HIPAA Security Risk Analysis. – Are You One Of The 3,300?

Posted by Dan Berger in Main

Get ‘er Done!

I’m referring, of course, to the HIPAA Security Risk Analysis requirement of the Stage 1 EHR Meaningful Use Incentive Plan. Between 85%-90% of the 5,000+ eligible hospitals say they plan to qualify for Stage 1, yet data from the Centers for Medicare & Medicaid Services shows less than 25% have attested and received payment as of November 30, 2011. So for the 3,300 or so other hospitals – this is no time to procrastinate. Time flies, whether you’re having fun or not. You’ll need to plan your 90-day qualification period and be ready to attest before the 2012 deadline. Don’t let the HIPAA Security Risk Analysis become “the tall pole in the tent.”

If the $4 million ($2m Medicare, $2m Medicaid) is not enough of an incentive, don’t forget that the new Federal HIPAA compliance and audit program has begun. The Department of Health and Human Services’ Office for Civil Rights announced the specifics of the audit program last year, fulfilling the mandate from the HITECH Act (part of the overall ARRA bill passed in 2009). 150 organizations will be audited in 2012 by KPMG (under contract with OCR), and the first 20 covered entities have already been selected and notified.

Although the primary goal of the audit program is security improvement, significant corrective action and civil monetary penalties resulting from these audits have not been ruled out. As Leon Rodriguez, OCR’s new chief, likes to say, “enforcement improves compliance.” OCR officials have suggested that most of the remainder of the audits will be conducted in the 2nd half of 2012. Even more reason for hospitals to get their HIPAA Security Risk Assessments completed as soon as possible. Better to have had a run-through with a 3rd party, objective IT security assessment company of your own choosing and taken corrective action before the federal auditors arrive.

Lastly, some hospitals put off allocating resources to meaningful use efforts in 2011 until their individual states had begun their Medicaid EHR Incentive Programs. But the 2012 national landscape already looks much different. 41 of 50 states have now launched their programs with another 5 or 6 to commence in Q1/2012. In all likelihood, all 50 state programs will be in place and making payments by July 2012.

HIPAA Audits – Paying a Little Attention Now Will Pay Big Benefits Later

Posted by Dan Berger in Main

In July, the HHS’ Office of Civil Rights (OCR) announced that they had appointed consulting firm KPMG to conduct up to 150 HIPAA audits of covered entities and business associates by the end of 2012. The implementation of the audit program fulfills a compliance enforcement mandate of the 2009 HITECH Act.

The KPMG contract enables OCR to put “feet on the street,” while retaining an oversight role in the process. Sue McAndrew, OCR’s deputy director for health information privacy, confirms that some audits could even result in OCR enforcement action. “Certainly, if we uncover in the course of the audit major violations or potential violations … we will be dealing with those … in the same manner we would through our formal enforcement process,” she said recently, according to www.healthcareinfosecurity.com.

Details of the focus and scope of HIPAA audits have yet to be fully defined. However a few things are clear. Each audit will follow a “typical onsite audit process” with an in-person visit and interviews with key management personnel such as the CIO, privacy officer, legal counsel, and health information management/medical records director. Draft reports will be shared with the organization before they are completed, and management responses will be incorporated in the final audit report.

Fair enough, but further details are a little murkier. Ms. McAndrew goes on to say that the audits will “initially offer comprehensive assessments of compliance with the HIPAA privacy and security rules rather than specific narrower issues.” For covered entities, it must be a little confusing to see the words “comprehensive assessment” juxtaposed with “rather than specific, narrower issues.”

At Redspin, we use the term “comprehensive security assessments” to mean that we include specific, narrow issues. After all, we’re guided by the HIPAA Security Rule (84 pages long, even in its simplified version; see the Administrative Simplification Regulation Text, March 2006). It’s also unclear how OCR and KPMG will select organizations to audit. While the projected number of 150 audits in 2012 makes the likelihood of an audit visit to your organization fairly low, keep in mind that OCR has a separate initiative underway to train State Attorneys General on the HIPAA audit process as well.

