How to Prepare for New HIPAA Privacy & Security Regulations in 2016

Wound care clinicians must ensure they’ve appropriately established and implemented safeguards for protected health information. This article provides an overview of what’s needed to meet regulatory standards.

The U.S. Department of Education’s Office for Civil Rights (OCR) has given fair warning that the 2016 round of compliance audits for healthcare professionals is about to unfold. Responsible for administering and enforcing HIPAA Privacy, Security, and Breach Notification Rules, the OCR also investigates complaints and compliance issues while maintaining an audit program mandated by the HITECH Act of 2009. 

Also in 2016, the OCR will relaunch its random audit program. In this new round of audits, the number of entities has been greatly increased (“small” providers — practices with fewer than 15 physicians — have been included) and, importantly, a healthcare organization’s “business associates” (BAs) will be included in the audit. (We’ll further discuss BAs later in this article.) It appears that providers will be randomly selected for these audits. If selected, an organization will be required to respond to a document request — regarding everything related to the organization’s HIPAA privacy and security programs. Document requests must be satisfied within a 20-day period and could require information to be collected from as far back as six years prior to an audit related to such items as security-risk assessment and remediation plans, policies and procedures, training logs, and any other documentation related to HIPAA privacy and security programs.

An organization that is under pressure from the United States’ Congress to complete audits, the OCR has also recently been pressured by the U.S. Department of Health & Human Services’ “Office of Inspector General (OIG), which completed a study in September titled OCR Should Strengthen its Oversight of Covered Entities’ Compliance With the HIPAA Privacy Standards. According to OIG officials, the OCR was not properly doing its job of proactively auditing covered entities (CEs). It seems logical to expect that with the demands of Congress, along with the public lashing by the OIG, the OCR will launch audits with renewed vigor. Indeed, in 2016 the OCR plans to conduct comprehensive onsite audits (during which OCR officials arrive onsite to review documentation, business processes, and policies and procedures) as well as desk audits (during which the OCR files a document request for preliminary review of the same types of materials required at an onsite audit but does not initially arrive onsite). Results of a desk audit determine whether or not further onsite auditing is necessary. Given this pressure to maintain compliance, it’s an appropriate time for healthcare providers to be reminded of HIPAA requirements. The information presented within this article is critical to one’s practice. While providers may feel overwhelmed by the depth of the information, there is good news: Resources are available to assist with the compliance process (and demystify the process) in order to address one’s compliance needs and produce a successful encounter with OCR in the event of an onsite or desk audit. 

Audit Overview

The audit protocol (ie, types of info auditors examine) covers all the aspects of one’s compliance efforts, including:

• notice of privacy practices;
• patients’ rights to request privacy for protected health information (PHI);
• access of individuals to PHI;
• administrative, physical, and technical safeguards;
• uses and disclosures of PHI;
• amendment to PHI; and
• requirements of the HIPAA Breach Notification Rule.¹

An onsite visit does not occur during desk audits, but the OCR will ask for documentation regarding various aspects of one’s compliance. Remember: Document requests must be satisfied within 20 days and could require information dating six years prior to an audit related to such items as security-risk assessment and remediation plans, policies and procedures, training logs, and any other documentation related to HIPAA privacy and security programs. The focus for both onsite and desk audits will be on those areas that OCR compliance investigations have historically found to be lacking. These include:

• the existence of an adequate security-risk assessment;
• an adequate and approved (typically by the chief security officer) remediation plan;
• an adequate training program appropriately documented (must include names of those trained, those conducting training, what was instructed; and
• adequate and easily available policies and procedures for staff and patients.

As part of the audit protocol, OCR will be collecting information on BAs, defined as contractors who need to see PHI in order to complete a task for the CE. For example, a billing company needs to see diagnostic codes of patients to review and submit bills. With the BA information, OCR will select potential BAs to audit. Why does this matter to healthcare providers? Under the Final HIPAA Omnibus rules that took effect in 2014, a provider’s relationship with business associates has significantly changed. Now, providers have an obligation to assure their BAs are complying with HIPAA regulations as well. If they’re not? Welcome to “double jeopardy.” But this is only the beginning. The OCR has published its intent to investigate and probe specific security regulations that will include:

Security Risk Assessment and Risk Management. OCR officials will inquire about one’s policies and procedures to conduct an accurate security-risk assessment of vulnerabilities related to confidentiality, availability, and integrity of patient PHI. They will assess whether one’s risk assessment covers any regulation updates or if it has evaluated changes to any operational or material changes within one’s organization (as well as determine whether the assessments have been done on a periodic basis). They will examine one’s remediation plan for addressing potential risks and vulnerabilities to PHI, decreasing risks to an “acceptable” level by implementing appropriate policies and procedures (the primary way being by shifting risks to another entity or insuring them away), and assessing for periodic updates to such plans. Security policies and procedures should address specified criteria of the security rule; CE/BAs should be clear to address data that is transported in and out of the organization.

