HIPAA Priority Support Meets Healthcare’s Ongoing Compliance Needs

HIPAA Analytics has responded to client interest by offering a HIPAA Priority Support service that lets healthcare covered entities and business associates cost-effectively add specialized HIPAA skills, experience and best practices to meet the growing demands of compliance administration.

HIPAA compliance for healthcare covered entities and business associates is becoming a risk management challenge. Today, business managers and compliance officers are tasked with a growing set of responsibilities: conducting a risk assessment, monitoring business processes for compliance, managing privacy and security policies and procedures, preparing for data breaches, and coordinating compliance requirements with covered entities or business associates, to name a few.

In addition, new regulations and guidance documents require the compliance officer to research federal and state regulations. The U.S. Department of Health & Human Services, for example, implements regulatory change through a public Notice of Proposed Rulemaking process covering modifications to the privacy and security rules, compliance and investigations, imposition of civil money penalties, and procedures for hearings issued under HIPAA; all of these must be monitored closely to keep a HIPAA program relevant and accurate. Privacy and security oversight has reached a new level of demand, and the time between an issue arising and when it must be resolved is shrinking fast, both to protect patients' protected health information and to limit the healthcare organization's exposure.

HIPAA Priority Compliance Support 

Teaming with HIPAA Analytics is a business strategy for cost-effectively adding specialized skills, experience and best practices: the organization gains a subject matter expert in HIPAA compliance, and the knowledge sharing that comes with it improves the organization's compliance performance.

The remote, subscription-based service includes:

  • Dedicated Consultant Serving the Client's HIPAA Compliance Program
  • Direct Phone and Email Support with Compliance Officer
  • Provide Guidance on Business Issues Impacting Compliance Requirements
  • Provide Actionable Insight and Best Practices to Improve Compliance Program
  • Compliance Document Review, for Example, Business Associate Agreements
  • Assist with Development of Additional HIPAA Policies, Procedures and Implementation
  • Provide Guidance on Data Breach or Security Incident Investigation
  • Provide Advisory Opinion on HIPAA Regulations Impacting Business Process
  • Quarterly Compliance Review to Check Progress, Discuss Issues and Make Recommendations
  • Provide Back-up to Compliance Officer in Emergencies
  • Risk Analysis: Assist Client with Annual Risk Analysis Review


ATTESTATION: Strengthening “Satisfactory Assurances” of the HIPAA Business Associate Agreement

Today, healthcare organizations are faced with a growing trend of sharing confidential health information with vendors (business associates) in order to meet critical business needs. Yet from a risk management perspective, little if any assessment of business associate compliance is performed, leaving little assurance of sound compliance practices by the business associate handling patients’ confidential health information. Read the complete article here.

Reprinted with permission of Privacy Analytics

HIPAA Enforcement Training for State Attorneys General

Enforcement By State Attorneys General
One of the more notable enforcement provisions of the HITECH Act is Section 13410, Improved Enforcement, which provides for State Attorneys General to file a HIPAA civil lawsuit in federal court. Ramping up for potential state action against HIPAA violations, Health and Human Services, through the Office for Civil Rights (OCR), has now taken the next step to help State Attorneys General begin to implement their enforcement authority under the HITECH Act: OCR will hold a 2-day, instructor-led HIPAA Enforcement Training course in 4 locations across the country. At each of these HIPAA Enforcement Training sessions, attendees will receive instruction on the following topics:

  • General introduction to the HIPAA Privacy and Security Rules
  • Analysis of the impact of the HITECH Act on the HIPAA Privacy and Security Rules
  • Investigative techniques for identifying and prosecuting potential violations
  • A review of HIPAA and State Law
  • OCR’s role in enforcing the HIPAA Privacy and Security Rules
  • SAG roles and responsibilities under HIPAA and the HITECH Act
  • Resources for SAG in pursuing alleged HIPAA violations
  • HIPAA Enforcement Support and Results

More information on the training can be found here

About HITECH Act Section 13410, Improved Enforcement
In particular, the Act amends Section 1176 of the Social Security Act (42 U.S.C. 1320d-5) by adding at the end the following new subsection:
“(d) Enforcement By State Attorneys General.

CIVIL ACTION. Except as provided in subsection (b), in any case in which the attorney general of a State has reason to believe that an interest of one or more of the residents of that State has been or is threatened or adversely affected by any person who violates a provision of this part, the attorney general of the State, as parens patriae, may bring a civil action on behalf of such residents of the State in a district court of the United States of appropriate jurisdiction—

(A) to enjoin further such violation by the defendant;

(B) to obtain damages on behalf of such residents of the State, in an amount equal to the amount determined under paragraph (2).

(A) IN GENERAL.—For purposes of paragraph (1)(B), the amount determined under this paragraph is the amount calculated by multiplying the number of violations by up to $100. For purposes of the preceding sentence, in the case of a continuing violation, the number of violations shall be determined consistent with the HIPAA privacy regulations (as defined in section 1180(b)(3)) for violations of subsection (a).

(B) LIMITATION.—The total amount of damages imposed on the person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.

