Tag Archives: HIPAA

The 21st National HIPAA Summit

February 19-21, 2013, Washington DC

The National HIPAA Summit focuses on new HIPAA laws and regulations, and the timing could not be better given the release of the final Omnibus Rule. During the Summit, leading regulators from the Centers for Medicare & Medicaid Services, the Office for Civil Rights, and the Office of the National Coordinator for Health IT will share their expertise with attendees over three days of educational sessions.

Mac McMillan, CEO of CynergisTek and Chair of the HIMSS Privacy & Security Policy Task Force, has the honor of participating as one of the HIPAA Privacy Experts. He will co-present with Linda Sanches, Senior Advisor at OCR, in an informative session, “Lessons Learned From the 2012 Audits”. Together they will present examples from the OCR random audits, trend analysis and lessons learned, providing insight for any attendee trying to improve their own security program and audit readiness. Several of the focus areas highlighted in the OCR audit protocol are the direct result of findings from previous breaches and complaints that OCR has handled as part of its HIPAA enforcement responsibilities.

Download Mac McMillan’s introduction to “Lessons Learned From the 2012 Audits”, as well as Linda Sanches’s detailed information on OCR’s initial analysis of the 2012 Random Audit Program.

Government Health IT Discusses Mac McMillan’s Thoughts on Omnibus Rule

CynergisTek’s CEO, Mac McMillan, was recently interviewed and cited by Government Health IT.

Omnibus HIPAA Rule’s Impact on Data Breach Notification
January 18, 2013, by Tom Sullivan, Editor, and Mary Mosquera

WASHINGTON – “The Omnibus Rule will come out this year,” Michael “Mac” McMillan, CEO of security and regulatory specialist CynergisTek explained earlier this week, “and when it does OCR will have what it needs to investigate their issues.”

And so the HIPAA Privacy and Security final rule arrived late Thursday, to a large extent tracking what was in the proposed rule, but also bringing some significant changes that will impact the industry, according to Bob Belfort, partner in the healthcare practice at Manatt, Phelps & Phillips, which works with states and providers on health IT and related public policy issues, and frequently helps clients craft breach notifications.

“The one that will probably get the most attention is the definition of a breach,” Belfort added. “There’s been a lot of controversy over the ‘risk of harm’ standard.”


Indeed, the proposed rule held that there would be no breach unless there was significant risk of harm to the individual, but HHS indicated it might rethink that, Belfort explained, and in the omnibus rule replaced it with an assessment of whether the improper disclosure compromises PHI (protected health information).

“The burden is on the covered entity to show that there’s a low probability that the information has been compromised. There are two changes there,” Belfort said. “Number one, the focus of the assessment is no longer on the harm to the patient but whether the information has been compromised and, secondly, the burden of proof is clearly on the covered entity so if it can’t be determined pretty clearly that there is a low probability the information has been compromised, the covered entity has to treat it as a breach.”

Belfort views the final rule as HHS navigating the middle ground between privacy advocates arguing that any improper disclosure should be treated as a breach and those who wanted to retain the risk of harm standard.

Deven McGraw, director of the health privacy project at the Center for Democracy & Technology and a member of the federal advisory Health IT Policy Committee, said this is a very positive development.


“It continues to give organizations the right to do an investigation about what happened in the breach, and to make the judgment call in circumstances where the likelihood that anyone else saw the data is very low that they can make a decision not to notify for breach purposes,” McGraw continued. “This addresses the notion of over-notification that many stakeholders commented on and does it in a way that doesn’t give the breaching entity the subjective judgment call about whether that information would harm you or not. It refines some of the gray area and is a response to some of the criticism after the interim final rule. That’s appropriate.”

The rule also, as McMillan pointed out, arms OCR to continue audits and fines. “Third parties account for 40 percent of the breaches reported and 75 percent of the records exposed,” McMillan said.

Belfort expects the uptick in audits and fines currently under way to continue.

“We’re already seeing the beginning of more aggressive enforcement and stiffer penalties, more frequent penalties,” Belfort said. “And I think that trend will definitely accelerate.”

http://www.govhealthit.com/news/omnibus-hipaa-rules-impact-data-breach-notification

Mac McMillan, Accepted to Speak at HIMSS13

Mac McMillan, CEO of CynergisTek, has had his proposal, “Business Associate Management under HIPAA: More than just a contract,” accepted for HIMSS13. He has accepted the invitation and is awaiting session details. This will be the third consecutive year he has been accepted to speak at HIMSS.

