As Phase 2 of the HIPAA audit program begins, covered entities (CE) and business associates (BA) will be watching their email for an audit letter from OCR. Of those chosen for audit, most will be selected for a desk audit. They'll have 10 days after receipt of the email to gather requested documents for OCR's auditors.
But how will CEs and BAs know they are collecting the right information? A careful reading of the updated Phase 2 audit protocol (www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html) will help guide CEs and BAs. But if the protocol isn't read carefully, and in full, important documents could easily be left out, leading to inaccurate audit reports and even a visit from OCR's investigators.
The Phase 2 audit protocol expands the Phase 1 compliance areas to reflect changes made by the 2013 HIPAA omnibus final rule. The updated audit protocol also includes information for BAs, which were not audited during Phase 1 but will be in the current round of audits. The protocol contains a description of the audit areas, general instructions and definitions, and a keyword-searchable table.
Phase 2 audits will be conducted in three rounds. The first two rounds will consist of desk audits of specific audit targets, while the third round will be comprehensive audits. Round one audits will target CEs and round two audits will target BAs.
Creating and conducting an organizationwide risk analysis: Part 2
Editor's note: This is part two of a series about implementing an organizationwide risk analysis. See the May 2016 issue of BOH for part one.
Performing a regular organizationwide risk analysis is a basic HIPAA requirement and also simply good business practice. Beyond checking off an item on the HIPAA compliance list, a risk analysis will help an organization identify and rank security weaknesses, efficiently use resources to address them, and ultimately protect the security and integrity of an organization's data, including PHI, financial, and business operations information. Yet in a world of competing demands and limited resources, a risk analysis may be put off until it's too late. Even if one is completed, security officers may encounter obstacles when trying to act on the results of the risk analysis.
The purpose of a risk analysis is to develop a strategic plan of action that addresses and corrects vulnerabilities, and shouldn't be used to simply create a report on the current state of security, says Kate Borten, CISSP, CISM, HCISPP, founder of The Marblehead Group in Marblehead, Massachusetts. "Only when an organization performs periodic and as-needed risk assessments, and then mitigates significant risks, can the ISO [information security officer] and leadership have the confidence that their security program is functioning and adequate," she says.
A risk analysis is one of several activities that is part of a risk management program, says Rick Ensenbach, CISSP-ISSMP, CISA, CISM, CCSFP, manager of risk advisory and forensic services at Wipfli, LLP, in Eau Claire, Wisconsin. The risk management program is about managing risks to the organization (i.e., business mission, image, reputation, and patient safety and privacy), organizational assets, and workforce. An organization can't mitigate risks it isn't aware of and doesn't understand.
Risks are first identified, then analyzed and evaluated based on what action is needed, Ensenbach says. They also must be monitored on an ongoing basis, a vital step that if missed can undermine an otherwise solid risk management program.
Editor's note: This is part one of a series about medical identity theft. Look for part two in an upcoming issue of BOH.
Privacy and security officers are sitting on a hoard of valuable data: medical identity information. Social Security numbers. Medicare, Medicaid, and other insurer numbers. Credit card and bank account information. This data can fetch a high price on the black market, and medical identity theft costs patients, providers, and insurers millions of dollars a year. The lure of medical identity information makes healthcare organizations an appealing target for criminals, from large operations launching sophisticated hacking schemes to smaller groups running tried and true fraud scams.
A 2015 study conducted by the Ponemon Institute and sponsored by the Medical Identity Fraud Alliance (MIFA), the Fifth Annual Study on Medical Identity Theft, found that medical identity fraud nearly doubled between 2010 and 2014. More than 2.3 million adults were victims of medical identity theft and fraud in 2014 alone. The average cost per victim was $13,500 and the combined out-of-pocket cost was approximately $20 billion. But the financial impact is only the tip of the iceberg. Medical identity theft can result in physical harm to a patient if the medical record is altered to include another person's information such as allergies, disease status, or blood type.
Healthcare organizations often absorb some of the costs, and if the stolen PHI was used to commit Medicare or Medicaid fraud, they could be investigated by the OIG.
The stakes are high but by raising awareness and championing education and robust security programs, privacy and security officers can help their organizations stay one step ahead of criminals.
Creating secure passwords, guest wireless networks, and emailing PHI
by Chris Apgar, CISSP
Q: I work at a doctor's office. If a patient calls and asks to have a copy of his or her medical records sent to his or her home address, are we required to obtain any additional verification beyond checking that the address matches the one we have on file? We have a patient portal where most of our patients are able to access their records, but some still prefer to have copies sent to them.
A: As with any request for PHI from an external party, whether it be the patient or someone else, proper authentication is necessary. This means you need to ask questions such as what is the patient's birthdate before agreeing to send the patient a copy of his or her medical record or designated record set (DRS).
It's a good idea to ask the patient to make the request in writing. Per the HIPAA Privacy Rule, "The covered entity may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement" (45 CFR §164.524(b)(1). This is not a "you shall." It's a "may" so in the end you may elect to not require the request be in writing. However, this might leave your practice vulnerable to the risk of someone impersonating the patient and requesting the record or the patient later complaining you sent a copy of his or her DRS without his or her permission.
If you require patients to make the request in writing, you can't make it too burdensome. For example, you can't require patients get the signed request notarized or walk the request in to the doctor's office. OCR recently published guidance regarding a patient's right to access his or her DRS (www.hhs.gov/hipaa/for-professionals/privacy/guidance/access). It provides more detailed information about the dos and don'ts of meeting the HIPAA Privacy Rule requirement that patients are entitled to view or request a copy of their DRS.
Editor's note: Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are that of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Nicole Votta at nvotta@hcpro.com.
Creating and conducting an organizationwide risk analysis: Part 1
Editor's note: This is part one of a series about implementing organizationwide risk analyses. Look for part two in an upcoming issue of BOH.
OCR's breach settlements, corrective action plans (CAP), and penalties often take organizations to task for not completing a regular organizationwide risk analysis, yet it's all too easy for this important job to fall by the wayside. A lack of resources and competing demands within an organization can push the risk analysis to the bottom of the list of priorities. But this leaves an organization vulnerable to threats it will only see in hindsight. It also often leads to scrutiny from OCR and the public.
The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the larger American Recovery and Reinvestment Act of 2009, was created to encourage and regulate the use of technology in healthcare. HITECH brought meaningful use, an incentive plan designed to increase the use of certified electronic medical records, and amendments to the Security Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Although some provisions of HITECH have not been implemented (e.g., the more robust three-year accounting of disclosures for electronic protected health information [PHI]), the following is a list of the major topics that have been amended with the adoption of HITECH:
