HIPAA Omnibus: Compliance Update
Many Smaller Organizations Delaying Compliance Efforts
The success of ongoing HIPAA Omnibus Rule compliance efforts depends, in large part, on the leadership of an organization setting appropriate expectations, says compliance expert Margie Satinsky.
"Attitude counts for a lot," says Satinsky in an interview with Information Security Media Group [transcript below]. "[It] counts for the way in which you accomplish what needs to be accomplished."
Now that HIPAA Omnibus enforcement is under way, Satinsky says organizations and business associates need to take their security and privacy programs seriously.
"If you say, 'The government passed this law; it's really a pain in the neck,' the staff is going to react just like that," she says. "But if you stand up and say, 'This is the law. We want to do everything we can to be compliant,' you're going to get a completely different reaction from the workforce."
For those organizations still working on HIPAA Omnibus compliance efforts, Satinsky recommends starting with a risk analysis. "Use a risk analysis and begin with what's in place and take it from there," she says. "But if you don't start with a look at [your whole program], you don't really know where you are."
In the interview, Satinsky also discusses:
- The excuses that some business associates and start-up vendors are making for their lack of compliance;
- Steps smaller organizations should take to avoid breaches involving mobile computing devices;
- Cloud computing and HIPAA compliance.
Satinsky is president of Satinsky Consulting, LLC in Durham, N.C., which provides business consulting services to small medical practices. She has assisted more than 80 practices with HIPAA privacy and security rule compliance. Satinsky is the author of three books and numerous articles on healthcare management and has written regularly for the North Carolina Medical Board.
Biggest Mistakes
MARIANNE KOLBASUK MCGEE: What are the biggest mistakes that you see covered entities making in their HIPAA Omnibus Rule compliance efforts?
MARJORIE SATINSKY: One of the biggest mistakes is that HIPAA really has changed significantly since the law was passed in 2002 for privacy, and a little bit later than that for security. People do not understand that there have been changes and, more important than that, they're trying to save a dime. If they're faced with some choices about whether to cut and paste the business associate agreement or a notice of privacy practices, if they cut and paste for less money they don't particularly want to get involved in doing what's really necessary to become compliant. That bothers me tremendously. I can only give advice; I can't force anybody to take it. But I think they're making a very serious mistake by just putting a Band-Aid on something that really requires a larger dressing, so to speak.
MCGEE: When it comes to them trying to put a Band-Aid on the problem, where are they putting the Band-Aid?
SATINSKY: Let me give you an example. The concept of notice of a breach, if somebody has made a mistake and there has been a disclosure of PHI, protected health information, the [requirement for breach notification under HIPAA Omnibus] is completely different from what it was at the beginning and in 2009 ... People don't understand that at all. If they're simply changing the wording in the notice of privacy practices or a business associate agreement without delving into what those changes mean for notice of a breach, they're not getting it. They're completely missing the point, and I think that they're putting themselves in a very vulnerable position. That's just one example of ignoring what's really important and just trying to do what's efficient, fast and the least intrusive into somebody's daily work schedule.
MCGEE: What steps should they be taking to correct these missteps that they're already making?
SATINSKY: I suggest that people start with two risk analyses, one for each rule [HIPAA privacy and security]. A risk analysis is a list of questions. You go through it, answer the questions, and the answers will tell you where you are with respect to the requirements for compliance. Some people can go through and see that they're doing quite a bit, even though they have some more to do, and other people go through and they haven't done anything at all. The risk assessment is a way of finding a base from which to operate. Once you know where you are, you know what you have to do and you can take it from there for both of the rules and make a list of the action items, assign responsibility, put some timelines with it and measure the results. But if you don't organize yourself with either rule, it's very hard to go forward. ...
Working with Limited Resources
MCGEE: Many smaller [physician group] practices have limited money and limited people resources to address their compliance issues. What's your advice to them? Where should they be focusing their limited resources?
SATINSKY: That's a really good question because resources to most people mean money. It also means time. In a small practice, in most cases, you find that the office manager or the practice manager - whichever it is - is either the privacy official and/or the security official, and they don't have a lot of time to work on projects of this type of magnitude. My suggestion to them is that they take advantage of two external resources. Most of them have an outside IT support company, and that company or the individual that they have hired to help them can really be of great value with respect to security. Everybody with whom I work, the first thing I say about the security rule is to get your IT person involved, because he or she may have an easy solution to some of these things and it may be more technical than you have the ability to really understand. The help is there; use that person.
