Office of Management Budget Acknowledges Receipt of Omnibus Rule for Review/Release

The Omnibus Rule that will address many of the HITECH Act revisions has finally been officially acknowledged as received by the Office of Information and Regulatory Affairs (OIRA) at OMB, which starts the final review process before it is published.  The Omnibus Rule was officially registered with OMB on Saturday, March 24, 2012.  The rule will cover many of the outstanding aspects of HITECH and includes:

  • Changes to the HIPAA Privacy and Security protections
  • The Final Breach Notification Rule
  • Enforcement and Compliance Interim Final Rule, and
  • The proposed rule covering GINA

Accounting for Disclosures (AOD) will come out separately and is very close to being ready.  Language that supports AOD can be found in the recently released NPRMs for Meaningful Use Stage 2 and for Standards, Implementation Specifications and Certification Criteria, both of which are out for public comment now.  AOD is still expected to cover accounting for access to information related to Treatment, Payment and Operations and to require an automated accounting.  Several write-ups of the NPRMs have already noted that requirements in those rules are geared toward supporting automated auditing and the ability to produce an audit list, something that was very controversial when the AOD NPRM first came out last year.

Between the OCR Audit Program and the Omnibus Rule, 2012 is shaping up to be a busy and exciting year for healthcare privacy and security.

OCR Rules Activity Update

There has been some rulemaking activity in the last month that we all should be aware of.  Namely, HHS released two new NPRMs for comment: Meaningful Use Stage 2, and Standards, Implementation Specifications and Certification Criteria.  Both have implications for Privacy and Security, but the latter deserves real scrutiny because embedded in its principles is a discussion of Accounting for Disclosures.  So be on the lookout for these documents, which can be found on the OCR website as well as the HIMSS website along with several other useful documents.  The Obama Administration also rolled out a new Internet-focused Consumer Privacy Bill of Rights.  While this document is not yet backed by legislation, the commitments organizations make under it are still enforceable by the FTC.  During the ONC's Mobile Security Round Table the representative from the Federal Trade Commission reminded everyone that privacy pledges made by organizations on websites or in other corporate materials are enforceable under the FTC's authority over unfair or deceptive trade practices, reinforcing that the Administration's Bill of Rights doesn't necessarily need legislation to be enforced: once an organization publicly promises a practice, failing to live up to it is actionable.  Last but certainly not least, we know that the Omnibus Rule is sitting over at OMB awaiting release.  When that happens there will be plenty for everyone to deal with, but probably the most anticipated items will be the expected changes for Business Associates and OCR's initiation of enforcement actions against them.  Now is the time to get your program in order.

ONC Holds Mobile Security Round Table

I had the opportunity to attend and participate in the ONC Mobile Security Round Table held in Washington, DC today at the Health & Human Services headquarters.  The event was well attended and provided well-rounded, no pun intended, coverage of the issue, starting with a regulatory enforcement overview by all of the agencies within the USG with a role in that area, then a great session with multiple physicians providing first-hand insight into how they use mobile devices and how those devices fit into their workflow, and closing with a session in which multiple practitioners discussed the privacy and security risks associated with mobile technologies.  The Round Table was kicked off with an introduction by Dr. Mostashari, who did an excellent job of framing the discussion that needs to be had regarding mobile technologies.  All in all it was a fairly balanced discussion that highlighted both the benefits and risks of the mobile device landscape.  One notable point was the overwhelming agreement that access to information is what matters; having the data resident on the device itself is not the priority.  In fact, the physician panel was consistent that the value of and need for these devices lies in enabling access and communication, but that they preferred not to have live information resident on the device, since that increases risk.  Also notable was their agreement that anyone who wants to connect to a hospital network using a personal device should be ready to meet security requirements such as device passwords, antivirus protection, locate-and-wipe controls in case the device is lost, and multifactor authentication for access to clinical applications.  They also discussed the increasingly important role of texting, but recognized its limitations: it is inappropriate for conveying certain types of information or for placing orders, and it cannot communicate effectively with the EMR.
All in all it was a good discussion, and credit should be given to the ONC and OCR for engaging the community in this dialogue.  It also highlighted that we still have a long way to go in establishing an effective security framework for mobile technologies.  It was also nice being able to spend some time visiting with the folks in OCR prior to and after the Round Table.

