Tag Archives: policy

Mac McMillan Speaking at Hawaii-Alaska Chapter of HIMSS

Hawaii-Alaska Chapter of HIMSS Brownbag

October 9, 2012 @ 11:30

HMSA Building Multi-Purpose Room (MPR)

OCR Random Audits: A Look Inside

Presenter: Mac McMillan, HIMSS Privacy and Security Policy Task Force

This presentation gives attendees the opportunity to discuss the OCR random audit process, learn ways to assess their program, and prepare for an audit.

During this session participants will:

- Discuss what the audit process looks like and what to expect
- Understand how to prepare your facility/department for the audit process
- Understand how to review your program to identify its weaknesses
- Review lessons learned from the early audits
- Discuss heightened enforcement and the Omnibus Rule
- Discuss where enforcement is today and the signal HHS is sending

Mac McMillan serves as the National Chair of the HIMSS Privacy and Security Policy Task Force. The newly formed Task Force was established to bring together a group of industry thought leaders to support HIMSS's formal response to new legislation and regulation, and to develop HIMSS policy position papers and tools that relate to healthcare privacy and security. One of the goals of the Task Force is also to collaborate with fellow professional organizations such as HFMA, MGMA, AHIMA and HCCA to formulate a broader industry response when appropriate.

___________________________________________________________


This is the fourth brown-bag luncheon with this year's theme of "Bringing Healthcare Information Technology to the Consumer":

- July – Hawaii Health Connector (insurance exchange), presented by Coral Andrews, the Connector's executive director
- August – Update on HIMSS Advocacy, presented by Lee Castonguay, with Colin Underwood from Alaska
- September – Can Smart Cards help the consumer get more engaged in healthcare?, presented by David King-Hurley of LifeNexus
- UPCOMING – October 9 – OCR Random Audits: A Look Inside, presented by Mac McMillan, HIMSS Privacy and Security Policy Task Force

Topics planned for later sessions in the series:

- Using Technology to Keep Seniors at Home
- Personal Health Records in the Cloud
- HIE for Everyone
- Privacy and Identity is a requirement
- MU 2 and 3, impacts on the consumer
- HIT Day for Public Policy
- Analytics and You
- Use of Games in Health Care

Can Healthcare learn from the Zappos Breach? You bet!

Some of you may be becoming numb to the reports of data breaches that seem to hit the headlines almost every week now.  Are we developing a mindset that these breaches are just going to happen and that they are just part of business in the digital age?  Boy, I sure hope not!  Because I care about my personal data, the data of my family members and really everyone’s data.  I fear the day that we become accepting of breaches as a business norm.

I read a lot of articles every day from a variety of sources – blogs, industry press, etc. I really appreciated Matthew Schwartz's article in Information Week this week covering lessons learned from the Zappos breach. It was nice to see an acknowledgement of the preparations and risk management steps that were in place, as well as the opportunities for improvement that exist for Zappos going forward. It was also really nice to see a simple, straightforward presentation and discussion of the points. At CynergisTek, it is a core value to make security "accessible" to our clients, to relate security efforts to the business and to the people that make that business run. For us, that usually means hospitals, clinicians and the critical support staff that, 24 x 7 x 365, make healthcare happen. Anyone can read Matt's article, learn from it, and take something away from it, as an individual or as an organization.

Some of our healthcare clients might challenge the idea that Zappos or Amazon are a relevant reference point for them, arguing that the business of retail is nothing like the business of healthcare. For me, it always comes back to the ultimate arbiter, the common denominator that is THE DATA and our responsibility for it. I would argue that our industry assumes stewardship of a far larger volume of sensitive data than retail does, so the call to action, and the urgency to establish the technical safeguards and processes, is even greater.

I don't want to sound like a broken record, but there are things, even small things, that healthcare can do, which is why I really had an affinity for this article. There are absolute takeaways for our industry here, so read it. Benchmark your current safeguards and processes against the positive attributes of Zappos' program and response. Then make a plan to make ONE aspect of your breach risk mitigation program better.

We say it all the time in healthcare: "An ounce of prevention..." We need to take a healthy slurp of our own Kool-Aid!

Enough of my musings, read Matt’s article here:

http://www.informationweek.com/news/security/attacks/232400457

Healthcare Security Policy: Top 4 Factors that Shape the 2012 Outlook

Prognostications always dominate the headlines as we turn the page to a new year. While we tend to see lots of "Top 10" lists for project priorities or technology purchases, there have been fewer articles on what we might expect to see on the policy front in 2012. An election year always makes for interesting policy discussions and debates, but we believe that this is just one of the top 4 factors that will (or should) influence healthcare security and privacy policy in 2012.

The policy discussion is almost guaranteed to be dominated by four factors.

1.  The impact of the 2012 elections and the lack of desire on the part of both politicians and the Administration to address controversial healthcare issues.

2.  The ever expanding impact of privacy and security legislation and outside influences on healthcare.

3.  The expansion of negative influencers such as breach notification and the rising tide of litigation.

4.  The very real need to embrace better security models to support important clinical technical initiatives such as Health Information Exchange, decision support, mobility, telemedicine, cloud computing, etc.

Healthcare, because of its almost universal applicability and expanding regulatory impact, is likely to become the focal point for the privacy and security policy discussion.  As a result healthcare could find itself shaping this debate in 2012.

