Data Breach Prevention and Notification Plan

In today’s expanding HIPAA compliance environment, staying on top of privacy and security regulations amended by the recent HITECH Act can be daunting. For example, one new regulatory requirement includes establishing data breach notification requirements for HIPAA covered entities and their business associates. The challenge for healthcare organizations in this provision alone becomes the process of measuring exposure to a data breach, developing policies and procedures to reduce exposure and developing a data breach incident plan to help minimize risk.

Need for Compliance Support
While the process of implementing the new data breach requirements appears simple enough, most healthcare organizations admit they are not equipped to meet them. In fact, a recent study[1] on patient privacy and data security by the Ponemon Institute reports a key takeaway: “Most healthcare organizations experience undetected breaches of patient data due to lack of preparation and staffing. Healthcare organizations in our study told us they have inadequate resources (71 percent), few (if any) appropriately trained personnel (52 percent) and insufficient policies and procedures in place (69 percent) to prevent and quickly detect patient data loss.”

Full Impact of Data Breach
According to another Ponemon Institute study[2], the data breach incident cost to U.S. companies was $202 per compromised customer record in 2008. Cost factors include expensive outlays for investigative and administrative expenses, customer defections, opportunity loss, reputation management, and costs associated with customer support such as information hotlines and credit monitoring subscriptions.

Reducing Data Loss: People, Process and Technology
In response to the potential negative effects of a data breach, healthcare organizations continue to upgrade their technology, yet as Rick Kam, president of ID Experts, a data breach solutions company, explains in a recent press statement[3], “Hardly a day goes by without news of some type of data breach being reported. Data breach incidents are growing in frequency and severity, while regulatory requirements for data privacy protection and incident notification are becoming more stringent. Although organizations entrusted with PII and PHI are making investments in technologies such as encryption and data loss prevention (DLP), none of these are ‘silver bullets’ that will eliminate data breach risks. Despite the focus on failure or lack of adequate security controls within organizations, a far more significant and common portion of these events are simply the result of staff’s lack of awareness and/or compliance to internal security policies and lax practices to safeguard sensitive information.”

To be sure, any healthcare organization is complex, with countless internal and external data points touched by people, processes and technology. To achieve privacy and security assurance of data integrity, a thorough analysis of “all” data points is key to a successful compliance program.

How We Can Help
Our data breach prevention audit examines PHI handled by people, processes and technology. Our audit will inventory PHI, evaluate policies and procedures, examine staffing roles, review business processes, conduct a security evaluation and upgrade training and awareness programs as needed.

[1] Benchmark study on patient privacy and data security, November 2010, Ponemon Institute, sponsored by ID Experts.
[2] Fourth Annual US Cost of Data Breach Study, January 2009, Ponemon Institute.
[3] Data breach risks and privacy compliance: The expanding role of the IT Security professional, Data Breach Press 2010, ID Experts.

Grant Peterson, J.D. leads the HIPAA Analytics team. For questions or comments, please refer to Contact Us

President Signs Red Flags Rule Clarification Act Into Law

The “Red Flags” Rule, in effect since January 1, 2008, requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or “red flags” – of identity theft in their day-to-day operations, take steps to prevent the crime, and mitigate the damage it inflicts. By identifying red flags in advance, organizations are better equipped to spot suspicious patterns when they arise and take steps to prevent a red flag from escalating into a costly episode of identity theft.

The Red Flag Program Clarification Act of 2010 was the result of continued confusion over which businesses were required to implement Red Flags Rule Programs designed to prevent and mitigate the risk of identity theft by the end of the year. The Red Flags Rule is regulated by the Federal Trade Commission (FTC).

The bill amends the original definition of “creditor” that the FTC was instructed to use in writing the regulation. The bill limits the definition of a “creditor” under the Fair Credit Reporting Act to only those entities that use consumer reports, furnish information to consumer reporting agencies, or advance funds to or on behalf of a person. This definition in effect excludes law firms, health care practices, retailers, utility companies, telecommunications firms, automobile dealerships, and other small businesses from complying with the Red Flags Rule. The purpose of the limitation was to ensure that the Red Flags Rule covers creditors who pose the highest risk for identity theft, including creditors which use consumer reports, furnish information to consumer reporting agencies, or loan money to individuals.

