“Breach Notification: Omnibus Style”

April 8, 2013 by Mac McMillan, posted on Healthcare Informatics.

Mac McMillan recently wrote a blog post for Healthcare Informatics that reviews the Breach Notification Rule under the new Omnibus Rule and reminds readers that the rule went into effect last month. He analyzes the controversies surrounding the previous “harm provision” and how the Omnibus Rule addresses its shortfalls.

McMillan walks through the four risk factors to account for when assessing whether PHI was compromised. First, not all breaches are equal: the assessment depends on how much PHI is involved and how sensitive it is. Next, look at who used or received the information, and then at what they did with it. He points out that there is a big difference between someone who receives PHI and destroys it and someone who will commit identity theft with it. Last, it is important to consider whether, and how, the compromised information could be exploited.

McMillan then points out that notification requirements have not changed much. An incident compromising 500 or more individual records must still be reported within 60 days of the organization learning of the incident, and incidents involving fewer than 500 records may still be reported up to 60 days after the end of the calendar year. One minor change is that smaller breaches can now be reported for the year in which the incident was discovered rather than the year in which it occurred. McMillan also points out that, under the new Omnibus Rule, a risk analysis is only required if the organization is uncertain whether a compromise occurred.

Last, McMillan provides four simple tips to act on before enforcement takes effect on September 24th. First, now is the time to revise internal breach notification programs and policies, and then to educate the workforce on the new procedures. He also suggests implementing a new risk analysis and ensuring that the analysis is documented.

The full article is available on the Healthcare Informatics site.

Attestation To Audit: A Serious Responsibility

Written by Mac McMillan, FHIMSS, CISM | February 15, 2013

The final statement in the Attestation that healthcare providers have to sign says it all. “I certify that the foregoing information is true, accurate and complete. I understand the Medicare/Medicaid EHR incentive program payment I requested will be paid from Federal Funds, that by filing this attestation I am making a claim for Federal Funds, and the use of any false claims, statements, or documents, or the concealment of a material fact used to obtain Medicare/Medicaid EHR incentive program payment, may be prosecuted under Federal or State criminal laws and may also be subject to civil penalties.” And the Federal government is beginning to get serious about making sure those statements are indeed accurate. If they are not, the organization is at risk of having to return incentive payments received, as some have had to do already, or, worse, of facing additional fines or criminal penalties. At a time when the industry is struggling with small operating margins, the cost of implementing CEHRT and other technologies, and additional compliance-related costs, we can ill afford to have this happen.

So what is required to meet the privacy and security requirements of Meaningful Use Stage 1? Essentially, organizations must meet Core Measures 12 and 15 and be able to demonstrate three things. The first is that they have acquired and implemented Certified Electronic Health Record Technology (CEHRT) in a meaningful way. “Meaningful way,” as it relates to security, is defined as having fully implemented, and using, all of the security functionality (technical controls) that the system offers. Second, they must demonstrate the ability to provide access to the patient’s medical record and information upon request, in accordance with Core Measure 12 and the Privacy Rule requirements around proper uses and disclosures. Third, they must conduct or review a risk analysis in accordance with the original HIPAA Security Rule requirement prior to attesting, and address remediation of gaps identified during the attestation period. The requirement specifically says “conduct or review” because an organization that has already completed a risk analysis, which it should have done to meet HIPAA compliance, is not required to conduct a full-blown risk analysis; it need only review the one it has already completed, taking its CEHRT system into consideration. Essentially, there is nothing in Meaningful Use Stage 1 that is not already required by HIPAA.