We think it would be prudent for a healthcare organization to consider what it can do now, knowing there’s a possibility of a HIPAA audit sometime in the future. An old Scouting motto comes to mind: “Be Prepared.” This is a good time for covered entities and business associates to review their HIPAA privacy and security programs and ensure that their documentation is up to date.

Most importantly, given the increased civil penalties and liabilities for PHI breach, it can now be considered a fiduciary responsibility for healthcare companies to assess whether their security programs are effectively safeguarding electronic protected health information (ePHI). Organizations participating in the EHR “meaningful use” plan already have a compelling incentive to “conduct or update a security risk analysis” but note, with or without meaningful use, this is a mandatory requirement for all covered entities and business associates, taken verbatim from the HIPAA Security Rule itself.

To help you prepare, let’s fast forward to what an actual HIPAA security audit may look like. The first thing any security auditor looks for is the policies and controls that you have in place: how they are documented, implemented, communicated, enforced, and lastly, how effective they’ve been. They’ll want to review whether or not you have identified vulnerabilities within your organization in the past and what steps you’ve taken to mitigate them. At Redspin, we’ve worked with IT auditors for nearly a decade in our banking and financial practice. We’ve found that companies that have previously engaged independent firms like Redspin to conduct comprehensive Security Risk Assessments (rather than checkbox compliance solutions) benefit greatly when audit time rolls around.

First impressions are always important, and when an auditor sees that you’ve already conducted a Security Risk Assessment in accordance with the HIPAA Security Rule, they know their work is more than halfway done. And so is yours. The follow-up demands on your organization’s time and resources will be much lighter and the outcome is virtually guaranteed to be more positive. You’ll be able to show well-documented policies and procedures, an objective rating of the effectiveness of your controls, the actions management has taken to address known vulnerabilities, and how your security risk posture has improved over time.

When Redspin conducts a Security Risk Analysis, we make all of the information above accessible to you from our secure, web-based client portal. This further enhances your ability to navigate through large amounts of information quickly and present summary results in a compelling, graphical, easy-to-understand format. Lastly, if requested, we’ll stand side-by-side with you during an audit. Redspin security engineers are always available to you to discuss the results from your assessments. We’re also happy to discuss those findings, validations and final reports with outside auditors at no additional charge.

Building Assurance through HIPAA Security, Washington D.C., May 10th-11th

Posted by Dan Berger in Main

Last Monday night, I boarded a “red-eye” flight from LAX to Dulles to attend the OCR/NIST HIPAA Security Conference. I landed at 6:15AM, did a quick change into my business attire, grabbed some coffee, rented a car, and found my way to the Ronald Reagan Building at 1600 Pennsylvania Avenue, 3 blocks from The White House. I thankfully arrived just before the breakfast buffet ended and took a seat at the back of the conference ballroom.

The room was packed with 400+ attendees – literally standing room only until the conference organizers could arrange for more chairs to be brought in. The congregation included providers, government policy-makers, healthcare lawyers, academics, vendors, and consultants. From the start of the conference at 9AM Tuesday morning to well after 4PM Wednesday afternoon, there was a sense of purpose in the air. Healthcare IT transformation is well underway and IT security will play a major role in whether or not we, collectively, succeed as an industry, as a major part of the U.S. economy and as a country.

While I gained a wealth of information and education from this conference, I want to summarize a few of the most important “take-away” items here.

- The development of Stage 2 “meaningful use” requirements is well underway. Security will remain a key focus. New providers will be expected to conduct a HIPAA security risk analysis (SRA) and Stage 1 qualifiers will be asked to “update and re-assess” the previous SRA they completed in order to meet Stage 1 attestation.

- While still likely stopping short of mandating encryption, Stage 2 meaningful use will also “shine a spotlight” on the security of data at rest, according to Deven McGraw, co-Chair of the HIT Policy Committee “Tiger Team” and Director of the Health Privacy Project at the Center for Democracy and Technology.

