By: Ted Schmidt, RPh, CERM
With the recent changes to the enforcement of HIPAA and HITECH (the Health Information Technology for Economic and Clinical Health Act), “covered entities and their business associates” (in practice, hospitals and the vendors and contractors that handle PHI on their behalf) are now subject to fines and penalties for noncompliance. Although HIPAA was enacted in 1996 and the compliance date for its Security Rule passed in 2005, the consensus is that there has been little enforcement of these requirements. HITECH, enacted in 2009, contains explicit language calling for enhanced enforcement, and that enforcement comes from HHS as well as from the state attorneys general. With all of the recent publicity regarding hospital data breaches and PHI ransoms, we can expect to see much more activity in the enforcement arena.
Enforcement of the "rules" by the HHS Office for Civil Rights (OCR) is now happening, and findings of noncompliance can bring the hospital or entity significant fines. Civil penalties are tiered by culpability: they reach $50,000 per violation for uncorrected “willful neglect,” with an annual cap of $1,500,000 for all violations of an identical provision, so an entity with repeat findings across several provisions can face multiples of that cap. A recent article stated that a nursing home system in Pennsylvania was fined $650,000 for repeat issues related to these rules. In today’s healthcare economy, that's money that the hospital or entity could better use somewhere else. No margin, no mission! Writer’s note: since I first started this article, it was announced that a health system in Oregon paid a $2.7 million fine to HHS for two HIPAA breaches.
The HIPAA and HITECH rules can be classified into three sets: Privacy (with 81 requirements), Security (with 78 requirements) and Breach Notification (with 10 requirements). These requirements form the foundation for the enforcement audits. Maintaining compliance with these 169 requirements is not optional, and failing to do so increases risk to your patients AND to your hospital's reputation and, of course, its bottom line.
Compliance begins with conducting a risk assessment. Federal law requires that all healthcare organizations that are covered entities or business associates under the HIPAA Privacy and Security Rules conduct a thorough and accurate risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the entity (45 CFR § 164.308(a)(1)(ii)(A)). While there is much speculation about these security risk assessments, the government does give us some insight into how to conduct them. The "Top 10 Myths of Security Risk Analysis" published on the HealthIT.gov website gives some structure and understanding to the scope of this activity, dispelling rumors about the intensity, frequency and methods that must be used. However, as is typical of government requirements, the guidance specifies “what” has to be done rather than “how” to do it. The same HealthIT.gov page offers two other valuable resources: a Security Risk Assessment (SRA) Tool and an SRA Tool User Guide, both available for download.
The relationship between your NIAHO accreditation and HIPAA/HITECH is more evident with the recent updates from the US Department of Health and Human Services (HHS) and last year's release of ISO 9001:2015. Many controls that already exist in your accreditation (NIAHO and ISO) affect your compliance with the HIPAA/HITECH rules. Each of the following common HIPAA/HITECH findings is paired with existing accreditation controls that would mitigate it:
Common Finding #1- Business associates (aka "suppliers", aka "contractors") are a common source of noncompliance. These parties are governed by your purchasing and contracting controls in ISO and NIAHO. Properly written contracts will detail specific internal controls for managing devices, PHI, computer access, etc. The required re-evaluation of these business associates also ensures compliance, based on data collection, analysis and evaluation of their highest-risk activities and any actions that result. NIAHO GB.3 and ISO 9001:2015 clause 8.4 (control of externally provided processes, products and services) are part of your accreditation and your management “system”. For instance, a business associate whose contract sets risk-based performance criteria will have metrics associated with those criteria. Under the ISO 9001 system, when those metrics are measured, analyzed and evaluated, the results dictate whether action is necessary: no action, corrective action or preventive action (aka risk avoidance/mitigation).
Common Finding #2- Improper disposal of PHI. Controls regarding the disposition and protection of documented information (soft and hard copy) already exist, and all employees should be educated in this process. This finding is strongly supported in your accreditation by ISO 9001:2015 clause 7.5.3.1 b) (documented information adequately protected, which by the way includes both soft and hard copy), clause 7.5.3.2 a) and d) (distribution and access of documented information, and retention and disposition) and by NIAHO MR.4 (medical record confidentiality).
