<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
  <channel>
    <title>Compliance Helper</title>
    <link>http://compliancehelper.com</link>
    <language>en-us</language>
    <ttl>40</ttl>
    <description />
        
        <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/ComplianceHelper" /><feedburner:info uri="compliancehelper" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:emailServiceId>ComplianceHelper</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><item>
          <title>Lack of HIPAA HITECH Risk Assessment and Remediation Threatening Meaningful Use Funds</title>
          <description>&lt;p&gt;&amp;nbsp;Here is a copy of a blog from our partner company ACR2 Solutions which does HIPAA risk assessments for organizations applying for meaningful use funds:&lt;/p&gt;
&lt;p&gt;
&lt;div&gt;40,000 Providers Possibly at Risk of Losing EMR Subsidies&lt;/div&gt;
&lt;div&gt;CMS reports that as of March 31, 2012 some 44,100 providers have attested to meaningful use under Medicare, each collecting $18,000 in Medicare subsidies. &amp;nbsp;However, as many as 90% of these meaningful use subsidy applications may be inaccurate, putting the subsidies in danger of confiscation. &amp;nbsp;The main problem appears to be the meaningful use risk assessment. &amp;nbsp;At the HIMSS show in February, the CMS audit team stated that &amp;ldquo;&amp;hellip;being found deficient on any one measure will cause provider to be out of compliance. &amp;nbsp;In this case, CMS will recoup the provider&amp;rsquo;s entire stimulus for the reporting period in question&amp;rdquo;&lt;/div&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;In their 2011 webinars, the two leading meaningful use risk assessment software firms, Symantec (via Allscripts) and Hewlett Packard (via ACR2 Solutions) together claimed fewer than 2,000 assessments total. &amp;nbsp;Assuming that the more expensive consultant driven manual assessments no more than doubled that figure, it still leaves tens of thousands of providers incorrectly attesting to meaningful use compliance.&lt;/div&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;Some of this confusion can be traced to EMR vendors. &amp;nbsp;While some vendors (Allscripts, VersaSuite, Universal, others) provide guidance and access to risk assessment software, many others (Sage, Athena, others) put the total burden of compliance on providers who often have limited expertise. &amp;nbsp;In addition some vendor sales staff are claiming full meaningful use compliance capability that their software does not provide. &amp;nbsp;Certification does not ensure meaningful use capability, as the ONC pointed out firmly in their recently published Guide to Privacy and Security of Health Information.&lt;/div&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;Other problems in this area come from the Regional Extension Centers (RECs) some (not all) of whom have advocated the use of checklists as a substitute for a meaningful use risk assessment. &amp;nbsp;As the recent ONC guidance states, &amp;ldquo;Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.&amp;rdquo;&lt;/div&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;The early audit reports by KPMG are short on details, but seem to imply that NONE of the 20 early audit targets had correctly performed a meaningful use risk assessment. &amp;nbsp;If, as it appears, 90% of early attester providers did not perform a meaningful use risk assessment before attesting, then some $700 million dollars could be taken back.&lt;/div&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;What is even more significant is that many that did a risk assessment failed to follow up with remediation or mitigation of the risks discovered. &amp;nbsp;This automatically qualifies them for &amp;quot;willful neglect&amp;quot;.&lt;/div&gt;
&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/ComplianceHelper/~4/sg8rcPsl0OA" height="1" width="1"/&gt;</description>
          <pubDate>Wed, 23 May 2012 20:34:15 GMT</pubDate>
          <guid isPermaLink="false">http://compliancehelper.com/post/911327-lack-of-hipaa-hitech-risk-assessment</guid>
          <link>http://feedproxy.google.com/~r/ComplianceHelper/~3/sg8rcPsl0OA/911327-lack-of-hipaa-hitech-risk-assessment</link>
        <feedburner:origLink>http://compliancehelper.com/post/911327-lack-of-hipaa-hitech-risk-assessment</feedburner:origLink></item>
        
        <item>
          <title>Business Partners: A New Risk to Health Data Security? iHealthBeat </title>
          <description>&lt;p&gt;&amp;nbsp;While I know that it seems that I only have one string on my banjo and that I am strumming it incessantly, please read this in-depth article about why you have to monitor your business associates and why business associates need to get compliant, stay compliant, and prove compliance, with our Compliance Meter(tm)&lt;/p&gt;
&lt;p&gt;
&lt;div&gt;Monday, May 14, 2012&lt;/div&gt;
&lt;div&gt;Business Partners: A New Risk to Health Data Security?&lt;/div&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;by John Moore, iHealthBeat Contributing Reporter&lt;/div&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;Third-party business partners represent a significant security risk to health care providers, who may need several layers of protection to ensure the security of patient data.&lt;/div&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;Read more: http://www.ihealthbeat.org/features/2012/business-partners-a-new-risk-to-health-data-security.aspx&lt;/div&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/ComplianceHelper/~4/2CS-t6ziAWs" height="1" width="1"/&gt;</description>
          <pubDate>Mon, 14 May 2012 22:26:53 GMT</pubDate>
          <guid isPermaLink="false">http://compliancehelper.com/post/848018-business-partners-a-new-risk-to</guid>
          <link>http://feedproxy.google.com/~r/ComplianceHelper/~3/2CS-t6ziAWs/848018-business-partners-a-new-risk-to</link>
        <feedburner:origLink>http://compliancehelper.com/post/848018-business-partners-a-new-risk-to</feedburner:origLink></item>
        
        <item>
          <title>Omnibus Package Applies HIPAA HITECH to Business Associates and Subs: Susan McAndrews,OCR's deputy director of health information privacy</title>
          <description>&lt;p&gt;&amp;nbsp;We have been blogging about this for over two years but it looks like the day of reckoning for business associates and subs is&amp;nbsp;finally upon us. &amp;nbsp;Presuming that OMB delivers in under 90 days by June 23 we will have the omnibus package of rules which among other things will apply HIPAA HITECH to all BAs and Subs. &amp;nbsp;This will also put additional pressure on covered entities (CE) to get &amp;quot;suitable assurances&amp;quot; that their BAs and Subs are compliant. &amp;nbsp;This can include asking for a risk assessment if it is &amp;quot;reasonable and appropriate&amp;quot;&lt;/p&gt;
&lt;p&gt;Let me tell you a little story about our experience in another market that had a regulatory shift similar to this. &amp;nbsp;In 2007 CMS announced that all durable medical equipment (DME) dealers would have to be accredited by September 30, 2009 in order to continue billing CMS. &amp;nbsp;2007 and 2008 passed with little movement towards accreditation by the majority of DMEs. &amp;nbsp;Then in January of 2009 CMS announced that DMEs would have to apply for accreditation by January 31, 2009 or not be guaranteed to get accredited by the deadline. &amp;nbsp;Suddenly thousands of DMEs started applying, but even then there were holdouts. &amp;nbsp;They believed that there would be an extension or even that somehow CMS would change their mind. &amp;nbsp;In August of 2009 we had many calls from DME wanting a last minute accreditation consulting package. &amp;nbsp;Needless to say it was too late and the rule went into effect on September 30, 2009.&lt;/p&gt;
&lt;p&gt;The difference between the DME market and the BA and Subs is quantity. &amp;nbsp;There were thousands of DME dealers but there are millions of BAs and Subs. &amp;nbsp;The law has been in effect since February of 2010 and the Notice of Proposed Rule Making (NPRM) issued in July of 2010 told us the bulk of what the rules were going to be like. &amp;nbsp;So in June of 2012 BAs and Subs will have had almost two years to figure out that they must get HIPAA compliant. &amp;nbsp;Sadly the majority have done little or nothing. &amp;nbsp;This means that we can expect similar reactions in this market. &amp;nbsp;A big rush when the Omnibus Package is published and a lot of organizations that will simply not get compliant and therefore can't do business in healthcare.&lt;/p&gt;
&lt;p&gt;Don't be in one of these categories. &amp;nbsp;Get started now. &amp;nbsp;With our programs you can get compliant in 45 days, stay compliant, and prove compliance with our Compliance Meter(tm). &amp;nbsp;Go to www.compliancehelper.com and see which program works best for you. &amp;nbsp;We have programs starting at $125 for small companies which is a small price to pay for the peace of mind of knowing that your can continue to do business in the healthcare market.&lt;/p&gt;
&lt;p&gt;Here is the link to the complete interview with Susan McAndrew:&lt;/p&gt;
&lt;p&gt;http://www.healthcareinfosecurity.com/hipaa-modifications-what-to-expect-a-4722/p-1&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/ComplianceHelper/~4/i99nqQKkieE" height="1" width="1"/&gt;</description>
          <pubDate>Tue, 01 May 2012 15:27:40 GMT</pubDate>
          <guid isPermaLink="false">http://compliancehelper.com/post/826079-omnibus-package-applies-hipaa-hitech-to</guid>
          <link>http://feedproxy.google.com/~r/ComplianceHelper/~3/i99nqQKkieE/826079-omnibus-package-applies-hipaa-hitech-to</link>
        <feedburner:origLink>http://compliancehelper.com/post/826079-omnibus-package-applies-hipaa-hitech-to</feedburner:origLink></item>
        
        <item>
          <title>Only a Handful of Business Associates HIPAA HITECH Compliant</title>
          <description>&lt;p&gt;&amp;nbsp;Our privacy and security expert and partner Rebecca Herold has done hundreds of risk assessments of business associates so I asked her what she had found in these organizations. &amp;nbsp;Here is her answer: &amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;quot;Of the hundreds of risk assessments I've done of BAs, I found really only a couple, up to a handful, that had a comprehensive plan and deep understanding of information security and privacy risk management. &amp;nbsp;And these were large, long established organizations. Probably around 25% - 30% were completely clueless, lacking documentation and even any knowledge of information security terms and HIPAA requirements. &amp;nbsp;The rest had some documentation and processes in place, but they were typically only 50% - 75% percent in compliance (with more on the low end of that scale).&amp;quot;&lt;/p&gt;
&lt;p&gt;If you do business with business associates (BA) and share your PHI with them you probably don't know their compliance levels. &amp;nbsp;Sure they may have signed a BA agreement but Rebecca's experience was that these were signed and filed by clerical people and rarely followed up with actual policies and procedures used by the staff. &amp;nbsp;So what is the risk? &amp;nbsp;Let's examine a recent example. &amp;nbsp;Phoenix Cardiac Surgery recently settled with OCR and paid $100,000 for a breach of PHI caused by their two business associates. &amp;nbsp;Here is the pertinent section of their agreement:&lt;/p&gt;
&lt;p&gt;&amp;quot;(i) From September 1, 2005 until November 1, 2009, Covered Entity permitted the entity providing the Internet-based email account to receive, store, maintain and transmit ePHI on the Covered Entity&amp;rsquo;s&amp;nbsp;behalf without obtaining satisfactory assurances in a business associate agreement with the entity; and&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;div&gt;(ii) From July 3, 2007 until December 3, 2009, Covered Entity permitted the entity providing the Internet-based calendar application to receive, store, and maintain ePHI on its behalf without obtaining satisfactory assurances in a business associate agreement with the entity.&amp;quot;&lt;/div&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;Note the term &amp;quot;satisfactory assurances&amp;quot;, as this is the language that is in the HIPAA rules. &amp;nbsp;Obviously this is subject to interpretation, but the auditors are the ones who get to decide whether the CE did enough to qualify as &amp;quot;satisfactory assurances&amp;quot;. &amp;nbsp;Recent articles by the top healthcare law firms have stated that you must do more than get a BA agreement in place. &amp;nbsp;You must actively monitor your business associates. &amp;nbsp;Most CEs simply keep track of which BAs have signed an agreement, but you must go further.&lt;/div&gt;
&lt;div&gt;BA Tracker was developed to help this effort by enrolling the BAs in an active program to find out what type of PHI they receive, how they receive it, how they store it, how they destroy it, and how they manage it. &amp;nbsp;If gaps are found in their privacy and security programs, cost-effective and efficient remediation is offered to them.&lt;/div&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;Take a look at www.compliancehelper.com/batracker for more information&lt;/div&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/ComplianceHelper/~4/b0cqHbX-_y8" height="1" width="1"/&gt;</description>
          <pubDate>Thu, 26 Apr 2012 16:01:26 GMT</pubDate>
          <guid isPermaLink="false">http://compliancehelper.com/post/818831-only-a-handful-of-business-associates</guid>
          <link>http://feedproxy.google.com/~r/ComplianceHelper/~3/b0cqHbX-_y8/818831-only-a-handful-of-business-associates</link>
        <feedburner:origLink>http://compliancehelper.com/post/818831-only-a-handful-of-business-associates</feedburner:origLink></item>
        
        <item>
          <title>Covered Entities Need To Ensure That Business Associates are HIPAA HITECH Compliant, Lisa Gallagher, senior director of privacy and security, HIMSS</title>
          <description>&lt;p&gt;&amp;nbsp;In this comprehensive study by Kroll Advisory Solutions, (link below) a very important section is the subject of third paries or business associate involvement in breaches. &amp;nbsp;Here is the section on the covered entities view of this risk:&lt;/p&gt;
&lt;p&gt;
&lt;div&gt;&amp;quot;The industry&amp;rsquo;s expectations of third party data security practices are not keeping pace with the increased outsourcing of patient data; third party breaches are on the rise.&amp;nbsp;&lt;/div&gt;
&lt;div&gt;&amp;bull; &amp;nbsp; &amp;nbsp;Eighteen (18) percent of respondents that experienced a breach in the past 12 months cited third parties as the root cause.&amp;nbsp;&lt;/div&gt;
&lt;div&gt;&amp;bull; &amp;nbsp; &amp;nbsp;Twenty-eight (28) percent of respondents indicated that &amp;ldquo;sharing information with external parties&amp;rdquo; is the top item that put patient data at risk (up from 18 percent in 2010 and 6 percent in 2008).&lt;/div&gt;
&lt;div&gt;&amp;bull; &amp;nbsp; &amp;nbsp;Half of respondents noted that they required proof of employee training from third parties.&lt;/div&gt;
&lt;div&gt;&amp;bull; &amp;nbsp; &amp;nbsp;A little more than half (56) percent indicated they require proof of employee background checks.&amp;nbsp;&lt;/div&gt;
&lt;div&gt;&amp;bull; &amp;nbsp; &amp;nbsp;Approximately half (56 percent) of respondents indicated they verify that their third party vendors conduct a periodic risk analysis to identify security risks and vulnerabilities.&lt;/div&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;&amp;quot;There are numerous reports of security breaches that have taken place as a result of the actions taken by business associates handling identifiable health information,&amp;rdquo; said Lisa Gallagher, senior director of privacy and security for the Healthcare Information and Management Systems Society (HIMSS). &amp;quot;Healthcare organizations need to ensure that their business associates are taking every precaution to safeguard this information. We know that most security breaches often are the result of actions taken by employees, so background checks, employee training and continued monitoring of policies and procedures are steps all covered entities should ensure are taken by their business associates.&amp;rdquo;&lt;/div&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;Continuous monitoring and documentation are necessary to satisfy the requirement for &amp;quot;satisfactory assurances&amp;quot; that your business associates are HIPAA HITECH compliant. &amp;nbsp;Compliance Helper supplies this through our BA Tracker while also giving the business associate the tools needed to cost-effectively and efficiently get compliant, stay compliant, and prove compliance with our Compliance Meter(tm).&lt;/div&gt;
&lt;/p&gt;
&lt;p&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;http://www.virtual-strategy.com/2012/04/11/healthcare-industry%E2%80%99s-prioritization-compliance-over-data-security-puts-patient-data-risk &amp;nbsp;&lt;/div&gt;
&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/ComplianceHelper/~4/f52YCAh39_I" height="1" width="1"/&gt;</description>
          <pubDate>Thu, 12 Apr 2012 16:19:25 GMT</pubDate>
          <guid isPermaLink="false">http://compliancehelper.com/post/799608-covered-entities-need-to-ensure-that</guid>
          <link>http://feedproxy.google.com/~r/ComplianceHelper/~3/f52YCAh39_I/799608-covered-entities-need-to-ensure-that</link>
        <feedburner:origLink>http://compliancehelper.com/post/799608-covered-entities-need-to-ensure-that</feedburner:origLink></item>
        
        <item>
          <title>HIPAA HITECH Data Breach Causes Business Associate Bankruptcy</title>
          <description>&lt;p&gt;While I am sure that this is not the first bankruptcy caused by a HIPAA&amp;nbsp;HITECH data breach, I am also sure that it will not be the last.&amp;nbsp; For a few thousand dollars and a little bit of work this company could have prevented this.&lt;/p&gt;
&lt;p&gt;Here is the whole story from the Wall Street Journal article:&lt;/p&gt;
&lt;h5 class="blogtitle"&gt;&lt;a href="http://blogs.wsj.com/bankruptcy"&gt;&lt;font color="#0000ff"&gt;Bankruptcy Beat&lt;/font&gt;&lt;/a&gt;&lt;/h5&gt;
&lt;p&gt;Burglary Triggers Medical Records Firm&amp;rsquo;s Collapse&lt;/p&gt;
&lt;p&gt;By Katy Stech&lt;/p&gt;
&lt;p&gt;The New Year&amp;rsquo;s Eve burglary of a California office building has led to the collapse of a national medical records firm.&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.impairment.com/" target="_blank" modo="false"&gt;&lt;font color="#0000ff"&gt;Impairment Resources LLC&lt;/font&gt;&lt;/a&gt; filed for bankruptcy Friday after the break-in at its San Diego headquarters led to the electronic escape of detailed medical information for roughly 14,000 people, according to papers filed in U.S. Bankruptcy Court in Wilmington, Del. That information included patient addresses, social security numbers and medical diagnoses.&lt;/p&gt;
&lt;p&gt;Police never caught the criminals, and company executives were required by law to report the breach to state attorneys general and the Department of Labor&amp;rsquo;s Office of Inspector General. Some of those agencies, including the Department of Labor, are still investigating the matter, the company said in court papers.&lt;/p&gt;
&lt;p&gt;&amp;ldquo;The cost of dealing with the breach was prohibitive&amp;rdquo; for the company, Impairment Resources said when explaining its decision to file for Chapter 7 bankruptcy protection. That type of bankruptcy is used most often by companies to shut down and sell off what&amp;rsquo;s left to pay off their debts.&lt;/p&gt;
&lt;p&gt;The company said its assets are worth about $226,000, an amount that, even after money trickles in from liquidating sales, likely won&amp;rsquo;t be enough to pay lender Insurance Recovery Group and its $583,000 loan, Impairment Resources said in court papers.&lt;/p&gt;
&lt;p&gt;The company also faced the threat of even more debt with customers and individuals threatening to sue it over the privacy breach.&lt;/p&gt;
&lt;p&gt;Impairment Resources reviewed medical records taken on workers&amp;rsquo; compensation and auto casualty claims for roughly 600 insurance companies and other customers, according to court papers. It also had offices in Framingham, Mass., and Kailua, Hawaii.&lt;/p&gt;
&lt;!-- article end --&gt;&lt;img src="http://feeds.feedburner.com/~r/ComplianceHelper/~4/t6uRyLPSeHI" height="1" width="1"/&gt;</description>
          <pubDate>Mon, 19 Mar 2012 15:39:07 GMT</pubDate>
          <guid isPermaLink="false">http://compliancehelper.com/post/762185-hipaa-hitech-data-breach-causes-business</guid>
          <link>http://feedproxy.google.com/~r/ComplianceHelper/~3/t6uRyLPSeHI/762185-hipaa-hitech-data-breach-causes-business</link>
        <feedburner:origLink>http://compliancehelper.com/post/762185-hipaa-hitech-data-breach-causes-business</feedburner:origLink></item>
        
        <item>
          <title>Business Associate Responsible for BCBST HIPAA HITECH Data Breach?</title>
          <description>&lt;p&gt;I am not sure if the leasing company is considered a business associate in this case.&amp;nbsp; Certainly they had posession of unencrypted&amp;nbsp; EPHI but it is not clear from the reports whether they were even aware that they had it.&amp;nbsp; Certainly they knew they had 57 hard drives but did they know what was on these hard drives?&amp;nbsp; Interesting question.&amp;nbsp; BCBST has taken the brunt of the punishment and rightly so since they should have known that those drives needed to be encrypted.&amp;nbsp; I don't know whether a class action law suit has been filed yet, but the standard seems to be to file for $1,000 per record meaning this would be a billion dollar lawsuit.&amp;nbsp; So the $17,000,000 plus the $1,500,000 fine could be the tip of the iceberg.&lt;/p&gt;
&lt;p&gt;Lesson learned: don't turn over EPHI to a business associate unless you have proof that they are HIPAA&amp;nbsp;HITECH compliant on an on-going basis.&amp;nbsp; Here is the article:&lt;/p&gt;
&lt;p&gt;Finding the messages to employers in $1.5m HIPAA settlement, &lt;a href="http://www.lexology.com/firms/detail.aspx?f=2208"&gt;&lt;font color="#0000ff"&gt;Littler Mendelson&lt;/font&gt;&lt;/a&gt;, &lt;a class="logclick ct_auth2" href="http://www.lexology.com/2208/author/Philip_L_Gordon/"&gt;&lt;font color="#0000ff"&gt;Philip L. Gordon&lt;/font&gt;&lt;/a&gt;, March 14 2012&lt;/p&gt;
&lt;div class="article-body"&gt;
&lt;p&gt;Yesterday&amp;rsquo;s &lt;a class="logclick ct_cont" href="http://privacyblog.littler.com/uploads/file/BCBST%20Resolution%20Agreement.pdf" target="_blank"&gt;&lt;font color="#0000ff"&gt;$1.5M &amp;ldquo;Resolution Agreement&amp;rdquo;&lt;/font&gt;&lt;/a&gt; between Blue Cross Blue Shield of Tennessee (&amp;ldquo;BCBST&amp;rdquo;) and the U.S. Department of Health and Human Services (&amp;ldquo;HHS&amp;rdquo;), the agency responsible for enforcing HIPAA, is the fourth major settlement announced by HHS in the past&amp;nbsp;15 months and the third to exceed seven figures. This settlement has several important messages for employers.&lt;/p&gt;
&lt;p&gt;Before turning to those messages, here are the key facts as set forth in the Resolution Agreement. BCBST stored, in a network data closet, computer equipment which included servers and 57 hard drives. The hard drives were part of a system that recorded customer service calls and contained the protected health information (PHI) of more than one million participants, including member names, member ID numbers, diagnosis codes, dates of birth, and Social Security numbers. The network data closet &amp;ldquo;was secured by biometric and keycard scan security with a magnetic lock and an additional door with a keyed lock.&amp;rdquo; The property management company for the leased space where the network data closet was located provided security services.&lt;/p&gt;
&lt;p&gt;After BCBST vacated most of its office space, but while it still leased the space containing the network data closet, thieves stole the&amp;nbsp;57 hard drives from the closet. The hard drives were not encrypted. BCBST notified HHS of a security breach in accordance with the HITECH Act&amp;rsquo;s requirements.&lt;/p&gt;
&lt;p&gt;To resolve HHS&amp;rsquo;s investigation, BCBST agreed not only to pay $1.5 million but also to enter into a corrective action plan (CAP). The CAP requires BCBST to do the following: (a) conduct a risk assessment and engage in a risk management process with respect to electronic PHI (ePHI) in BCBST&amp;rsquo;s possession; (b) develop facility access controls and a facility security plan to safeguard information systems and equipment containing ePHI; (c) develop physical safeguards for electronic storage media containing ePHI; (d) train all workforce members with access to ePHI in the policies and procedures embodying items (a) through (c); (e) monitor compliance with the policies and procedures; and (f) report to HHS concerning compliance with the CAP.&lt;/p&gt;
&lt;p&gt;Employers can draw several lessons from this incident and its resolution:&lt;/p&gt;
&lt;p&gt;First, to date, HHS&amp;rsquo;s &lt;a class="logclick ct_cont" href="http://privacyblog.littler.com/2011/02/articles/hipaa-1/lessons-galore-from-eyepopping-43-million-hipaa-penalty/" target="_blank"&gt;&lt;font color="#0000ff"&gt;monetary settlements&lt;/font&gt;&lt;/a&gt; with covered entities have &lt;a class="logclick ct_cont" href="http://privacyblog.littler.com/2011/03/articles/hipaa-1/hhs-onetwo-hipaa-penalty-punch-sends-a-message-to-employers-and-providers/" target="_blank"&gt;&lt;font color="#0000ff"&gt;focused on health care providers&lt;/font&gt;&lt;/a&gt;, such as hospitals and pharmacies. This is the first monetary settlement of which we are aware involving a covered health plan. Insurers and self-insured employers offering HIPAA-covered benefits should take note.&lt;/p&gt;
&lt;p&gt;Second, this is the first monetary settlement triggered by a covered entity&amp;rsquo;s report of a security breach to HHS in compliance with the HITECH Act. It is critical for employers with HIPAA-covered plans, as well as other covered entities, to recognize that notifying HHS of a security breach in accordance with the HITECH Act could trigger an investigation into the circumstances underlying the breach and could ultimately result in an enforcement action.&lt;/p&gt;
&lt;p&gt;Third, the underlying incident involved the theft of unencrypted hard drives. Had those hard drives been encrypted, BCBST would not have had an obligation to notify HHS of the theft. In other words, the Resolution Agreement highlights the importance of considering the feasibility of encrypting any movable storage media which contain ePHI.&lt;/p&gt;
&lt;p&gt;Finally, HHS seems to have set a fairly high standard for adequate physical safeguards. The Resolution Agreement suggests that BCBST had in place fairly robust physical security for the stored hard drives, including &amp;ldquo;biometric and keycard scan security with a magnetic lock and an additional door with a key card lock&amp;rdquo; in addition to building security. HHS, nonetheless, appears to have taken the position that this security was inadequate. Consequently, the Resolution Agreement emphasizes the need for covered entities to pay as close attention to physical safeguards for ePHI as they do to administrative and technical safeguards.&lt;/p&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ComplianceHelper/~4/4aok_M77T3g" height="1" width="1"/&gt;</description>
          <pubDate>Mon, 19 Mar 2012 15:14:43 GMT</pubDate>
          <guid isPermaLink="false">http://compliancehelper.com/post/762135-business-associate-responsible-for-bcbst-hipaa</guid>
          <link>http://feedproxy.google.com/~r/ComplianceHelper/~3/4aok_M77T3g/762135-business-associate-responsible-for-bcbst-hipaa</link>
        <feedburner:origLink>http://compliancehelper.com/post/762135-business-associate-responsible-for-bcbst-hipaa</feedburner:origLink></item>
        
        <item>
          <title>OCR "Chomping on the Bit" to Audit Business Associates for HIPAA HITECH Compliance</title>
          <description>&lt;p&gt;Here is a quote from Rebecca Herold, CIPP, CISSP, CISM, FLMI, in the February 2010 edition of Compliance Today:&lt;/p&gt;
&lt;p&gt;&lt;b&gt;&lt;i&gt;&amp;quot;CEs are now accountable for more active validation of BA security and privacy program compliance, beyond just having a BA contract in place. It is more important than ever for CEs to take proactive measures to ensure BAs establish and maintain effective and appropriate information security and privacy policies and other supporting actions. Simply depending upon a security questionnaire answered once a year (or even less often), with no validation that the information provided is even accurate, is not effective. CEs must take a more proactive approach to ensuring BAs have effective and compliant programs in place. After all, CEs are ultimately responsible for ensuring the security and privacy of the information they collect from their own clients, patients, customers, and employees.&amp;quot;&lt;/i&gt;&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;Now more than two years later the rest of the privacy and security world is realizing that she was right.&amp;nbsp; Compliance Helper and Rebecca Herold &amp;amp; Associates have collaborated on developing a solution called BA Tracker.&amp;nbsp; Using the cloud computing model this service allows a CE to monitor their business associates, cost effectively and efficiently.&amp;nbsp; With our Compliance Meter&lt;sup&gt;tm&lt;/sup&gt; the business associate&amp;nbsp;is able to demonstrate their HIPAA&amp;nbsp;HITECH compliance on an on-going basis.&amp;nbsp; Take a look at &lt;a href="http://www.compliancehelper.com/batracker"&gt;www.compliancehelper.com/batracker&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;Here is Doug Pollack's article:&lt;/p&gt;
&lt;p&gt;Office for Civil Rights to Focus on Business Associate Security Risks&lt;/p&gt;
&lt;div class="postHeader" sizcache="0" sizset="62"&gt;&lt;span class="ital"&gt;by&lt;/span&gt; &lt;a href="http://www2.idexpertscorp.com/blog/author/profile/4/"&gt;&lt;font color="#0000ff"&gt;Doug Pollack&lt;/font&gt;&lt;/a&gt; &lt;span class="entryDate"&gt;March 8, 2012&lt;/span&gt;&lt;/div&gt;
&lt;p&gt;Kirk Nahra, an attorney with Wiley Rein, today interviewed Leon Rodriguez, Director for the &lt;a href="http://www.hhs.gov/ocr/office/index.html" target="_blank"&gt;&lt;font color="#0000ff"&gt;Office for Civil Rights&lt;/font&gt;&lt;/a&gt; (OCR) at the US Department of Health and Human Services (HHS) at the IAPP Global Summit 2012. The session really illuminated that OCR is stepping up their volume and breadth of enforcement actions.&lt;/p&gt;
&lt;p&gt;Director Rodriguez noted that 63% of the individuals affected by healthcare data breaches reported to OCR were a result of a security breach at a Business Associate rather than a Covered Entity. He commented that he and OCR are &amp;ldquo;chomping at the bit&amp;rdquo; in order to directly target Business Associates for violations of the Security Rule and take enforcement actions.&lt;/p&gt;
&lt;p&gt;When asked why it is that Business Associates are responsible for a majority of the individuals affected by reported data breach incidents, he suggested that it wasn&amp;rsquo;t obvious that they were any less rigorous in their security programs, vis-&amp;agrave;-vis Covered Entities, although that is a possibility. But he did comment that many Business Associates tend to work with many Covered Entities and as a result will aggregate large quantities of confidential personal health information, in many cases more than any one particular hospital or other provider.&lt;/p&gt;
&lt;p&gt;When looking at the targets of enforcement actions, he indicated that their primary focus is on situations where there was an &amp;ldquo;abject failure&amp;rdquo; of organizations in terms of trying to comply with the privacy and security rules. He indicated that situations such as the Massachusetts General breach, where sensitive patient information was left on mass transit, and the CVS and RiteAid cases where patient information was placed in a dumpster, are good examples illustrative of such abject failure of a security and privacy program.&lt;/p&gt;
&lt;p&gt;An interesting additional comment was made that it is the Covered Entities that are working very hard to comply diligently with the security and privacy rules that are asking OCR to take aggressive enforcement actions on their brethren as well as Business Associates that are not working hard at all on implementing reasonable security measures. Along these lines, he also commented that he expected that there would be an enforcement action before too long for &amp;ldquo;failure to notify&amp;rdquo; in a situation where a breach should have led to notification but where the Covered Entity did not take such action. Be forewarned.&lt;/p&gt;
&lt;p&gt;So, in terms of takeaways from this interview:&lt;/p&gt;
&lt;p&gt;First, healthcare organizations need to get their acts together in privacy, but especially security.&amp;nbsp; If you haven&amp;rsquo;t taken actions that demonstrate that you&amp;rsquo;ve tried to comply, you will be extremely exposed.&lt;/p&gt;
&lt;p&gt;Second, if you are a HIPAA Business Associate, you&amp;rsquo;re on notice that OCR is going to be, starting very soon, scrutinizing your security posture, and that violators are likely to be facing stiff monetary penalties.&lt;/p&gt;
&lt;p&gt;And third, if they conclude that a breach was the result of an &amp;ldquo;abject failure&amp;rdquo; of security systems and procedures and focus, the entity is likely to be dealt with harshly.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/ComplianceHelper/~4/qOLnJZWbpV8" height="1" width="1"/&gt;</description>
          <pubDate>Fri, 09 Mar 2012 16:47:34 GMT</pubDate>
          <guid isPermaLink="false">http://compliancehelper.com/post/748224-ocr-chomping-on-the-bit-to</guid>
          <link>http://feedproxy.google.com/~r/ComplianceHelper/~3/qOLnJZWbpV8/748224-ocr-chomping-on-the-bit-to</link>
        <feedburner:origLink>http://compliancehelper.com/post/748224-ocr-chomping-on-the-bit-to</feedburner:origLink></item>
        
        <item>
          <title>Business Associate Monitoring: Brian Selfridge CISO Atlanticare</title>
          <description>&lt;p&gt;&amp;nbsp;This is a slide from a presentation to the New Jersey HIMSS group. &amp;nbsp;It is yet another example of the growing awarness that monitoring business associates for HIPAA HITECH compliance is critical for covered entities. &amp;nbsp;The partnership between ACR2 Solutions and Compliance Helper provides these tools to monitor and help remediate compliance for business associates. &amp;nbsp;Get compliant, stay compliant, and prove compliance with the Compliance Meter(tm).&lt;/p&gt;
&lt;h4&gt;Business Associate Monitoring &amp;nbsp;&lt;/h4&gt;
&lt;h4&gt;&amp;bull;HITECH puts BA&amp;rsquo;s front and center&amp;nbsp;&lt;/h4&gt;
&lt;h4&gt;&amp;bull;Update business associate agreements and bake compliance requirements into contracts&amp;nbsp;&lt;/h4&gt;
&lt;h4&gt;&amp;bull;Implement due diligence compliance reviews and automate where possible&amp;nbsp;&lt;/h4&gt;
&lt;h4&gt;&amp;bull;Perform a risk assessment to identify high value systems&amp;nbsp;&lt;/h4&gt;
&lt;h4&gt;&amp;bull;Survey vendors for compliance on a routine basis, not just at time of purchase&amp;nbsp;&lt;/h4&gt;
&lt;h4&gt;&amp;bull;Leverage the HITRUST framework&amp;nbsp;&lt;/h4&gt;
&lt;h4&gt;&amp;bull;Consider cyber insurance for breach response&amp;nbsp;&lt;/h4&gt;
&lt;h4&gt;Brian Selfridge, Chief Information Security Officer, Atlanticare&lt;/h4&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/ComplianceHelper/~4/P_kcbbzeLBE" height="1" width="1"/&gt;</description>
          <pubDate>Thu, 01 Mar 2012 21:07:47 GMT</pubDate>
          <guid isPermaLink="false">http://compliancehelper.com/post/736931-business-associate-monitoring-brian-selfridge-ciso</guid>
          <link>http://feedproxy.google.com/~r/ComplianceHelper/~3/P_kcbbzeLBE/736931-business-associate-monitoring-brian-selfridge-ciso</link>
        <feedburner:origLink>http://compliancehelper.com/post/736931-business-associate-monitoring-brian-selfridge-ciso</feedburner:origLink></item>
        
        <item>
          <title>OIG Investigating False Attestations of Meaningful Use</title>
          <description>&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Item 15 of the Core&amp;nbsp;Measures for Meaningful Use requires you to do&amp;nbsp;a&amp;nbsp;45 CFR 164.308(a)(1)&amp;nbsp;HIPAA risk assessment and correct identified security deficiencies as part of a risk management process.&amp;nbsp; In&amp;nbsp;walking the floor at HIMSS and talking to various vendors I found widespread ignorance of this requirement.&amp;nbsp; Some knew that a&amp;nbsp;risk assessment was necessary but thought a simple checklist would satisfy.&amp;nbsp; Others didn't understand that when&amp;nbsp;you do a risk assessment you are required to fix the risks discovered in that process.&amp;nbsp; If you identify a risk and don't remediate the risk you are guilty of willful neglect and subject to heavy fines.&lt;/p&gt;
&lt;p&gt;All of this confusion and lack of knowledge has contributed to what are probably a large number of false attestations of meaningful use.&amp;nbsp; OIG has begun investigations through their fraud group.&amp;nbsp; A false attestation can lead to fines and criminal actions.&lt;/p&gt;
&lt;p&gt;Another interesting group are the MU monitoring or analytics companies.&amp;nbsp; They provide organizations with information on their progress toward achieving meaningful use.&amp;nbsp; While this is a useful tool I found that when remediation was needed these companies did not provide a solution.&amp;nbsp; Again, if you discover a risk you must remediate that risk.&lt;/p&gt;
&lt;p&gt;We have teamed with ACR 2 Solutions, &lt;a href="http://www.acr2solutions.com"&gt;www.acr2solutions.com&lt;/a&gt; to provide the complete cycle of compliance.&amp;nbsp; Their elegant software solution does the&amp;nbsp;45 CFR 164.308(a)(1)&amp;nbsp;HIPAA risk assessment, and if they need remediation they are referred to Compliance Helper.&amp;nbsp; We help them set up documented policies, procedures and forms that meet the standards, document the process, and provide them with the proof of compliance needed to meet the standards.&lt;/p&gt;
&lt;p&gt;Get compliant, stay compliant, and prove compliance with our Compliance Meter&lt;sup&gt;tm&lt;/sup&gt;.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/ComplianceHelper/~4/2rwySThDZWg" height="1" width="1"/&gt;</description>
          <pubDate>Fri, 24 Feb 2012 18:48:39 GMT</pubDate>
          <guid isPermaLink="false">http://compliancehelper.com/post/727860-oig-investigating-false-attestations-of-meaningful</guid>
          <link>http://feedproxy.google.com/~r/ComplianceHelper/~3/2rwySThDZWg/727860-oig-investigating-false-attestations-of-meaningful</link>
        <feedburner:origLink>http://compliancehelper.com/post/727860-oig-investigating-false-attestations-of-meaningful</feedburner:origLink></item>
        
        <item>
          <title>Business Associates in Massachusetts Must Be HIPAA Compliant by March 1.</title>
          <description>&lt;p&gt;The noose is tightening on business associate compliance.&amp;nbsp; The states are stepping in while HHS is dilly dallying.&amp;nbsp; If you are&amp;nbsp;a covered entity&amp;nbsp;in Massachusetts you must get &amp;quot;satisfactory assurances&amp;quot; that your business associates are compliant.&amp;nbsp; If you are a business associate be prepared to provide proof of compliance.&lt;/p&gt;
&lt;p&gt;Here is the whole article:&lt;/p&gt;
&lt;p&gt;Massachusetts: all contracts with vendors that handle personal information must institute safeguards by March 1, &lt;a href="http://www.lexology.com/firms/detail.aspx?f=19415"&gt;&lt;font color="#0000ff"&gt;Baker &amp;amp; Hostetler LLP&lt;/font&gt;&lt;/a&gt;, &lt;a class="logclick ct_auth2" href="http://www.lexology.com/19415/author/Theodore_J_Kobus_III/"&gt;&lt;font color="#0000ff"&gt;Theodore J. Kobus III&lt;/font&gt;&lt;/a&gt;, February 16 2012&lt;/p&gt;
&lt;div class="article-body"&gt;
&lt;p&gt;Regulators are focusing more and more on how responsible organizations are when engaging third-party vendors. The Health Insurance Portability and Accountability Act (HIPAA) has in place requirements for engaging business associates. The Connecticut Department of Insurance has requirements for reporting breaches caused by vendors. And the Massachusetts Attorney General, through the Data Security Regulations, requires oversight of third party service providers. This is no surprise since many studies suggest that over a third of breaches are caused by vendors. &amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Since March 1, 2010, businesses that handle personal information of Massachusetts residents have been addressing the requirements of Massachusetts 201 CMR 17.00 -- Standards for the Protection of Personal Information of Residents of the Commonwealth. There are many requirements -- from employing a comprehensive information security program to developing security policies for current and terminated employees. Additionally, organizations are required to include language in contracts with vendors who handle personal information of Massachusetts residents regarding the employment of appropriate safeguards. This has always been a requirement under 201 CMR 17.03(f)(2); however, there was a two-year &amp;quot;safe harbor&amp;quot; for contracts that were entered into prior to March 1, 2010. That &amp;quot;safe harbor&amp;quot; expires on March 1, 2012, and all contracts with vendors who handle personal information of Massachusetts residents must require vendors to implement and maintain appropriate security measures for personal information.&lt;/p&gt;
&lt;p&gt;Personal information defined by the Massachusetts statute, includes information that is frequently kept by healthcare providers:&lt;/p&gt;
&lt;p style="margin-left: 40px"&gt;&lt;strong&gt;Personal information&lt;/strong&gt;, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident&amp;rsquo;s financial account; provided, however, that &amp;quot;Personal information&amp;quot; shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.&lt;/p&gt;
&lt;p&gt;Whether you are a vendor, or the organization providing the data to the vendor, you must have a Written Information Security Program (WISP) in place to be compliant under Massachusetts 201 CMR 17.00. If a breach occurs, the Massachusetts Attorney General must be notified and very likely will ask for a copy of your WISP. Generally, when we assist clients with the preparation of a WISP, we address both technical and administrative safeguards, such as:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Encryption;&lt;/li&gt;
    &lt;li&gt;Employee training;&lt;/li&gt;
    &lt;li&gt;Sanction policies;&lt;/li&gt;
    &lt;li&gt;Regular monitoring of the implementation of the policies in place;&lt;/li&gt;
    &lt;li&gt;Risk assessments;&lt;/li&gt;
    &lt;li&gt;Breach response plans;&lt;/li&gt;
    &lt;li&gt;Access controls;&lt;/li&gt;
    &lt;li&gt;Antivirus protections; and&lt;/li&gt;
    &lt;li&gt;Firewall protections.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Moreover, notwithstanding the requirements of the Massachusetts law, it is good practice to update old contracts to address issues that have evolved over the past few years related to privacy. Some of these include:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Independent audit of a vendor (e.g., American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements 16 (SSAE 16));&lt;/li&gt;
    &lt;li&gt;Cyber insurance coverage, including notification costs;&lt;/li&gt;
    &lt;li&gt;Preapproval of the use of cloud services;&lt;/li&gt;
    &lt;li&gt;Preapproval of the downstream sharing of data with subvendors; and&lt;/li&gt;
    &lt;li&gt;Compliance with local, state and federal data security laws.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Whether or not you need to comply with the Massachusetts Data Security Regulations, now is a good time to take your dusty old contracts out of the drawer to see how they can be improved. Vendors should be reviewing their contracts, too -- not just from a regulatory compliance standpoint, but to make sure they are not committing to something they are unable to deliver.&lt;/p&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ComplianceHelper/~4/0l6GTZXfoKc" height="1" width="1"/&gt;</description>
          <pubDate>Tue, 21 Feb 2012 16:33:42 GMT</pubDate>
          <guid isPermaLink="false">http://compliancehelper.com/post/722834-business-associates-in-massachusetts-must-be</guid>
          <link>http://feedproxy.google.com/~r/ComplianceHelper/~3/0l6GTZXfoKc/722834-business-associates-in-massachusetts-must-be</link>
        <feedburner:origLink>http://compliancehelper.com/post/722834-business-associates-in-massachusetts-must-be</feedburner:origLink></item>
        
        <item>
          <title>On-Line HIPAA HITECH Breach at St Joseph Health System in California</title>
          <description>&lt;p&gt;This is very similar to the data breach at Anthem Blue Cross last year where through an error in security over 200,000 records of patients applying for health insurance were exposed for over a year.&amp;nbsp; As was also true in that case a patient discovered the breach.&amp;nbsp; Imagine doing a Google search and finding your medical record on display to the world.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;The Anthem case was only revealed to them as they were served with a class action lawsuit.&amp;nbsp; I predict the same result here.&amp;nbsp; California has privacy and security laws that are more strict than the federal laws and attorneys in the state are aggressively going after healthcare organizations that have a breach.&lt;/p&gt;
&lt;p&gt;One of the hospitals involved is very close to where I live so I am getting a lot of local news concerning the breach.&amp;nbsp; Santa Rosa Memorial made the front page of the local newspaper, The Press Democrat which until recently was owned by the New York Times.&amp;nbsp; I will be curious to see how this all plays out on the local scene.&lt;/p&gt;
&lt;p&gt;Here is the link to the article:&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.healthcareinfosecurity.com/articles.php?art_id=4515&amp;amp;rf=2012-02-17-eh"&gt;http://www.healthcareinfosecurity.com/articles.php?art_id=4515&amp;amp;rf=2012-02-17-eh&lt;/a&gt;&amp;nbsp;&lt;br /&gt;
&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/ComplianceHelper/~4/TXBrTLjGuMI" height="1" width="1"/&gt;</description>
          <pubDate>Fri, 17 Feb 2012 16:18:53 GMT</pubDate>
          <guid isPermaLink="false">http://compliancehelper.com/post/717359-on-line-hipaa-hitech-breach-at-st</guid>
          <link>http://feedproxy.google.com/~r/ComplianceHelper/~3/TXBrTLjGuMI/717359-on-line-hipaa-hitech-breach-at-st</link>
        <feedburner:origLink>http://compliancehelper.com/post/717359-on-line-hipaa-hitech-breach-at-st</feedburner:origLink></item>
        
        <item>
          <title>HIPAA HITECH Rules in March Says Susan McAndrew, OCR's deputy director for health information privacy.</title>
          <description>&lt;p&gt;Is Susan McAndrew playing Lucy and the football with us or are we really going to get the &amp;quot;Final Rules&amp;quot;?&amp;nbsp; Her famous prediction that the rules would be out by the end of 2011 or she would be out failed to happen.&amp;nbsp; It would make some bureaucratic sense to wait until after HIMSS so that the HHS folks attending don't have to answer questions about the rules.&amp;nbsp; Of course they will have to answer questions about why we don't have the rules nearly 18 months after the NPRM and exactly 2 years after they were supposed to go into effect.&lt;/p&gt;
&lt;p&gt;Here is the link to the whole article; you be the judge:&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.govinfosecurity.com/articles.php?art_id=4508"&gt;http://www.govinfosecurity.com/articles.php?art_id=4508&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/ComplianceHelper/~4/DRpIVMag-gw" height="1" width="1"/&gt;</description>
          <pubDate>Wed, 15 Feb 2012 17:07:30 GMT</pubDate>
          <guid isPermaLink="false">http://compliancehelper.com/post/714595-hipaa-hitech-rules-in-march-says</guid>
          <link>http://feedproxy.google.com/~r/ComplianceHelper/~3/DRpIVMag-gw/714595-hipaa-hitech-rules-in-march-says</link>
        <feedburner:origLink>http://compliancehelper.com/post/714595-hipaa-hitech-rules-in-march-says</feedburner:origLink></item>
        
        <item>
          <title>ATTESTATION: Strengthening “Satisfactory Assurances” of the HIPAA Business Associate Agreement, Grant Peterson, JD</title>
          <description>&lt;p&gt;In yet another article by a well known healthcare attorney and consultant, the warning is sounded about managing business associate compliance.&amp;nbsp; Here the topic is attestation as a tool for measuring and reporting on compliance.&amp;nbsp; This is a tool Compliance Helper uses for our CO-OP and BA Tracker services.&amp;nbsp; We add a little compliance quiz to give a little more validity, as well as the ability to drill down remotely for a better view of their compliance efforts.&lt;/p&gt;
&lt;p&gt;Here is a link to the whole article with credit to our friends at Privacy Analytics:&amp;nbsp; &lt;a href="http://www.privacyanalytics.ca/riskybusiness/january-2012.pdf" target="_blank"&gt;&lt;font color="#810081"&gt;http://www.privacyanalytics.ca/riskybusiness/january-2012.pdf&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/ComplianceHelper/~4/QOe7IJUH0gc" height="1" width="1"/&gt;</description>
          <pubDate>Fri, 10 Feb 2012 21:23:42 GMT</pubDate>
          <guid isPermaLink="false">http://compliancehelper.com/post/708693-attestation-strengthening-satisfactory-assurances-of-the</guid>
          <link>http://feedproxy.google.com/~r/ComplianceHelper/~3/QOe7IJUH0gc/708693-attestation-strengthening-satisfactory-assurances-of-the</link>
        <feedburner:origLink>http://compliancehelper.com/post/708693-attestation-strengthening-satisfactory-assurances-of-the</feedburner:origLink></item>
        
        <item>
          <title>First Lawsuit Against Business Associate for HIPAA Violation</title>
          <description>&lt;p&gt;&amp;nbsp;This is an interesting article that points out that, despite the final rules not being issued yet, business associates are liable for data breaches. &amp;nbsp;Here the focus is on the Attorney General of Minnesota. &amp;nbsp;Other articles have pointed out the liability from class action lawsuits. &amp;nbsp;All of these concerns should compel covered entities to manage their business associate relationships more closely and inform business associates that they need to be HIPAA HITECH compliant, now.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;div&gt;Case Filed by Minnesota Raises Significant HIPAA Enforcement Issues&lt;/div&gt;
&lt;div&gt;Kirk J. Nahra&amp;nbsp;&lt;/div&gt;
&lt;div&gt;February 3, 2012&amp;nbsp;&lt;/div&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;A recent lawsuit brought by the Attorney General (AG) of Minnesota raises significant recent enforcement issues related to the Health Insurance Portability and Accountability Act (HIPAA). &amp;nbsp;This development is important to both HIPAA covered entities and, even more significantly, to business associates under the HIPAA rules. &amp;nbsp;&lt;/div&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;The case&amp;mdash;brought against a company called Accretive Health&amp;mdash;involves a relatively common situation, a lost laptop containing patient information. &amp;nbsp;Accretive Health is a debt collection organization, engaged as a HIPAA business associate by various hospitals and others. &amp;nbsp;&lt;/div&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;This case is important in two significant&amp;mdash;yet different&amp;mdash;ways.&amp;nbsp;&lt;/div&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;First, this case reflects a HIPAA enforcement action brought by a state Attorney General based largely on political concerns rather than true compliance issues. These suits have been relatively uncommon, even though the Attorneys General clearly have HIPAA enforcement authority. &amp;nbsp;This case is important because it reflects the more &amp;quot;political&amp;quot; concerns about enforcement from Attorneys General. &amp;nbsp;It is clear that the Minnesota AG did not like what the company was doing under its contracts with hospitals. &amp;nbsp;The company was engaged in debt collection efforts, but also had created various financial profiles about the patients as part of these efforts. &amp;nbsp;The Minnesota AG did not like these activities, and was critical of the company for not informing Minnesota patients about its activities (even though there was no HIPAA obligation to do so). &amp;nbsp;There is nothing on the face of these facts that reflects a violation of HIPAA in the activities engaged in by this company, and the Minnesota Attorney General appears to be using the security breach as an opportunity/excuse to pursue enforcement actions (under HIPAA and other laws) against practices that it simply does not like. &amp;nbsp;The first paragraph of the complaint even references the company's &amp;quot;controversial history in Minnesota.&amp;quot; &amp;nbsp;So, this case is of significant concern to covered entities and business associates because it seems driven by politics rather than HIPAA.&amp;nbsp;&lt;/div&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;Second, this case is the first to be brought against a business associate under HIPAA. &amp;nbsp;The HHS Office of Civil Rights&amp;mdash;the primary enforcement agency for HIPAA&amp;mdash;has made clear that it does not believe it can engage in enforcement activities involving business associates until final rules are issued and the compliance period has run. &amp;nbsp;This case indicates that at least one state Attorney general does not believe that final rules are necessary before it can engage in enforcement activity involving business associates. &amp;nbsp;Therefore, this case is an indication that business associates should be prepared to face HIPAA enforcement challenges now&amp;mdash;particularly related to security practices where the substance of the applicable requirements is not in question&amp;mdash;even before the final rules are issued. &amp;nbsp;&lt;/div&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;For more information, please contact Kirk J. Nahra at 202.719.7335 or knahra@wileyrein.com&lt;/div&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/ComplianceHelper/~4/YVm1EfJjCE4" height="1" width="1"/&gt;</description>
          <pubDate>Mon, 06 Feb 2012 16:49:35 GMT</pubDate>
          <guid isPermaLink="false">http://compliancehelper.com/post/702499-first-lawsuit-against-business-associate-for</guid>
          <link>http://feedproxy.google.com/~r/ComplianceHelper/~3/YVm1EfJjCE4/702499-first-lawsuit-against-business-associate-for</link>
        <feedburner:origLink>http://compliancehelper.com/post/702499-first-lawsuit-against-business-associate-for</feedburner:origLink></item>
        
        <item>
          <title>Business Associates Need HIPAA HITECH Compliant Policies and Procedures, Now/1</title>
          <description>&lt;p&gt;&amp;nbsp;This article is a good reminder that, despite the final rules not being issued, the law is in place. &amp;nbsp;Business Associates should note that the HIPAA Security Standards became applicable to them in February of 2010.&lt;/p&gt;
&lt;p&gt;
&lt;div class="article-body"&gt;
&lt;p&gt;Here is the complete article:&lt;/p&gt;
&lt;p&gt;During 2011, informal indications were given by the U.S. Department of Health  and Human Services (HHS) Office of Civil Rights (OCR) and various industry  experts that the final Health Information Technology for Economic and Clinical  Health Act (HITECH Act) regulations amending the HIPAA privacy and security  regulations would be published by the end of 2011. However, the regulations  continue to be delayed due to the numerous comments and policy questions being  reviewed and addressed by OCR and other Health Information Privacy officials  within HHS, according to a privacy specialist. Reasons for the lengthy time  period include numerous policy reviews conducted by HHS and the need to  formulate responses to over 300 comments received in connection with the July  14, 2010, proposed rule (75 Fed. Reg. 40868). Although no specific month or day  has been announced for publication of the final regulations in 2012, healthcare  providers, health plans and clearinghouses should be prepared for publication  sometime this year, and expect a few weeks or months of delayed enforcement to  enable subject entities to transition to any new requirements.&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Additionally, policy reviews are still being conducted by HHS OCR with  respect to the Interim Final Rule for breach notification under the HITECH Act,  which is found at 45 C.F.R. part 164, subpart D. It is not clear whether the  breach notification regulations will remain unchanged or if revisions will be  announced along with the HITECH Act final regulations.&lt;/p&gt;
&lt;p&gt;Despite the continued delay in the final HITECH Act regulations, covered  entities and business associates that are reviewing, implementing and updating  their HIPAA privacy and security policies and procedures should continue to do  so with diligence. The HIPAA regulations require periodic evaluation and  updating of policies and safeguards to address a changing healthcare environment  and evolving privacy and security threats. Further, OCR currently is in the  process of conducting HIPAA privacy and security audits of covered entities, as  required under the HITECH Act, notification of which began in November 2011.  Covered entities should keep in mind that the HIPAA Security Standards took  effect for most covered entities in April of 2005. For business associates under  the HITECH Act, the HIPAA Security Standards became directly applicable to them  in February 2010. Similarly, the HITECH breach notification interim final rule,  referred to above, became actively enforced in February 2010. Covered entities  and business associates should consider finalizing any updates to their privacy  and security policies, procedures, safeguards and documentation, and revisit  these later in the year for any adjustments needed when the final HITECH Act  regulations are published.&lt;/p&gt;
&lt;/div&gt;
&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/ComplianceHelper/~4/Jls0rHSHSew" height="1" width="1"/&gt;</description>
          <pubDate>Wed, 25 Jan 2012 16:42:33 GMT</pubDate>
          <guid isPermaLink="false">http://compliancehelper.com/post/685655-business-associates-need-hipaa-hitech-compliant</guid>
          <link>http://feedproxy.google.com/~r/ComplianceHelper/~3/Jls0rHSHSew/685655-business-associates-need-hipaa-hitech-compliant</link>
        <feedburner:origLink>http://compliancehelper.com/post/685655-business-associates-need-hipaa-hitech-compliant</feedburner:origLink></item>
        
        <item>
          <title>Minnesota Attorney General Sues Business Associate for HIPAA HITECH Data Breach</title>
          <description>&lt;p&gt;&amp;nbsp;Where have we heard this story before? &amp;nbsp;An employee of a business associate leaves an unencrypted laptop containing PHI in a rental car. &amp;nbsp;The laptop is stolen along with patient data records on 23,500 patients. &amp;nbsp;Covered entities who gave PHI to the business associate claim they are &amp;quot;redoubling their compliance efforts&amp;quot;. &amp;nbsp;So if they are redoubling, that means that previously they doubled their efforts, so by now they must be up to at least 50% compliant. &amp;nbsp;Of course they have no idea about the compliance of their business associate. &amp;nbsp;Multiply the rule of thumb of $1,000 per patient record by 23,500 and you get a significant number. &amp;nbsp;&lt;/p&gt;
&lt;p&gt;Here is the whole article:&lt;/p&gt;
&lt;p&gt;&amp;quot;The consulting firm that lost a laptop computer with medical data on 23,500  Minnesotans last summer has been sued by Minnesota Attorney General Lori  Swanson, who says it violated health privacy laws and state consumer  protections.&lt;/p&gt;
&lt;div class="leftColCotainer"&gt;
&lt;div class="twoColContainer noSeparator"&gt;
&lt;div class="fullArticleStory"&gt;
&lt;div class="articleStoryContainer"&gt;
&lt;div class="articleStory"&gt;
&lt;div class="resizeFont"&gt;
&lt;div id="pageDiv1" class="articlePageDiv"&gt;
&lt;p&gt;Swanson said Accretive Health Inc., hired by two Twin Cities hospitals, was  compiling individual medical checklists that included a &amp;quot;frailty'' evaluation, a  &amp;quot;complexity&amp;quot; score of patients' physical condition and a prediction of whether a  person would be hospitalized.&lt;/p&gt;
&lt;p&gt;&amp;quot;Why should anyone other than a doctor have such basic and personal and  intrusive information about a patient?'' Swanson said at a news conference in  her State Capitol office.&lt;/p&gt;
&lt;p&gt;Her lawsuit, filed Thursday in U.S. District Court, seeks an order requiring  Accretive to inform Minnesota patients what information it has, how it has been  used and where it has been sent.&lt;/p&gt;
&lt;p&gt;&amp;quot;No corporation, especially a debt collector, should secretly slice and dice  patients' medical statistics in such a way without ... full disclosure to  patients,'' Swanson said.&lt;/p&gt;
&lt;p&gt;Chicago-based Accretive, a cost and revenue consultant, issued a statement  saying it has enhanced its security procedures and will cooperate with Swanson's  office to resolve the lawsuit. Company spokeswoman Francesca Luthi said there is  no evidence any patient data has been improperly accessed. She declined to  answer questions.&lt;/p&gt;
&lt;p&gt;The lawsuit stems from an investigation into an unencrypted laptop that was  stolen July 25 in Minneapolis from the parked rental car of an Accretive  employee.&lt;/p&gt;
&lt;p&gt;The computer contained sensitive information on 23,500 Minnesota patients of  two Minnesota hospital systems, Fairview Health Services and North Memorial  Health Care. Both organizations had contracts with Accretive to help cut costs  and boost revenues. Fairview's contract is even deeper, giving Accretive a  management role in Fairview's &amp;quot;total cost of care.''&lt;/p&gt;
&lt;p class="subhead"&gt;Hospitals respond&lt;/p&gt;
&lt;p&gt;Fairview released a statement saying it is &amp;quot;redoubling'' its efforts to  safeguard patient health information.&lt;/p&gt;
&lt;p&gt;North Memorial CEO Larry Taylor said his company has systems in place to  protect patient information and that Accretive's lost North Memorial files did  not include Social Security numbers, credit card numbers, health policy numbers  or home addresses.&lt;/p&gt;
&lt;p&gt;Swanson's lawsuit alleges that Accretive's loss of the information violates  federal and state patient privacy and informed-consent laws. The company also  violated state consumer fraud and deceptive trade practices statutes by  concealing from patients the extent of its involvement in their health care, the  lawsuit alleges.&lt;/p&gt;
&lt;p&gt;Asked if Fairview and North Memorial will be sued, Swanson did not  answer.&lt;/p&gt;
&lt;p&gt;Although it has consulting contracts with local hospitals, Accretive is a  licensed debt collector in Minnesota. The lawsuit alleges that the company at  times masked its true identity during collection calls and has not complied with  all disclosure and registration requirements.&lt;/p&gt;
&lt;p&gt;Swanson noted that Accretive Health is part of the New York private equity  fund Accretive LLC. In 2009, Swanson's office filed a consumer lawsuit that  broke up an affiliation between a major debt collection enterprise involving  Accretive LLC and the National Arbitration Forum, then the nation's largest  consumer credit arbitration company. &amp;nbsp;Tony Kennedy &amp;bull; 612-673-4213&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div id="outbrain_widget_0" class="OUTBRAIN" data-ob-template="star" data-widget-id="AR_1" data-src="http://www.startribune.com/local/137678533.html?page=all&amp;amp;prepage=1&amp;amp;c=y" data-ob-mark="true"&gt;
&lt;div class="ob_dual_container AR_1"&gt;
&lt;div class="ob_clear"&gt;&amp;nbsp;&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;script&gt;&lt;/script&gt;&lt;/div&gt;
&lt;img class="trackerImage" alt="" src="http://apps.startribune.com/most_popular/?cmd=inc&amp;amp;type=view&amp;amp;section=/local&amp;amp;story_id=137678533" /&gt;  &lt;!-- Article header area[End] --&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ComplianceHelper/~4/C14BFYfOsMU" height="1" width="1"/&gt;</description>
          <pubDate>Fri, 20 Jan 2012 16:43:16 GMT</pubDate>
          <guid isPermaLink="false">http://compliancehelper.com/post/678563-minnesota-attorney-general-sues-business-associate</guid>
          <link>http://feedproxy.google.com/~r/ComplianceHelper/~3/C14BFYfOsMU/678563-minnesota-attorney-general-sues-business-associate</link>
        <feedburner:origLink>http://compliancehelper.com/post/678563-minnesota-attorney-general-sues-business-associate</feedburner:origLink></item>
        
        <item>
          <title>HIPAA HITECH Data Breach Costs Small Business Associate $300,000</title>
          <description>&lt;p&gt;I was in a recent discussion about hacking in healthcare and had to use the old Pogo line &amp;quot;We have seen the enemy and he is us&amp;quot;.&amp;nbsp; While we are worrying about Russian mobsters hacking our systems employees are blithely carrying around unencrypted patient data on their laptops.&amp;nbsp; Compliance 101 would tell people that this is a bad habit.&amp;nbsp; More data has been breached by business associates than by covered entities and most of it has to do with lost or stolen hardware, be it backup tapes, laptops, or servers.&lt;/p&gt;
&lt;p&gt;A few thousand dollars invested in compliance training and encryption would have saved this business associate $300,000 not to mention the incalculable damage to their reputation.&amp;nbsp; The story was in Healthcareinfosecurity.com Forum.&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.maehc.org/" target="_blank"&gt;&lt;b&gt;&lt;font color="#0000ff"&gt;The Massachusetts eHealth Collaborative, &lt;/font&gt;&lt;/b&gt;&lt;/a&gt;a non-profit consultancy that experienced a health information &lt;a href="http://www.healthcareinfosecurity.com/category.php?catID=324"&gt;&lt;b&gt;&lt;font color="#0000ff"&gt;breach,&lt;/font&gt;&lt;/b&gt;&lt;/a&gt; learned eight important lessons from the experience, says CEO Micky Tripathi.&lt;/p&gt;
&lt;p&gt;Tripathi spelled out in a recent &lt;a href="http://www.histalkpractice.com/2011/12/03/first-hand-experience-with-a-patient-data-security-breach-12311/" target="_blank"&gt;&lt;b&gt;&lt;font color="#0000ff"&gt;blog&lt;/font&gt;&lt;/b&gt;&lt;/a&gt; the details of the organization's breach, which involved the theft of an unencrypted laptop from an employee's car. The breach, which affected about 1,000 patients of the collaborative's physician group practice clients, cost almost $300,000 to resolve.&lt;/p&gt;
&lt;img src="http://feeds.feedburner.com/~r/ComplianceHelper/~4/xRSRmN15NkM" height="1" width="1"/&gt;</description>
          <pubDate>Thu, 19 Jan 2012 17:12:29 GMT</pubDate>
          <guid isPermaLink="false">http://compliancehelper.com/post/677314-hipaa-hitech-data-breach-costs-small</guid>
          <link>http://feedproxy.google.com/~r/ComplianceHelper/~3/xRSRmN15NkM/677314-hipaa-hitech-data-breach-costs-small</link>
        <feedburner:origLink>http://compliancehelper.com/post/677314-hipaa-hitech-data-breach-costs-small</feedburner:origLink></item>
        
        <item>
          <title>HIPAA HITECH Rules De Facto Standard?</title>
          <description>&lt;p&gt;&amp;nbsp;Kirk Nahra is a respected healthcare attorney with Wiley Rein, LLP. &amp;nbsp;While this article is broad in its scope, he focuses on healthcare and the widespread ramifications of HIPAA HITECH if implemented as proposed in the NPRM. &amp;nbsp;In a sense any company touching on healthcare must be HIPAA HITECH compliant, and since healthcare is a third of the US economy that is a large net.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&amp;quot;What's Happening with Health Care, and Why Does It Affect Everyone?&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;While most of these top developments affect the full range of corporate America, our next issue to watch is focused on the health care industry. The Health Insurance Portability and Accountability Act (HIPAA) privacy and security structure has created the most detailed and complex set of privacy and security requirements at the federal level, since the privacy rule first required compliance in 2003. Now, following passage of the Health Information Technology for Economic and Clinical Health (HITECH) law in 2009, we (finally) will see in 2012 the issuance of final HITECH regulations that will kick off the full Version 2.0 of the HIPAA era.&lt;/p&gt;
&lt;p&gt;But this development is critical because HIPAA/HITECH no longer is limited in any meaningful way to the health care industry. Instead, two key developments-one not yet set in stone-demonstrate that these changes will affect an enormous range of companies across the country, many of which have no obvious tie to the health care industry. First, one of the key changes from the HITECH law concerns the applicability of the privacy and security rules to &amp;quot;business associates,&amp;quot; which are service providers to the health care industry. These entities have had contractual obligations for many years, but the new law requires that these business associates face legal obligations directly under the rules as well. So, through this step (which is being implemented in rules that are not yet final), the scope of HIPAA now will extend to any company that provides services to health care companies that involve any health care information (as well as creating complex negotiations and various other debates about whether health care information really is involved in providing the service).&lt;/p&gt;
&lt;p&gt;The second step expands this circle even more. In the proposed regulations applying this statutory language, the Department of Health and Human Services (HHS) proposed to expand coverage not only to the companies that contract directly with the health care companies (which clearly are encompassed by the statutory changes and would know that they are contracting with health care companies) but also to any downstream vendor that contracts with those service providers, and on down the chain, indefinitely. This creates a potentially never-ending chain of contractual&amp;nbsp;entanglements&amp;nbsp;that impose legal obligations -- even in situations&amp;nbsp;where the downstream vendors may not have any idea they are involved in information from a health care company. This requirement would apply not only to specific &amp;quot;subcontractors&amp;quot; that perform a part of the work assigned to the business associate but also to a wide range of general service providers to the business associate (e.g., accounting firms, law firms, consultants, auditors) that perform work generally for the business associate that is not necessarily tied to any particular client or project. And, because the primary legal obligation imposed by these new provisions is to follow the full scope of the detailed and complicated HIPAA Security Rule, companies will be faced with a choice even before they receive any health care information about whether to take on the task of revamping overall security programs. So, we'll be watching closely how these final rules play out, and also how far down the corporate chain these rules apply.&lt;strong&gt; It is quite likely that the HIPAA rules will become almost a de facto national security standard, if the reach of these rules applies to anyone in the contracting chain.&amp;quot;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/ComplianceHelper/~4/dVstb2NVHbQ" height="1" width="1"/&gt;</description>
          <pubDate>Thu, 12 Jan 2012 23:19:56 GMT</pubDate>
          <guid isPermaLink="false">http://compliancehelper.com/post/669112-hipaa-hitech-rules-de-facto-standard</guid>
          <link>http://feedproxy.google.com/~r/ComplianceHelper/~3/dVstb2NVHbQ/669112-hipaa-hitech-rules-de-facto-standard</link>
        <feedburner:origLink>http://compliancehelper.com/post/669112-hipaa-hitech-rules-de-facto-standard</feedburner:origLink></item>
        
        <item>
          <title>HIPAA HITECH Data Breach: $1000 Per Patient?</title>
          <description>&lt;p&gt;&amp;nbsp;The cost of a HIPAA HITECH data breach has escalated with the recent spate of class action lawsuits. &amp;nbsp;There seems to be a consensus among the law firms that $1,000 per patient is at least the asking price for damages. &amp;nbsp;This makes even a relatively small data breach attractive to the firms that specialize in class action lawsuits. &amp;nbsp;Are they going to win all these suits? Probably not, but many organizations and their insurance companies will settle rather than pay the huge costs of defending these suits.&lt;/p&gt;
&lt;p&gt;Stanford, Sutter Health, Anthem Blue Cross, and Tricare have also been hit with class action suits. &amp;nbsp;The Tricare and Sutter Health suits are for over 1 billion dollars. &amp;nbsp;Most of these have been caused by business associates, yet covered entities still seem to think that by having a BA agreement in place they are safe. &amp;nbsp;Not so much! &amp;nbsp;It is imperative that CEs monitor their BAs. &amp;nbsp;There are tools such as our BA Tracker that accomplish this at little or no cost to the CE. &amp;nbsp;Penny wise and a billion foolish is a bad bet.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/ComplianceHelper/~4/iA79bRaU9dU" height="1" width="1"/&gt;</description>
          <pubDate>Wed, 04 Jan 2012 17:08:18 GMT</pubDate>
          <guid isPermaLink="false">http://compliancehelper.com/post/657695-hipaa-hitech-data-breach-1000-per</guid>
          <link>http://feedproxy.google.com/~r/ComplianceHelper/~3/iA79bRaU9dU/657695-hipaa-hitech-data-breach-1000-per</link>
        <feedburner:origLink>http://compliancehelper.com/post/657695-hipaa-hitech-data-breach-1000-per</feedburner:origLink></item>
        
        <item>
          <title>Senate Hearings Focus on Lack of HIPAA Enforcement, Final HITECH Rule</title>
          <description>&lt;p&gt;One year it was a shiny red bicycle, which I got, another year it was a Red Ryder BB gun, which I did not, so I understand that Santa doesn't always deliver the goods.&amp;nbsp; This year it is &amp;quot;The Final Rule&amp;quot; and since we are only a few days before Christmas and I doubt anyone is working at HHS this week it looks like I will be disappointed again.&lt;/p&gt;
&lt;p&gt;&amp;quot;The hearings also highlighted the need for a final rule to implement major provisions of the new HITECH Act, including those related to business associates and breach notification requirements.&amp;nbsp; Franken characterized the lack of final HITECH regulations as &amp;ldquo;a really big problem,&amp;rdquo; and questioned Rodriguez about when Congress can expect a final rule from HHS.&amp;nbsp; &lt;strong&gt;Rodriguez did not provide a specific timetable&lt;/strong&gt;.&amp;quot; (My emphasis)&lt;/p&gt;
&lt;p&gt;This was the second panel of the Senate committee and followed up on the theme of the first, &amp;quot;Hurry Up&amp;quot;.&amp;nbsp; With millions of patient records being exposed, and the incidence growing 32% according to The Ponemon Institute study, you would think HHS would have released this months ago.&amp;nbsp; Literally millions of business associates are delaying compliance because in February of 2010 HHS announced that they were &amp;quot;delaying enforcement&amp;quot;.&lt;/p&gt;
&lt;p&gt;Here is the link to the complete article:&lt;/p&gt;
&lt;div&gt;&lt;a href="http://www.insideprivacy.com/senate-hearings-focus-on-lack-of-hipaa-enforcement-final-hitech-rule/"&gt;http://www.insideprivacy.com/senate-hearings-focus-on-lack-of-hipaa-enforcement-final-hitech-rule/&lt;/a&gt;&lt;/div&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;p&gt;The irony is that the law is actually in force and should the BA have a breach they must report the breach and are subject to punishment right along with the CE that trusted them with the PHI.&amp;nbsp; CEs must take greater responsibility for their BAs because they are in fact responsible should the BA breach.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;I highly recommend that you read an article being published in Compliance Today magazine entitled:&lt;/p&gt;
&lt;p&gt;&lt;span class="large_body" style="font-size: 18px"&gt;&lt;span class="storytitle1"&gt;&lt;strong&gt;&lt;font color="#003399" face="Arial"&gt;Effective practices for HIPAA and HITECH compliance measurements&lt;/font&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;font color="#000000" face="Verdana"&gt; &lt;/font&gt;&lt;font color="#000000"&gt;&lt;font face="Verdana"&gt;&lt;strong&gt;&lt;em&gt;&lt;span class="feature1"&gt;&amp;ndash; By Rebecca Herold and Mahmood Sher-Jan &lt;/span&gt;&lt;br /&gt;
&lt;/em&gt;&lt;/strong&gt;Metrics tied to an incident response lifecycle provide a defendable plan of action for data breaches and help restore trust. Page 30&lt;/font&gt;&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/ComplianceHelper/~4/LDOSN0D45aY" height="1" width="1"/&gt;</description>
          <pubDate>Fri, 23 Dec 2011 16:05:50 GMT</pubDate>
          <guid isPermaLink="false">http://compliancehelper.com/post/639500-senate-hearings-focus-on-lack-of</guid>
          <link>http://feedproxy.google.com/~r/ComplianceHelper/~3/LDOSN0D45aY/639500-senate-hearings-focus-on-lack-of</link>
        <feedburner:origLink>http://compliancehelper.com/post/639500-senate-hearings-focus-on-lack-of</feedburner:origLink></item>
    
  </channel>
</rss>