- A batch of final regulations dealing with healthcare privacy and security issues will be issued in one “Omnibus” package to be released this year and likely within months, if not within weeks. This will include:

  • HITECH Act modifications to the HIPAA privacy, security and enforcement rules.
  • The final version of the breach notification rule, replacing the current interim version.
  • Formalizing privacy provisions under the Genetic Information Nondiscrimination Act that forbids use of genetic information for insurance underwriting and categorizes such use as a violation of both privacy and non-discrimination regulations.

- Sue McAndrew, Deputy Director for Health Information Privacy at the Office of Civil Rights (OCR), called the HIPAA security risk analysis provision a foundational element of HITECH, along with updating the SRA regularly and implementing reasonable and appropriate safeguards.

- Ms. McAndrew further confirmed and clarified that business associates and their subcontractors will have the same obligations as covered entities under the HIPAA Security Rule and therefore must conduct their own HIPAA security risk assessments. Within 12 months from the issuance of the Omnibus NPRM, business associates will be directly liable for the breach of protected health information (PHI) under HITECH Act sections 13401 and 13404. She went on to describe this extension of direct liability to business associates as “a sea change” in the regulations.

- Stepped-up enforcement of the HIPAA security and privacy provisions is on the way. Federal enforcement training of State Attorneys General offices was done in Texas this past April, and will be conducted in Atlanta and Washington D.C. by end of May and in San Francisco in early June.

Public Comments on The Federal Health IT Strategic Plan, 2011-2015

Posted by Dan Berger in Main

One of the ONC’s key responsibilities is to provide strategic leadership to the public and private sector. Mandated under the HITECH Act of 2009, the ONC must publish and update its strategic plan for improving healthcare through the use of information technology.

The Federal Health IT Strategic Plan, 2011-2015, first released in draft form in March 2011, paints a rapidly evolving health IT landscape. It sets 5 overriding goals for “unlocking the vast promise of electronic health information to improve decision making, help individuals better manage their health, and improve the health system’s capacity for rapid learning.”

Making this plan public and, in fact, inviting public comment is helpful to the cause. It gives the ONC a vehicle to communicate priorities, solicit input, guide efforts and influence allocation of resources.

With the close of the public comment period today (5/6/2011) and in advance of next week’s NIST/OCR HIPAA Security Rule Conference in Washington, D.C., I felt this was an opportune time to publicly self-publish my public comments! Here goes:

The Blumenthal era smartly focused success around the concept of “meaningful use,” first as a measure of electronic health record (EHR) adoption and usage, and later as a rallying cry for IT health transformation in general.

Usage is, after all, tantamount to success. And the converse is also true. “No one knows how many computer-based applications designed at great cost of time and money are abandoned or expensively overhauled because they were unenthusiastically received by the intended users.” (“Power, Politics, and MIS Implementation,” M. Lynne Markus, M.I.T., June 1983)

This is a critical point. The draft Health IT Strategic Plan has, as its ultimate end-goal, improved patient outcomes. This goal cannot be achieved without widespread public adoption of EHRs. But does the Strategic Plan do enough to address the potential pitfalls and impediments that could undermine EHR usage?

In my opinion, no. Security and privacy requirements must be made more prominent both in the plan and in practice, with more stringent, regular testing and reporting. Although security and privacy are one of the 5 primary goals of the Plan, the topic commands only 6 pages of the 80-page document (pp 29-35). Also, by being listed as Goal number 3 out of 5, the implication is that these critical issues are third in priority or third in time sequence.

While perhaps an unintended impression, it still conveys the wrong message. Privacy and security are not simply goals; they are foundational to adoption and usage. Thus they are necessary conditions for achievement of all of the other 4 primary goals, and of any continued advancements of the health IT agenda.

Even the language used in describing “Goal III” is tepid (“stepping up protections,” “discussing major investment in education and outreach”). Notably absent are calls to action that inspire real commitment to regular monitoring and measuring, self-enforcement, and driving continuous improvement.

Perhaps the ONC believes that more stringent breach notification requirements and increased financial penalties will act as “an invisible economic hand” that guides healthcare providers to implement reasonable and appropriate measures to safeguard ePHI. But a fully comprehensive strategic plan must also include contingency planning – what if breaches continue to increase despite strict breach notification rules and more costly penalties?

