The National HIPAA Summit always features some interesting news from OCR concerning guidance, enforcement, and audits. This year was no different. In this episode, we discuss the highlights as we interpreted them anyway.
The HIPAA Summit in March 2018 generated several headlines. The conference lasts for 2 days and there were a lot of things I want to point out.
Throughout the conference, there were points covered in many sessions repeatedly. There are common points we see often. There are also some new things that aren’t new for our listeners.
SRAs and Risk Management are not done correctly. We have heard this for years. The point made often in the conference was there is always a tendency to underestimate the proliferation of PHI on your systems.
Having no Business Associate Agreement in place or having one in place that isn’t current is also a theme we have discussed for years. The topic is still coming up repeatedly but this year there were some additional issues added. We will cover that in our discussion about vendor vetting that will be in the next episode.
Finally, others are saying this is a patient safety issue. Granted, we have been using the tagline about patient care for years. Instead of saying it’s about patient care, now they are on the bandwagon of it’s about patient safety. No matter how you name it, the same result applies: this should not be a discussion just about nerdy and wonky stuff. Patient care and safety really do become affected by failures to protect patient privacy. HIPAA privacy and security is not just about compliance. It is about patient safety.
Under what we consider the “rest of HIPAA,” there were many discussions about how prior authorization has become an even bigger issue for providers. According to the discussions, the work required for these authorizations is eating up resources well beyond what most consider reasonable.
Along those same lines, they did have some discussions on requiring implementation of the ANSI 7030 specs. No one on the panels or other discussions about it is in favor of doing it. There is no ROI for making the change and it is a huge drain on resources. Hopefully, that one will be put off for a very long time. The 5010 implementation was a nightmare for many of us.
There were a few things that I felt were big news or at least bigger news than most things mentioned in reports. First, there is a statement that was covered as big news for some. Then, we can talk about what was really big news.
In his speech, Roger Severino mentioned that they were still trying to find a way to “share the wealth” of the fines with the victims. It is a mandate in the HITECH act that has been discussed every year. Suddenly, there was a lot of press about it. While it makes for great headlines, in the end, it really doesn’t make a big difference in most of the big cases.
When you see thousands of people impacted by a data breach and they pay millions of dollars to OCR it seems like people will get a lot of money. Then you do the math and it works out to about $150 per person at best. The costs to the individuals are much more than $100. In some ways, getting such a tiny amount compared to what could happen to the victims would be adding insult to injury.
Yes, OCR is continuing to look at the mandate. However, there are many reasons that some people would be better off without the implementation of the share for the victims.
What was big news to me? Two things actually.
Also mentioned in Severino’s speech was the current assessment going on about removing the requirement to get a signed acknowledgment of the receipt of the Notice of Privacy Practices. That would be great, in my opinion. There really is no great value in them. People sign the forms and never read the NPP. Plus, even I hate reading an NPP. It would save time, reduce paperwork and confusion. That is some big news that it is being targeted for reduction of paperwork requirements.
The other big news that got my attention came from Zinethia Clemmons, Audit Program Director. We already learned about the scores assigned in the audits from last fall. They scored them a 1 through 5 which was more like A through F in school grades.
The big news here was when she was asked if there had been any enforcement action as a result of the audits. It turns out the answer is not at this time. Audit scores of 4 or 5, which are like a D or an F, may be investigated after all. They have been referred to the regional offices to determine if an investigation is warranted. Stay tuned, folks. Some people claim they passed these audits. They better not claim that unless they got no 4 or 5 ratings.
Oh, and one more thing she added was the audit program is not being abandoned as many reports have said over the last few months. They are evaluating the desktop audit results vs doing the onsite audits in the first phase. Then, they plan to announce how the audit program will proceed.
National HIPAA Summit Session Highlights
His commitment to OCR’s mission is that he is dedicated to enforcing the law in a way that makes sense. As I mentioned above, the NPP news was big. He also reiterated the ransomware guidance. He made it very clear. Ransomware may be a breach if there is infiltration, exfiltration, loss of data integrity, etc. It does not mean that you must report all ransomware attacks to HHS, nor does it mean you can just wipe and restore. It means you need to figure out what happened if patients were impacted in an unreasonable manner.
I did think the analogy he used to end his speech was very good. He said he really hoped that entities would treat their patient records like a bar of gold. If you had a bar of gold that you were responsible for protecting so that it doesn’t fall into the wrong hands what would you do? How would you protect the gold against all those threats that could impact your control or access to the bar of gold? It is that valuable to your patient and those who are trying to get to it. They treat it like a bar of gold so we should too.
Serena Mosley-Day, Acting Senior Advisor for HIPAA Compliance and Enforcement, was a hoot with her naming of cases and reviewing enforcement examples.
The Raleigh Ortho case she calls the “back the truck up” case because a truckload of records disappeared.
It was really interesting when she mentioned that she calls the Memorial Hospital case the “it’s 5 o’clock somewhere” case. In that case, people were logging into the Memorial systems long after they were terminated by the hospital or some of their affiliated offices. Since it was South Florida, she envisioned those ex-employees coming home from their day job with their feet propped up and their cocktails ready to see what patients they can access today. That may be humorous, but what wasn’t funny was the $5.5 million settlement and a CAP they are still under.
The really interesting part was in a later session when one of the panel members was Kimarie R. Stratos, Senior Vice President and General Counsel/Chief Privacy Officer for Memorial. She talked about what it means being on a CAP and how they have high-level meetings every Tuesday morning to follow up on the CAP guidelines. She also said they had no idea the fines would be as high as they were for what happened.
A very important and in some ways sad point was that this is what it took to make a major change in the culture. Now, it is as important as it clearly should have been beforehand.
Mosley-Day said that her theme for discussions is always Tell Me Why It Matters. There were some very intense discussions about the exposure that occurred in the case when the medical records for an HIV patient were faxed to his work number instead of being mailed to him at home as he requested. She delivered that message very strongly: it matters to people. It is about patient safety.
A couple of points from her Q&A session were telling for our next episodes. Doing BA due diligence is a fact-specific determination, not something with a yes or no answer as to doing it. BTW, even the FTC speaker says vetting your vendors is a good idea.
- Referenced the “I got a guy” case. Hired a company to store medical records. The “guy” uses a team in India to do the work. Suddenly, that team screws up and posts everything publicly accessible online. The “guy” disappeared and cannot be found. No BAA, no SRA, no worries just how cheap will this be for me.
Question – We hire the Prime BA. The Prime BA says they will not be touching PHI because they are outsourcing everything to the subcontractor BA. Who signs the BAA? Either the Prime or both was the final recommendation after much discussion.
That just covers what I got from the first few sessions. Clearly, there is plenty to learn out there even for people like me that live in the world every day. It is a lot to keep up with but that is one of the reasons we do this podcast. The big news to others may not be the big news to us but we will share the news we pick up just as we always do.