Healthcare organizations that have already developed and implemented a Red Flags Rule program should note that, as experts point out, they still have a duty to safeguard the confidentiality of protected health information. An organization that had a policy in place and then stopped using it because of a relaxation in the law may be particularly vulnerable to claims that it could have prevented someone’s identity theft and did not. We recommend reviewing your policies and procedures regarding identity theft prevention.

Practical tips on spotting the red flags of identity theft, taking steps to prevent the crime, and mitigating the damage it inflicts, along with guidance on putting a written Identity Theft Prevention Program in place, are available at http://www.ftc.gov/redflagsrule


Business Associate Strategy and the HITECH Act

Expanded Scope and Enforcement of HIPAA

Whether you are a hospital, insurance company or a vendor to healthcare, recent federal legislation has dramatically changed the rules regarding privacy and security compliance.

On February 17, 2009, President Obama signed into law the American Recovery and Reinvestment Act of 2009, which contained provisions comprising the Health Information Technology for Economic and Clinical Health Act, or HITECH Act (“Act”). The Act makes sweeping changes to the privacy and security regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

The Act imposes additional privacy and security rules on business associates. For example, the Act makes the business associate’s compliance with the terms of the business associate agreement a direct requirement of HIPAA. The Act also applies the administrative, physical and technical safeguard requirements of the Security Rule to business associates, including obligations related to policies, procedures and documentation.

Additionally, the new data security breach notification requirements within the Act apply to both covered entities and business associates, requiring patient notification of any unauthorized acquisition, access, use or disclosure of their unsecured protected health information. Moreover, increased civil and criminal penalties now apply to violations of HIPAA privacy and security requirements, and the Act authorizes state attorneys general to bring civil actions on behalf of state residents adversely affected or threatened by such violations.

Healthcare organizations face a growing trend of sharing confidential health information with vendors (business associates) in order to meet critical business needs. Yet from a risk management perspective, little if any measurement of a business associate’s compliance knowledge is performed, leaving little assurance that the business associate handling patient health information follows sound compliance practices.

Privacy violations and security data loss by business associates and their subcontractors have also become a strategic liability issue for healthcare organizations. The new security breach notification rules of the Act require covered entities to notify patients of any unauthorized acquisition, access, use or disclosure of their unsecured protected health information. They also require business associates to notify the covered entity of any unauthorized acquisition, access, use or disclosure of the unsecured protected health information they hold on behalf of the covered entity, including the identity of each individual who is the subject of that information.

According to the Ponemon Institute, a privacy and information management research firm, the data breach incident cost to U.S. companies was $202 per compromised customer record in 2008. Cost factors include expensive outlays for detection, escalation, notification and response, along with legal, investigative and administrative expenses, customer defections, opportunity loss, reputation management, and costs associated with customer support such as information hotlines and credit monitoring subscriptions.

Bottom line: make sure you have updated business associate agreements* in place by February 17, 2010.

*A sample HITECH Act Business Associate Agreement is described in the Healthdatamanagement.com article of February 9, 2010, “New Model BA Agreement.”


HIPAA Security Evaluation: Checking Your Compliance Vital Signs

Checking Your Compliance Vital Signs
In health care, we think of “Vital Signs” as the measurements of body temperature, pulse, respiration rate, and blood pressure. Vital signs provide information about your general health. They offer clues to medical conditions. When you are sick, they are used to help check your return to good health.

In a similar way, HIPAA has “vital signs”, although they are not measurements of body temperature, pulse, respiration rate, and blood pressure. HIPAA created the Evaluation Standard 164.308(a)(8), which requires a periodic technical and non-technical evaluation of the healthcare organization’s security safeguards to demonstrate and document compliance with its security policy and the Security Rule requirements. In the case of your HIPAA program, the required periodic evaluation provides information about your organization’s compliance health. The evaluation offers clues to the condition of security safeguards. If safeguards are found lacking, the evaluation is used to help check the return to good compliance health. Let’s examine the specific rule:

Evaluation 164.308(a)(8)
HIPAA Standard: Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.

