News from 2019 HIPAA SummitWe come bearing news from the 2019 HIPAA Summit, today.  Officially, it was The 28th Annual National HIPAA Summit.  The event happened in March from Washington, DC.  Thankfully, they have offered a webcast option along with onsite attendance for years.  I sat in on the HIPAA Summit sessions again via webcast and there is much to share.

HIPAA For MSPs by David Sims HIPAA Summit 2019 News
00:00:00 00:00:00

Many people ask me why I attend these kinds of events if HIPAA is what I do, why do I need it.  I learn something every single time.  That is why.  It is amazing how many things you may not have thought about are discussed in sessions.  Also, you get to hear directly from the people who are making decisions and setting direction.  For our businesses, we follow what OCR directions tell us.  We do not try to make interpretations or get creative with how it applies.  Our approach is “here is what the law says how you address that is your business decision”.  It always seems safer to refer to law and guidance first.  My opinions of the law and guidance mean nothing when someone asks if we are following regulations or not.

Here are my notes from various sessions of the three-day event.  I attempted to group them but sometimes they all overlap each other in different views of the same content it was easier to just talk big picture sometimes.

OCR and Privacy Sessions at HIPAA Summit

Director Severino kicked off the HIPAA Summit with his keynote address.  He hit on a lot of familiar topics but did add some new points to make note of for the rest of us.  Other members of the OCR staff spoke on different topics including enforcement information and plans for 2019.  There was a consistent theme mentioned repeatedly which relates to the patient right of access.  We do a deep dive into that topic next week.

Patient rights of access to medical records is a hot topic.

OCR is launching a 2019 enforcement initiative due to the continued problem.
  • Severino told the story about how he was not allowed to get records for his own mother.  The fact that he only thought about saying “Do you know who I am?” and never actually did is very telling, IMHO.
  • Although, my bet would be that those providers that treated his mother better be prepared for an audit!  And that audit will likely be sooner than later.
  • The way they find those enforcement cases is when patients file complaints

The next phase of the random audit process will be enforcement-based not compliance-based audits as has been done in the past.  We still haven’t heard any enforcement settlements that came from the previous round of audits.  But, last year they strongly implied that some of the audited organizations had been turned over for investigations based on what they found.

Speaking of settlements there were several tips mentioned in covering their banner year for enforcement actions.  For example, many of the settlements we have heard about in the past involved entities that ignored the initial requests from OCR or did not take them seriously.  OCR made it very clear that ignoring them does not move you to the bottom of the pile.  It will move you faster to the top of the pile.

I have never had any problems working with the folks at OCR.  They want to make sure patient rights are protected.  It isn’t about being mean to someone.  They are concerned that those of us with access to highly confidential data treat it properly.  I respect them for doing their job and do my best to advise my clients to provide exactly what is requested.  It is more clear that you are trying to do the right thing if you show that during an audit or investigation.

A few specific points that were shared come from cases that you know these things happened.  You don’t just make them up.  I know I don’t have to do it and none of these sound like something I would be shocked to hear actually happened.

  • Don’t tell the OCR HIPAA lawyers that they don’t understand their own regulations.
  • Do NOT get “creative” with the discovery date you use to calculate your 60 days for a notification deadline.
    • You don’t start the 60 days when you get the name of all the patients
    • You don’t start the 60 days when you do forensics and they find a breach, you start it when an incident occurs that made you bring in forensics
  • Do not take the four-factor assessment lightly.  It isn’t something you discuss over coffee and decide what to do.  You document it and have it available for review for 6 years.
    • If OCR asks why you didn’t report this thing that happened 3.5 years ago do not say that the “IT guy” said you were ok so you didn’t report.
    • Even worse when they ask to speak to the “guy” who decided that, you say they don’t work there any longer and they didn’t leave any documentation about it.

Of all the specifics they shared about recent settlements I found the Advanced Care Hospitalists settlement was one I kept saying wow over and over as they explained it.  The breach happened when billing got behind and office mgr said: “I’ve got a guy”.  The guy was using software that wasn’t his to do billing and giving her a kick-back.  Since the software wasn’t properly used, the “guy” exposed all of their data on the public internet.  No real security in place at all.

In February 2014, one of their hospitals notified Advanced Care that they had patient information viewable on the billing company website.  By the end of the breach investigation, 8,855 patients had their data exposed.  When OCR came knocking they were not happy with what they found.  This company had no HIPAA program at all.  None, nada, zip.

Apparently, they believed that all they needed for HIPAA was handled by the doctors being trained at the hospital.  They didn’t need any of that other pesky stuff like BAAs and security concerns.  The $500K and 2 year CAP were evidence that OCR isn’t totally vengeful.  They clearly could have taken everything they wanted to get out of them and didn’t put them out of business.