Politics and the elections this year could very likely affect the privacy and security discussion for several different reasons. Running for office (or trying to get reelected) is not a trivial process, and both this Administration and Congress are expected to be distracted by the election campaign. On top of this distraction, there is the almost certain trend of "avoidance" that seems to take over incumbents with respect to controversial issues. Healthcare reform, of which privacy and security policy is a part, is certain to be a lightning rod subject in this election. Therefore, no one should hold their breath waiting for movement in these policy areas. That said, privacy and security issues are not going to go away, nor will the public's growing displeasure with the industry's performance to date. Privacy and security tend to be bipartisan issues where common ground can be found. It will be interesting to see whether the Senate Judiciary Committee hearings, chaired by Senator Al Franken last fall in response to the spike in privacy breaches in healthcare, carry any momentum into 2012 or spur more interest in the debate on broader privacy legislation.

Congressional debate on a broader privacy law, one that would apply to all industries, has been ongoing since the 1990s. However, 2012 might be the year that helps focus this discussion. Why? Because now, more than ever, it affects more people and more organizations and is receiving much more attention. HITECH will serve as the catalyst for transforming this discussion because of two important and interrelated policy changes. HITECH extends HIPAA accountability to business associates and all downstream subcontractors. This changes the reach of HIPAA from several thousand covered entities to hundreds of thousands of entities, which means that a broader representation of this already enormous industry will try to get involved and shape this debate. Further, businesses that are already under pressure from other regulatory drivers and global business initiatives to embrace the EU privacy model will also likely find their way to the table. These new players could create new and greater external influences on the privacy and security requirements for healthcare.

The public's growing awareness of breaches in healthcare and the potential traction of recent high-profile class action litigation are almost certain to be factors in 2012. Closely related will be the outcomes of HHS's random compliance audits launched in December 2011. The number of breaches last year got everyone's attention. The disastrous month of October, in particular, led to hearings and dominated the media until the end of the year. The question is whether this will further fuel the Congressional debate for broader privacy protections and, ultimately, a Federal statute that applies to all. Regardless of what happens on the legislative front, the legal front will definitely bear watching.

Breaches continue to lead to lawsuits, which is nothing new. What is new, however, is the nature of those lawsuits today. In the past, lawsuits stemming from breaches that alleged harm were rejected by the courts unless specific and identifiable damages could be substantiated. Recent lawsuits have alleged negligence and breach of contract, and in the Sutter Health case in California the plaintiffs are suing for statutory damages, which obviates the need to show harm. If successful, the number of lawsuits could grow significantly. Whether this happens or not, organizations that are sued still have to deal with damage to their reputation and defense costs at a minimum.

The cost of compliance has also gone up. In 2011 HHS received tens of thousands of complaints, and nearly 20 new major breach investigations were initiated every month. These investigations have led to Resolution Agreements, Corrective Action Plans and, on rare occasion, fines. Recently HHS added to its oversight of HIPAA by initiating the random compliance audits called for under HITECH. It is still too early to tell how the "First 20" will fare, but HHS does intend to use them to inform the process going forward. Breach notification, lawsuits and HHS enforcement activities are sure to keep a bright light on healthcare and compliance.

Healthcare also has internal drivers that are applying pressure for better privacy and security measures. Increased reliance on electronic medical records, decision support systems, business analytics, and other systems that support care services will demand absolute integrity of the data. Health Information Exchanges will need better authentication and identity solutions and specific governance structures. Mobile devices will continue to proliferate and introduce risk. Smarter approaches that place more emphasis on data management and device standards will be needed as endpoint strategies alone fail or become difficult to manage. New strategies such as telemedicine and cloud computing will need privacy and security solutions. The evolution in technology and the need to address new privacy and security challenges will see no abatement in 2012.

Healthcare will be a dominant topic in 2012, and there is a good chance that privacy and security will factor significantly because the data matters. The data being generated by the industry is the holy grail that drives all transformation, clinical and financial. Therefore, the safeguards around that data become more important than ever. And because healthcare is not the only industry where data is central to transformation, the developments in healthcare could have a tremendous impact on privacy and security in general. Political action, regulatory changes, adverse events and operational advancements will shape the privacy and security agenda. Those who ignore privacy and security will do so at the risk of unwanted consequences.

Deven McGraw’s Testimony to the Senate Committee on the Judiciary Subcommittee on Privacy, Technology and the Law

YOUR HEALTH AND YOUR PRIVACY: PROTECTING HEALTH INFORMATION IN A DIGITAL WORLD

Chairman Franken and Members of the Subcommittee:

On behalf of the Center for Democracy & Technology (CDT), I thank you for the opportunity to testify today.

The Center for Democracy and Technology (“CDT”) is a non-profit Internet and technology advocacy organization that promotes public policies that preserve privacy and enhance civil liberties in the digital age. As information technology is increasingly used to support the exchange of medical records and other health information, CDT, through its Health Privacy Project, champions comprehensive privacy and security policies to protect health data. CDT promotes its positions through public policy advocacy, public education, and litigation, as well as through the development of industry best practices and technology standards. Recognizing that a networked health care system can lead to improved health care quality, reduced costs, and empowered consumers, CDT is using its experience to shape workable privacy solutions for a health care system characterized by electronic health information exchange.

We are at an important juncture in the effort to build a health care ecosystem powered by information technology. The nation is at the beginning of a five-year commitment to achieve widespread adoption and use of electronic medical records by health care providers. The health care system suffers from unsustainable costs and uneven or poor quality, and increased digitization and more robust sharing of health information is widely seen as key to reversing these trends. At the same time, the public consistently expresses concern about the privacy and confidentiality of digital health records. Changes to federal health privacy laws enacted by Congress in 2009 have not been implemented due to regulatory delays, and breaches of electronic health data are far too common.

Failure to build and maintain public trust in the collection and sharing of electronic health information will doom efforts to leverage health information technology (health IT) to promote innovation in the health care sector. In this testimony we discuss some of the key privacy and security challenges that will need to be addressed in order to provide a firm foundation for realizing the benefits of health IT.

Read the complete testimony here.