Common Finding #3- Hacking of computer systems. Controls regarding maintenance of the infrastructure (hardware and software), the requirement to address risks (which include cyber-risk) and opportunities (ISO 9001:2015 clause 6.1.2), and the Physical Environment standard (NIAHO PE.1) all require that the infrastructure be protected against intrusion.
Common Finding #4- Lack of authorization for disclosing PHI. There are controls to protect and safeguard property belonging to customers (ISO 9001:2015 clause 8.5.3), which for a hospital includes patients' PHI. There are also controls in Medical Records (NIAHO MR.4) to assure the confidentiality of patients’ medical records.
There is a silver lining to be found in all of this complexity that we call hospital life: your current accreditation already provides the foundation for managing these potential, and common, HIPAA/HITECH noncompliances.
When you look at the basic structure of your accreditation, you’re reminded that it is built around the ever popular and ever effective Plan, Do, Check, Act (PDCA) model. This foundational structure is designed to allow full integration of the multitude of other management systems in your hospital, such as occupational health and safety, risk, environmental management, energy management, business continuity and even corporate social responsibility. Managing your HIPAA/HITECH requirements should be no exception, since they are a matter of organizational risk.
Your Security Risk Assessment (SRA) should be part of an enterprise risk management system, not a risk assessment in its own silo. When your HIPAA/HITECH risk assessment considers only the HIPAA/HITECH requirements, there is too much opportunity for gaps to go uncovered, for effort to be duplicated and for miscommunication. The effect that other processes (risk and operational) have on your HIPAA/HITECH outcomes is mostly unknown until you consider risk from an enterprise perspective. For instance, if you allow business associates to access your computer network remotely, are you certain that their access is appropriately protected so as not to compromise your network? That is how Target and Home Depot lost their customers' credit card data: the attackers got in using a third-party vendor's remote-access credentials. Could your business associates unknowingly leave a gate open when they leave your network? In either case, your hospital is now vulnerable, and your hospital is the one responsible for paying any penalty for a PHI breach.
Risk is risk no matter where it falls in your compliance requirements such as OSHA, FDA, HHS, DEA, state requirements, etc. HIPAA/HITECH risk, therefore, should be fully integrated with all hospital risk processes. Risk should also be fully integrated at all levels, from the strategic level down to the transactional level. In short, risk management for HIPAA/HITECH should be part of an enterprise risk management system.
We’ve seen the unsafe and embarrassing results of not managing our processes on an enterprise level (remember the IOM study “To Err is Human”), and we’re still trying to dig out of that mess. Fast-forward more than 15 years and we’re still dealing with the same patient safety issues. Why is that? Aren’t we dedicated, smart people who come to work every day to help our patients? We have failed to manage our processes properly, yet now we are hearing all about enterprise risk management. To be certain, our risk management attempts will fail if we do not properly manage our processes and properly integrate risk with those processes.
There are a multitude of integrated management systems designed to help you manage your PHI. These include ISO 27001, the SANS Top 20 (now maintained as the CIS Critical Security Controls), COBIT 5, and several options from NIST, such as the Cybersecurity Framework and SP 800-53. The primary consideration should be that your risk and process management systems are fully integrated into one system that covers your business as well as your clinical processes. You might not expect it, but your current accreditation already meets this need.
Ted Schmidt is a Pharmacist, a Certified Enterprise Risk Manager (CERM©), and a Senior Advisor with BlueSynergy Associates, LLC. BlueSynergy Associates maximizes innovation, experience and customer perspective to reduce risk and make hospitals a safer environment. He currently advises and instructs hospitals in quality, risk, safety and environmental management systems. Ted led the largest ISO 9001 implementation in healthcare at the Veterans Administration. He is a Senior Member of the American Society for Quality and a certified Lead Auditor in quality management systems by Exemplar Global.