Required Standard
HIPAA created the Evaluation Standard 164.308(a)(8), which requires a periodic technical and non-technical evaluation (emphasis added) of the healthcare organization’s security safeguards to demonstrate and document compliance with its security policy and the Security Rule requirements. A “required” standard means that “a covered entity must implement the implementation specifications”.

Some Thoughts on Conducting an Evaluation

  1. Decide whether the evaluation will be conducted with internal staff resources or external consultants.
  2. Engage external expertise to assist the internal evaluation team where additional skills and expertise are determined to be reasonable and appropriate.
  3. Use internal resources to supplement an external source of help, because these internal resources can provide the best institutional knowledge and history of internal policies and practices.

Develop Standards and Measurements for Reviewing All Standards and Implementation Specifications of the Security Rule

  1. Use an evaluation strategy and tool that considers all elements of the HIPAA Security Rule and can be tracked, such as a questionnaire or checklist.
  2. Implement tools that help document and report on the level of compliance, integration, or maturity of a particular security safeguard deployed to protect EPHI.
  3. If available, consider engaging specific staff or management having responsibilities that include security (for example, billing manager).
  4. Leverage any existing reports or documentation that may already be prepared by the organization addressing compliance, integration, or maturity of a particular security safeguard deployed to protect EPHI.

Conduct Evaluation

  1. Determine, in advance, what departments and/or staff will participate in the evaluation.
  2. Securing management support for the evaluation process ensures participation.
  3. Collect and document all needed information.
  4. Collection methods may include interviews, surveys, third-party examinations, and the outputs of automated tools, such as access control auditing tools, system logs, and results of penetration testing.
  5. Conduct penetration testing (where trusted insiders attempt to compromise system security for the sole purpose of testing the effectiveness of security controls), if reasonable and appropriate.

Document Results

Reasonable and appropriate documentation practices will often include:

  1. Analyze the evaluation results.
  2. Identify security weaknesses.
  3. Document in writing every finding and decision.
  4. Develop security program priorities and establish targets for continuous improvement.

Repeat Evaluations Periodically

  1. Establish the frequency of evaluations, taking into account the sensitivity of the EPHI controlled by the organization, its size, complexity, and environmental and/or operational changes (e.g., other relevant laws or accreditation requirements).
  2. In addition to periodic re-evaluations, consider repeating evaluations when environmental and operational changes are made to the organization that affect the security of EPHI (e.g., if new technology is adopted or if there are newly recognized risks to the security of the information).

Conducting your annual security evaluation is an excellent way to ensure you have complied with Evaluation Standard 164.308(a)(8) of HIPAA and have documented your organization’s HIPAA vital signs.


HIPAA Privacy and Security Rules – Linked?

Healthcare officials often ask whether the HIPAA Privacy and Security Rules are linked.

My stock answer is yes; however, further examination is required to fully explain how the two rules work together and the value of referring to both rules in planning and managing a compliance program. Let’s start by reviewing the HIPAA Privacy and Security Rules.

Privacy Rule
The Privacy Rule applies to health information in any form or media, whether electronic, paper or oral. Healthcare organizations, called Covered Entities, are required under HIPAA to protect the privacy of a person’s identifiable health information, referred to as Protected Health Information (PHI).

The Privacy Rule was designed to protect all PHI held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral. The Privacy Rule gives patients the right to receive a privacy notice, to receive a listing of uses and disclosures of their health information, to inspect, copy and request amendments to their medical records, and to file a formal complaint about violations of privacy; it also establishes criminal and civil penalties for improper use and disclosure.