And how does the ONC address the inherent incongruity of requiring public breach notifications for large incidents (500 records or more), while aiming to “inspire confidence and trust in health IT”? How can the health care industry combat the undermining of public trust by being forced to publicize its biggest failures? Personal notification for those impacted is an obvious necessity, but is there a cumulative psychological impact to frequent breach PRs, a repetitive stress injury to the ultimate goal if you will?

We suggest immediately elevating privacy and security to a higher plane. Rather than a goal, make it as foundational an element as meaningful use, the bedrock of the strategic plan. At Redspin, we suggest calling it “Meaningful Healthcare IT Security.” In fact, we’ve applied to trademark the tagline, not for any proprietary purpose, but to make a point. (We’ll gladly license its use to the ONC for free).

So what is “Meaningful Healthcare IT Security?” First, it’s an acknowledgement of the complex challenges healthcare organizations face in meeting the sophisticated levels of privacy and security necessary to protect the public. This will not simply materialize out of the “carrot and stick” approach of incentive payments and breach penalties. Second, privacy and security need to be understood as pre-conditions to meaningful use, not just a “part of” it.

Next, the “security risk analysis” identified as Core Measure 15 should be defined as more than compliance with the HIPAA security rule. Effective security is a process-driven cycle of regularly-scheduled assessments, validation, remediation, and reporting that delivers continuous and durable improvements in information security and helps develop a culture of security awareness within organizations.

We want to help meet the ONC’s ultimate goal of improving patient outcomes “by unlocking the vast promise of electronic health information.” But we don’t want to leave any doors unlocked that should be protecting privacy and security.

How to Apply for Meaningful Use

Posted by mmarshall in Main

If you are an eligible hospital or eligible professional, then meaningful use incentives and qualifying for them are likely top of mind. If you are a vendor of EHR technology, you have been working to get your software certified for meaningful use so your customers can qualify for the incentives.

Many organizations are in the midst of a tremendous amount of work to meet meaningful use and qualify for the incentives. Based on our conversations, most organizations have not yet applied and are not clear how the actual application process will work. For example: Will they need supporting documentation? What kind of output is needed from the HIPAA Risk Analysis? I thought it would be useful to provide a high-level walk-through of what to expect when you actually go through the registration/attestation process. If your organization hasn’t applied yet, this will give you a sense of what is going to be required when you do. We will look at the process for eligible hospitals, but the process is similar for eligible professionals.

  • Preparation:
    • Actually applying means that you have already done the hard work of meeting the meaningful use requirements. Most organizations are in the midst of this process right now. This includes:
      • Using certified EHR technology – The vendor needs to have gotten their EHR solution certified to meet meaningful use. The list of certified vendors/products is available here: http://onc-chpl.force.com/ehrcert
      • Configuring the chosen EHR technology to meet the meaningful use criteria and ensuring that the implementation adequately secures ePHI.
      • Performing a HIPAA Risk Analysis during this process.

The actual application process is broken up into two parts. The first is Registration, which has been available since January 3, 2011. Second is Attestation, which has been available since April 18, 2011.

  • Registration
  • Attestation
    • You will need the CMS EHR Certification ID for your implemented EHR. This is available from: http://onc-chpl.force.com/ehrcert
    • Enter the EHR Certification ID for your EHR technology and select the start and end dates for the reporting period.
    • For each of the core objectives where no exclusion applies, you will enter the number of patients the objective applied to and the number that met the core objective. For example, 100 patients requested electronic copies of their discharge instructions, and they were provided to 99. So 99% met core objective 12 during the reporting period. Complete this process for the Core Measures, Menu Measures and Clinical Quality Measures.

You are attesting to the implementation; data is not required to be submitted during the attestation process, although you will need to keep supporting data for six years in case of an audit.

If you meet all the criteria, you can submit the attestation. Congratulations! You are now officially a “meaningful user”.