Meaningful Use Stage 2 builds on Stage 1 and makes minor changes and additions to the security requirements, but again it does not change the basic requirements specified in HIPAA. For Stage 2 the Risk Analysis requirement is broadened to include documentation of encryption use, and it becomes an annual requirement tied to the attestation year. The basic requirement, however, remains the same: conduct or review a risk analysis in accordance with the HIPAA Security Rule standard. Stage 2 adds the requirement for both Eligible Providers (EPs) and Eligible Hospitals (EHs) to demonstrate the ability to communicate securely with patients and to provide secure access to their medical information. For EPs there is a measurable component to this requirement: a small percentage of patients must use secure communications with them. Stage 2 also rearranges some of the functionality requirements of the CEHRT, but it does not change them. The basic technical controls called for in the HIPAA Security Rule are still required. Procedurally there are a couple of changes, such as identifying specifically who can activate the Emergency Access Procedure, as opposed to simply having an emergency access procedure. Again, there is nothing required here that is not already present in HIPAA.

In the early part of 2012 the General Accounting Office conducted a review and called for better oversight of incentive payments under Meaningful Use, citing that CMS was not actively verifying that healthcare organizations applying for such funds were providing accurate information during the attestation process. In response, CMS launched an audit program with an outside audit firm to collect information concerning attestations. Coincidentally, the HHS OIG also launched a survey which, by the nature of its questions regarding CEHRT implementation and barriers to it, also provides insight into the accuracy of those attestations. Many are already saying that the audits do not go far enough to verify these attestations. Audits in the future may take on more of an OCR HIPAA audit-like approach, involving on-site review and interviews as well as documentation review. The point is that this is a serious responsibility with potentially serious consequences. Organizations need to ensure that security readiness is an integral component of their Meaningful Use compliance projects. The good news is that this should not be a major challenge if an organization is already meeting its HIPAA Security Rule requirements. The Office of the National Coordinator for Health IT has produced an excellent guide to help organizations understand and meet these requirements.

Guide to Privacy and Security of Health Information: http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf

The 21st National HIPAA Summit

February 19-21, 2013, Washington DC

The National HIPAA Summit focuses on new HIPAA laws and regulations, and the timing could not be better with the passing of the final Omnibus Rule. During the Summit, leading regulators from the Centers for Medicare & Medicaid Services, the Office for Civil Rights, and the Office of the National Coordinator for Health IT will share their expertise with attendees over three days of educational sessions.

Mac McMillan, CEO of CynergisTek and Chair of the HIMSS Privacy & Security Policy Task Force, has the honor of participating as one of the HIPAA Privacy Experts. He will co-present with Linda Sanches, Sr. Advisor at OCR, in an informative session, “Lessons Learned From the 2012 Audits”. Together they will present examples from the OCR random audits, trend analysis and lessons learned, providing insight to any attendee trying to improve their own security program and readiness. Several of the focus areas highlighted in the OCR audit protocol are the direct result of findings from previous breaches and complaints that the OCR has handled as part of its HIPAA enforcement responsibilities.

Download Mac McMillan’s introduction to “Lessons Learned From the 2012 Audits”, as well as Linda Sanches’s detailed information on the OCR’s initial analysis during the 2012 Random Audit Program.

Upcoming Webinar – The Final HIPAA Omnibus Rule

“The Final HIPAA Omnibus Rule: Big Changes for Business Associates”

Thursday, February 14, 2013, 2:00 PM – 3:30 PM EST (11:00 AM – 12:30 PM PST)

The final Omnibus Rule, released on January 17, 2013, will have an enormous impact on Business Associates (BAs). They have until September 23, 2013 to comply with the new requirements. Under the new regulations, BAs and their subcontractors are officially liable for certain requirements of the HIPAA Privacy and Security Rules, whether or not a formal agreement exists. The Omnibus Rule now gives OCR the latitude to investigate BAs directly for breaches, and BAs will shortly be incorporated into the random audit program, which will likely resume later this year.

In this 90-minute session attendees will learn:

  • Details of the final Omnibus Rule
  • Business Associates redefined
  • How BA agreements need to change
  • Breach analysis changes

HCCS, Experts in Healthcare Learning, and CynergisTek cordially invite you to join this free, informative webinar.