What is HIMSS: 

The Healthcare Information and Management Systems Society (HIMSS) is a nonprofit organization whose goal is to promote the best use of information technology and management systems in the health care industry.

Founded in 1961, HIMSS provides a forum for collaboration among the various stakeholders in health care IT, using advocacy, education and collaboration to further its mission. Its membership base of more than 44,000 individual and 570 corporate members includes health care providers, students, IT vendors, consultants and other stakeholders in the health IT industry. HIMSS currently focuses its attention on health IT topics such as electronic health record systems, HIPAA security and privacy provisions, software interoperability and technical standards.

HIMSS produces an annual conference that brings together health IT stakeholders for several days of education and networking. The organization also offers a research arm known as HIMSS Analytics and a philanthropic group known as the HIMSS Foundation.

Children’s Hospital Association Conference

Auditing Security: Update on HIPAA, OCR Audits and Lessons Learned

Date: Friday, September 14th, 2012

Presented By: Mac McMillan, FHIMSS, CISM, CEO, CynergisTek, Inc., and Chair, HIMSS Privacy & Security Policy Task Force

Agenda:

  • Why Data Security is Important
  • OCR’s New Random Audit Program
  • Enforcement’s New Face
  • Questions/Discussion

About CynergisTek
CynergisTek is an authority in healthcare information security and privacy management, regulatory compliance, IT audit and advisory services, business continuity management, security technology selection and implementation, and secure IT infrastructure architecture and design solutions. The firm offers practical, manageable and affordable consulting services for organizations of all sizes and complexity. Using an organized, planned and collaborative approach, CynergisTek applies multidisciplinary expertise to serve as partner and mentor, to enhance the consulting experience and, ultimately, clients’ compliance and business performance. CynergisTek participates in and contributes to HIMSS, AHIMA, HFMA, HCCA, AHIA and other industry bellwether organizations. For more information visit http://www.cynergistek.com, call 512.402.8550 or email info@cynergistek.com.

HITECH Stage 2 Rules: An Analysis

Experts Sort Through Privacy, Security Provisions

By Marianne Kolbasuk McGee, August 29, 2012.

Some privacy and security experts who have dug into the 1,446 pages of final rules for Stage 2 of the HITECH electronic health record incentive program say they are mostly pleased with the provisions included to protect patient data (see: HITECH Stage 2 Rules Unveiled).

Both rules are hefty – 474 pages for the electronic health record software certification criteria rule and 672 pages for the meaningful use requirements. And each contains key provisions related to data security.

The most notable security provision, experts say, is the software certification rule requirement that EHR software be designed to encrypt, by default, electronic health information stored locally on end-user devices.

The requirement is significant, given that 54 percent of the largest health information breaches since 2009 have involved the loss or theft of unencrypted computing devices or storage media, according to the official breach tally from the Department of Health and Human Services’ Office for Civil Rights.

“Requiring encryption by default for end-point devices is a sound security control and will help to ensure the growing numbers of breaches caused by loss or theft of these types of devices will be prevented,” says Rebecca Herold, an independent security consultant who heads the firm Rebecca Herold & Associates.

“By making the encryption transparent and automatic to the end-user, it will ultimately improve protection of patient information,” she says. “If you leave it up to each of the millions of physicians, nurses and other healthcare workers to do the encryption themselves, recent history shows that the encryption will simply not be done in millions of endpoints.”

Mac McMillan, CEO of the IT security consulting firm CynergisTek, says the software certification encryption provision is just one small step in the right direction. The provision “helps a little, at least with EHR encryption, but it doesn’t cover other systems that contain PHI [protected health information] once you’re disconnected from the EHR,” he notes. That means healthcare providers still will need to be vigilant in ensuring that PHI is protected in all applications where it resides, he adds.

Risk Assessment

In another encryption provision for Stage 2, the meaningful use rule requires that participants conduct a risk assessment that specifically addresses “the encryption/security of data stored in CEHRT [certified electronic health records technology].” The rule also requires providers to “implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process.” But it does not explicitly mandate encryption.

Regulators included this requirement, which shines a spotlight on requirements that already exist within the HIPAA security rule, in hopes of improving the protection of stored information.

McMillan applauds the provision because it helps increase awareness that “you will be responsible for the decisions you make” on whether to encrypt stored PHI beyond the encryption that occurs by default through EHRs.

