<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Compliance Helper</title>
    <link>http://compliancehelper.com</link>
    <language>en-us</language>
    <ttl>40</ttl>
    <description></description>
        
        <item>
          <title>Business Associates Need HIPAA HITECH Compliant Policies and Procedures, Now</title>
          <description>&lt;p&gt;This article is a good reminder that despite the final rules not being issued the law is in place. Business Associates should note that the HIPAA Security Standards became applicable to them in February of 2010.&lt;/p&gt;
&lt;p&gt;
&lt;div class=&quot;article-body&quot;&gt;
&lt;p&gt;Here is the complete article:&lt;/p&gt;
&lt;p&gt;During 2011, informal indications were given by the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) and various industry experts that the final Health Information Technology for Economic and Clinical Health Act (HITECH Act) regulations amending the HIPAA privacy and security regulations would be published by the end of 2011. However, the regulations continue to be delayed due to the numerous comments and policy questions being reviewed and addressed by OCR and other Health Information Privacy officials within HHS, according to a privacy specialist. Reasons for the lengthy time period include numerous policy reviews conducted by HHS and the need to formulate responses to over 300 comments received in connection with the July 14, 2010, proposed rule (75 Fed. Reg. 40868). Although no specific month or day has been announced for publication of the final regulations in 2012, healthcare providers, health plans and clearinghouses should be prepared for publication sometime this year, and expect a few weeks or months of delayed enforcement to enable subject entities to transition to any new requirements.&lt;/p&gt;
&lt;p&gt;Additionally, policy reviews are still being conducted by HHS OCR with respect to the Interim Final Rule for breach notification under the HITECH Act, which is found at 45 C.F.R. part 164, subpart D. It is not clear whether the breach notification regulations will remain unchanged or if revisions will be announced along with the HITECH Act final regulations.&lt;/p&gt;
&lt;p&gt;Despite the continued delay in the final HITECH Act regulations, covered entities and business associates that are reviewing, implementing and updating their HIPAA privacy and security policies and procedures should continue to do so with diligence. The HIPAA regulations require periodic evaluation and updating of policies and safeguards to address a changing healthcare environment and evolving privacy and security threats. Further, OCR currently is in the process of conducting HIPAA privacy and security audits of covered entities, as required under the HITECH Act, notification of which began in November 2011. Covered entities should keep in mind that the HIPAA Security Standards took effect for most covered entities in April of 2005. For business associates under the HITECH Act, the HIPAA Security Standards became directly applicable to them in February 2010. Similarly, the HITECH breach notification interim final rule, referred to above, became actively enforced in February 2010. Covered entities and business associates should consider finalizing any updates to their privacy and security policies, procedures, safeguards and documentation, and revisit these later in the year for any adjustments needed when the final HITECH Act regulations are published.&lt;/p&gt;
&lt;/div&gt;
&lt;/p&gt;</description>
          <pubDate>Wed, 25 Jan 2012 16:42:33 GMT</pubDate>
          <guid>http://compliancehelper.com/post/685655-business-associates-need-hipaa-hitech-compliant</guid>
          <link>http://compliancehelper.com/post/685655-business-associates-need-hipaa-hitech-compliant</link>
        </item>
        
        <item>
          <title>Minnesota Attorney General Sues Business Associate for HIPAA HITECH Data Breach</title>
          <description>&lt;p&gt;Where have we heard this story before? An employee of a business associate leaves an unencrypted laptop containing PHI in a rental car. The laptop is stolen along with patient data records on 23,500 patients. Covered entities who gave PHI to the business associate claim they are &amp;quot;redoubling their compliance efforts&amp;quot;. So if they are redoubling, that means that previously they doubled their efforts, so by now they must be up to at least 50% compliant. Of course they have no idea about the compliance of their business associate. Use the rule of thumb of $1,000 per patient record times 23,500 and you get a significant number.&lt;/p&gt;
&lt;p&gt;Here is the whole article:&lt;/p&gt;
&lt;p&gt;&amp;quot;The consulting firm that lost a laptop computer with medical data on 23,500 Minnesotans last summer has been sued by Minnesota Attorney General Lori Swanson, who says it violated health privacy laws and state consumer protections.&lt;/p&gt;
&lt;div class=&quot;leftColCotainer&quot;&gt;
&lt;div class=&quot;twoColContainer noSeparator&quot;&gt;
&lt;div class=&quot;fullArticleStory&quot;&gt;
&lt;div class=&quot;articleStoryContainer&quot;&gt;
&lt;div class=&quot;articleStory&quot;&gt;
&lt;div class=&quot;resizeFont&quot;&gt;
&lt;div id=&quot;pageDiv1&quot; class=&quot;articlePageDiv&quot;&gt;
&lt;p&gt;Swanson said Accretive Health Inc., hired by two Twin Cities hospitals, was compiling individual medical checklists that included a &amp;quot;frailty&amp;quot; evaluation, a &amp;quot;complexity&amp;quot; score of patients' physical condition and a prediction of whether a person would be hospitalized.&lt;/p&gt;
&lt;p&gt;&amp;quot;Why should anyone other than a doctor have such basic and personal and intrusive information about a patient?&amp;quot; Swanson said at a news conference in her State Capitol office.&lt;/p&gt;
&lt;p&gt;Her lawsuit, filed Thursday in U.S. District Court, seeks an order requiring Accretive to inform Minnesota patients what information it has, how it has been used and where it has been sent.&lt;/p&gt;
&lt;p&gt;&amp;quot;No corporation, especially a debt collector, should secretly slice and dice patients' medical statistics in such a way without ... full disclosure to patients,&amp;quot; Swanson said.&lt;/p&gt;
&lt;p&gt;Chicago-based Accretive, a cost and revenue consultant, issued a statement saying it has enhanced its security procedures and will cooperate with Swanson's office to resolve the lawsuit. Company spokeswoman Francesca Luthi said there is no evidence any patient data has been improperly accessed. She declined to answer questions.&lt;/p&gt;
&lt;p&gt;The lawsuit stems from an investigation into an unencrypted laptop that was stolen July 25 in Minneapolis from the parked rental car of an Accretive employee.&lt;/p&gt;
&lt;p&gt;The computer contained sensitive information on 23,500 Minnesota patients of two Minnesota hospital systems, Fairview Health Services and North Memorial Health Care. Both organizations had contracts with Accretive to help cut costs and boost revenues. Fairview's contract is even deeper, giving Accretive a management role in Fairview's &amp;quot;total cost of care.&amp;quot;&lt;/p&gt;
&lt;p class=&quot;subhead&quot;&gt;Hospitals respond&lt;/p&gt;
&lt;p&gt;Fairview released a statement saying it is &amp;quot;redoubling&amp;quot; its efforts to safeguard patient health information.&lt;/p&gt;
&lt;p&gt;North Memorial CEO Larry Taylor said his company has systems in place to protect patient information and that Accretive's lost North Memorial files did not include Social Security numbers, credit card numbers, health policy numbers or home addresses.&lt;/p&gt;
&lt;p&gt;Swanson's lawsuit alleges that Accretive's loss of the information violates federal and state patient privacy and informed-consent laws. The company also violated state consumer fraud and deceptive trade practices statutes by concealing from patients the extent of its involvement in their health care, the lawsuit alleges.&lt;/p&gt;
&lt;p&gt;Asked if Fairview and North Memorial will be sued, Swanson did not answer.&lt;/p&gt;
&lt;p&gt;Although it has consulting contracts with local hospitals, Accretive is a licensed debt collector in Minnesota. The lawsuit alleges that the company at times masked its true identity during collection calls and has not complied with all disclosure and registration requirements.&lt;/p&gt;
&lt;p&gt;Swanson noted that Accretive Health is part of the New York private equity fund Accretive LLC. In 2009, Swanson's office filed a consumer lawsuit that broke up an affiliation between a major debt collection enterprise involving Accretive LLC and the National Arbitration Forum, then the nation's largest consumer credit arbitration company.&amp;quot; Tony Kennedy &amp;bull; 612-673-4213&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;</description>
          <pubDate>Fri, 20 Jan 2012 16:43:16 GMT</pubDate>
          <guid>http://compliancehelper.com/post/678563-minnesota-attorney-general-sues-business-associate</guid>
          <link>http://compliancehelper.com/post/678563-minnesota-attorney-general-sues-business-associate</link>
        </item>
        
        <item>
          <title>HIPAA HITECH Data Breach Costs Small Business Associate $300,000</title>
          <description>&lt;p&gt;I was in a recent discussion about hacking in healthcare and had to use the old Pogo line &amp;quot;We have seen the enemy and he is us&amp;quot;. While we are worrying about Russian mobsters hacking our systems, employees are blithely carrying around unencrypted patient data on their laptops. Compliance 101 would tell people that this is a bad habit. More data has been breached by business associates than by covered entities, and most of it has to do with lost or stolen hardware, be it backup tapes, laptops, or servers.&lt;/p&gt;
&lt;p&gt;A few thousand dollars invested in compliance training and encryption would have saved this business associate $300,000, not to mention the incalculable damage to their reputation. The story was in the Healthcareinfosecurity.com Forum.&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.maehc.org/&quot; target=&quot;_blank&quot;&gt;&lt;b&gt;&lt;font color=&quot;#0000ff&quot;&gt;The Massachusetts eHealth Collaborative, &lt;/font&gt;&lt;/b&gt;&lt;/a&gt;a non-profit consultancy that experienced a health information &lt;a href=&quot;http://www.healthcareinfosecurity.com/category.php?catID=324&quot;&gt;&lt;b&gt;&lt;font color=&quot;#0000ff&quot;&gt;breach,&lt;/font&gt;&lt;/b&gt;&lt;/a&gt; learned eight important lessons from the experience, says CEO Micky Tripathi.&lt;/p&gt;
&lt;p&gt;Tripathi spelled out in a recent &lt;a href=&quot;http://www.histalkpractice.com/2011/12/03/first-hand-experience-with-a-patient-data-security-breach-12311/&quot; target=&quot;_blank&quot;&gt;&lt;b&gt;&lt;font color=&quot;#0000ff&quot;&gt;blog&lt;/font&gt;&lt;/b&gt;&lt;/a&gt; the details of the organization's breach, which involved the theft of an unencrypted laptop from an employee's car. The breach, which affected about 1,000 patients of the collaborative's physician group practice clients, cost almost $300,000 to resolve.&lt;/p&gt;
</description>
          <pubDate>Thu, 19 Jan 2012 17:12:29 GMT</pubDate>
          <guid>http://compliancehelper.com/post/677314-hipaa-hitech-data-breach-costs-small</guid>
          <link>http://compliancehelper.com/post/677314-hipaa-hitech-data-breach-costs-small</link>
        </item>
        
        <item>
          <title>HIPAA HITECH Rules De Facto Standard?</title>
          <description>&lt;p&gt;Kirk Nahra is a respected healthcare attorney with Wiley Rein, LLP. While this article is broad in its scope, he focuses in on healthcare and the widespread ramifications of HIPAA HITECH if implemented as proposed in the NPRM. In a sense any company touching on healthcare must be HIPAA HITECH compliant, and since healthcare is a third of the US economy that is a large net.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&amp;quot;What's Happening with Health Care, and Why Does It Affect Everyone?&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;While most of these top developments affect the full range of corporate America, our next issue to watch is focused on the health care industry. The Health Insurance Portability and Accountability Act (HIPAA) privacy and security structure has created the most detailed and complex set of privacy and security requirements at the federal level, since the privacy rule first required compliance in 2003. Now, following passage of the Health Information Technology for Economic and Clinical Health (HITECH) law in 2009, we (finally) will see in 2012 the issuance of final HITECH regulations that will kick off the full Version 2.0 of the HIPAA era.&lt;/p&gt;
&lt;p&gt;But this development is critical because HIPAA/HITECH no longer is limited in any meaningful way to the health care industry. Instead, two key developments, one not yet set in stone, demonstrate that these changes will affect an enormous range of companies across the country, many of which have no obvious tie to the health care industry. First, one of the key changes from the HITECH law concerns the applicability of the privacy and security rules to &amp;quot;business associates,&amp;quot; which are service providers to the health care industry. These entities have had contractual obligations for many years, but the new law requires that these business associates face legal obligations directly under the rules as well. So, through this step (which is being implemented in rules that are not yet final), the scope of HIPAA now will extend to any company that provides services to health care companies that involve any health care information (as well as creating complex negotiations and various other debates about whether health care information really is involved in providing the service).&lt;/p&gt;
&lt;p&gt;The second step expands this circle even more. In the proposed regulations applying this statutory language, the Department of Health and Human Services (HHS) proposed to expand coverage not only to the companies that contract directly with the health care companies (which clearly are encompassed by the statutory changes and would know that they are contracting with health care companies) but also to any downstream vendor that contracts with those service providers, and on down the chain, indefinitely. This creates a potentially never-ending chain of contractual entanglements that impose legal obligations -- even in situations where the downstream vendors may not have any idea they are involved in information from a health care company. This requirement would apply not only to specific &amp;quot;subcontractors&amp;quot; that perform a part of the work assigned to the business associate but also to a wide range of general service providers to the business associate (e.g., accounting firms, law firms, consultants, auditors) that perform work generally for the business associate that is not necessarily tied to any particular client or project. And, because the primary legal obligation imposed by these new provisions is to follow the full scope of the detailed and complicated HIPAA Security Rule, companies will be faced with a choice even before they receive any health care information about whether to take on the task of revamping overall security programs. So, we'll be watching closely how these final rules play out, and also how far down the corporate chain these rules apply.&lt;strong&gt; It is quite likely that the HIPAA rules will become almost a de facto national security standard, if the reach of these rules applies to anyone in the contracting chain.&amp;quot;&lt;/strong&gt;&lt;/p&gt;</description>
          <pubDate>Thu, 12 Jan 2012 23:19:56 GMT</pubDate>
          <guid>http://compliancehelper.com/post/669112-hipaa-hitech-rules-de-facto-standard</guid>
          <link>http://compliancehelper.com/post/669112-hipaa-hitech-rules-de-facto-standard</link>
        </item>
        
        <item>
          <title>HIPAA HITECH Data Breach: $1000 Per Patient?</title>
          <description>&lt;p&gt;The cost of a HIPAA HITECH data breach has escalated with the recent spate of class action lawsuits. There seems to be a consensus among the law firms that $1,000 per patient is at least the asking price for damages. This makes even a relatively small data breach attractive to the firms that specialize in class action lawsuits. Now, are they going to win all these suits? Probably not, but many organizations and their insurance companies will settle rather than pay the huge costs of defending these suits.&lt;/p&gt;
&lt;p&gt;Stanford, Sutter Health, Anthem Blue Cross, and Tricare have also been hit with class action suits. The Tricare and Sutter Health suits are for over 1 billion dollars. Most of these have been caused by business associates, yet covered entities still seem to think that by having a BA agreement in place they are safe. Not so much! It is imperative that CEs monitor their BAs. There are tools such as our BA Tracker that accomplish this at little or no cost to the CE. Penny wise and a billion foolish is a bad bet.&lt;/p&gt;</description>
          <pubDate>Wed, 04 Jan 2012 17:08:18 GMT</pubDate>
          <guid>http://compliancehelper.com/post/657695-hipaa-hitech-data-breach-1000-per</guid>
          <link>http://compliancehelper.com/post/657695-hipaa-hitech-data-breach-1000-per</link>
        </item>
        
        <item>
          <title>Senate Hearings Focus on Lack of HIPAA Enforcement, Final HITECH Rule</title>
          <description>&lt;p&gt;One year it was a shiny red bicycle, which I got, another year it was a Red Ryder BB gun, which I did not, so I understand that Santa doesn't always deliver the goods.&amp;nbsp; This year it is &amp;quot;The Final Rule&amp;quot; and since we are only a few days before Christmas and I doubt anyone is working at HHS this week it looks like I will be disappointed again.&lt;/p&gt;
&lt;p&gt;&amp;quot;The hearings also highlighted the need for a final rule to implement major provisions of the new HITECH Act, including those related to business associates and breach notification requirements.&amp;nbsp; Franken characterized the lack of final HITECH regulations as &amp;ldquo;a really big problem,&amp;rdquo; and questioned Rodriguez about when Congress can expect a final rule from HHS.&amp;nbsp; &lt;strong&gt;Rodriguez did not provide a specific timetable&lt;/strong&gt;.&amp;quot; (My emphasis)&lt;/p&gt;
&lt;p&gt;This was the second panel of the Senate committee and followed up on the theme of the first, &amp;quot;Hurry Up&amp;quot;. With millions of patient records being exposed, and the incidence growing 32% according to The Ponemon Institute study, you would think HHS would have released this months ago. Literally millions of business associates are delaying compliance because in February of 2010 HHS announced that they were &amp;quot;delaying enforcement&amp;quot;.&lt;/p&gt;
&lt;p&gt;Here is the link to the complete article:&lt;/p&gt;
&lt;div&gt;&lt;a href=&quot;http://www.insideprivacy.com/senate-hearings-focus-on-lack-of-hipaa-enforcement-final-hitech-rule/&quot;&gt;http://www.insideprivacy.com/senate-hearings-focus-on-lack-of-hipaa-enforcement-final-hitech-rule/&lt;/a&gt;&lt;/div&gt;
&lt;p&gt;The irony is that the law is actually in force, and should the BA have a breach they must report the breach and are subject to punishment right along with the CE that trusted them with the PHI. CEs must take greater responsibility for their BAs because they are in fact responsible should the BA breach.&lt;/p&gt;
&lt;p&gt;I highly recommend that you read an article being published in Compliance Today magazine entitled:&lt;/p&gt;
&lt;p&gt;&lt;span class=&quot;large_body&quot; style=&quot;font-size: 18px&quot;&gt;&lt;span class=&quot;storytitle1&quot;&gt;&lt;strong&gt;&lt;font color=&quot;#003399&quot; face=&quot;Arial&quot;&gt;Effective practices for HIPAA and HITECH compliance measurements&lt;/font&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;font color=&quot;#000000&quot; face=&quot;Verdana&quot;&gt; &lt;/font&gt;&lt;font color=&quot;#000000&quot;&gt;&lt;font face=&quot;Verdana&quot;&gt;&lt;strong&gt;&lt;em&gt;&lt;span class=&quot;feature1&quot;&gt;&amp;ndash; By Rebecca Herold and Mahmood Sher-Jan &lt;/span&gt;&lt;br /&gt;
&lt;/em&gt;&lt;/strong&gt;Metrics tied to an incident response lifecycle provide a defendable plan of action for data breaches and help restore trust. Page 30&lt;/font&gt;&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;</description>
          <pubDate>Fri, 23 Dec 2011 16:05:50 GMT</pubDate>
          <guid>http://compliancehelper.com/post/639500-senate-hearings-focus-on-lack-of</guid>
          <link>http://compliancehelper.com/post/639500-senate-hearings-focus-on-lack-of</link>
        </item>
        
        <item>
          <title>HIPAA HITECH In Effect for Business Associates: Since February 2010</title>
          <description>&lt;p&gt;This article from a leading healthcare law firm explains that despite the &amp;quot;final rule&amp;quot; still being missing, the law went into effect in February of 2010.&lt;/p&gt;
&lt;p&gt;&amp;quot;During the past year, the healthcare privacy and security community has anxiously awaited publication of the &amp;quot;Final HITECH Regulations&amp;quot; amending certain provisions of the privacy and security standards of HIPAA that were mandated by the HITECH Act. But did you know that several components of the HITECH Act already are in effect? Business associates, in particular, need to be aware that the HITECH Act's imposition of specific technical, administrative and physical safeguards onto their operations became effective in early 2010, one year after the HITECH Act was enacted.&amp;quot;&lt;/p&gt;
&lt;p&gt;If you are audited you will be subject to compliance with this law whether the final rule has been issued or not. The Wall of Shame bears witness to the fact that you will be required to report any breaches and that the public will be informed. Further action, including large fines, may be imposed by OCR. I would refer you to my last blog that outlined what happened to a business associate who lost a laptop with unencrypted PHI: $300,000 in out of pocket expense plus hundreds of hours trying to remediate, when having proper policies and procedures in place and adhering to them would have saved him time, money, and lost reputation.&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.lexology.com/library/detail.aspx?g=f133a888-36b4-4b41-9ecd-12314c59292b&amp;amp;utm_source=Lexology+Daily+Newsfeed&amp;amp;utm_medium=HTML+email+-+Body+-+Federal+section&amp;amp;utm_campaign=Lexology+subscriber+daily+feed&amp;amp;utm_content=Lexology+Daily+Newsfeed+2011-12-20&amp;amp;utm_term&quot;&gt;http://www.lexology.com/library/detail.aspx?g=f133a888-36b4-4b41-9ecd-12314c59292b&amp;amp;utm_source=Lexology+Daily+Newsfeed&amp;amp;utm_medium=HTML+email+-+Body+-+Federal+section&amp;amp;utm_campaign=Lexology+subscriber+daily+feed&amp;amp;utm_content=Lexology+Daily+Newsfeed+2011-12-20&amp;amp;utm_term&lt;/a&gt;=&lt;/p&gt;</description>
          <pubDate>Tue, 20 Dec 2011 17:01:06 GMT</pubDate>
          <guid>http://compliancehelper.com/post/631842-hipaa-hitech-in-effect-for-business</guid>
          <link>http://compliancehelper.com/post/631842-hipaa-hitech-in-effect-for-business</link>
        </item>
        
        <item>
          <title>HIPAA HITECH Data Breach Costs Small Business Associate $300,000</title>
          <description>&lt;p&gt;It not only cost the business associate (BA) $300,000 in direct costs, but one of the covered entities (CE) who gave him patient data is now enshrined on the Wall of Shame at incalculable cost to the CE and the BA.&lt;/p&gt;
&lt;p&gt;Both CE and BA need to face up to the fact that they are inextricably linked in the data breach universe. CEs need to monitor their BAs, and BAs need to be able to provide proof of compliance to their CEs on an ongoing basis. If there was a BA agreement in place in this instance it did neither of them any good. The BA still breached and the CE got to share the blame.&lt;/p&gt;
&lt;p&gt;BA Tracker is the solution and will be available as a free service to CEs in January.&lt;/p&gt;
&lt;p&gt;Here is the link to the article in the New York Times:&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.nytimes.com/2011/12/19/technology/as-patient-records-are-digitized-data-breaches-are-on-the-rise.html?_r=1&amp;amp;hpw&quot;&gt;http://www.nytimes.com/2011/12/19/technology/as-patient-records-are-digitized-data-breaches-are-on-the-rise.html?_r=1&amp;amp;hpw&lt;/a&gt;&lt;/p&gt;</description>
          <pubDate>Mon, 19 Dec 2011 20:45:57 GMT</pubDate>
          <guid>http://compliancehelper.com/post/631074-hipaa-hitech-data-breach-costs-small</guid>
          <link>http://compliancehelper.com/post/631074-hipaa-hitech-data-breach-costs-small</link>
        </item>
        
        <item>
          <title>Nearly Half of HIPAA HITECH Data Breaches Caused By Business Associates (BA)</title>
          <description>&lt;p&gt;Yet another study has shown that nearly half of all HIPAA HITECH data breaches are caused by business associates (BA). Today's article is by a law firm that analyzed the large data breaches and discovered that 50% of the breaches above 1,000,000 records were caused by BAs and 44.8% of the breaches between 30,000 and 999,999 were also caused by BAs. The Ponemon Institute Study reported 46% caused by BAs, which reinforces the argument that the BA is an area of great vulnerability for the covered entity.&lt;/p&gt;
&lt;p&gt;Most CEs try to keep an up-to-date list of BA agreements but go no further. There are many motives for this inaction, including lack of funding, avoidance of confronting their BA, lack of tools, and just plain old inertia. There is also the old argument that if we probe too deeply we are going to find many of our BAs are non-compliant, and if we then continue to do business with them we are guilty of willful neglect. Ostriches have not found this to be a great defense, since with your head in the sand you are exposing another vulnerable area.&lt;/p&gt;
&lt;p&gt;Time to confront the issue head on. Take your list of BAs and update it by surveying them on a regular basis. Have them answer compliance questions to ascertain their level of compliance. Inventory the PHI that they are accessing. Assign risk categories based on the access and their compliance level. Ask them to remediate the risks and provide you proof of compliance on an ongoing basis.&lt;/p&gt;
&lt;p&gt;Or let BA Tracker do all of this for you, for free.&amp;nbsp; Take a look at &lt;a href=&quot;http://www.compliancehelper.com/batracker&quot;&gt;www.compliancehelper.com/batracker&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Here is the link to the article: &lt;a href=&quot;http://hipaahealthlaw.foxrothschild.com/2011/12/articles/breaches/the-silent-brigade-in-the-parade-of-major-reported-phi-breaches-of-security-and-privacy-business-associates-an-update/#page=1&quot;&gt;http://hipaahealthlaw.foxrothschild.com/2011/12/articles/breaches/the-silent-brigade-in-the-parade-of-major-reported-phi-breaches-of-security-and-privacy-business-associates-an-update/#page=1&lt;/a&gt;&lt;/p&gt;</description>
          <pubDate>Fri, 09 Dec 2011 19:28:04 GMT</pubDate>
          <guid>http://compliancehelper.com/post/615120-nearly-half-of-hipaa-hitech-data</guid>
          <link>http://compliancehelper.com/post/615120-nearly-half-of-hipaa-hitech-data</link>
        </item>
        
        <item>
          <title>BA Tracker HIPAA HITECH Compliance Checklist</title>
          <description>&lt;p&gt;Keeping track of their BAs is becoming a high priority for CEs. The recent Ponemon Institute study had two very revealing statistics: breaches by BAs are the second leading cause and the percentage is increasing, while at the same time the percentage of BAs covered by BA agreements is falling. Having a BA agreement in place is a HIPAA HITECH requirement, as is the requirement to seek &amp;quot;suitable assurances&amp;quot; that the BA is HIPAA compliant. Under NIST guidelines for HIPAA Security Rule Compliance, Covered Entities &amp;ldquo;May consider asking the business associate to conduct a risk assessment that addresses administrative, technical, and physical risks, if reasonable and appropriate.&amp;rdquo; (NIST 800-66, rev 1, p. 48).&lt;/p&gt;
&lt;p&gt;BA Tracker is a free service to the CE that meets all of the HIPAA&amp;nbsp;HITECH requirements by tracking the compliance level of the BAs, identifying gaps, and offering remediation to the BA at a reasonable and appropriate cost in time and money.&amp;nbsp; As part of that program BAs are surveyed monthly and asked the following questions:&lt;/p&gt;
&lt;p&gt;
&lt;table border=&quot;0&quot; cellspacing=&quot;0&quot; cellpadding=&quot;0&quot; width=&quot;637&quot;&gt;
    &lt;tbody&gt;
        &lt;tr&gt;
            &lt;td valign=&quot;top&quot; width=&quot;440&quot;&gt;
            &lt;p&gt;&lt;span class=&quot;large_body&quot; style=&quot;font-size: 18px&quot;&gt;&lt;span class=&quot;small_headline&quot;&gt;III. Compliance Questions: &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
            &lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td valign=&quot;top&quot; width=&quot;440&quot;&gt;
            &lt;p&gt;&lt;span class=&quot;large_body&quot; style=&quot;font-size: 18px&quot;&gt;&lt;span class=&quot;small_headline&quot;&gt;1. Name the formally designated &lt;u&gt;person&lt;/u&gt; or &lt;u&gt;position&lt;/u&gt; that serves as your organization's privacy and security officer. If none, type None.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
            &lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td valign=&quot;top&quot; width=&quot;440&quot;&gt;
            &lt;p&gt;&lt;span class=&quot;large_body&quot; style=&quot;font-size: 18px&quot;&gt;&lt;span class=&quot;small_headline&quot;&gt;2. When was the last time you updated your documented privacy and information security policies and procedures?&amp;nbsp;Leave blank if not documented.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
            &lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td valign=&quot;top&quot; width=&quot;440&quot;&gt;
            &lt;p&gt;&lt;span class=&quot;large_body&quot; style=&quot;font-size: 18px&quot;&gt;&lt;span class=&quot;small_headline&quot;&gt;3. Have they been reviewed and updated, where appropriate, in the last six months? &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
            &lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td valign=&quot;top&quot; width=&quot;440&quot;&gt;
            &lt;p&gt;&lt;span class=&quot;large_body&quot; style=&quot;font-size: 18px&quot;&gt;&lt;span class=&quot;small_headline&quot;&gt;4. Describe how the privacy and information security policies and procedures are communicated to all personnel, and made available for them to review at any time.&amp;nbsp;Check all that apply.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
            &lt;p&gt;&lt;span class=&quot;large_body&quot; style=&quot;font-size: 18px&quot;&gt;&lt;span class=&quot;small_headline&quot;&gt;A) Via email&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
            &lt;p&gt;&lt;span class=&quot;large_body&quot; style=&quot;font-size: 18px&quot;&gt;&lt;span class=&quot;small_headline&quot;&gt;B) Put on company Intranet&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
            &lt;p&gt;&lt;span class=&quot;large_body&quot; style=&quot;font-size: 18px&quot;&gt;&lt;span class=&quot;small_headline&quot;&gt;C) Put on an Internet site&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
            &lt;p&gt;&lt;span class=&quot;large_body&quot; style=&quot;font-size: 18px&quot;&gt;&lt;span class=&quot;small_headline&quot;&gt;D) Distribute printed copies&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
            &lt;p&gt;&lt;span class=&quot;large_body&quot; style=&quot;font-size: 18px&quot;&gt;&lt;span class=&quot;small_headline&quot;&gt;E) Make available in management policy binders&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
            &lt;p&gt;&lt;span class=&quot;large_body&quot; style=&quot;font-size: 18px&quot;&gt;&lt;span class=&quot;small_headline&quot;&gt;F) Give access via Compliance Helper portal&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
            &lt;p&gt;&lt;span class=&quot;large_body&quot; style=&quot;font-size: 18px&quot;&gt;&lt;span class=&quot;small_headline&quot;&gt;G) Some other method&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
            &lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td valign=&quot;top&quot; width=&quot;440&quot;&gt;
            &lt;p&gt;&lt;span class=&quot;large_body&quot; style=&quot;font-size: 18px&quot;&gt;&lt;span class=&quot;small_headline&quot;&gt;5. Do you provide regular training and ongoing awareness communications for information security and privacy for all your workers? &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
            &lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td valign=&quot;top&quot; width=&quot;440&quot;&gt;
            &lt;p&gt;&lt;span class=&quot;large_body&quot; style=&quot;font-size: 18px&quot;&gt;&lt;span class=&quot;small_headline&quot;&gt;6. Provide the date for the most recent information security and privacy training.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
            &lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td valign=&quot;top&quot; width=&quot;440&quot;&gt;
            &lt;p&gt;&lt;span class=&quot;large_body&quot; style=&quot;font-size: 18px&quot;&gt;&lt;span class=&quot;small_headline&quot;&gt;7. Provide the date for when you performed your most recent information security risk assessment in the last 12 months.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
            &lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td valign=&quot;top&quot; width=&quot;440&quot;&gt;
            &lt;p&gt;&lt;span class=&quot;large_body&quot; style=&quot;font-size: 18px&quot;&gt;&lt;span class=&quot;small_headline&quot;&gt;8. Do you regularly make backups of business information, and have documented disaster recovery and business continuity plans?&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
            &lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td valign=&quot;top&quot; width=&quot;440&quot;&gt;
            &lt;p&gt;&lt;span class=&quot;large_body&quot; style=&quot;font-size: 18px&quot;&gt;&lt;span class=&quot;small_headline&quot;&gt;9. Do you require all types of sensitive information, including personal information and health information, to be encrypted when it is sent through public networks and when it is stored on mobile computers and mobile storage devices?&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
            &lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td valign=&quot;top&quot; width=&quot;440&quot;&gt;
            &lt;p&gt;&lt;span class=&quot;large_body&quot; style=&quot;font-size: 18px&quot;&gt;&lt;span class=&quot;small_headline&quot;&gt;10. Do you require information, in all forms, to be disposed of using secure methods? &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
            &lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td valign=&quot;top&quot; width=&quot;440&quot;&gt;
            &lt;p&gt;&lt;span class=&quot;large_body&quot; style=&quot;font-size: 18px&quot;&gt;&lt;span class=&quot;small_headline&quot;&gt;11. Do you have a documented breach response and notification plan, and a team to support the plan? &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
            &lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td valign=&quot;top&quot; width=&quot;440&quot;&gt;
            &lt;p&gt;&lt;span class=&quot;large_body&quot; style=&quot;font-size: 18px&quot;&gt;&lt;span class=&quot;small_headline&quot;&gt;12. Do you outsource any activities involving business data? &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
            &lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td valign=&quot;top&quot; width=&quot;440&quot;&gt;
            &lt;p&gt;&lt;span class=&quot;large_body&quot; style=&quot;font-size: 18px&quot;&gt;&lt;span class=&quot;small_headline&quot;&gt;13. Check all the following standards for which you can verify compliance: &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
            &lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td valign=&quot;top&quot; width=&quot;440&quot;&gt;
            &lt;p&gt;&lt;span class=&quot;large_body&quot; style=&quot;font-size: 18px&quot;&gt;&lt;span class=&quot;small_headline&quot;&gt;A. HIPAA/HITECH&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
            &lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td valign=&quot;top&quot; width=&quot;440&quot;&gt;
            &lt;p&gt;&lt;span class=&quot;large_body&quot; style=&quot;font-size: 18px&quot;&gt;&lt;span class=&quot;small_headline&quot;&gt;B. ISO/IEC 27001&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
            &lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td valign=&quot;top&quot; width=&quot;440&quot;&gt;
            &lt;p&gt;&lt;span class=&quot;large_body&quot; style=&quot;font-size: 18px&quot;&gt;&lt;span class=&quot;small_headline&quot;&gt;C. PCI-DSS&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
            &lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td valign=&quot;top&quot; width=&quot;440&quot;&gt;
            &lt;p&gt;&lt;span class=&quot;large_body&quot; style=&quot;font-size: 18px&quot;&gt;&lt;span class=&quot;small_headline&quot;&gt;D. COPPA&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
            &lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td valign=&quot;top&quot; width=&quot;440&quot;&gt;
            &lt;p&gt;&lt;span class=&quot;large_body&quot; style=&quot;font-size: 18px&quot;&gt;&lt;span class=&quot;small_headline&quot;&gt;E. Other (Please Specify): _____________&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
            &lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td valign=&quot;top&quot; width=&quot;440&quot;&gt;
            &lt;p&gt;&lt;span class=&quot;large_body&quot; style=&quot;font-size: 18px&quot;&gt;&lt;span class=&quot;small_headline&quot;&gt;F. None&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
            &lt;/td&gt;
        &lt;/tr&gt;
    &lt;/tbody&gt;
&lt;/table&gt;
&lt;/p&gt;</description>
          <pubDate>Mon, 05 Dec 2011 17:50:01 GMT</pubDate>
          <guid>http://compliancehelper.com/post/609104-ba-tracker-hipaa-hitech-compliance-checklist</guid>
          <link>http://compliancehelper.com/post/609104-ba-tracker-hipaa-hitech-compliance-checklist</link>
        </item>
        
        <item>
          <title>Third Parties (BAs) Second Leading Cause of HIPAA HITECH Data Breach: Ponemon Institute 2d Annual Study</title>
          <description>&lt;p&gt;As an ex-military person I am quite familiar with the term snafu but have never seen it used in a formal study before.&amp;nbsp; The Second Annual Ponemon Institute Study of Data Breaches refers to &amp;quot;Third Party Snafu&amp;quot; as the second leading cause of data breaches.&amp;nbsp; For those of you not familiar with snafu, the first two letters refer to &amp;quot;situation normal&amp;quot; and I would state that this has to change.&amp;nbsp; In another part of the study they state that the percentage of BAs with BA agreements in place has decreased from 66% to 56%.&amp;nbsp; This qualifies as a snafu also.&lt;/p&gt;
&lt;p&gt;If the BA is your second leading cause of breaches and you can't even be bothered to have a BA agreement in place, you have given the BA a very strong signal of your disregard for their efforts to protect PHI.&amp;nbsp; Of course HHS qualifies since they can't even be bothered to actually release the rules, which is another very strong signal.&amp;nbsp; Stuff really does roll downhill, so if there is a lack of commitment at the top you can expect there to be&amp;nbsp;even less of a&amp;nbsp;commitment at the bottom.&lt;/p&gt;
&lt;p&gt;In our software, task 1.1 in setting up a privacy and security program is to get the commitment of management and convey that to the entire organization.&amp;nbsp; In this scenario it starts with HHS, rolls down to the CE, rolls down to the BA, and finally rolls down to the Sub-Contractor.&amp;nbsp; If I am the Sub you can bet that if the folks above me in the food chain are not demanding commitment I am certainly not going to either.&lt;/p&gt;
&lt;p&gt;HHS needs to &amp;quot;hurry up&amp;quot; and start the stuff rolling downhill.&lt;/p&gt;
&lt;p&gt;Here is the link to the study: &lt;a href=&quot;http://www.linkedin.com/news?viewArticle=&amp;amp;articleID=948922088&amp;amp;gid=3873240&amp;amp;type=member&amp;amp;item=83081349&amp;amp;articleURL=http%3A%2F%2Fwww2%2Eidexpertscorp%2Ecom%2Fponemon-study-2011%2F&amp;amp;urlhash=-GDK&amp;amp;goback=%2Egde_3873240_member_83081349&quot;&gt;http://www.linkedin.com/news?viewArticle=&amp;amp;articleID=948922088&amp;amp;gid=3873240&amp;amp;type=member&amp;amp;item=83081349&amp;amp;articleURL=http%3A%2F%2Fwww2%2Eidexpertscorp%2Ecom%2Fponemon-study-2011%2F&amp;amp;urlhash=-GDK&amp;amp;goback=%2Egde_3873240_member_83081349&lt;/a&gt; &amp;nbsp;&lt;/p&gt;</description>
          <pubDate>Fri, 02 Dec 2011 16:52:16 GMT</pubDate>
          <guid>http://compliancehelper.com/post/605641-third-parties-bas-second-leading-cause</guid>
          <link>http://compliancehelper.com/post/605641-third-parties-bas-second-leading-cause</link>
        </item>
        
        <item>
          <title>BAs Must Provide Proof of HIPAA HITECH Compliance: Hennepin County Medical Center privacy officer Kari Myrold</title>
          <description>&lt;p&gt;We have heard it from the law firms and we have heard it from the consultants, now we are hearing it from the hospitals.&amp;nbsp; Business associates must be able to provide proof of compliance.&amp;nbsp; In this case they are requiring a risk assessment and without knowing the details I can't say whether this is a &amp;quot;reasonable and appropriate&amp;quot; request, but clearly the writing on the wall is writ large and clear:&amp;nbsp; If you share PHI you must provide proof of compliance.&lt;/p&gt;
&lt;p&gt;In this interview in Healthcare Info Security, Hennepin County Medical Center privacy officer Kari Myrold states:&lt;/p&gt;
&lt;p&gt;&amp;quot;Hennepin County Medical Center has beefed up its agreements with business associates in light of the high number of breaches across the nation that have involved vendors. For example, the hospital requires business associates to strictly limit who has access to patient data as well as provide evidence of the results of an audit of their security procedures.&amp;quot;&lt;/p&gt;
&lt;p&gt;A formal HIPAA risk assessment, when conducted by a privacy and information security consultant, is an expensive and time-consuming operation.&amp;nbsp; It also rapidly decreases in value as things change in the organization.&amp;nbsp; New systems, new business lines, and&amp;nbsp;staff turnover are among the issues that can change the level of compliance.&amp;nbsp; A better solution is an on-going monitoring system that measures different areas of compliance and displays the results through meters and dashboards.&amp;nbsp; Even more important is the underlying process of informing staff of their duties, giving them the tools to accomplish them and documenting their actions.&amp;nbsp; With the cloud computing or SaaS model an organization can allow their business partners to literally see their compliance program and its results.&lt;/p&gt;
&lt;p&gt;The Compliance Meter&lt;sup&gt;tm&lt;/sup&gt; is the quick reference but the business associate may also supply their covered entity with a read only password enabling them to &amp;quot;drill down&amp;quot; and view all&amp;nbsp;compliance activities.&amp;nbsp; BA Tracker is a new service for covered entities that keeps track of all of their BAs and provides a clear picture of their ongoing HIPAA&amp;nbsp;HITECH compliance.&amp;nbsp; For more information go to &lt;a href=&quot;http://www.compliancehelper.com/batracker&quot;&gt;www.compliancehelper.com/batracker&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Here is a link to the complete interview: &lt;a href=&quot;http://www.healthcareinfosecurity.com/podcasts.php?podcastID=1298&amp;amp;rf=2011-11-29-eh&amp;amp;elq=fc726d0282e44bcd8fd743a52601ddef&amp;amp;elqCampaignId=886&quot;&gt;http://www.healthcareinfosecurity.com/podcasts.php?podcastID=1298&amp;amp;rf=2011-11-29-eh&amp;amp;elq=fc726d0282e44bcd8fd743a52601ddef&amp;amp;elqCampaignId=886&lt;/a&gt;&lt;/p&gt;</description>
          <pubDate>Tue, 29 Nov 2011 16:05:43 GMT</pubDate>
          <guid>http://compliancehelper.com/post/601536-bas-must-provide-proof-of-hipaa</guid>
          <link>http://compliancehelper.com/post/601536-bas-must-provide-proof-of-hipaa</link>
        </item>
        
        <item>
          <title>Monitor Business Associate's HIPAA HITECH Compliance: Security specialist Tom Walsh, president of Tom Walsh Consulting</title>
          <description>&lt;p&gt;I know I am starting to sound like a one note singer but the note is very important and the audience is starting to hear it.&amp;nbsp; In this important article discussing the new tactic of class action lawsuits against healthcare organizations that have had a data breach, the alarm to monitor your business associates is also sounded by both Adam Greene, an attorney at Davis Wright Tremaine formerly with HHS and OCR, and security specialist Tom Walsh, president of Tom Walsh Consulting.&lt;/p&gt;
&lt;p&gt;BA Tracker is an elegant solution for both the covered entity and the business associate.&amp;nbsp; The CE gets a free service for tracking the on-going compliance of their BAs and the BAs get an inexpensive way to get compliant, stay compliant, and prove compliance to all of their CEs through our Compliance Meter&lt;sup&gt;tm&lt;/sup&gt;.&lt;/p&gt;
&lt;p&gt;Thanks again to Howard Anderson at Health Info Security for this timely article: &lt;a href=&quot;http://www.healthcareinfosecurity.com/articles.php?art_id=4275&amp;amp;pg=1&quot;&gt;http://www.healthcareinfosecurity.com/articles.php?art_id=4275&amp;amp;pg=1&lt;/a&gt;&lt;/p&gt;</description>
          <pubDate>Mon, 28 Nov 2011 16:25:05 GMT</pubDate>
          <guid>http://compliancehelper.com/post/600263-monitor-business-associate-s-hipaa-hitech-compliance</guid>
          <link>http://compliancehelper.com/post/600263-monitor-business-associate-s-hipaa-hitech-compliance</link>
        </item>
        
        <item>
          <title>HIPAA HITECH Breach Concerns Rise For Healthcare Firms: Judy Greenwald, Business Insurance</title>
          <description>&lt;p&gt;There is growing interest in HIPAA&amp;nbsp;HITECH insurance.&amp;nbsp; A number of companies are writing S&amp;amp;P or Security and Privacy policies to protect healthcare companies in the event of a breach.&amp;nbsp; The tricky bit is figuring out what the level of risk is with each organization.&amp;nbsp; We feel that having metrics for measuring the ongoing level of compliance is a critical factor.&amp;nbsp; A risk assessment is a good start but things change pretty quickly in organizations.&amp;nbsp; Staff turnover, new systems, new lines of business&amp;nbsp;and lack of ongoing compliance efforts can have a major influence on the level of compliance.&lt;/p&gt;
&lt;p&gt;Compliance is a process, an ongoing process that requires monitoring to ensure that the proper levels are being maintained.&amp;nbsp; Our Compliance Meter&lt;sup&gt;tm&lt;/sup&gt; displays the percentages of policies, procedures, and forms edited by the organization and approved by their Helper and the percentage of compliance tasks accomplished that month.&amp;nbsp; The Helper is a privacy and security expert who provides oversight and advice through the cloud or SaaS model.&lt;/p&gt;
&lt;p&gt;We think it would be wise for the insurance companies to require this sort of monitoring to be sure that their clients are doing everything possible to stay compliant.&amp;nbsp; It seems it would be a good partnership, with us being the canary in the mine.&lt;/p&gt;
&lt;p&gt;With our new BA Tracker service we can provide oversight on thousands of organizations efficiently and cost effectively.&lt;/p&gt;
&lt;p&gt;Here is the link to the article in Business Insurance:&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.businessinsurance.com/article/20111127/NEWS07/311279968?tags=%7C299%7C74%7C303%7C335&quot;&gt;http://www.businessinsurance.com/article/20111127/NEWS07/311279968?tags=%7C299%7C74%7C303%7C335&lt;/a&gt;&lt;/p&gt;</description>
          <pubDate>Sun, 27 Nov 2011 18:18:03 GMT</pubDate>
          <guid>http://compliancehelper.com/post/599134-hipaa-hitech-breach-concerns-rise-for</guid>
          <link>http://compliancehelper.com/post/599134-hipaa-hitech-breach-concerns-rise-for</link>
        </item>
        
        <item>
          <title>$1 Billion Class Action Suit in Sutter HIPAA HITECH Data Breach</title>
          <description>&lt;p&gt;There must be something in the air here in Northern California that causes huge data breaches.&amp;nbsp; HealthNet and IBM in Sacramento&amp;nbsp;team up to lose some servers with 1.9 million patient records, Sutter in Sacramento loses over 4 million and in a relatively minor episode Stanford has a business associate post 20,000 records on the Internet.&amp;nbsp; Notice these are not mom and pop outfits.&amp;nbsp; These are folks with big budgets for IT security and privacy.&amp;nbsp; I don't suppose Sutter budgeted for a $1 billion loss and I hear that there is a $20 million lawsuit against Stanford.&amp;nbsp; Maybe E&amp;amp;O insurance will at least help cover the cost of legal defense.&lt;/p&gt;
&lt;p&gt;If this is happening at the upper echelon of healthcare organizations, think about the thousands of minor (under 500) breaches reported and, maybe more scarily, think about the unreported leaks.&amp;nbsp; Particularly at the business associate and sub contractor level we see the vast majority as being non-compliant with HIPAA&amp;nbsp;HITECH at this time, so they don't even know the rules let alone whether they are breaking them.&amp;nbsp; I just saw a statistic that said that health care organizations only budget 3% for information security and privacy.&amp;nbsp; After 40 plus years in healthcare and 30 plus in healthcare IT I shouldn't be surprised by anything but that is an astoundingly low number.&lt;/p&gt;
&lt;p&gt;In support of Senator Al Franken (&amp;quot;What does this mean to me?&amp;quot;) I can only say HHS, Hurry UP!&amp;nbsp; Give us the rules, draw the line in the sand, show us that you are serious about HIPAA, this time.&lt;/p&gt;</description>
          <pubDate>Wed, 23 Nov 2011 18:06:39 GMT</pubDate>
          <guid>http://compliancehelper.com/post/591742-1-billion-class-action-suite-in</guid>
          <link>http://compliancehelper.com/post/591742-1-billion-class-action-suite-in</link>
        </item>
        
        <item>
          <title>HIPAA HITECH Documentation and Metrics</title>
          <description>&lt;p&gt;There are many old sayings about documentation, including &amp;quot;The job is not over until the paperwork is done&amp;quot;.&amp;nbsp; In HIPAA HITECH it starts with documented policies, procedures, and forms that are actually used to run the organization, but it goes beyond that.&amp;nbsp; A document management system will only take you so far.&amp;nbsp; You must be documenting actions such as notes,&amp;nbsp;editing or updating, or accomplishing compliance tasks.&amp;nbsp; It is also important to have third party oversight to verify these actions.&amp;nbsp; A privacy and security officer or an outside consultant can add greater validity if they are providing oversight and advice.&amp;nbsp; Again, it is important to document these interactions.&lt;/p&gt;
&lt;p&gt;Naturally you need tools and a process to ensure proper documentation.&amp;nbsp; Our model is to use a cloud computing model to deliver the documented content, track the edits, have a privacy and security expert called a&amp;nbsp;Helper,&amp;nbsp;check the work and automatically document all of these actions.&amp;nbsp; Questions are answered by the Helper and these interactions are also documented.&amp;nbsp; As the standards change new policies, procedures and forms are delivered and again the process of editing and updating is documented with oversight from the Helper.&lt;/p&gt;
&lt;p&gt;Documentation also allows us to establish HIPAA&amp;nbsp;HITECH metrics.&amp;nbsp; If you didn't document it you can't measure it.&amp;nbsp; What are the percentages of policies, procedures, and forms edited or updated measured on an ongoing basis?&amp;nbsp; So if a policy is revised the score goes down until someone either accepts the revision without changes, or edits it and sends to the Helper for approval.&amp;nbsp; Monthly task lists provide a process for maintaining compliance on an ongoing basis and these activities are documented and measured.&lt;/p&gt;
&lt;p&gt;These metrics feed the Compliance Meter&lt;sup&gt;tm&lt;/sup&gt;.&amp;nbsp; It may be displayed on the organization's own website or deployed to their business partners so that they may track compliance quickly, easily, and remotely.&amp;nbsp; If necessary they may be given a password that allows them to drill down and view all activities, thus achieving true transparency.&lt;/p&gt;
&lt;p&gt;In 2012 if you can't prove that you are HIPAA&amp;nbsp;HITECH compliant it is going to be very difficult to work in the healthcare sector.&lt;/p&gt;</description>
          <pubDate>Tue, 22 Nov 2011 17:16:06 GMT</pubDate>
          <guid>http://compliancehelper.com/post/590306-hipaa-hitech-documentation-and-metrics</guid>
          <link>http://compliancehelper.com/post/590306-hipaa-hitech-documentation-and-metrics</link>
        </item>
        
        <item>
          <title>A lack of ongoing HIPAA compliance training increases the risk of internal breaches, says Terrell Herzig, information security officer at UAB Medicine.</title>
          <description>&lt;p&gt;Here is a view of the business associate management issue from the perspective of a HIPAA&amp;nbsp;privacy officer from a large covered entity.&amp;nbsp; His recommendation that the CE ask for a recent risk assessment from their BAs is a good one but I doubt that many of them can comply.&amp;nbsp; According to the survey done by Health Information Security only 26% of respondents had done a risk assessment and none of them did it annually.&lt;/p&gt;
&lt;p&gt;HIPAA says that a CE may request a risk assessment from a BA &amp;quot;if it is reasonable and appropriate&amp;quot;.&amp;nbsp; That may preclude asking a small BA to spend thousands on a third party risk assessment.&amp;nbsp; On the other hand, a low-cost tool such as BA Tracker would meet the reasonable and appropriate requirement.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.linkedin.com/news?viewArticle=&amp;amp;articleID=911566405&amp;amp;gid=2729867&amp;amp;type=member&amp;amp;item=80281201&amp;amp;articleURL=http%3A%2F%2Fwww%2Ehealthcareinfosecurity%2Ecom%2Fpodcasts%2Ephp%3FpodcastID%3D1271&amp;amp;urlhash=Ffb6&amp;amp;goback=%2Egde_2729867_member_80281201&quot;&gt;http://www.linkedin.com/news?viewArticle=&amp;amp;articleID=911566405&amp;amp;gid=2729867&amp;amp;type=member&amp;amp;item=80281201&amp;amp;articleURL=http%3A%2F%2Fwww%2Ehealthcareinfosecurity%2Ecom%2Fpodcasts%2Ephp%3FpodcastID%3D1271&amp;amp;urlhash=Ffb6&amp;amp;goback=%2Egde_2729867_member_80281201&lt;/a&gt;&lt;/p&gt;</description>
          <pubDate>Mon, 14 Nov 2011 17:52:47 GMT</pubDate>
          <guid>http://compliancehelper.com/post/579555-a-lack-of-ongoing-hipaa-compliance</guid>
          <link>http://compliancehelper.com/post/579555-a-lack-of-ongoing-hipaa-compliance</link>
        </item>
        
        <item>
          <title> HIPAA/HITECH update: the waiting is the hardest part,  Wiley Rein LLP, Kirk J. Nahra, November 8 2011</title>
          <description>&lt;p&gt;In another in-depth analysis by Kirk Nahra, a prominent healthcare attorney, we see the admonition to monitor your business associates.&amp;nbsp; His prognostication is that we will get the final rule by the end of the year and that business associates will have seven months to get compliant.&amp;nbsp; He feels that their biggest challenge will be the security rule if they have been in compliance with the privacy rule.&amp;nbsp; He seems to think that BAs have been living up to their BA agreements but we don't think that is true in many cases.&amp;nbsp; Our partner Rebecca Herold has done over 200 BA risk assessments and in most cases she found the BA agreement in a file cabinet in HR or legal and that the staff had never even seen the agreements let alone lived up to the terms.&lt;/p&gt;
&lt;p&gt;We feel that it is vital for the covered entity to set standards and require proof of compliance.&amp;nbsp; With tools like our BA Tracker this can be accomplished efficiently and at no cost to the covered entity.&amp;nbsp; The BA pays a small fee but gets the advantage of being able to prove their compliance.&lt;/p&gt;
&lt;p&gt;Just having a spreadsheet that keeps track of who has signed a BA agreement is not enough.&amp;nbsp; You must monitor your BAs on an on-going basis to be able to identify risks and remediate them.&lt;/p&gt;
&lt;p&gt;Here is the complete article:&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.lexology.com/library/detail.aspx?g=e86eb05a-7e1f-4ade-856d-ea97c9c266f7&amp;amp;utm_source=Lexology+Daily+Newsfeed&amp;amp;utm_medium=HTML+email+-+Body+-+Federal+section&amp;amp;utm_campaign=Lexology+subscriber+daily+feed&amp;amp;utm_content=Lexology+Daily+Newsfeed+2011-11-14&amp;amp;utm_term&quot;&gt;http://www.lexology.com/library/detail.aspx?g=e86eb05a-7e1f-4ade-856d-ea97c9c266f7&amp;amp;utm_source=Lexology+Daily+Newsfeed&amp;amp;utm_medium=HTML+email+-+Body+-+Federal+section&amp;amp;utm_campaign=Lexology+subscriber+daily+feed&amp;amp;utm_content=Lexology+Daily+Newsfeed+2011-11-14&amp;amp;utm_term&lt;/a&gt;&lt;/p&gt;</description>
          <pubDate>Mon, 14 Nov 2011 17:06:42 GMT</pubDate>
          <guid>http://compliancehelper.com/post/579524-hipaa-hitech-update-the-waiting-is-the</guid>
          <link>http://compliancehelper.com/post/579524-hipaa-hitech-update-the-waiting-is-the</link>
        </item>
        
        <item>
          <title>Keeping an Eye on Business Associates (HIPAA HITECH)</title>
          <description>&lt;p&gt;In the software industry there is a term for&amp;nbsp;an idea&amp;nbsp;that simultaneously occurs to a number of different people in different places.&amp;nbsp; We refer to something being &amp;quot;in the air&amp;quot;.&amp;nbsp; Managing business associates is clearly in the air.&amp;nbsp; It is popping up in many different places with many different authors.&amp;nbsp; Here is a recent in-depth article in Health Data Management (see link below) that states the problem well and suggests some solutions.&amp;nbsp; We would add the need for compliance metrics tied to external meters and dashboards to monitor on-going compliance of business associates and subs.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.healthdatamanagement.com/issues/19_11/hipaa-privacy-security-business-associates-43504-1.html?pg=1&quot;&gt;&lt;font color=&quot;#810081&quot;&gt;http://www.healthdatamanagement.com/issues/19_11/hipaa-privacy-security-business-associates-43504-1.html?pg=1&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;</description>
          <pubDate>Sat, 12 Nov 2011 17:40:00 GMT</pubDate>
          <guid>http://compliancehelper.com/post/577246-keeping-an-eye-on-business-associates</guid>
          <link>http://compliancehelper.com/post/577246-keeping-an-eye-on-business-associates</link>
        </item>
        
        <item>
          <title>Business Associate Proof of HIPAA HITECH Compliance</title>
          <description>&lt;p&gt;With pressure mounting on HHS to release the updated rules, including a recent Senate hearing where the new head of HHS was told to &amp;quot;hurry up&amp;quot;, we will see the Final Rule by early 2012.&amp;nbsp; Based on the 234 page Notice of Proposed Rule Making (NPRM) issued in July of 2010 all business associates and their subs will have to meet the same rules as the covered entities.&lt;/p&gt;
&lt;p&gt;As a BA, and I will use this to describe all business associates and subs, you will be required to present proof of compliance to your covered entities.&amp;nbsp; This is already happening.&amp;nbsp; We have helped many BAs who have come to us stating that their covered entity requires proof of compliance.&amp;nbsp; So what constitutes proof of compliance?&amp;nbsp; The basic rules are that you have an appointed privacy and security officer, documented policies and procedures, training and awareness, and on-going activities to remain compliant.&amp;nbsp; One proof of this is a HIPAA risk assessment conducted according to the standards established by the National Institute of Standards and Technology (NIST).&amp;nbsp; If conducted by an on-site consultant this will cost thousands of dollars.&amp;nbsp; There are new software tools such as those provided by ACR2 Solutions that can reduce the cost and hassle.&amp;nbsp; Either way you will get a Gap Analysis report telling you where you are falling short of meeting the standards, and you must then remediate or mitigate these risks.&amp;nbsp; This Cycle of Compliance (risk assessment, remediation, and training) must be maintained at all times to maintain your compliance.&lt;/p&gt;
&lt;p&gt;Documentation is critical.&amp;nbsp; If you didn't document it, it didn't happen.&amp;nbsp; So you must engage in continuous compliance activities that meet the standards, document these activities, and deliver proof to your healthcare business partners.&amp;nbsp; Fortunately, 21st century technology helps provide some tools for managing this challenge.&lt;/p&gt;
&lt;p&gt;The cloud computing model, or SaaS, allows for delivery of a step by step process for setting up a compliant privacy and information security program.&amp;nbsp; Embedded metrics measure your progress and a personal Helper provides advice, encouragement, and gentle nagging to get you through the process.&amp;nbsp; Once the initial program is set up you move to maintenance mode, where you receive a monthly list of tasks required to stay compliant.&amp;nbsp; Every action is documented by the software and reported out through the Compliance Meter(tm).&amp;nbsp; The Compliance Meter(tm) is a widget that can be displayed on your website or deployed to your business partners so that they can observe your compliance scores.&lt;/p&gt;
&lt;p&gt;By delivering the personal Helper, the content, the step by step process and the metrics through the cloud model, the cost is reasonable.&amp;nbsp; Most BAs can get compliant for under a thousand dollars, stay compliant for under a hundred dollars a month, and prove compliance for free.&amp;nbsp; Very small organizations can get compliant for $125 and stay compliant for $35 per month.&lt;/p&gt;
&lt;p&gt;Beginning in 2012, if you can't prove HIPAA&amp;nbsp;HITECH compliance you can't do business in healthcare.&amp;nbsp; The covered entity has a responsibility to get &amp;quot;suitable assurances&amp;quot; that you are compliant.&amp;nbsp; If they observe &amp;quot;a pattern of non-compliance&amp;quot; they are obliged to get the BA to become compliant or sever the business relationship and report them to HHS.&lt;/p&gt;
&lt;p&gt;To understand the process better go to our website at &lt;a href=&quot;http://www.compliancehelper.com&quot;&gt;www.compliancehelper.com&lt;/a&gt; and watch the BA demo.&lt;/p&gt;</description>
          <pubDate>Fri, 11 Nov 2011 17:20:35 GMT</pubDate>
          <guid>http://compliancehelper.com/post/576099-business-associate-proof-of-hipaa-hitech</guid>
          <link>http://compliancehelper.com/post/576099-business-associate-proof-of-hipaa-hitech</link>
        </item>
        
        <item>
          <title>HIPAA Updates: Hurry Up!, Senator Al Franken at a Senate hearing</title>
          <description>&lt;p&gt;This is the most notable in a series of public statements urging HHS to issue the updates including the ones listed in the NPRM from July 2010.&amp;nbsp; In July of 2011 Susan McAndrew stated that it would be &amp;quot;weeks not months&amp;quot; and that it would be out by the end of the year or she would be out by the end of the year.&amp;nbsp; I hope she is really taking it that seriously because literally millions of business associates and sub-contractors are delaying because of the delay in enforcement announced in February of 2010.&amp;nbsp; If you can write a 234 page NPRM in July of 2010 there is no excuse for not having the final rule 18 months later.&lt;/p&gt;
&lt;p&gt;I would hope that this chorus of voices including Senator Al Franken and a Senate hearing would prod HHS into action.&amp;nbsp; Here is the link to the full story:&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://blogs.healthcareinfosecurity.com/posts.php?postID=1118&amp;amp;rf=2011-11-10-eh&amp;amp;elq=cfd486d36bf24a3482b3e7f17d077fba&amp;amp;elqCampaignId=799&quot;&gt;http://blogs.healthcareinfosecurity.com/posts.php?postID=1118&amp;amp;rf=2011-11-10-eh&amp;amp;elq=cfd486d36bf24a3482b3e7f17d077fba&amp;amp;elqCampaignId=799&lt;/a&gt;&lt;/p&gt;</description>
          <pubDate>Thu, 10 Nov 2011 17:04:56 GMT</pubDate>
          <guid>http://compliancehelper.com/post/574765-hipaa-updates-hurry-up-senator-al</guid>
          <link>http://compliancehelper.com/post/574765-hipaa-updates-hurry-up-senator-al</link>
        </item>
        