Security Rule
Unlike the HIPAA Privacy Rule, which applies to PHI in “any form or medium,” the Security Rule covers only PHI that is electronically stored or transmitted by covered entities, called electronic PHI (ePHI). The Security Rule has a broader aim than the confidentiality focus of the Privacy Rule. Although protection against unauthorized use or disclosure is also a core goal, the Security Rule aims at assuring the integrity and availability of ePHI too. As such, the Security Rule addresses issues such as data backup, disaster recovery and emergency operations. The general requirement of the Security Rule can be simply stated: covered entities that “collect, maintain, use or transmit” PHI in electronic form must construct “reasonable and appropriate administrative, physical and technical safeguards” that ensure integrity, availability and confidentiality.

Federal Regulators’ Intent
A good starting point for examining the linkage between the Privacy and Security Rule begins with those responsible for the development and application of the Rules. The Department of Health and Human Services has stated that, “…in preparing the final Security Rule, the Department is working to ensure the Security Rule requirements for electronic information systems work hand in glove (emphasis added) with any relevant requirements in the Privacy Rule”[1]. Health and Human Services has also stated that, “As many commenters recognized, security and privacy are inextricably linked (emphasis added). The protection of the privacy of information depends in large part on the existence of security measures to protect that information.”[2] To be sure, federal regulators intend for Privacy and Security Rules to work in conjunction with one another.

Privacy and Security “Inextricably Linked”
A careful examination of the two rules shows important intersections that must be considered when managing HIPAA compliance to ensure a cohesive compliance plan.

The Value of a Cohesive Compliance Plan: Easy to Understand and Apply

The goal of any compliance program is to provide guidelines that promote an understanding of, and compliance with, the regulations. Recognizing how the Privacy and Security Rules work together gives healthcare compliance officers and management a method for delivering a cohesive compliance plan that is easy to understand and apply. Joint privacy and security functions to coordinate include:

  • Establish HIPAA policies and procedures for proper use, disclosure and safeguarding of PHI and ePHI
  • Develop and implement ongoing training programs to ensure organization members are aware of and updated on required standards for healthcare privacy and security
  • Document the privacy and security compliance efforts
  • Create methods to communicate new HIPAA regulations and standards to all organization members
  • Establish a mechanism for receiving, investigating and addressing complaints regarding privacy and/or security practices or actions of the organization
  • Perform regular reviews of compliance efforts for both privacy and security to determine the need to improve the compliance program
  • Formulate a corrective action plan to address any issues of non-compliance with the organization’s privacy or security policies and standards

Bottom Line
The Department of Health and Human Services has stated that, “…in preparing the final Security Rule, the Department is working to ensure the Security Rule requirements for electronic information systems work hand in glove (emphasis added) with any relevant requirements in the Privacy Rule”

[1] “Standards for Privacy of Individually Identifiable Health Information, Final Rule.” Federal Register 67 (14 August 2002): 52194

[2] “Health Insurance Reform: Security Standards, Final Rule.” Federal Register 68 (20 February 2003): 8335


Producers Agreement Adds HIPAA Requirements for Insurance Agents and Risks for Insurance Carriers

In a recent blog, I discussed the Business Associate provisions found within the Health Insurance Portability and Accountability Act (HIPAA). In that discussion, I pointed out that most healthcare organizations and health plans do not carry out all of their healthcare activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses (Business Associates).

The Privacy Rule allows covered entities and health plans to disclose protected health information to these “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.

Insurance Carriers Contract with Agents (Business Associates)

As a result of the Business Associate provisions of HIPAA, insurance carriers have added HIPAA Business Associate specific requirements to the Producers Agreement, due to the fact that insurance carriers:

1. Most often use independent insurance agents

2. Allow the disclosure (and collection) of protected health information to the agent

3. Are required to obtain satisfactory assurances in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.

A Developing Risk for Insurance Companies and Their Agents

In speaking with insurance company officials, I have asked how their agents meet the “contractual” obligations of their producer’s agreement as they relate to the administrative, physical and technical safeguards the agents are required to implement. The answers vary from, “we provide HIPAA training for those agents who attend one of our conferences” to “we leave that up to the agents”.

