HIPAA Privacy & Security Compliance: Survey Results
Regardless of where they reside, it appears a number of Today’s Wound Clinic (TWC) readers live in a state of denial when it comes to their compliance of HIPAA privacy and security laws. Recently, TWC conducted the survey “Is your Wound Clinic HIPAA Compliant?” In this edition of Reader Report, we will present and discuss the results of this survey. First, let’s consider why compliance is so important in the wound clinic. While healthcare professionals most often think about HIPAA in terms of ongoing audits conducted by the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), the reality is providers are more likely to interact with a regulatory agency or a state attorney general as the result of a breach or a complaint. Additionally, what should be more important is keeping patients’ information private and secure (as safe and secure as you’d want your information kept).
How likely are program managers to interact with a regulatory agency, which could include the OCR, the U.S. Food & Drug Administration, and/or the Federal Trade Commission? That depends on the situation. Each regulatory body has oversight to some potential aspect of a given practice’s privacy and security programs. Waiting until after a security incident or complaint is not the time to begin to think about these programs.
The objective here is to present the results of the survey, compare them to a well-respected industry study (“Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data,” Ponemon Institute LLC), and discuss the survey results in the context of this seminal study.
Let’s start with a presentation of the survey results. Note this was not a scientifically conducted study. The results (from 151 individuals who filled out the complete survey and an additional 150 who filled out part of the survey) are indicative of the state of the industry, but they should only be considered preliminary. Data reported here include both cohorts. Due to the sample size, an effort has not yet been made to separate the results between the cohorts. Thus, the information is presented in aggregate form with some results based on 301 answers while others are based on 151 answers.
Before we delve into the detail of these results and compare them with other studies, it’s important to note that unless information is documented in the way required by HIPAA regulations, it doesn’t exist in the eyes of those with the OCR. The adage, “If you didn’t document it, it didn’t happen,” is especially true for HIPAA compliance efforts. For example, while almost 81% of respondents indicated they conducted a routine security risk assessment and generated a remediation plan (see page 29), only about 60% could produce a risk assessment and about 57% the remediation plan, respectively. This is more in line with the 60% of organizations conducting a risk assessment as reported by Ponemon.1 Even this number may be inflated given that virtually every resolution agreement OCR signs with breach offenders indicates the lack of an adequate security risk assessment.2 Now, let’s drill down into the meaning of each survey number:*
*(Note: Question 1 of the survey was a screening question that required responses only from those providers working in an outpatient wound clinic.)
Again, note that the share of providers who indicate their policies and procedures are effective and up-to-date is about 28 percentage points higher than the share who have the requisite documentation (96.7% vs. 69.4%). To be able to answer this question in the affirmative, there are a number of criteria to consider. First, to be effective, policies and procedures must accurately reflect how staff actually operate. For the sake of expediency, many organizations, particularly smaller ones, tend to purchase templates of policies and procedures without taking meaningful time to customize them. This results in policies and procedures that don’t reflect the organization’s actual privacy and security operations. To be current, an organization’s policies and procedures must be reviewed routinely (typically every year, on a schedule set by the management plan that has been put in place), and this review is typically laid out in an internal audit and management program. Additionally, policies and procedures should be reviewed: 1) when the organization makes operating changes (to ensure policies and procedures continue to reflect how the organization operates); and 2) in the face of a security and/or privacy incident. The objective here is to use the incident as a “teachable moment” by reviewing and evaluating why the incident occurred and what can be learned from it, and by solidifying internal processes to keep it from recurring. This last review should happen whenever a privacy or security incident occurs, not only when an incident rises to the level of a breach. This allows an organization to recalibrate and keep these incidents from rising to the level of reportable breaches.
HIPAA Training
When it comes to training, 95% of respondents indicated they conduct periodic training, but only about 68% of respondents indicated they could produce the documentation required by OCR.
This 67.8% is important because HIPAA regulations include documentation requirements (see 45 Code of Federal Regulations [CFR] 164.316). The lower number regarding training documentation is more indicative of the state of the wound clinic industry. Even this reported 67.8% of respondents may be artificially high, given that virtually all resolution plans published online by HHS indicate ineffective training as contributing to the vast majority of breaches addressed by those agreements. To be able to respond to this training question in the affirmative, we need to consider what defines “effective” and “up-to-date.” To be up-to-date, the training needs to be periodically reviewed (typically annually) and updated when one’s operations change, as well as when a security incident occurs. Effective training is one of the most misunderstood areas of HIPAA. While most organizations do a good job in providing periodic background training, unfortunately this kind of training does not satisfy the requirements of the regulations. The regulation (45 CFR 164.530) states:
(b)(1) Standard: training. “A covered entity (CE) must train all members of its work force on the policies and procedures with respect to protected health information (PHI) required by this subpart, as necessary and appropriate for the members of the work force to carry out their function within the CE.”
Essentially, organizations are required to train workforce members on specific policies and procedures to comply with the regulations. In the absence of this tailored, specific training, one’s training program will not pass regulatory scrutiny. In addition, documentation of one’s training program must include a log containing the following elements:
- who was trained,
- what was taught (contents of training),
- date of training,
- who conducted training, and
- a copy of the actual training provided.
One’s training program will not pass regulatory scrutiny without all these elements. There is a regulatory document-retention requirement spanning the previous six years; thus, an organization can be asked to provide this information for any point in that period (i.e., organizations can be asked to provide the documentation regarding who was trained, what the training covered, when the training occurred, who did the training, and the training materials used).
Risk Assessment
The next part of the survey evaluated risk assessment. While almost 81% of respondents indicated they did a routine security risk assessment and generated a remediation plan, only about 60% could produce the risk assessment and about 57% the remediation plan, respectively.
This result is more in line with the Ponemon report, which indicated that 60% of organizations surveyed conducted a risk assessment.1 However, even Ponemon’s numbers may be inflated given that virtually every resolution agreement the OCR signs with breach offenders indicates the lack of an adequate security risk assessment.2 While no specific security risk assessment protocol is specified in the actual regulations, the OCR’s guidance on security risk assessments points to the protocol presented in National Institute of Standards and Technology Special Publication 800-30 (NIST SP 800-30).3 Under the NIST protocol, for every vulnerability (each is specified in the regulations) a probability that the vulnerability will be exploited needs to be assigned. Additionally, if a vulnerability is exploited, a level of impact to the organization and to the individuals whose information is exposed needs to be assigned. Then, a vulnerability risk score must be calculated from these probabilities and potential impacts. With that information, a remediation plan needs to be created by assigning milestones that address each vulnerability, along with how each will be addressed and who will be responsible for ensuring the remediation steps are carried out. Only with this protocol in place can an organization answer this question in the affirmative. Because risk assessment is an ongoing process, organizations should update their risk analysis at least annually to ensure risks are appropriately identified, remediated, and monitored. Additionally, the internal controls and security measures in use should be regularly monitored and evaluated to ensure PHI is appropriately and effectively protected. Without an adequate risk assessment, one’s practice is not only in violation of HIPAA regulations; in the eyes of the government, fraud may also have been committed if the organization has attested for Meaningful Use monies.
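To make the protocol described above concrete, here is an added example (not from the article or from NIST) of a small risk register that assigns a likelihood and an impact to each vulnerability, computes a risk score, orders a remediation plan by score, and flags entries that lack the owner, milestone and action the plan must document. The five-level scales follow SP 800-30 Rev. 1; the multiplicative scoring, the level thresholds and the sample vulnerabilities are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Qualitative scales as in NIST SP 800-30 Rev. 1 (very low .. very high).
LEVELS = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}


@dataclass
class Vulnerability:
    name: str                         # the safeguard/vulnerability being assessed
    likelihood: str                   # probability the vulnerability is exploited
    impact: str                       # impact on the organization and affected individuals
    owner: Optional[str] = None       # who is responsible for remediation
    milestone: Optional[str] = None   # target milestone for remediation
    action: Optional[str] = None      # how the vulnerability will be addressed


def risk_score(v: Vulnerability) -> int:
    """Score = likelihood x impact on a 1..25 scale (assumption: 5x5 matrix)."""
    return LEVELS[v.likelihood.lower()] * LEVELS[v.impact.lower()]


def risk_level(score: int) -> str:
    """Map a 1..25 score back to a qualitative level (thresholds are assumptions)."""
    for floor, level in ((20, "very high"), (12, "high"), (6, "moderate"), (3, "low")):
        if score >= floor:
            return level
    return "very low"


def remediation_plan(register):
    """Plan entries ordered highest risk first, each carrying score, level and ownership."""
    entries = [{"vulnerability": v.name, "score": risk_score(v), "level": risk_level(risk_score(v)),
                "owner": v.owner, "milestone": v.milestone, "action": v.action} for v in register]
    return sorted(entries, key=lambda e: -e["score"])


def undocumented(register):
    """Vulnerabilities whose remediation cannot be evidenced: no owner, milestone or action."""
    return [v.name for v in register if not (v.owner and v.milestone and v.action)]


# Constructed sample register; names, levels, owners and milestones are placeholders.
REGISTER = [
    Vulnerability("Unencrypted laptops holding PHI", "high", "very high",
                  "IT manager", "Q1", "Enable full-disk encryption on all laptops"),
    Vulnerability("Access logs not reviewed", "moderate", "high",
                  "Security officer", "Q2", "Monthly review of EHR access logs"),
    Vulnerability("Outdated BAA with billing vendor", "low", "moderate"),
]
```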
Auditing & Monitoring
Under the category of auditing and monitoring, about half of respondents stated they would be unable to provide a copy of their most recent network vulnerability scan.
One under-recognized requirement of HIPAA is to conduct ongoing auditing of one’s technology, specifically a variety of log files. Also required is to provide an inventory of information technology assets, including operating systems and security patches. Additionally, organizations are required to review access log files. One indicator of having this information is the presence of a network vulnerability scan, which should collect the aforementioned requisite information. Along with the vulnerability scan, organizations should monitor their HIPAA privacy and security compliance on an ongoing basis. Compliance officers, in conjunction with the HIPAA privacy and security officers, should monitor completion of HIPAA education as well as the detection and investigation of potential HIPAA compliance incidents occurring during daily operations. Additionally, there should be several HIPAA items included in the organization’s annual audit plan, specifically focusing on ensuring that patient records are accessed and disclosed appropriately and that internal controls are effectively securing PHI. As with the other responses to the survey, the number of organizations that can provide documentation of this activity is almost half of those that report having such a program in place. This raises the concern that the majority of wound care clinics are not going to be in line with the regulations if/when called to demonstrate this compliance.
Business Associates
Next, let’s look at how CEs evaluate their business associates (BAs).
Most organizations have, as required, rewritten their business associate agreements (BAAs) since 2013, when the regulatory requirements of the BAA were enacted. Unfortunately, many organizations rely only on the BAA to demonstrate the BA’s compliance with the HIPAA regulations, as outlined in the BAA. While in our survey more than 80% of respondents say they have vetted their BAs, the Ponemon Institute study indicated only 51% of its respondents felt they had the technical expertise to comply with the regulations.1 Again, it’s important to note that, according to the Ponemon study, 61% of BAs experienced at least one breach in the past 24 months.1 Ongoing vetting of BAs is an imperative task for organizations. The regulations are explicit on this point: 45 CFR 164.502(e) specifies that a “BA is not in compliance with the standards if the BA knew of a pattern of activity or practice of a subcontractor that constituted a material breach or violation of the subcontractor’s obligation under the contract or other arrangement, unless the BA took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, terminated the contract or arrangement, if feasible.” An example of a CE that did not follow this mandate: Women & Infants Hospital of Rhode Island, as the CE, was fined $150,000 by the Massachusetts attorney general’s office, and Care New England Health System was fined $400,000 by the OCR for not having an appropriate BAA in place when a breach occurred. It’s interesting to note that, for the first time, both a CE and a BA were fined for the same incident. The days of not being sure whether or not BAs comply with the regulations are over!
Conclusion
The TWC survey covers a number of areas that the OCR has designated as areas of concern and that arise repeatedly during audits and investigations. They represent a quick way to evaluate an organization’s position on the HIPAA compliance spectrum. Note that the numbers in the first part of the survey indicate respondents believe they’re compliant. Yet, when respondents were asked whether they could verify that compliance, the numbers dropped drastically. This discrepancy is consistent with other studies on these topics. The majority of healthcare organizations “do the right thing,” but lack sufficient documentation to pass inevitable regulatory scrutiny. Remember, 89% of CEs and 61% of BAs report at least one breach every 24 months. Ensuring all compliance bases are covered before these inevitable breaches occur will hold an organization in good stead when it must address its compliance program with regulatory agencies.
Note: Anyone wishing to retake the survey or to see the ongoing results can find another version of the survey online at: https://hipaacomplianceusa.net/hipaadiagnostic.
References
1. Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data. Ponemon Institute LLC. 2016. Accessed online: www.ponemon.org
2. Resolution Agreements and Civil Money Penalties. U.S. Department of Health & Human Services. Accessed online: www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements
3. Guide for Conducting Risk Assessments - Information Security. National Institute of Standards and Technology. Revision 1. 2012. Accessed online: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf