HIPAA Omnibus: Educating Vendors
A CISO Describes Challenges with Smaller Business Associates
Covered entities are finding it difficult to comply with a HIPAA Omnibus requirement to accommodate patients who pay out of pocket and don't want their treatment information disclosed to insurers, says Jeff Cobb, CISO at Capella Healthcare.
"The technology is not quite ready to fulfill that type of request," says Cobb, chief information security officer for the Tennessee-based health system, which operates 14 acute care and specialty hospitals in six states, in an interview with Information Security Media Group [transcript below].
To carry out such non-disclosure requests, manual processes may be an organization's best bet, he says. "If a patient does make a request to withhold that information based on a cash payment for service, technology is really not set up to do it," Cobb says. "[There need to be] internal conversations to figure out what processes we can put in place to try to prevent it, as well as discussions with vendors to figure out what their roadmap is."
In the interview, Cobb also discusses:
- The challenges involved in working with smaller business associates on HIPAA compliance;
- The competition with other healthcare providers for information security talent;
- Why many organizations are still struggling with addressing basic security measures.
As CISO for Franklin, Tenn.-based Capella Healthcare, Cobb is responsible for information security and privacy. He has more than 12 years of experience in information technology and security, primarily in healthcare. Previously, Cobb served in leadership and consulting positions with Ingenuity Associates, UnitedHealth Group and AIM Healthcare, now part of Optum. He is also president of the Middle Tennessee chapter of the Information Systems Security Association and chair of the Metro Nashville Information Security Advisory Board.
Top Privacy, Security Issues
MARIANNE KOLBASUK MCGEE: To start, what are the biggest privacy and security projects you're working on these days?
JEFF COBB: This year with the Omnibus Rule, the updated HIPAA security and privacy language, there has obviously been a lot of work to do with regard to updated policies, updated business associate agreements and vendor management. While mechanically it's the same, there's a lot more scrutiny with it. We really have to take a look at the vendor space and their maturity level, given their increased liability around data security and privacy. I would say with the Omnibus Rule this year, that's been a lot of our focus for the past several months.
HIPAA Omnibus Compliance
MCGEE: As you worked on HIPAA Omnibus compliance, what provisions were most difficult? What were the biggest challenges with that work, and are you still working on it?
COBB: We're definitely still working on it, and I think the vendor space is probably one of the more challenging pieces of it. Given that we're a smaller healthcare system, we have smaller vendors - local vendors and retail vendors of small sizes. They're not going to have mature security programs. They're not going to have dedicated security individuals to run those things. The education to help them understand what their compliance obligations are now, to work and partner with them to identify the bigger risk areas and work toward a corrective action plan or a remediation schedule - that's going to be an ongoing conversation for us. That itself is never going to go away. Hopefully, when it happens again, as we continue to partner and work with our vendors where we're getting an increased level of comfort with how they handle our data, they're updating security and privacy processes and initiatives to meet those needs.
Adhering to Patient Requests
MCGEE: Speaking with other healthcare organizations, I've been told that one of the trickier provisions in HIPAA Omnibus is the provision that healthcare organizations must accommodate patients' requests to not disclose to their health insurer information about a product or service for which the patient paid out of pocket. Are there certain technology measures or best practices that you're putting into place to tackle this? Have you figured out a way to achieve this?
COBB: I wish you could see the smile on my face. That's a very timely question. We have meetings coming up within the next couple of weeks to be more focused on that particular area, so there's a lot of work to do. ... The technology is not quite ready to fulfill that type of request so there has got to be an interim solution. The way we're looking at it is potentially a manual process, a manual intervention, to be able to take those data elements. If a patient does make a request to withhold that information based on a cash payment for service, technology is really not set up to do it. [There need to be] internal conversations to figure out what processes we can put in place to try to prevent it, as well as discussions with the vendors to figure out what their roadmap is, what's the development effort going to look like, and where we could have some automation through the EHR systems to take the load off for that requirement. It's very tricky. A lot of people are talking about it, and not a lot of people I have talked to have the answer quite yet. So I think we still have more questions than answers right now.
Managing Privacy Laws
MCGEE: Capella has hospitals in six different states. As privacy laws often differ from state to state, what sorts of challenges does that present you and your team and how do you handle that?
COBB: What we try to do ... is to meet all of our requirements. We've got federal requirements; we've got internal business requirements; we've got all kinds of things that we're concerned about. It's taking our security control framework and making sure that our controls are mapped to those requirements and what those elements are. First and foremost, federal being obviously the higher visibility point, we've got those mapped pretty well right now. The individual states are a little bit tricky. You've got some states, while they're a little bit different, I think fundamentally there's a lot of similarity between the types of data elements that they take into account that would identify a breach.
I think it's more along the lines of is there any particular reporting requirement that's different from one to the other, whether it's timeline or a certain process, that kind of thing - it goes in our review process just like an annual review of any changes with HIPAA. The same thing we did when the Omnibus Rule came out is you've got to continually look at those things so that you can identify any changes, and then you go back to your control framework and make sure you've got controls in place to answer to those. That way, if you do have gaps, you can get those identified and put a work plan in place to work toward those.
Finding Qualified Security Pros
MCGEE: Many organizations also say they have a difficult time finding professionals with the mix of security skills and experience that they need. Has that been a problem for Capella and how are you addressing that?
COBB: Hopefully I get to address it next year [during] budget conversations for 2014, but I would say, in general, myself and others here in the Middle Tennessee community all face that same challenge. There's only a certain size of the talent pool and, depending on what those skills and requirements are, sometimes it's easier to find that person to fit; sometimes it's not. The one thing that I try to do is look at it more from the personality and the aptitude side. With what we do, you have to be so business-facing. You have to be able to sit down and talk to people. You have to have conversations. You have to be able to promote the initiatives that you're trying to work on.
Personality is very key for me and then aptitude. I don't necessarily need somebody to have seven to 10 years of experience walking in the door. They may be able to come up to speed a little quicker, pick up something and run with it. But without the personality and without that aptitude to learn, I think the runway for them is very short. I tend to look toward maybe more of an entry-level to medium-level type where I can put them in a good environment, help mentor them in a way that their career's moving forward and we're also getting the work done that we need to do to succeed.
Emerging Security Best Practices
MCGEE: Are there any emerging security technologies, developments or best practices that you think are promising and deserve further investigation for adoption by the healthcare sector?
COBB: Our focus has been so much on the security 101 stuff. We've had several talks here during the ISSA International Conference in Nashville that there's a resounding theme that, while there are new technologies, new approaches, new threats out there and things to consider, some of us dealing with the basic blocking and tackling are not to the maturity level ... to support what you want to do going forward - and that's anything from patching, asset inventory to even managing virus software in some cases.
While I keep an eye on the technologies and the improvements of where things are going, our major focus for the last 12 months of the work plan has been more of let's get security 101 nailed down. We can't do everything perfectly, but let's at least do that 80 percent of stuff and feel really good about it before we can then sit down and say, "Where's the secret sauce, and what do we really want to try to do to move that needle to a higher level of maturity?"
Top Priorities for 2014
MCGEE: Finally, looking ahead to next year, besides continuing to work on HIPAA Omnibus, what are your other big privacy and security priorities?
COBB: Regulatory is still going to be there. One of the big things for us is audit preparedness. I was having this conversation earlier today that it's a very interesting dynamic for our company, as well as others, where reform, sequestration and the reimbursement cuts, and all those things are putting pressure on revenue. But we have to spend more time and more resources defending that amount of money that we get in the door. How can we be better prepared to defend ourselves when that time comes? It's not a matter of 'if' - it's just a matter of 'when.' That event could be OCR [HHS Office for Civil Rights] knocking on the door; [it] could be a meaningful use attestation audit. There are all kinds of things that go on on a regular basis that we need to be better prepared for so we can properly respond to meet those needs.