HIPAA is the floor

At the annual conference hosted by NIST and OCR, Safeguarding Health Information: Building Assurance through HIPAA Security, the repeated message on day one was “HIPAA is the floor,” starting with OCR Director Severino’s keynote. We always get information at some point that makes these conferences worth the time. What did we get from this one?

This particular conference addresses more technical topics than the HIPAA Summit, which takes place at the beginning of the year. Speakers from NIST, OCR, ONC and more offer a lot of insight into the direction that privacy and security programs are moving. Here are some important points we picked up from across the wide range of privacy and security activity happening around health information.

OCR Discussions

The conference started and ended with OCR presentations. Director Severino covered the direction of the Office and the policies they are focused on in the coming months. He brought out a boot as a prop, which was interesting. He has discussed issues his family has dealt with in our arena several times: his first address revealed that his father had dealt with identity theft, and he spoke about the stress it caused and the impact it had on their lives. At the beginning of the year, he discussed the problems they went through trying to get his mother’s medical records when she needed medical care while visiting him in DC from California.

Today, the boot was about his own healthcare issues. According to his story, he tore his Achilles tendon while playing soccer earlier this year which meant that his foot was flopping around until they could do surgery.  They showed him the boot and explained why he needed it and then told him it cost $423 but, as he said, he couldn’t just have his foot flopping around until surgery, so he took the boot.  When he got home he checked on Amazon and the same exact model was on Prime for $70.

That was his lead-in to the different ways they are looking at using HIPAA regulations to address providing information to patients, transparent information about pricing, and stopping surprise billing. Billing information is part of PHI, a point that many people either don’t understand or forget.

Information Sharing Under HIPAA

A lot of sessions at this conference talked about information sharing and interoperability, as did Severino’s, which talked about sharing records between providers. He brought up an interesting point when talking again about his mother’s records: they had to make sure themselves that the records got from DC to the doctor in California, and then to her new doctor when she changed doctors in California. Why doesn’t the system just make that happen when we fill out paperwork at the ER or the new doctor?

HIPAA says that providers “may” share information under TPO, but they are not required to do so at any time, which is both good and bad. There are some groups that send records for TPO free of charge without a hassle whenever they receive the proper requests, which is the way it really should work from a patient-care standpoint. There are plenty of cases where it does not work out that way, since some offices require more paperwork or make patients pay a fee even for TPO records access, no matter what you do. Well, of course, you could write some emails referencing all kinds of HIPAA rules and guidance when asked to do something like pay a flat $25 fee for your records to go to another doctor. I would imagine that may help get things done free of charge instead of paying the fee, but it doesn’t seem to change the procedures of the offices when that has been done, er, um, at least that is what I hear.

The whole information sharing topic plays into the patient right of access, though, and they are still trying to get the word out about how important it is to follow the rules and get patients their records in the format they request within 30 days. We have reviewed this recently on multiple episodes, and nothing new was included in the information shared other than a specific point about sending data to an app when the patient requests it. They made it clear that if the patient asks you to send data to the app, you are not liable for what happens with that app once you do what the patient asks. However, if you provide the app and tell the patient to use it, we are in a new world of BAAs and liability for securing the information in the app.

Along with saying HIPAA is the floor for privacy and security, another common message was that we all agree we need more patient education about their privacy rights and about securing their information in these consumer apps. It was mentioned over and over, but no one seems to know how to solve the problem of educating the public on these topics.

Some points they made didn’t describe specific cases, but you know they relate to things going on behind the scenes.


If a healthcare app is selected by the patient and the patient asks you to provide the data, there are no HIPAA obligations tied to the information in the app. But if a provider or payer offers the app to their patients, then the app must meet HIPAA requirements. If it is your app, you should get a BAA – they mentioned that several times in the same conversation.

There was another mention of helping patients understand that the security of the apps they choose does not fall under HIPAA, so they should make sure they secure them properly.

HIPAA compliant is a term that always makes us cringe
Another session made the same point clearly: if the CE has a relationship with an app, then the transmission must be secured and the CE is “on the hook” for making sure all the HIPAA obligations are covered, like BAAs and such. I got a kick out of a comment one panel member made, I think another OCR rep, when they had to use the term “HIPAA compliant” and then paused to add that it is a term that always makes them cringe. I couldn’t help but blurt out “us too”! Another reason it is better for me to attend these things remotely.

The push for interoperability of apps continues with the implementation of the 21st Century Cures Act requirements. We will soon be up against the penalties for information blocking, which could be $1m for failing to participate properly and blocking the flow of information where it is supposed to be going. One point they made there that got my attention was that there is a high likelihood that most information blocking actors will be a covered entity or business associate. Duh, that makes sense if you have to be one to be messing around with PHI in the first place. This is certainly an area I will have to do some more digging into as the requirements are ironed out.

Security Rule Updates

Someone asked Severino if they were looking at making updates to the Security Rule any time soon. His response made me crack up! At first he talked about all the other things going on, and then he paused for a minute as if deciding what to say next, or how to say it. He added something to the effect of: we are having problems getting people to do the basics in the rule today. When we don’t have that much working, what is the point of adding more to it now? It was true in a sad and funny way.


Serena Mosely-Day closed the conference with enforcement discussions, and Severino opened the conference with direction and overview discussions. He mentioned a CMP had just been signed the day before and would be coming out soon. That did happen this week, which will probably be on our next episode. It is interesting that it involved a civil money penalty of $2.1m and not a settlement. But let’s not give that away.

They covered the other recent cases that we addressed when they came out. I found two quotes from Roger Severino that I don’t think get enough attention. “We’re not out to bankrupt companies to make a point.” And, more importantly, in the next sentence he said:

“We do not have monetary targets.” – Roger Severino, Dir HHS OCR

THE NOTIFICATIONS HAVE TO BE MADE WITHOUT UNREASONABLE DELAY – SHE SAID IT THREE TIMES in a row. You notify on day 5 if you know the patients involved, not in 60 days.

Sometimes people report things just because they have an ax to grind. That doesn’t mean the information they supply in the complaint is bad. Yes, the person has an ax to grind, but that doesn’t change the fact that you are failing to meet your obligations under HIPAA. (Let me just say I have heard this one before.)

Training is essential

Training employees is essential and was discussed repeatedly throughout the conference. It was good to hear that even OCR is hit with phishing tests constantly. That phishing is one of the prime threat vectors for everyone was another point made over and over. Mosely-Day even admitted to finding herself tempted by one that included an offer for federal employees to have a 4-day work week in the summer.

Fake tech support scams are happening often enough that OCR is aware of them, so there must be some breach notices resulting from them. I hate those things and it drives me nuts when people fall for them. People, I beg of you, do not let someone connect to your computer unless you are certain who they are and who they work for, because it isn’t Microsoft!

“If you don’t have the human side covered, the technology may be virtually worthless.” – Roger Severino, Dir HHS OCR

When Severino added that real-time monitoring of your systems is needed now, it only reinforced what we have been saying about paying attention to access. He was discussing the requirement for termination controls to make sure that people are no longer accessing information after they are no longer employed.

Mosely-Day added another training-specific point:

“Training is key, training is key AND it is key that it is targeted to the individual.” – Serena Mosely-Day, HHS OCR

A few more things that were said worth pointing out:

  • HIPAA is the floor – picked up by other presenters.
  • Breaches are not the only enforcement efforts we have going on.
  • In an investigation we will not just look at the breach; we look at the whole HIPAA compliance program and the actions you took in response to the breach and its aftermath.
  • Risk analysis is the single most important thing you can do to protect yourself from these threats.
  • Don’t be asleep on the job – always be ready, be aware, be awake, be enthusiastic about protecting patient information.
  • Remember the notification is about protecting your patients.
  • The rules for sharing information for treatment purposes are far more lenient than for other purposes. There, it is about saving lives and caring for people properly. Other purposes require minimum necessary.
  • A BAA does not make you a BA; the work you do makes you one.
  • This is about people’s confidence in the healthcare system.

That last one touched close to us since we have been making that argument for years.

HICP Panel

There are new guides and updates happening right now; in fact, so much is going on that we will split this topic into its own episode.

Verizon Data Breach Investigations Report (DBIR)

The numbers included in their report are just the tip of the iceberg, because there are many potential breaches that couldn’t be confirmed, so they aren’t in these numbers. Also, industries that are not required to report breaches look way lower than they really are because, well, they don’t tell anyone about them.

Attackers are able to fully compromise a network in less than 7 days almost 100% of the time. Healthcare is a bit better, at about 80% compromised within 7 days.

Phishing is the king of social attacks. “If your only defense is to tell people not to click,” then you will fail.

Organized crime also recruits people currently in jobs with access to data to provide data or access. Now they are actually sending people in to get jobs, where compromising data is the only reason they are taking the job.

ONC and NIST Projects

Remember HIPAA is the floor, not the ceiling.  It is becoming even more important when you look at the massive amount of data we are collecting every single day now.  The more data we collect the better we can use AI and other advances but that also means we have more data to protect.

A discussion about a PACS testing project to find the best way to secure the devices was both enlightening and scary. It was cool how they had put together a collection of parts to properly secure the device. However, it took lots of working parts and people to do it. When one of the engineers on the panel said that many of these devices come with a default setting that allows anyone on the network to connect and pull PHI, I wanted to pause just to yell for a minute.

The Philips PACS device CAN encrypt connections to systems for DICOM transmissions, but that doesn’t mean people are doing it. In fact, many times Philips has to tell people which devices are actually communicating DICOM images back and forth with them, because the facilities have no idea.
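One way a facility could start finding out which devices are actually talking DICOM to its PACS, and whether those associations are encrypted, as an added example that is not from the conference, Philips or NIST: it audits constructed association log lines (in a hypothetical, simplified format) against a device inventory, flagging unknown calling AE titles, known titles arriving from an unexpected host, and associations negotiated without TLS.

```python
"""Audit DICOM association log lines against a device inventory.
Constructed example; the log format is a hypothetical simplification."""
import re
from dataclasses import dataclass

# Hypothetical log format: one line per association attempt.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ASSOC (?P<result>accepted|rejected) calling_ae=(?P<ae>\S+) "
    r"called_ae=\S+ peer=(?P<peer>\S+) tls=(?P<tls>yes|no)$"
)

# Constructed inventory: expected modality AE titles and the host each should use.
INVENTORY = {"CT_SCANNER_1": "10.20.1.15", "MRI_WEST": "10.20.1.22"}

# Constructed sample log: one clean association, one unencrypted, one unknown AE,
# one known AE title reused from an unexpected host, and one rejected attempt.
SAMPLE_LOG = """\
2019-10-17T09:12:03 ASSOC accepted calling_ae=CT_SCANNER_1 called_ae=PACS1 peer=10.20.1.15 tls=yes
2019-10-17T09:14:41 ASSOC accepted calling_ae=MRI_WEST called_ae=PACS1 peer=10.20.1.22 tls=no
2019-10-17T09:20:07 ASSOC accepted calling_ae=WORKSTATION7 called_ae=PACS1 peer=10.20.5.90 tls=no
2019-10-17T09:31:55 ASSOC accepted calling_ae=CT_SCANNER_1 called_ae=PACS1 peer=10.20.9.3 tls=yes
2019-10-17T09:33:10 ASSOC rejected calling_ae=UNKNOWN_AE called_ae=PACS1 peer=10.20.5.91 tls=no
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    ae: str
    peer: str
    reason: str


def audit_associations(log_text: str, inventory: dict) -> list:
    """Return one Finding per accepted association that is unknown, spoofed or unencrypted."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "accepted":
            continue  # rejected attempts were already blocked by the PACS
        ts, ae, peer = m["ts"], m["ae"], m["peer"]
        if ae not in inventory:
            findings.append(Finding(ts, ae, peer, "calling AE title not in inventory"))
        elif inventory[ae] != peer:
            findings.append(Finding(ts, ae, peer, "known AE title from unexpected host"))
        if m["tls"] == "no":
            findings.append(Finding(ts, ae, peer, "association not TLS-protected"))
    return findings
```

Running `audit_associations(SAMPLE_LOG, INVENTORY)` yields four findings for the sample; in practice the inventory is the thing most facilities in the panel’s story did not have.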

There are projects going on trying to solve these problems. Two different projects are building Privacy Frameworks to apply to various situations. And there is continued work on the Security Risk Assessment tool, which is now on version 3.1. After the developers proudly showed all the things the app can do now, the panel started taking questions. The bottom line after the questions were answered is this: the tool only works on Windows devices via a download, and it really should only be used if you are a small entity and you aren’t doing anything else to fully evaluate your risk. Below are the bullets I got out of the whole discussion on SRA Tool 3.1:

  • Is it a get out of jail free card with OCR? – NO, OCR doesn’t expect you to use it.
  • It is not a LoProCo assessment.
  • The tool looks at risk areas in aggregate, but larger organizations will have to analyze other things not in the tool individually. They will have to add documentation showing they looked at those additional areas to do a full risk analysis with this tool.
  • Documentation is how you show your work; without it the tool is just a checklist you filled out.
  • The tool is good for educating very small providers and those who have their head in the sand about HIPAA, just to get them started.
  • There is no limit on the size of organization that can use the tool, but it is designed for more basic situations.
  • It is a tool, not a solution – only as good as what you put into it.
  • You may need to add vulnerabilities that are not included in the tool.
  • This is directed towards small providers to lead them through it. They get a report from the tool but still need to include it with the appropriate documentation they have to create to demonstrate a risk analysis has actually been done.

There was so very much more covered in the conference, but we can’t review two full days of sessions in one hour of us talking. This is a quick review of our notes, but it is just the tip of the iceberg of the things covered. Most importantly, we need to remind everyone that HIPAA is the floor, not the ceiling, when it comes to privacy and security.