO, Joan Hicks, also serving as UAB's privacy officer. “That is unusual,” he says. “She is a busy person, but if a situation comes up, she is right on it.”
Strong documentation is a key to compliance, he says. UAB uses an intranet site to document policies, procedures, and internal controls, including metrics around each one. “It is critical to have that documentation,” Herzig says. “That is the tool you are going to use to communicate in the case that you are audited.”
ID Experts' Arevalo agrees that software with a dashboard view is valuable. “Without one, providers are terrified they are going to miss something. They have spreadsheets and stacks of paper piling up on their desks,” she says, adding that a holistic approach should start with doing an inventory of where protected health information resides across all applications.
ID Experts works closely with hospital incident response teams and privacy offices, Arevalo says. Some have HIPAA compliance offices and even HITECH compliance offices, while others are still struggling with too few resources, and are far less prepared. “Our clients are a little terrified about random audits,” she admits. “People are wondering how OCR will split its resources between random audits and responses to data breaches. Where will the real focus be?”
EHR DISCLOSURE ACCOUNTING
OCR recently proposed a rule for the accounting of disclosures from electronic records. The proposal would establish guidelines for providing an “access report” to patients indicating who has accessed data in a designated record set. One problem hospitals face is that compiling that log data from multiple systems for reporting is a complex task. For instance, at 711-bed Maimonides Medical Center in the New York City borough of Brooklyn, 99 different applications hold patient records. “We needed to capture meaningful information about data in transit for two main types of reports,” says Gabriel Sandu, Maimonides' senior director of technical services. The first is to find out who accessed a certain patient's record over the three days they were in the hospital. The second is looking at the data a specific employee accessed over a certain period of time. “Imagine how hard it is to narrow it down by looking into all those logs, and literally millions of records,” Sandu says.
Four Questions for Susan McAndrew, deputy director for health information privacy, HHS Office for Civil Rights
The HHS Office for Civil Rights has taken on a much higher profile in recent years. That's in part because in 2009 HHS transferred authority for the enforcement of HIPAA security provisions to OCR from the Centers for Medicare & Medicaid Services.
As deputy director for health information privacy, Susan McAndrew has responsibility for implementing and enforcing the Privacy Rule. Healthcare Informatics asked her to describe some of the challenges her office is facing.
Healthcare Informatics: A final rule that will strengthen HIPAA privacy and security safeguards is due out before the end of the year. Is there any one aspect that has been the most difficult for OCR to develop? For instance, the rules around data breach notifications?
Susan McAndrew: The HITECH Act was specific in laying out what needed to be accomplished in the different components intended to strengthen the HIPAA Privacy and Security Rules. Careful attention has been paid to finding the right balance between strengthening the HIPAA Privacy and Security Rules and maintaining the workability of the requirements so that covered entities of all sizes can smoothly adapt to the changes.
It has always been understood that these changes would have a great impact on covered entities' behavior, which can be seen in what has already been happening with the breach notification rule. Breach incidents, particularly those breaches affecting 500 or more individuals, have received an immense amount of publicity, which should act as motivation for covered entities to take proactive measures to prevent similar breaches in the future. Furthermore, business associates will be accountable in the same ways covered entities have been accountable for their obligations under the HITECH Act. The growing adoption of electronic health records means there are an increased number of intermediaries involved in a person's protected health information, so it is important that all of these parties are held accountable in similar ways.
HCI: In the past, HHS has worked largely in a reactive manner to reports of possible HIPAA violations. If it does indeed begin a program of audits, that will require a larger and much broader effort. Is it requiring the OCR to build a much larger staff? Are you now working toward a pilot project? Could you describe some issues you need to work through and a timeline?
McAndrew: OCR is in the process of developing a sound and strategic audit program that will complement our ongoing enforcement activities. At this time, details on this program are still pre-decisional and OCR does not have an update on a schedule for implementation.
HCI: There have been two high-profile enforcements involving violations of the HIPAA privacy rule, involving Cignet Health and Massachusetts General. Are there lessons other providers can learn from how these cases were resolved?
McAndrew: OCR is serious about enforcement. Providers of healthcare services must be aware of their legal responsibilities and be compliant with the HIPAA Privacy Rule. It is HHS' expectation that covered entities and their business associates take these requirements seriously. HHS will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.
Policies and procedures are not just a stack of binders on a shelf. They must be an everyday part of an organization's culture. OCR strongly encourages covered entities and business associates to build and maintain a culture of compliance within their organization by regularly reviewing their policies and procedures to ensure full compliance with HIPAA. While HITECH may be an incentive for covered entities, self-evaluation should be standard practice. To ensure compliance, covered entities and business associates should conduct regular internal audits, hold regular trainings for their employees, and have a prompt action plan in place to respond to incidents.
HCI: Do you see signs that providers are getting more serious about their compliance efforts? Are there specific steps you would like to see more health systems take?
McAndrew: It is important to keep in mind the bigger picture-the purpose for all of these requirements is to protect and safeguard the patient's protected health information. Covered entities should not forget that building a culture of compliance is purposeful, and that purpose is to ensure and improve the quality of healthcare delivered to people. After all, covered entities are the custodians of a people's information and it is inevitable that this responsibility is accompanied by obligations under federal law.
In 2010 Maimonides turned to a solution from PacketMotion (Sunnyvale, Calif.) that works at the data center level to monitor user activity across applications. Its PacketSentry program audits PHI resources and can be used to lock down access. “In the past producing this type of report was time-consuming and expensive,” Sandu says. “This system fits with our methodology and workflow and is making it possible to produce the reports we need to be compliant.”
Nancy Dean, vice president for compliance, privacy, and internal audit at the three-hospital NYU Langone Medical Center in New York City, says one concern is that simply providing a list of names without any context may result in numerous questions from patients seeking to understand why all of the individuals listed accessed the record, resulting in significantly increased time in responding to HIPAA issues.
Dean's office conducts regular training and audits and is constantly assessing how to change, improve, or respond to HIPAA issues. The Compliance Office also set up a separate HIPAA Hotline in response to the HITECH regulations, separate from the general Compliance Helpline, in order to emphasize the importance of HIPAA issues and also to help ensure timely notification of any possible breaches, she says. Also, her office hired an additional staff member to focus entirely on HIPAA compliance issues, implemented a breach reporting and tracking system to keep track of reported potential breaches and to record the outcomes of the breach investigations.
“When OCR does come knocking, some providers freak out and come across as uncooperative, and that can be one of the biggest mistakes,” ID Experts Averalo says. “Remember that OCR investigators are not the bad guys,” she says. “They have a job to do and a right to ask questions.” OCR may even broaden out from a breach investigation to a full look at your entire compliance program. They have every right to do that. And most of the HIPAA requirements are not new, she notes. “Providers have had almost a decade to comply, so claiming ignorance is not going to fly.”
Healthcare Informatics 2011 August;28(8):26