Appropriate Information Technology (IT) Systems and Services. The security rule is technology neutral and does not mandate any particular technology, but OCR officials will assess the appropriateness of the provider’s/facility’s IT solutions for protecting the PHI that’s created, received, maintained, or transmitted. They will also want to ensure patients are protected against threats or hazards to the security and integrity of PHI and that the provider has protected against unauthorized disclosures. Lastly, they will want to ensure that one’s staff has been trained in policies and procedures in this area. Security measures for CEs and BAs can be adopted in relation to an entity’s size, complexity, and capabilities of the CE/BA and the CE/BAs technical infrastructure, hardware, and software security capabilities, as well as probability and criticality of potential risks to electronic PHI (ePHI). 

An Assigned Security Official with Documented Responsibilities. The OCR will check to determine whether providers and their BAs have assigned a specific security official to oversee the development, implementation, monitoring, and communication of security policies and procedures. (For those who have not yet done this, a chief security officer must be identified and assigned. Typically, this is someone within the organization, but outsourcing can be an option. Those caught without this individual in place will be deemed to be engaged in “willful neglect” (ie sticking your head in the sand and ignoring the requirement). If determined to be engaging in willful neglect, minimum fines go from $100 to $50,000.

The job description for the appointed individual must clearly state assigned responsibilities. The content of the job description should both match the requirements of the security rule and the official’s responsibilities while evaluating the content in relation to the specified criteria. The OCR will decide if the responsibilities of one’s security official have been clearly defined and communicated throughout the organization.

Workforce security and verification of proper access to ePHI. The OCR will evaluate the knowledge, skills, and abilities of one’s staff to fulfill defined roles and whether management has verified everyone’s experience and qualifications for the jobs they hold. Policies and procedures for granting access to ePHI will be evaluated, as will evidence of this approval process. Healthcare organizations must provide evidence that their workforce members do in fact have appropriate access to ePHI from their job function. Evidence of policies and procedures for terminating access to ePHI when employment of a workforce member ends (eg, voluntarily or involuntarily) or job functions change (eg, transfers, promotions), and procedures for monitoring this process, must be available. Note that workforce security is an addressable standard. This means if workforce security measures have not been fully implemented as required in the HIPAA regulations, the organization must be prepared to provide the rationale for not doing so and, rather, to justify the measures that have been substituted. 

Information Access Management. All healthcare providers must provide evidence that there are specific criteria for granting BAs and volunteers access to ePHI as well as access controls (and security measures around access controls) that must also be proven to be periodically reviewed and updated. Criteria on security measures for access controls must be in place. The OCR will determine if the entity’s IT system has the capacity to set access controls to ePHI. Criteria must also be established for standards to authorize access and to document, review, and modify a user’s right of access to a workstation, transaction, program, and/or process. Since access authorization, access establishment, and access modification are addressable specifications, evidence must be provided (as well as rationale) if one has not fully established workforce security measures. Documentation as to how this process is evaluated, documented, and periodically reviewed will also be necessary.

Workstation Use. All types of workstations must be identified, physical surroundings must be analyzed (need to maintain up-to-date listing of devices and physical safeguards (proper, safe access to workstations), and established procedures must limit access to workstations and implement physical safeguards for workstations. These practices must be established through policies and procedures with evidence of periodic reviews.

Device and Media Controls. Evidence of policies and procedures that address methods for final disposal of ePHI, accountability for all movement and disposal of hardware and electronic media, data backup and storage procedures, and procedures for reuse of electronic media is required in all settings.

Encryption and Decryption. The OCR will assess one’s policies and procedures related to encryption standards, which must be reasonable and appropriate based on the size and complexity of one’s organization/facility. As an addressable specification, for ePHI being stored, if encryption measures have not been fully instituted there is a requirement for rationale explaining why this has not been done and justifying the alternate implementation.

Access Controls. OCR officials will ensure adequate access controls are the result of having: one’s workloads and operations analyzed, needs of all users identified, technical access control capabilities assessed, all users being assigned unique identifiers, and access control policies being developed. Hardware and software related to access controls will be evaluated. Policies and procedures should address user access, reviewing and updating of user access, and emergency access procedures. Automatic logoff, termination of access as needed, determination of which activities will be tracked or audited, auditing and system activity review tools, and standard operating procedures will be evaluated.

Integrity. Policies and procedures related to integrity of ePHI must be in place, including identification of all users who have been authorized to access ePHI, mechanisms to authenticate ePHI, authentication methods, and the applicability and evaluation of authentication method to current systems and applications.

As author Jane Wagner has said: “Reality is the leading cause of stress amongst those in touch with it.” At this point it’s common for healthcare providers to experience stress related to the depth of information and tasks associated with HIPAA compliance.  There are resources available to demystify these processes in order to assist with compliance regulations and to help produce a successful encounter in the event of an OCR inspection.

Roger Shindell is chief executive of Carosh Compliance Solutions, Crown Point, IN, which specializes in HIPAA compliance consulting for small to midsize practices and their business associates. Shindell currently is chairman of the HIMSS Risk Assessment Work Group and a member of the American Health Information Management Association’s privacy and security council. Shindell has more than 30 years of multidisciplinary experience in healthcare and has served as an advisor and principal in healthcare, technology, and service companies. He may be reached at rshindel@carosh.com.

References

1. U.S. Department of Health and Human Services. HIPAA Breach Notification Rule. Accessed online: www.hhs.gov/hipaa/for-professionals/breach-notification/index.html