More on the Omnibus Rule

The Omnibus Rule Arrives | PhysBizTech.com

by Mac McMillan, January 25, 2013

Mac McMillan provided his thoughts to PhysBizTech.com on the recently released Omnibus Rule. In the article, Mac explains that the revised guidelines will bring huge changes for covered entities and business associates. He points out that business associates can now be investigated by the OCR, and that business associates will probably be added to the Random Audit Program, which should pick up again later this year.

Mac also breaks down some of the other revised regulations: the “harm” standard now has more defined guidelines, fines can be increased up to $1.5 million, and there are tighter restrictions on PHI that will make it more difficult to use PHI for marketing or to sell it, while making it easier for patients to obtain their records.

The article concludes with a few simple steps that organizations can be doing right now to prepare for the changes that must be made by September 23, 2013.

To read the full article and see what steps to take to prepare for the Omnibus Rule, visit http://www.physbiztech.com/blog/omnibus-rule-arrives.

Government Health IT Discusses Mac McMillan’s Thoughts on Omnibus Rule

CynergisTek’s CEO, Mac McMillan, was recently interviewed and cited by Government Health IT.

Omnibus HIPAA Rule’s Impact on Data Breach Notification | January 18, 2013, by Tom Sullivan, Editor, and Mary Mosquera

WASHINGTON – “The Omnibus Rule will come out this year,” Michael “Mac” McMillan, CEO of security and regulatory specialist CynergisTek explained earlier this week, “and when it does OCR will have what it needs to investigate their issues.”

And so the HIPAA Privacy and Security final rule arrived late Thursday, to a large extent tracking what was in the proposed rule, but also bringing some significant changes that will impact the industry, according to Bob Belfort, partner in the healthcare practice at Manatt, Phelps & Phillips, which works with states and providers on health IT and related public policy issues, and frequently helps clients craft breach notifications.

“The one that will probably get the most attention is the definition of a breach,” Belfort added. “There’s been a lot of controversy over the ‘risk of harm’ standard.”

Indeed, the proposed rule held that there would be no breach unless there was significant risk of harm to the individual, but HHS indicated it might rethink that, Belfort explained, and in the omnibus rule replaced it with an assessment of whether the improper disclosure compromises PHI (protected health information).

“The burden is on the covered entity to show that there’s a low probability that the information has been compromised. There are two changes there,” Belfort said. “Number one, the focus of the assessment is no longer on the harm to the patient but whether the information has been compromised and, secondly, the burden of proof is clearly on the covered entity so if it can’t be determined pretty clearly that there is a low probability the information has been compromised, the covered entity has to treat it as a breach.”

Belfort views the final rule as HHS navigating the middle ground between privacy advocates arguing that any improper disclosure should be treated as a breach and those who wanted to retain the risk of harm standard.

Deven McGraw, director of the health privacy project at the Center for Democracy and Technology and a member of the federal advisory Health IT Policy Committee, said this is a very positive development.

“It continues to give organizations the right to do an investigation about what happened in the breach, and to make the judgment call in circumstances where the likelihood that anyone else saw the data is very low that they can make a decision not to notify for breach purposes,” McGraw continued. “This addresses the notion of over-notification that many stakeholders commented on and does it in a way that doesn’t give the breaching entity the subjective judgment call about whether that information would harm you or not. It refines some of the gray area and is a response to some of the criticism after the interim final rule. That’s appropriate.”

The rule also, as McMillan pointed out, arms OCR to continue audits and fines. “Third parties account for 40 percent of the breaches reported and 75 percent of the records exposed,” McMillan said.

Belfort expects the uptick in audits and fines currently under way to continue.

“We’re already seeing the beginning of more aggressive enforcement and stiffer penalties, more frequent penalties,” Belfort said. “And I think that trend will definitely accelerate.”

http://www.govhealthit.com/news/omnibus-hipaa-rules-impact-data-breach-notification