In my opinion, thousands of agents handling protected health information without a formal HIPAA compliance program adds unnecessary risk to both the company and the agent. To get a better idea of exactly what an agent is contractually agreeing to, let’s take a look at an example of a producer’s agreement covering confidentiality of information and security and privacy (HIPAA)…

(Sample) K. CONFIDENTIALITY OF INFORMATION/PRIVACY and SECURITY STANDARDS (HIPAA)…

4. Producer agrees that it will implement appropriate safeguards to prevent the use or disclosure of Protected Health Information in any manner other than pursuant to the terms and conditions of this Agreement.

5. Producer shall, within five (5) business days of becoming aware of a disclosure of Protected Health Information in violation of this Agreement by Producer, its officers, directors, employees, contractors or agents or by a third party to which Producer disclosed Protected Health Information pursuant to paragraph 2 of this Section of the Agreement, report any such disclosure to Company.

6. Within five (5) business days of a request by Company for access to Protected Health Information, Producer shall make available to Company such Protected Health Information for so long as such information is maintained. In the event any individual requests access to Protected Health Information directly from Producer, Producer may not deny access to the Protected Health Information requested. Rather, Producer shall, within two (2) business days, forward such request to Company.

7. Within ten (10) business days of receipt of a request from Company for the amendment of an individual’s Protected Health Information, Producer shall incorporate any such amendments in the Protected Health Information that Producer maintains. In the event that an individual’s request for the amendment of Protected Health Information is made directly to the Producer, Producer may not deny the requested amendment. Rather, Producer shall, within two (2) business days, forward such request to Company.

8. Within ten (10) business days of notice by Company to Producer that it has received a request for an accounting of disclosures of Protected Health Information regarding an individual during the six (6) years prior to the date on which the accounting was requested, Producer shall make such information regarding its disclosures available to Company as is required for Company to make the accounting. At a minimum, Producer shall provide Company with the following information: (i) the date of the disclosure, (ii) the name of the entity or person who received the Protected Health Information, and, if known, the address of such entity or person, (iii) a brief description of the Protected Health Information disclosed, and (iv) a brief statement of the purpose of such disclosure that includes an explanation of the basis for such disclosure. In the event the request for an accounting is delivered directly to Producer, Producer shall within two (2) business days forward such request to Company.

9. Producer hereby agrees to implement an appropriate recordkeeping process to enable it to comply with the requirements of this Section.

10. Producer hereby agrees to make its internal practices, books and records relating to the use and disclosure of Protected Health Information received from, or created or received by Producer on behalf of, Company available to the Company and to the Secretary for purposes of determining Company’s and Producer’s compliance with the Privacy Standards.

11. At termination of this Agreement, if feasible, Producer shall return or destroy all Protected Health Information received from, or created or received on behalf of, Company that Producer maintains in any form and shall not retain any copies of such information, or if such return or destruction is not feasible, extend the protections in this Agreement to such information and limit further uses and disclosures to those purposes that make the return or destruction of such information infeasible.

12. With respect to Electronic Protected Health Information, no later than the compliance date for the Security Standards and at all times thereafter, Producer shall comply with the requirements of the HIPAA Security Standards set forth in 45 C.F.R. Parts 160 and 164, Subpart C (“Security Standards”), and, in particular, shall:

a) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that Producer creates, receives, maintains, or transmits on behalf of Company as required by the Security Standards;

b) Ensure that any agent, including a subcontractor, to whom Producer provides such information agrees to implement reasonable and appropriate safeguards to protect it; and

c) Report to Company any Security Incident of which it becomes aware.

13. This confidentiality provision shall survive the termination of this Agreement.

Diffusing Liability for Insurance Company and Agent

After reviewing the sample confidentiality and HIPAA provisions of the producer’s agreement above, two questions arise:

1. How will an agent meet the contractual obligations of the producer’s agreement?

2. What compliance management tools will be available as an agent resource?

Take a look at a sampling of agent requirements and resource needs below.