The second thing is to hire somebody to help you organize the workload of what has to be done. ... A consultant who understands the big picture and has all the work, the solutions or the sample solutions organized can be of great value. That way, there's less time that an individual office manager or practice manager has to spend on structuring the type of response that they're going to make to the compliance requirement. ...
MCGEE: What are you seeing in terms of HIPAA Omnibus compliance efforts from business associates, especially the smaller vendors?
SATINSKY: Many of the business associates with which I work are small start-up companies, and in terms of their political thinking - which really has no place in HIPAA compliance - they're anti-government. They can't quite get over the fact that this is a law. This ... isn't a maybe; this is a must. If you don't comply, there ... can be serious repercussions. ... The truth of the matter is, they should be spending their time on compliance. ... In terms of what's at stake, the business associates are now certainly responsible for complying with security. ... They're liable if they don't meet security requirements, and the penalties are significant.
The other issue here is simply a marketing issue. Many of these small companies provide services to covered entities like medical practices, large hospital systems or insurance companies, and the covered entities are saying to the business associates, "We need you to comply with HIPAA." They're jeopardizing potential business by not being HIPAA compliant, and that's really what's driving this. ... Most of the ones who have come to me have said, "The covered entity ... with whom I'm working ... wants me to be compliant and I need to get my act together and do it." That's what's driving most of the small business associates that I'm working with.
Protecting Mobile Devices
MCGEE: A common cause of many breaches has been lost or stolen unencrypted computing devices. Since the Department of Health and Human Services is promising to ramp up HIPAA enforcement, what's your best advice for the easiest and most secure way that smaller organizations can make sure that their mobile devices are protected?
SATINSKY: ... First of all, in many of these small companies ... they really encourage bring-your-own-device or BYOD. The devices may have different capabilities. ... Some may be able to encrypt and some may not be able to encrypt. It's preferable that workforce members use a company-owned device with that ability for encryption. If that doesn't happen, however, there need to be company rules about security and up-to-date virus protection. That's a very common issue. Whether you're using a personal device or a device that's owned by your company, don't lend it to family and friends. That's one way you can often get yourself into trouble.
Another very common problem here is people taking devices to a very public place - Starbucks or some other place - that has an open Wi-Fi where you don't need to use a password to sign in. That's a risky situation and that's not advisable given the HIPAA requirements.
Another suggestion is to recycle any computers that you're not using, but make sure to wipe the hard drive first. You don't want to just throw something in the trash, leaving all this private data on it that should be either wiped or in some other way taken off.
... For all of these hand-held devices, access should be with usernames and passwords. I know it's a pain in the neck. Most people don't like to do it, but when there's secure information either residing on a device or available on a device, there really need to be security protections taken.
Finally, I'll say something about the cloud because certainly my business associate clients have a misperception about the cloud. I've been told 101 times that if somebody uses cloud computing and there's no server in the location where they're working, then everything is just fine, everything is secure and there's no need to do anything else. That's not exactly how it works. ... There's a great misperception that the cloud simply relieves people of the responsibility to comply with HIPAA.
MCGEE: Finally, any last tips for smaller organizations to ensure that they're compliant with HIPAA Omnibus?
SATINSKY: I do have a couple of suggestions. Number one is to take it seriously. ... Use a risk analysis and begin with what's in place and take it from there. You might find as a covered entity or a business associate that you do have a lot in place and all you need to do is make some changes, corrections or enhancements. But if you don't start with a look at the whole thing, you don't really know where you are. ...
The very last thing is attitude counts for a lot. Attitude counts for the way in which you accomplish what needs to be accomplished. It also counts for the receptivity that anybody's workforce is going to have to training about HIPAA. If you stand up there and you say, "The government passed this law. It's really a pain in the neck. We've had to spend so much time doing it and I wish that it weren't here," the staff is going to react just like that. But if you stand up and say, "This is the law. We want to do everything we can to be compliant. Here's what we're going to do," you're going to get a completely different reaction from the workforce. I think that's very important. Attitude counts. Make it positive.