For more information see:

CMS Registration Site

CMS Video Tutorial

You can do a test run to ensure that you meet the necessary objectives:

Meaningful Use Calculator

A Primer on HITRUST, EHNAC, Meaningful Use, HITECH, and Their Relationship with the HIPAA Security Rule

Posted by perlbot in Main

At the risk of oversimplifying the role each of these groups plays in the healthcare industry, the essence is the same – different people trying to figure out the best way to securely use electronic protected health information (ePHI) and supporting technology. However, without a single, industry-developed and accepted approach to securing ePHI, we are left with a federal statute, the HIPAA Security Rule, to drive the information security programs of our payers, providers, and business associates. Unfortunately, as we all know, a compliance-driven security program is often insufficient.

Rather, frameworks, accreditation programs, incentives, and penalties need to be developed that enable security programs to support business objectives as well as address compliance requirements. Each of the following is trying to do just that:

Health Information Trust Alliance (HITRUST)
Throw every infosec framework, standard, and data security law into the blender, press the “innovate” button, and pour yourself a best-of Common Security Framework (CSF) smoothie. But don’t forget to pay at the counter. Here at Redspin, we are all in favor of the best practice approach, as our own services often leverage lessons-learned from each industry. However, the CSF will have a hard time reaching critical mass until the framework is freely accessible to all.

Electronic Healthcare Network Accreditation Commission (EHNAC)
A non-profit standards development organization, EHNAC has developed a number of accreditation programs to improve transactional quality, operational efficiency and data security in healthcare. Specific to data security, they have opted to select a subset of safeguards from the HIPAA Security Rule to measure an organization’s information security program. The accreditation process involves a self-assessment questionnaire (including documentation of implemented controls), follow-up on-site visit(s), and an annual fee, and you are accredited for two years.

Centers for Medicare & Medicaid Services (CMS) “Meaningful Use” Incentive Program
The last (but certainly not least) stage 1 core requirement for hospitals and professionals to show meaningful use of EHR technology is to “Protect Electronic Health Information” by implementing a single HIPAA Security Rule safeguard: Perform a Security Risk Analysis. If you have to pick one, CMS got it right by selecting the one safeguard that has to be done first to align the management of the security program with necessary operational and technical controls.

Health Information Technology for Economic and Clinical Health (HITECH) Act
What if the HIPAA Security Rule is perfect as is, but we just need better enforcement and a broader range of institutions that it applies to? Please welcome the HITECH Act, which 1) created a breach notification provision, 2) strengthened enforcement by increasing the financial penalties per violation, and 3) widened the scope of the Security Rule to include business associates. Only time will tell if the public spotlight and financial penalties on data security breaches will have a positive effect in the industry.

Let’s review. One purpose, yet four different applications of the HIPAA Security Rule:

  • HITRUST = Security Rule + entourage
  • EHNAC = Security Rule/2
  • Meaningful Use = Security Rule/100, and
  • HITECH Act = Security Rule on steroids.

While there is not industry consensus, we certainly are moving in the right direction.

The Federal Health IT Strategic Plan and the Final Four

Posted by Dan Berger in Main

I just finished reading the ONC’s (Office of the National Coordinator for Health Information Technology) draft document The Federal Health IT Strategic Plan (“the Plan”) while watching the Butler-Florida game in the quarterfinals of the 2011 NCAA Championships.

One of the ONC’s key responsibilities is to provide strategic leadership to the public and private sector. Mandated under the HITECH Act of 2009, the ONC must publish and update its strategic plan for improving healthcare through the use of information technology. Making this plan public and, in fact, inviting public comment is helpful to the cause. It gives the ONC a vehicle to communicate priorities, guide efforts and influence allocation of resources. What’s not quite clear is how frequently the ONC is required to update the plan. The last plan was dated June 3, 2008 and covered the 5-year period 2008-2012. This latest plan is intended to cover 2011-2015. Is that sufficient? Let’s turn to basketball for a moment.