Cybersecurity at the HIPAA Summit

There is a whole day of the HIPAA Summit dedicated to Security Rule topics.  While the law includes only 8 pages dedicated to security requirements you can tell that even at events like the HIPAA Summit security issues matter more now than ever.  As expected, there is a lot of information to cover.

HICP discussion

As expected, they covered the newly released Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) that we covered a few weeks ago.  There were several points I thought were helpful to understand how to use it and why they elected to use some of the methods they included.

First, I found it interesting that they made a specific point about which guide to use (Small, Medium, Large).  If your security stance in place right now sucks wind then use the small even if you aren’t small.  Using the small one at least gets things done that you should be able to implement quickly.  Once you get those addressed then do the Medium.  Once there look to see if any Large parts fit you.

As we discussed in our episode, they used the flu concept for explaining some of the information in the general guide.  They explained that they did that because they actually ran tests of different methods of explaining these things to clinicians and the flu example really worked in those tests.  As we already know, they do understand that if I don’t get a flu shot and now I get the flu I am now a threat to others.  In fact, I should be disconnected from everyone else until I am over the infections.

They did bring it up several times that this guide is not specifically related to HIPAA.  There is some concern people will use this as a checklist for HIPAA security which it is absolutely not supposed to be done.  We agree and are trying to spread the word.

Other points I noted that were covered in the security sessions include:

Your HIPAA security program should be risk-based not compliance-based.
  • Vet your cloud vendors closely.  Make sure, though, that you know if it is sales who is actually answering your questions and not the security team you need to ask to speak to someone else.
  • Doing the SRA process over and over is what cybersecurity is about so there isn’t like a do this one thing to fix that one specific thing approach.  You have to do the work, not a checklist.
  • Check all of the apps that you use to make sure the developers have worried specifically about security.
  • By moving things to the cloud you haven’t removed your data from your office completely.  As we mention over and over, being in the cloud does not mean there is zero ePHI in your office.
  • Take one of your devices and look at what is on it.
    • Can you get into your cloud services if you had control of the device?
    • Compromise of a single endpoint is the first step in any attack. Then they pivot to other connected devices and services
  • The Privacy Officer’s role means they need to know who accessed what and when. That is their concern, period.  If security can’t tell them those things then Privacy Officers can’t do their jobs.  It is the Security Officer’s job to make sure that question can be answered.
  • If I do an SRA for my third party’s risk analysis then am I possibly culpable if there are failures in the SRA?  There hasn’t been a case we know about concerning that but everyone expects it will happen at some point.
  • Big insurance companies are now asking more questions on cybersecurity policy applications (22 pages was one example just on risk assessment portion of the application)
  • More discussion about making vendors be CEs.  If you are an EHR vendor or PM vendor there is a continuing discussion that you should be a CE, not a BA.  I can see some of the issues there.  There is probably more data moving through those systems than what clearinghouses manage for transactions.  Clearinghouses are CEs under the original HIPAA law.  Why aren’t these businesses considered clearinghouses?  If OCR reviewed and interpreted the
  • Complexity makes it harder to manage because all of the devices connecting.
    • ICU may have 10 different connected devices on one patient
    • My wireless monitor after surgery let them monitor everyone in my unit from one room
      • What if that got hacked and either turned off all notifications or turned ON all notifications

As humans, we make things more complex.  Started with paths, then roads, then cobblestone, then tar, and it keeps moving along to highways and interstates.  Building and maintaining these things keep getting harder as they get bigger and more complex.  If no one walked down a path it didn’t get maintained.  If you turn on a state highway you expect it to not be a mud path with two tracks.

Don’t expect Federal Privacy law this year or next.  After 2020, at least that is what most of those lawyers.

FHIR is becoming a thing.

  • Attachments required to do Prior Authorization (PA) and no one can get attachments exchange working properly. The PA is more conversational than ANSI transaction exchange expects.  That is where FHIR and HL7 seem to be a much better fit.
  • They were able to do some very fast set up of applications in the test they did for making transactional applications.  I am excited to hear how well this solution pans out to solve many of the data exchange issues that plague all of the healthcare industry every day.
  • Watch for code set standards changes to address this issue.  It is huge from the provider side of things.

Whew, that is a lot of information.  Imagine soaking all of the discussions in over the three day period.  I always enjoy what I learn.  It is a great time to take a step back and look at the big picture.  It is also great to hear how things are going with others out in this part of the healthcare behemoth.  I will be back online (or maybe in person) next year.