Understanding the Proposed HIPAA Revamp
Walsh is one of the featured speakers in an upcoming HealthcareInfoSecurity.com web seminar, "HIPAA Modifications & HITECH Rules: A Guide to the Security Essentials." Another security specialist, Kate Borten of The Marblehead Group, will address the final rules for the HITECH Act's Medicare and Medicaid incentive program for electronic health records.
In a recent exclusive interview, Walsh said the HIPAA modification proposal's most significant components are:
- An explanation that ignoring the HIPAA rules amounts to "willful neglect" and can result in the maximum penalties;
- A clarification that business associates and their subcontractors must comply with HIPAA; and
- A description of patients' rights to access their health records.
Walsh advised business associates to take a closer look at all their security safeguards. "Business associates really have to take a more serious look at their environment," he contended. "They need to look at their administrative, physical and technical safeguards and controls in a more serious light."
He also advised hospitals, clinics and other "covered entities" to get ready to rewrite their business associate agreements as well as the "notice of privacy practices" they give to patients.
Walsh said he's disappointed that the proposal includes relatively few changes to the HIPAA security rule. For example, he contended that the proposal should have addressed the issue of ensuring security for remote access to information systems. "The technical environment that we live in today is much different than it was in 2003," he noted.
Walsh is president of Tom Walsh Consulting, an Overland Park, Kan.-based firm that advises healthcare organizations on risk management strategies.
Following is a transcript of the interview, conducted by Howard Anderson, managing editor at HealthcareInfoSecurity.com.
HOWARD ANDERSON: The HHS Office for Civil Rights on July 8 issued a proposal calling for modifying the HIPAA privacy, security and enforcement rules. So Tom, what do you consider to be the most significant components of the proposal?
TOM WALSH: Well Howard, I think there are three things that just stood out to me as being significant components. The first is the expansion of some of the privacy provisions and the security rule to business associates and their subcontractors.
Before, there were a lot of folks trying to look for wiggle room so that they wouldn't have to do the HIPAA security rule, and the old business associate agreements just said they had to make sure that there were "appropriate administrative, physical and technical safeguards." Now it is pretty clear you have to comply with the HIPAA security rule.
The other thing I thought was interesting was that the proposal talks a lot about willful neglect. We find that sometimes that people think, "Yeah, yeah, yeah, the government puts out these rules but I don't have to worry about it unless they catch me." Now...ignoring the rules can result in some of the highest fines.
In the enforcement piece it talks about four different tiers for which fines or penalties would be levied, and willful negligent, meaning simply ignoring it and not doing anything about it, would put you in that highest category.
Most large healthcare systems and community hospital are aware of the rules and they do the right things; they don't want to be found in neglect. But I find that smaller providers are really are clueless sometimes when it comes to HIPAA, especially the security rule.
A lot of doctors' offices think that issuing a "notice of privacy practices" is all they have to do to comply with HIPAA. When I start asking them questions about the security rule they look at me like, "What? I don't know what you are talking about. We are HIPAA compliant."
So this is a wake-up call...
The third one that kind of stood out to me...is the patient's right to access their information, regardless of the format. The HITECH Act says that we have to give it to them in an electronic format if they request it.
So what was interesting to me is that they gave some examples in the rule about a patient requesting the access to their data in electronic format and it talked about USB drives. So you could imagine the security challenges we are going to have as patients start showing up with their USB devices and saying "put my data on here." We are going to have to check those to make sure there are no viruses or any other hidden, malicious codes.
And it also mentioned encryption in the example when it was talking about the rights of patients to obtain records in electronic format....There is nothing in the rule that talks about the requirement for giving the patient data in an encrypted format, but it was in the example that they gave.
So those three things were the most significant.
ANDERSON: So what was left out of the proposal, if anything, that you would have liked to have seen included?
WALSH: I was a little bit disappointed with the changes to the security rule because really all they did was add wording for the business associates. So since 2003, there have been no changes. And this bothers me because the technical environment that we live in today is much different than it was in 2003. So that means the security rule still remains very vague.
Now interesting enough, we have seen documents that the Centers for Medicare & Medicaid Services has put out there as samples of what you might expect if you were ever being audited -- the things that they would be looking for. In there they list a lot of things that are not required in the HIPAA security rule. So, for example, they wanted you to address things like wireless networks, vulnerability scans and penetration tests. They also talk about some of the ways that you manage access control; they want to see user provisioning tied to training.
So these were things that came out of audits that CMS conducted. I was expecting they were going to address that in the HIPAA modification proposal, but there's nothing. Nothing about remote access, nothing about user provisioning tied to training....So it is not required in the HIPAA security rule, they didn't update the rule to add it but yet there is an expectation that you are going to do these things. I just wish they would have taken the time to put a little more work into that piece. Most of the changes really dealt with privacy.
ANDERSON: Do those changes in the privacy rule affect business associates?
WALSH: The privacy rule was really written more for a provider environment and also for a payer environment and not necessarily for a business associate. But some of the provisions, as far as uses and disclosures, now apply to the business associate. So yes, they did apply some of the privacy provisions to business associates, but not all. Business associates aren't expected to issue, for example, a notice of privacy practices; they don't have to do that.
ANDERSON: Based on this preliminary proposal, which likely will be revised before it is finalized, what advice would you give to business associates on how they should be preparing now to comply with the eventual new HIPAA rules?
WALSH: Business associates really have to take a more serious look at their environment. They need to look at their administrative, physical and technical safeguards and controls in a more serious light. They may even want to consider something like the HITRUST (Health Information Trust Alliance) guidance. Or they may also want to look at some of the NIST (National Institute of Standards and Technology) documents.
Some business associates know how to secure data; for others, this is new territory and they may need outside help in getting through this. Some covered entities are going to start sending business associates questionnaires to ask more specific questions about what they are doing to protect the data, not just assuming they are because they signed an agreement. So for business associates I think there is a lot of work ahead.
ANDERSON: What about for hospitals, physician group practices, insurers and other covered entities? What should they be doing to prepare for compliance with these new rules?
WALSH: There are several things they have to look at. One is they are going to have to do new business associate agreements. They are going to have to create new notice of privacy practices.
I think one of the biggest challenges...will be honoring patients' requests for restrictions on releases of information to insurance companies, as the proposal would require.
There were some really good examples that came out in the Notice of Proposed Rulemaking, where it talks about if you have a patient who pays for their service out of pocket in full and then requests that you don't send this information to the insurance company -- how are you going to ensure that request gets through the whole organization and is included in any other releases of information to other providers?
The example they gave, which I thought was really good, is they talked about a person who comes in for treatment and asks you not to share information with the insurance company and then the doctor orders some medications and sends a prescription through. The way things work today, a lot of those doctors will just ask the patient which pharmacy they like to use and they will send an electronic prescription to the pharmacy. And by the time the patient goes to pick up their prescription, the pharmacy may have already billed the insurance company without the patient's approval. So that to me was a real big eye opener.
So it is challenging enough to honor this restriction, and the rule was very specific. Again, here is where we could be guilty of willful neglect; we can't say, "Sorry I'm not going to honor the request because I don't have the technology or the capability to do it" or it's too much of a hassle. It is in the rule and we have got to do it.
There is a lot of work ahead, and I think that is going to be one of the biggest challenges, particularly to covered entities -- honoring that request for restriction.
ANDERSON: Thanks very much Tom. We have been talking today with security consultant Tom Walsh. This is Howard Anderson of Information Security Media Group.