Similarly, Herold says calling attention to the need to consider encryption of stored data is a good idea.

“I know from seeing many inadequate risk assessment methodologies … that including an explicit requirement to check for encryption is good and will make covered entities and business associates think twice before simply deciding that they don’t want to invest in encryption.”

Bill Spooner, CIO at Sharp HealthCare in San Diego, says encrypting data at rest shouldn’t be too tricky for healthcare providers.

“The challenges will be around gaining support from those who view technologies like encrypted thumb drives as inconvenient, and ensuring that we have closed any potential detours around the requirement,” he says. “The focus on end-user device encryption is quite sensible, as loss of such devices has been the most common cause of breaches to date.”

Patient Data Access

Among the final provisions getting a mixed reaction are the meaningful use requirements that set a threshold for the share of patients who securely access their information, such as through a portal with appropriate protections.

The rule requires that 5 percent of all patients who are discharged from the inpatient or emergency department of a hospital view, download or transmit to a third party their information during the EHR reporting period for Stage 2. For physicians, the requirement is that 5 percent of patients take the same action within four days of an office visit. The proposed version of the rule, issued earlier this year, had set a 10 percent threshold for hospitals and physicians.

In addition to the patient record access requirement, another of the original proposed rule’s “most ambitious and controversial measures” deals with referral transactions, says Adam Greene, a partner at the law firm Davis Wright Tremaine, who formerly worked at the Office for Civil Rights.

The proposed rule would have required that providers, for 10 percent of transfers and referrals, transmit a summary of care record to a recipient with no organizational affiliation and using a different EHR vendor than the sender, Greene says. The final rule, however, drops the specific percentage threshold and instead requires a provider to only send one referral to a recipient that uses different EHR technology than the sender or conduct a successful test, he notes.

The revised provisions on patients accessing their records and on transferring records for referrals “represent strong, continued commitment to the privacy and security issues of improved patient access and secure electronic health information exchange, but recognize that substantial challenges remain in these areas,” Greene says. “In the preamble, HHS makes clear that it will continue to focus on health information exchange and interoperability as it moves toward Stage 3.”

Meeting the Requirement

But Spooner of Sharp HealthCare says that even the reduced requirement for patient access to information could prove difficult to meet.

“I am not thrilled with the accountability for 5 percent of my patients accessing their data online,” Spooner says. “I wonder when the [regulators] last sat through a busy Saturday evening in an emergency room and thought ‘I can’t wait to get home and look up my information online’.”

Spooner calls including hospital emergency room patients in the data access requirement “worrisome,” adding: “These are occasional visits, many by patients without a regular doctor or insurance coverage. It will be a challenge to bring them back to our portals [to access information],” he says.

McMillan, however, does not believe that healthcare providers will find it difficult to get 5 percent of patients to access their data online. “I don’t subscribe to the ‘patients don’t want access’ [argument],” he says. “When you look at what’s happening online in other industries, people shop, bank,” he says. “My 82-year-old mother goes online for her and my father’s prescriptions.”

Dan Rode, vice president of advocacy and policy at the American Health Information Management Association, contends that some healthcare providers are concerned about the potential for being held responsible for breaches caused by patients once they download their information.

“Providers are concerned that individuals themselves might release their information by accident,” Rode says. “A patient might send their information to Facebook; providers don’t want to be responsible for something like that.”

Data Exchange Standards Lacking

The meaningful use rule also signals that more regulations related to health information exchange, which presumably would address privacy and security, could be on the way in Stage 3 if the industry fails to make adequate progress with standards-based information exchange, McMillan points out.

The rule states, “…As we look toward meaningful use Stage 3, we will monitor the ease with which EPs [eligible providers], eligible hospitals, and CAHs [critical access hospitals] engage in electronic exchange, especially across different vendors’ EHRs.” The rule notes that if HHS does not see sufficient progress for standards-based exchange goals being met, “we will … consider other policies to strengthen the interoperability requirements included in meaningful use as well as consider other policies and regulations.”

To exchange data efficiently and securely, “the real issues are interoperability, compatibility, and standards,” McMillan says.

A Nationwide Health Information Governance Rule, now in the works, would set voluntary standards for data exchange.

Security, HIPAA, Breaches, 2012 and Beyond (Video featuring Mac McMillan)

Mac McMillan, CEO, CynergisTek, Inc., summarizes the key issues for 2012 and beyond, the ability of HIPAA to meet today’s IT needs, and avoidable breaches.