While watching Butler beat Florida, I noticed how frequently the TV commentators used the word “adjustment” to describe mid-game coaching decisions. At this level of competition, both teams clearly started the game with a strategy for winning. So did these adjustments or tactical maneuvers reflect changes in their strategy? No. Theoretically, the development of a comprehensive strategy should include contingency planning (e.g. if X happens, do Y; if A occurs early, respond with B). Butler’s strategic plan to win the game included limiting Florida’s ability to score from 3-point range. Yet, even having achieved that, they were losing by 11 points with 9 minutes left in the game. Contingency time. Since star player Matt Howard was in no danger of fouling out of the game, Butler could risk having him play very aggressively during the game’s final minutes. The strategy with contingency plan was successful. Game won.

How is this relevant to The Federal Health IT Strategic Plan? Last published in 2008, I’ll give the updated plan points for “adjusting” to the rapidly changing landscape of health IT. The past few years were marked by truly major legislation – the HITECH Act and the Patient Affordable Care Act have galvanized organizations throughout the industry, each mapping out their own specific organizational goals and initiatives. We are now on the verge of dramatic changes. With that, the ONC’s new 5-year plan builds on the foundation of meaningful use (both as a rallying cry and as a measure of electronic health record (EHR) adoption and information exchange), with the ultimate goal of improving health care outcomes.

The Strategic Plan sets 5 overriding goals for “unlocking the vast promise of electronic health information to improve decision making, help individuals better manage their health, and improve the health system’s capacity for rapid learning.” These goals are listed below:

  • Goal I, the health information exchange strategy focuses on first fostering business models that create health information exchange, supporting exchange where it is not taking place, and ensuring that information exchange takes place across different business models.
  • Goal II, we discuss how integral health IT is to the National Health Care Quality Strategy and Plan that is required by the Affordable Care Act.
  • Goal III, we highlight efforts to step up protections to improve privacy and security of health information, and discuss a major investment in an education and outreach strategy to increase the provider community and the public’s understanding of electronic health information, how their information can be used, and their privacy and security rights under the HIPAA Privacy and Security rules.
  • Goal IV, we recognize the importance of empowering individuals with access to their electronic health information through useful tools that can be a powerful driver in moving toward more patient-centered care.
  • Goal V, we have developed a path forward for building a “learning health system,” that can aggregate, analyze, and leverage health information to improve knowledge about health care across populations.

Admirable. But is it a winning strategy? Since the ONC has asked for public comment, I’m going to give it. In the 80-page document, only 6 pages are dedicated to privacy and security (pp 29-35), nowhere near sufficient. Also, efforts to improve privacy and security are listed as Goal #3 on a list of 5. This gives this very important topic the imprimatur of being either third in priority or third in time sequence. Even if an unintended impression, it is at best misleading as privacy and security are necessary conditions for achievement of all of the other 4 goals. Also to be fully comprehensive, the ONC’s Strategic Plan must address contingencies – what if breaches continue to increase despite more stringent breach notification rules and more costly penalties? How can the industry combat the undermining of public trust by publicizing its failures?

I’d suggest elevating privacy and security to a higher plane. Rather than a goal, make it as foundational an element as meaningful use. I’ll be submitting my more formal comments by the April 22 deadline via the HHS ONC Health IT Buzz Blog, accessible at http://www.healthit.gov/buzz-blog/from-the-onc-desk/hit-strat-plan/#comment. Meanwhile, I’d love to hear your thoughts on how we can make privacy and security the bedrock of the strategic plan. Perhaps we can borrow from the “Butler Way,” and agree that the mission to transform healthcare IT “demands commitment, denies selfishness, accepts reality yet seeks improvement every day, while putting the team above self.” This is a game we can’t afford to lose. Go Bulldogs!

A “Reasonable” Approach to HIPAA Risk Analysis

Posted by Dan Berger in Main

The Office of Civil Rights (OCR) is responsible for issuing annual guidance on the provisions in the HIPAA Security Rule (45 C.F.R. §§ 164.302 – 318). But with so much recent interest in IT security driven by the “meaningful use” incentive program, we want to share some of our observations and perspectives from recent Redspin client engagements in the healthcare industry.