Clearly, the table above points out the need for a formal compliance program for agents. Equally important is the opportunity for the Company to make HIPAA management tools available to agents in order to obtain satisfactory assurances that the agent (business associate) will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the Company comply with its duties under the Privacy Rule and Security Rule. In doing so, HIPAA liability will be diffused for both the agent and the Company.


Why Outsourcing is Healthcare’s Newest Compliance Tool

I recently had the chance to meet with a healthcare organization to discuss the issues facing midsize medical groups. As you might guess, HIPAA compliance made the top ten list.

Here’s what I learned. First, there is general acknowledgement that it takes time to keep current with HIPAA compliance tasks. Second, most administrators (particularly in organizations smaller than a hospital) have added the duties of “Compliance Officer” to their already full plate of tasks. Finally, compliance officers believe that they have neither the time nor the skill sets to meet the objectives of strong privacy and security management.

You can probably see a good news/bad news story developing here! You’re right. Let’s start with the bad news first. HIPAA is not going away, and in fact most predict it will follow the path of other regulations (OSHA, for example). Already we are seeing a strengthening of enforcement; read more about Providence Health & Services’ loss of electronic backup media and laptop computers containing individually identifiable health information in 2005 and 2006 at http://www.bizjournals.com/portland/stories/2008/07/21/daily9.html

In addition, a Senate bill (called HIPSA) has been introduced to significantly enhance the enforcement of HIPAA, read more at: http://www.bizjournals.com/memphis/stories/2007/10/22/focus4.html?b=1193025600%5E1537387

So what about the good news? Thanks to technology, coupled with experienced compliance specialists, outsourcing the compliance officer role may be your newest compliance tool. Here’s how it works: to adequately manage HIPAA compliance, consultants like this author use a comprehensive Web-based program to create, manage and monitor the outsource client. This allows the consultant to track all staff, manage policies, procedures and forms, monitor training, and conduct a limited number of on-site visits to perform a periodic gap assessment and report on the client’s compliance status.

The result: you have a professional compliance officer managing your HIPAA compliance program, reducing administrative costs, freeing the administrator to focus on core business activities, and improving compliance.


Business Associates and HIPAA – The Basics

In the Business Associate category, we will be discussing issues that surface as organizations develop business relationships with outside agents and vendors. Let’s start with some basics:

The HIPAA Privacy Rule applies only to covered entities (health plans, healthcare clearinghouses, and certain healthcare organizations). However, most healthcare organizations and health plans do not carry out all of their healthcare activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses (Business Associates).

The Privacy Rule allows covered entities and health plans to disclose protected health information to these “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.

Aside from the obvious users of identifiable health information (hospitals, clinics, nursing homes, etc.), other parties that come in contact with identifiable health information, such as agents and vendors, may be Business Associates. HIPAA requires hospitals, clinics, insurance companies and others that use such agents and vendors to put a Business Associate Agreement in place. The regulation states:

PART 164—SECURITY AND PRIVACY
(Business associate contracts or other arrangements)

§ 164.314 Organizational requirements.
(a)(1) Standard: Business associate contracts or other arrangements.
(2) Implementation specifications (Required).

(i) Business associate contracts. The contract between a covered entity and a business associate must provide that the business associate will—

(A) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity as required by this subpart;

(B) Ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it;

(C) Report to the covered entity any security incident of which it becomes aware;

(D) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract… For the complete regulation, see: http://www.hhs.gov/ocr/AdminSimpRegText.pdf

Watch for future posts on developing issues regarding Business Associates and the clients they serve.

Grant Peterson, J.D. leads the HIPAA Analytics team. For questions or comments, please refer to Contact Us

Long-Term Care: Quality Training on Your Budget!

I recently read an interesting long-term care report on the topic of Driving for Quality in Long-Term Care: A Board of Directors Dashboard.

http://www.oig.hhs.gov/fraud/docs/complianceguidance/Roundtable013007.pdf

The report was the result of a roundtable discussion involving 35 long-term care (LTC) professionals and 10 government representatives. The participants represented a wide spectrum of LTC organizations and professionals, including not-for-profit and for-profit organizations, multi-facility and single-facility organizations, nationally and locally based organizations, clinicians, administrators, compliance officers, outside and corporate counsel, and monitors involved in OIG quality-of-care Corporate Integrity Agreements.