(C) REDUCTION OF DAMAGES.—In assessing damages under subparagraph (A), the court may consider the factors the Secretary may consider in determining the amount of a civil money penalty under subsection (a) under the HIPAA privacy regulations.”

Read the complete provision here, at page 49.

Data Breach Prevention and Notification Plan

In today’s expanding HIPAA compliance environment, staying on top of the privacy and security regulations amended by the recent HITECH Act can be daunting. For example, one new regulatory requirement establishes data breach notification obligations for HIPAA covered entities and their business associates. For healthcare organizations, the challenge in this provision alone lies in measuring exposure to a data breach, developing policies and procedures to reduce that exposure, and developing a data breach incident plan to help minimize risk.

Need for Compliance Support
While the process of implementing the new data breach requirements appears simple enough, most healthcare organizations admit they are not equipped to meet them. In fact, a recent study[1] on Patient Privacy and Data Security by the Ponemon Institute reports a key takeaway: “Most healthcare organizations experience undetected breaches of patient data due to lack of preparation and staffing. Healthcare organizations in our study told us they have inadequate resources (71 percent), few (if any) appropriately trained personnel (52 percent) and insufficient policies and procedures in place (69 percent) to prevent and quickly detect patient data loss.”

Full Impact of Data Breach
According to another Ponemon Institute study[2], the cost of a data breach incident to U.S. companies was $202 per compromised customer record in 2008. Cost factors include expensive outlays for investigative and administrative expenses, customer defections, opportunity loss, reputation management, and costs associated with customer support such as information hotlines and credit monitoring subscriptions.

Reducing Data Loss: People, Process and Technology
In response to the potential negative effects of a data breach, healthcare organizations continue to upgrade their technology. Yet Rick Kam, president of ID Experts, a data breach solutions company, explains in a recent data breach press statement[3] that, “Hardly a day goes by without news of some type of data breach being reported. Data breach incidents are growing in frequency and severity, while regulatory requirements for data privacy protection and incident notification are becoming more stringent. Although organizations entrusted with PII and PHI are making investments in technologies such as encryption and data loss prevention (DLP), none of these are ‘silver bullets’ that will eliminate data breach risks. Despite the focus on failure or lack of adequate security controls within organizations, a far more significant and common portion of these events are simply the result of staff’s lack of awareness and/or compliance to internal security policies and lax practices to safeguard sensitive information.”

To be sure, any healthcare organization is complex, with countless internal and external data points touched by people, processes and technology. To achieve privacy and security assurance of data integrity, a thorough analysis of “all” data points is key to a successful compliance program.

How We Can Help
Our data breach prevention audit examines PHI handled by people, processes and technology. Our audit will inventory PHI, evaluate policies and procedures, examine staffing roles, review business processes, conduct a security evaluation and upgrade training and awareness programs as needed.

[1] Benchmark study on patient privacy and data security, November 2010, Ponemon Institute, sponsored by ID Experts.
[2] Fourth Annual US Cost of Data Breach Study, January 2009, Ponemon Institute.
[3] Data breach risks and privacy compliance: The expanding role of the IT Security professional, Data Breach Press 2010, ID Experts.

Grant Peterson, J.D. leads the HIPAA Analytics team. For questions or comments, please refer to Contact Us

President Signs Red Flags Rule Clarification Act Into Law

The “Red Flags” Rule, in effect since January 1, 2008, requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or “red flags” – of identity theft in their day-to-day operations, take steps to prevent the crime, and mitigate the damage it inflicts. By identifying red flags in advance, organizations are better equipped to spot suspicious patterns when they arise and take steps to prevent a red flag from escalating into a costly episode of identity theft.

The Red Flag Program Clarification Act of 2010 was the result of continued confusion over which businesses were required, by the end of the year, to implement Red Flags Rule programs designed to prevent and mitigate the risk of identity theft. The Red Flags Rule is regulated by the Federal Trade Commission (FTC).

The bill amends the original definition of “creditor” that the FTC was instructed to use in writing the regulation. The bill limits the definition of a “creditor” under the Fair Credit Reporting Act to only those entities that use consumer reports, furnish information to consumer reporting agencies, or advance funds to or on behalf of a person. This definition in effect excludes law firms, health care practices, retailers, utility companies, telecommunications firms, automobile dealerships, and other small businesses from complying with the Red Flags Rule. The purpose of the limitation was to ensure that the Red Flags Rule covers creditors who pose the highest risk for identity theft, including creditors which use consumer reports, furnish information to consumer reporting agencies, or loan money to individuals.

For healthcare organizations that have developed and implemented a Red Flags Rule program, experts point out that you still have a duty to safeguard the confidentiality of protected health information, and an organization that had a policy in place and then stopped using it because of a relaxation in the law may be particularly vulnerable to claims that it could have prevented someone’s identity theft and didn’t. We recommend reviewing your policies and procedures regarding identity theft prevention.

You can find practical tips on spotting the red flags of identity theft, taking steps to prevent the crime, and mitigating the damage it inflicts, and learn how to put in place your written Identity Theft Prevention Program, at http://www.ftc.gov/redflagsrule

Grant Peterson, J.D. leads the HIPAA Analytics team. For questions or comments, please refer to Contact Us