All electronic protected health information (ePHI) created, received, maintained or transmitted by an organization is subject to the Security Rule. The importance of safeguarding ePHI cannot be overstated. Sure, publicized breach notifications and million-dollar penalties damage a healthcare organization’s reputation and bottom line. But more than that, such incidents undermine professional and public trust of electronic health records (EHR). And make no mistake about it – the widespread adoption of EHR is fundamental to future improvements in efficiency, communications and patient care.

So if security is the cornerstone of health IT transformation, what can your organization do to not only comply with the regulations but also contribute to this important mission? First, all healthcare organizations are required to evaluate risks and vulnerabilities in their environments. Then they must “implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI.” While “reasonability” is a quintessential element of modern judicial systems, it doesn’t provide a lot of guidance. At Redspin, we suspect there will be little sympathy for major ePHI security breaches no matter what any standard of reasonability might dictate. More simply put, it’s better to be safe than sorry.

Conducting a risk analysis that maps to the HIPAA Security Rule is the first step in protecting ePHI. Note, the Department of Health and Human Services (HHS) does not endorse or recommend any particular risk analysis or risk management model. At Redspin, we think this is wise. From our direct experience, no template or “one-size-fits-all” approach can meet the diverse needs of the healthcare industry. We treat each client individually and conduct a thorough review of their environment even before drafting a scope of work, including:

- size and complexity of the IT environment

- number of physical and logical locations where ePHI is stored

- number of IT staff; their knowledge and experience level

- types of EHR, CPOE and other new applications

- functional responsibilities of team members

- progress-to-date toward EHR completion

- company culture and information security awareness

While a HIPAA Risk Analysis is often project-based, we also consider it the start of a process that will lead to ongoing and durable improvements in information security. The Security Rule itself requires an entity to update and document its security measures “as needed” and specifically recommends conducting continuous risk analysis to identify when such updates are warranted. While the rule does not specify how frequently to do this, it’s a moot point for Redspin’s enterprise security assurance clients. By providing our services on a monthly or quarterly subscription basis, regularly scheduled assessments, validation and re-testing simply become part of the overall operating environment. Our enterprise solution also tracks and documents all historical findings and remediation via our secure, online web portal. The portal’s dashboard view displays summary information via a compelling graphical user interface, making complex data easier to understand and better enabling you to communicate improvements in your overall security posture to all stakeholders.

In summary, Redspin empowers healthcare organizations to truly integrate their risk analysis and management process. This helps them to accommodate: (1) new technologies, (2) evolving business operations, (3) new regulations and (4) personnel changes. And by addressing security risks in a proactive, timely manner rather than fixing problems after implementation, healthcare organizations gain greater value from their investment in IT. Sound reasonable?

Increased Penalties for Healthcare Privacy and Security Violations? Batten Down the Hatches!

Posted on by Dan Berger in Main | 1 Comment

The 2009 HITECH Act authorized the Department of Health and Human Services Office for Civil Rights (HHS OCR) to add teeth to existing security and privacy regulations, and they’ve obviously taken the responsibility seriously.

On the same day that HHS OCR imposed a whopping $4.3 million fine on Maryland-based Cignet Health for violating a provision of the HIPAA Privacy Rule, we also learned that HHS OCR intends to tighten healthcare data breach regulations further and to increase financial penalties across the board for privacy and security violations.

The Cignet Health fine was the first civil fine issued specifically under the existing provision of the Privacy Rule which requires covered entities to provide copies of patients’ health records within 30 days of request. As you may know, as covered entities (CE) and eligible professionals (EP) move to electronic health records (EHR), the time limit for responding to a patient’s request for access will become even shorter. To qualify for meaningful use incentives, an EP must provide EHR access within 4 business days. More recently, OCR suggested that, if patients request copies of the protected health information (PHI) and it is not readily available in the format requested, they must be directed to their EHR.

A senior OCR health IT and privacy advisor spoke at HIMSS11 this week. In addition to confirming that the final privacy, security and breach notification rules will be issued simultaneously in 2011, he got everyone’s rapt attention by announcing increases in financial penalties for privacy and security violations. This raises the security stakes considerably. The penalty for a single violation will be increased to $50,000, with a maximum penalty per year of $1.5 million for each provision of the rules. Since many breach incidents can include multiple violations, the corresponding fines could be huge.