Where Is The Omnibus Rule?

HITECH was enacted in February 2009, we are now approaching its third anniversary, and we still haven't seen many of its provisions implemented through rules.  Many of those provisions are included in the Omnibus Rule that revises the HIPAA Privacy and Security Rules.  One of its elements is a new set of requirements for Business Associates.  HITECH extended HIPAA's reach to those who do business with covered entities and in doing so have access to protected health information, but no enforcement is expected until the final rules are released.  This of course represents a huge gap in HIPAA enforcement and, as we have seen from just the large breaches reported, a serious risk.  Business Associates account for somewhere around 30% of the total number of breaches reported, but nearly 75% of the records potentially exposed.  Even the OCR audits are not expected to address the Business Associate community.  We talk about taking a risk-based approach to data security, addressing the biggest risks first.  Business Associates hold a far greater aggregation of patient information than most health care providers, yet it has taken more than two years for us to define our expectations of them, we still haven't published those requirements, and it's the covered entities who are still receiving all the attention.

More on Vendor Management

Vendor management is clearly an important topic, and, judging by its audit focus, it is important to OCR as well.  The new audit program launched by OCR this past November is just ramping up with the first 20 audits, but already we are beginning to see some of the areas on which it places emphasis.  One of those is the relationship between the Covered Entity (CE) and the Business Associate (BA).  Questions asked by auditors covered the entire lifecycle of the contracting process and relationship with business associates.  This should hardly be a surprise to anyone given that nearly half of all major breaches reported in 2011 involved vendors and more than 70% of the records exposed have been associated with these incidents.

Areas addressed included evaluation of the service against the minimum necessary standard, the contracting process, the business associate agreement, evaluation of vendor security, monitoring of vendor security, joint responsibilities if security incidents occur, and actions upon termination.  The emphasis was on obtaining enough documentation to demonstrate the due diligence needed to share PHI with confidence.

The implications are clear.  If audited, organizations need to be able to demonstrate that they have exercised due diligence in every contractual relationship that requires or involves sharing access to, or receipt of, ePHI.  In practice that means:

  • Making sure that security is addressed in the contractual documents and that a formal BAA is in place.
  • Having received and reviewed evidence of the vendor's controls, such as SAS 70 or SSAE 16 reports and Disaster Recovery and Backup Plans, so that you can attest to the vendor's ability to adequately safeguard the data and systems being shared.
  • Understanding and communicating the minimum amount of access or information necessary to support the business purpose of the agreement.
  • Monitoring the relationship through periodic updates of documentation, site visits when appropriate, and similar checks.
  • Having clear policies and procedures for responding to suspected security incidents, including notification protocols in the event of a breach.
  • Understanding and planning for contract termination and the appropriate disposition of the information and access that were granted.
  • Receiving documentation of services performed when appropriate, such as Destruction Certificates from vendors who dispose of systems or sensitive information.
  • Being able to connect the dots between your vendor management policy, the contractual requirements of the relationship, and actual vendor performance through multiple checks and supporting documentation.

This of course only covers the compliance waterfront.  CEs will also want to address other matters such as indemnification and the costs associated with security incidents; on those I'll defer to my legal colleagues.  Suffice it to say vendors represent a very important part of the business, and vendor management is going to require much more serious consideration going forward.

Definition of PII Expands

On January 6 the U.S. District Court for the District of Massachusetts held that ZIP codes are Personally Identifiable Information under Massachusetts law.  This makes Massachusetts the second state whose definition of PII has been broadened to include ZIP codes; California was the first.  For businesses subject to laws whose obligations turn on PII, this means there is another whole subset of data they now need to be concerned with.  If this trend continues, data classification guides as well as approaches for collecting and safeguarding this information will need to become more sophisticated.