Breakout discussion groups were designed around three perspectives on the oversight of quality of care: (1) organizational commitment to quality; (2) processes related to monitoring and improving quality; and (3) outcome measures related to quality.

Some of the tools recommended to assist the board in evaluating these issues included:

  1. Promote Active Questioning by the Board – The board of directors needs to ask questions as to (1) why a quality problem occurred, and (2) what management is doing to fix the problem and to prevent it from happening again. Simply put, board members should not be afraid to ask difficult questions.
  2. Retain Outside Expertise/a Consultant – The board could engage an external expert or consultant to review the organization’s policies, procedures, and processes, as needed.
  3. Monitor Staff Training and Turnover – Lack of staff competency and high staff turnover could indicate that the organization’s processes are not adequate. Staff education should be provided on an ongoing basis, both because of staff turnover and to ensure that the organization has trained, up-to-date staff.

Based on my professional experience with long-term care organizations, I viewed the report as offering practical measures for the board and management to address organizational quality effectively.

The idea of retaining outside expertise is another plus for the report, since consultants have the expertise to review organizational policies and procedures and in turn, share their findings and skills with the board and management.

Monitoring staff training and turnover caught my attention, since all too often training lacks the prioritization of other LTC business functions, yet training is the basis for quality care. To put training in perspective, imagine pilots, physicians or accountants lacking training or continuing education. Then apply that same concept to those who deal 24/7 with our loved ones.

The “Challenges and Opportunities” breakout group discussions related to broader issues of board of director involvement with quality of care and the use of a Quality of Care Dashboard. One of the challenges and opportunities suggested: “Quality and financial data are interwoven. When a facility is having cash flow problems, the quality of care delivered may suffer. Similarly, care will suffer when there are insufficient funds for training, education, and staffing. Money and quality are two sides of the same coin. When board members are effectively monitoring the quality indicators at a facility, they will also be learning valuable information about the financial health of the entity” (emphasis added).

Bottom Line.
While it’s true that quality and financial data are generally interwoven, I see the opportunity for LTC board and management to engage consultants that are willing to partner in the goal of achieving quality, despite a tight budget – and that of course is the challenge.

Consultants can help to deliver compliance tools using Web-based programs that unify all locations and standardize such things as HIPAA policies & procedures, forms, required logs, reports, training and more.

Grant Peterson, J.D. leads the HIPAA Analytics team. For questions or comments, please refer to Contact Us

HIPAA Security Training: A Flexible Approach

Whether your organization is an insurance company, hospital, clinic, dental group, elder-care facility or anything in between, security awareness and training is required of all members of its workforce (including management).

So how should healthcare organizations plan to meet the Security Awareness and Training Standard? As a first step, I often caution clients to review the specific standard together with the references it makes to other provisions. For example, § 164.308, the Security Awareness and Training Standard, must be read in conjunction with § 164.306 Security Standards: General Rules, because the General Rules explain the general intent of the standards and give guidance for implementing them. Take a look at the General Rules and note, for example, the guidance on a “flexible approach”:

§ 164.306 Security Standards: General Rules

(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.
(b) Flexibility of approach. (Emphasis added)
(1) Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
(2) In deciding which security measures to use, a covered entity must take into account the following factors:
(i) The size, complexity, and capabilities of the covered entity.
(ii) The covered entity’s technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to electronic protected health information.

As you can see, the General Rules help answer the question: “We are a clinic and cannot afford a large-scale training program like a hospital; what can we do?” By reading § 164.306 Security Standards: General Rules, healthcare organizations of any size will realize that the “flexibility” built into the regulations is designed to accommodate healthcare operations of any size.

Grant Peterson, J.D. leads the HIPAA Analytics team. For questions or comments, please refer to Contact Us