Further, OCR is expanding the requirements for business associates. They will now assume direct liability for adhering to privacy and security rules 240 days after the final rules are issued. Subcontractors will also be held to the same standard as business associates. Currently business associates can only be found directly liable under the breach notification rule.

While it’s been publicly reported that over 220 organizations have suffered large data breaches (each impacting >500 individuals), we also got the stunning details that the OCR has been notified of more than 14,000 smaller breaches of PHI (each affecting <500 individuals).

As we noted in Redspin’s 2010 Protected Health Information Breach Report, theft or loss of portable devices such as laptops caused >65% of large breaches. But portable media is here to stay. Instead of trying to restrict where sensitive data is taken, adopt a more data-driven view and protect it where it is stored. Solutions like Imation’s Defender product line (encrypted storage: flash, external hard drive and optical) may be right for your organization.

Clearly OCR also understands that business associates are data-rich targets and will likely encounter an increase in malicious activity. At present, covered entities must extend their oversight to their business associates’ IT environment and security posture. This should be included in the CE’s HIPAA Risk Analysis. And with the impending extension of direct liability to business associates, those organizations should also start preparing to conduct security assessments of their own, sooner rather than later.

Of course, at Redspin we think every organization that handles ePHI should have a process in place for external security testing, remediation, validation and retesting. As security consultants, you may think our view is self-serving, but we consider it an issue in the common interest. After all, even security consultants are healthcare patients at one time or another! We’re all in the same boat – when malevolent storms or hackers strike, we want to avoid data leakage and protect our privacy. So “batten down the hatches – quick men!” (Chambers Journal, 1883)

Unreal Repeal: Healthcare Reform and HITECH

Posted on by Dan Berger in Main | 2 Comments

Last Wednesday, Republicans in the House of Representatives (+3 Democrats) voted to repeal the health-care reforms signed into law by President Obama less than 1 year ago. Although the 245-189 vote made good on a GOP mid-term election promise, it was largely symbolic. The Senate is not likely to consider (much less pass) the bill, nor would it ever get past an Obama veto.

Yet, reform of reform is in the air. Spending cuts as the path to deficit reduction are mentioned in every news cycle. It’s possible that congressional budget maneuvering will decrease or delay funding for some of the provisions of Obama’s Health Plan (The Patient Protection and Affordable Care Act).

Thus, it’s not surprising that some healthcare IT professionals wonder if the potential $29 billion in EHR meaningful use incentive payments promised under the HITECH Act are secure. During our January 20th webinar “Assessing HIPAA/HITECH Risks:  What You Need to Know,” I was asked this question several times.

My response? I believe that the HITECH Act will proceed as planned with full funding. Here’s why:

1) HITECH was passed as part of the American Recovery and Reinvestment Act (ARRA) and not as part of Obama’s healthcare reform initiative. It had broad bipartisan support. As Allscripts Healthcare Solutions CEO Glen Tullman told the Wall Street Journal Health Blog, “Healthcare IT is a nonpartisan issue.”

2) The goal of HITECH was to create jobs and begin a massive overhaul of the US healthcare system. Right after the mid-terms, Politico healthcare reporter Jennifer Haberkorn addressed a HIMSS press briefing and said cutting back HITECH was “not on the radar. The attitude on [Capitol] Hill is that health IT funding is creating jobs.”

3) In addition to creating jobs, HITECH provides the foundation for an even broader national economic goal: increasing the efficiency and competitiveness of the U.S. healthcare system, one of the world’s largest and fastest-growing industries (over $2.2 trillion in expenditures per year).

For these reasons and others, I think HITECH funding is safe for now. That said, I urge covered entities to make achieving Stage 1 “meaningful use” of electronic health records, including conducting a HIPAA Risk Analysis, among their highest priorities. The best guarantee for “staying the course” is the success of the program itself.