        <item>
          <title>HIPAA HITECH Webinar featuring Rebecca Herold</title>
          <description>&lt;p&gt;Our partner, Rebecca Herold, CIPP, CISSP, CISM, CISA, FLMI, was recently voted the 3rd best privacy advisor in the world by Computer World.&amp;nbsp; She is featured in a webinar sponsored by Credant Technologies on Thursday, Oct. 27 at 1 pm Central Time.&lt;/p&gt;
&lt;p&gt;She is one of the top experts in the world on HIPAA&amp;nbsp;HITECH and other privacy and information security topics, as well as an&amp;nbsp;engaging speaker, so&amp;nbsp;be sure to listen to her explanations.&amp;nbsp; Working with Compliance Helper she has developed a comprehensive program for helping CEs and BAs get compliant, stay compliant, and prove compliance with the Compliance Meter&lt;sup&gt;tm&lt;/sup&gt;.&lt;/p&gt;</description>
          <pubDate>Mon, 17 Oct 2011 16:53:54 GMT</pubDate>
          <guid>http://compliancehelper.com/post/538566-hipaa-hitech-webinar-featuring-rebecca-herold</guid>
          <link>http://compliancehelper.com/post/538566-hipaa-hitech-webinar-featuring-rebecca-herold</link>
        </item>
        
        <item>
          <title>Law Firms Advising CEs to Monitor BAs for HIPAA HITECH Compliance</title>
          <description>&lt;p&gt;This is only the most recent article from leading healthcare law firms advising covered entities to more actively monitor their business associates.&amp;nbsp; Of course Rebecca Herold, our privacy and security expert and partner, has been saying this for over two years.&amp;nbsp; In fact, her article in the February issue of Compliance Today was emphatic in stating that just having a BA agreement in place was not enough.&lt;/p&gt;
&lt;p&gt;To attempt to manage this risk the CE could send questionnaires, do phone interviews, request copies of policies and procedures, request new risk assessments and security audits, or even do an on-site visit.&amp;nbsp;Since most CEs have hundreds of BAs, and some have thousands, this could be an expensive proposition in both time and money.&lt;/p&gt;
&lt;div style=&quot;margin: 0in 0in 10pt&quot;&gt;Working with Rebecca Herold, Compliance Helper (CH) has developed BA Tracker&lt;sup&gt;tm&lt;/sup&gt;&amp;nbsp;to do the job for the CE, for free.&amp;nbsp;We charge the BA a small fee for measuring and displaying their compliance on an ongoing basis and reporting that to the CE.&lt;/div&gt;
&lt;div style=&quot;margin: 0in 0in 10pt&quot;&gt;The CE delivers a list of their BAs to CH and informs them that they must supply proof of compliance on an ongoing basis.&amp;nbsp;BA Tracker&amp;trade; is described by the CE as an acceptable proof of compliance along with any other acceptable methods.&amp;nbsp;CH contacts the BAs and offers their services.&amp;nbsp;&lt;/div&gt;
&lt;div style=&quot;margin: 0in 0in 10pt&quot;&gt;Each month the BA receives an attestation form requiring them to verify their profile information, attest that they are doing ongoing training and maintenance of their policies and procedures, and answer a HIPAA HITECH quiz.&amp;nbsp;They will be given a score that will be reflected through their Compliance Meter&lt;sup&gt;tm&lt;/sup&gt; and through a dashboard report on the CE website. Should the BA need additional help they may sign up for the CO-OP or Prepare/Care services, which will enable them to set up a comprehensive privacy and information security program and maintain their compliance.&amp;nbsp;&lt;/div&gt;
&lt;div style=&quot;margin: 0in 0in 10pt&quot;&gt;The CE gets a private and secure website with profiles of their BAs enrolled in BA Tracker&amp;trade;, along with the BAs&amp;rsquo; current and past scores reflected through meters and dashboards.&amp;nbsp;With the BA&amp;rsquo;s permission the CE may drill down, remotely, to view all compliance activities of the BA.&lt;/div&gt;
&lt;div style=&quot;margin: 0in 0in 10pt&quot;&gt;The cost to the BA is less than a hundred dollars a month for BA Tracker&amp;trade; and only a few thousand if they need the full Prepare/Care Services.&lt;/div&gt;
&lt;div style=&quot;margin: 0in 0in 10pt&quot;&gt;For more information contact Jack Anderson, &lt;a href=&quot;mailto:jack@compliancehelper.com&quot;&gt;jack@compliancehelper.com&lt;/a&gt;&lt;/div&gt;</description>
          <pubDate>Tue, 11 Oct 2011 15:53:39 GMT</pubDate>
          <guid>http://compliancehelper.com/post/530558-law-firms-advising-ces-to-monitor</guid>
          <link>http://compliancehelper.com/post/530558-law-firms-advising-ces-to-monitor</link>
        </item>
        
        <item>
          <title>Over Half of Breached Patient Data Records Caused by Third Parties (BAs and Subs)</title>
          <description>&lt;p&gt;A lot has been written about the Stanford data breach of over 20,000 patient records posted on-line for over a year, but I found an even more compelling statement late in the NY Times article: &lt;a href=&quot;http://www.nytimes.com/2011/09/09/us/09breach.html?_r=2&amp;amp;hp=&amp;amp;pagewanted=all&quot;&gt;http://www.nytimes.com/2011/09/09/us/09breach.html?_r=2&amp;amp;hp=&amp;amp;pagewanted=all&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&amp;quot;Bryan Cline, a vice president with the Health Information Trust Alliance, a nonprofit company that establishes privacy guidelines for health providers, said nearly 20 percent of breaches involved outside contractors, accounting for more than half of all the records exposed.&lt;/p&gt;
&lt;p&gt;Dr. Cline said health care providers depend unjustifiably on legal contracts with vendors to protect medical records. &amp;ldquo;That just doesn&amp;rsquo;t work, as we can see,&amp;rdquo; he said. &amp;ldquo;You have to do due diligence, something to assure yourself that the people you&amp;rsquo;re giving your data to can be trusted.&amp;rdquo;&amp;quot;&lt;/p&gt;
&lt;p&gt;Since the HITECH Act went into effect in February of 2011 I have been watching the process of law firms and covered entities struggling with the problem of data breaches by business associates and sub-contractors.&amp;nbsp; The prevailing opinions have shifted from just modifying the existing BA agreements to Dr. Cline's view.&lt;/p&gt;
&lt;p&gt;The challenge for the CE is how to do due diligence with hundreds of BAs.&amp;nbsp; Various methods have been tried, including mailing out questionnaires, doing telephone interviews, asking for copies of policies and procedures, requesting a HIPAA risk assessment, and, as a last resort, doing an on-site audit.&amp;nbsp; All of these are expensive, time consuming, and only give a single-day snapshot of the compliance level of the BA.&lt;/p&gt;
&lt;p&gt;There is no HHS approved &amp;quot;certification&amp;quot; process.&amp;nbsp; It is up to the CE to set the standards and for the BA to provide proof that they are meeting the standards on an ongoing basis. Fortunately, new technology and methodology offer a good solution for both the CE and the BA.&amp;nbsp; With the cloud computing model and a task based methodology the BA can manage their compliance on an ongoing basis and provide transparency to the CE.&lt;/p&gt;
&lt;p&gt;Rebecca Herold and Associates and Compliance Helper (CH)&amp;nbsp;have worked together to develop BA Tracker&lt;sup&gt;tm&lt;/sup&gt;, a free service to the CE.&amp;nbsp; The CE provides a list of BAs to CH and sends them a letter asking them to enroll in the program.&amp;nbsp; They enroll on-line and provide information about their business model and current level of compliance.&amp;nbsp; Based on this they are enrolled in the appropriate level of service.&amp;nbsp; If they are fully compliant they need only fill out a monthly attestation form and answer a few HIPAA questions.&amp;nbsp; If they need help getting compliant and staying compliant they can enroll in the Prepare/Care program or CO-OP.&amp;nbsp; These programs are reasonably priced, effective, and efficient.&lt;/p&gt;
&lt;p&gt;Their ongoing compliance activities are documented and the results displayed through the Compliance Meter&lt;sup&gt;tm&lt;/sup&gt; and dashboard displays.&amp;nbsp; Their business profile is available to the CE, and with their permission the CE may drill down to observe all of their compliance activities.&lt;/p&gt;
&lt;p&gt;For more information contact Jack Anderson, &lt;a href=&quot;mailto:jack@compliancehelper.com&quot;&gt;jack@compliancehelper.com&lt;/a&gt;, or call 866-984-3573, ext 709&lt;/p&gt;</description>
          <pubDate>Thu, 22 Sep 2011 16:19:29 GMT</pubDate>
          <guid>http://compliancehelper.com/post/507589-over-half-of-patient-data-records</guid>
          <link>http://compliancehelper.com/post/507589-over-half-of-patient-data-records</link>
        </item>
    
  </channel>
</rss>
