What Next with HIPAA Omnibus?David Finn of Symantec on Top Compliance Challenges
The HIPAA Omnibus enforcement date has come and gone. What areas have covered entities overlooked, and what must they address as top priorities? David Finn of Symantec shares insight.
See Also: Building the Modern SOC
It's time for healthcare organizations to ensure they have done what they already should be doing, says Finn, health information technology officer at Symantec.
"Actually, I think Omnibus should have provided everyone the chance to fine tune where they were with HIPAA and HITECH," he says. "Read your policies and procedures; review the regulations again - particularly the changes."
Most importantly: Review changes within your own organization. "This really is the chance to adjust and move forward into the post-Omnibus world of HIPAA and HITECH," Finn says. "If you didn't [already] take that opportunity, now is the time to do it."
In an interview about top HIPAA compliance challenges, Finn discusses:
- Areas most overlooked by covered entities;
- How to address mobility and social media;
- What to do now to ensure compliance.
Prior to his current role, Finn was the chief information officer and vice president of information services for Texas Children's Hospital, the largest pediatric integrated delivery system in the United States. He also served as the privacy and security officer for Texas Children's. Prior to that, Finn spent seven years as a healthcare consultant with IMG, Healthlink and PwC, serving last as the EVP of operations for Healthlink.
Finn has 30 years experience in the planning, management and control of information technology and business processes. He is focused on enabling operating efficiency and deriving business value through the optimization and control of technology. His key skills include IT governance and control, project management, systems selection and implementation, business and IT partnering, and IT audit, control and security.
HIPAA Omnibus: Steps Organizations Must Take Now
TOM FIELD: As we talk, the HIPAA Omnibus compliance deadline has come and gone. For those organizations that are not already in compliance - and we're hoping there are only a few of them - what must they do now?
DAVID FINN: What they must do now is what they should have been doing since 2003 for privacy, which is the year that the privacy rule went into effect, and certainly what they should have been doing around security, including the risk assessments, since 2005 when the security rule went into effect. Actually, I think Omnibus should have provided everyone a chance to kind of tune up and fine-tune where they were with HIPAA and HITECH. Read your policy and procedure. Look at the regulations again, particularly the changes, and not just the federal law, because most states now have their own privacy rules, and some have security rules. Most importantly, look at the changes in your organization and your environment.
Minimally, we know there are changes to the notice of privacy practices; there are some changes in marketing. If you didn't have a breach notification policy and processes around that, you really need to go over them now and, if you had the old ones, align [those] with the new standards because there are different criteria for breach now. I'm guessing that people had changes in this interim period to people, processes and technology, and Omnibus was really a chance to readjust and move forward into the post-Omnibus world of HIPAA and HITECH. If you didn't take that opportunity, now is the time to do it.
Risk Assessment Challenges
FIELD: Risk assessments is a key component here and a critical foundational element. In your experience, where do you find organizations challenged when it comes to conducting their own risk assessments?
FINN: There are two really big challenges around the risk assessment. First is starting the risk assessment, and second is keeping it current. If you can get over those two, you should be well on your way. I'm only being partly facetious in that answer. The biggest issue frankly with the risk assessment is when you look at it, the scope of a risk assessment can really be overwhelming. To complicate issues, the risk assessment that you might have done in 1996 - the year that HIPAA became law - is completely different than what you would have done in 2005, for example, the year of compliance for the risk assessment. And that's different from what you need to do in 2014, which is right around the corner from us.
Back when everything lived in your data center, was on physical devices and you may have had terminals or even desktop PCs, it was a big job, but it was doable. Since then, we've gone virtual at the server, in the storage environment and at the desktop. We've gone mobile with laptops, smart phones and tablets. And we've gone to the cloud, be it private, public or a hybrid cloud. When you could inventory machines and know you had found all the data, life was good. But today it isn't about machines anymore, or where processes are supposed to happen or what devices or operating systems or databases you're using. It truly is about the data, and the data - ePHI in particular - has to be understood in this new working environment, with an ever-increasing need to manage risk on an ongoing, near-real-time, basis.
Even more critically, this understanding has to extend beyond IT in today's world to all the operational users of patient information, from med-techs to clinical engineers to billing clerks and coders to caregivers, and even the patients themselves we've got coming up. Given the rapid changes in the healthcare delivery model, the delivery of information will have to expand to meet those needs, and that means understanding where data's created or captured; how it comes into an organization, from where and from whom; how it's used inside the organization; who uses it; where it rests and how it flows through your organization; and finally where you send it. You can't really determine the risks and vulnerabilities, nor design strategies to protect that data, until you understand all that information about the data.
Finally, as the need for data goes to round-the-clock, 24/7 by 365, the need for services and systems that are never down becomes an increasing demand.
To get back to your question more concisely, the first challenge is really getting started with this new approach to risk. The second challenge is really keeping your risk assessment current. We all get focused on the risk assessment, but the point of the law was not to do a risk assessment for the sake of a risk assessment, but to build a foundation to develop an ongoing risk management process. The pace of change in IT would be problem enough, but when you couple that with healthcare - an industry that frankly is being turned completely on its head - the pace of change is absolutely staggering. And every change in people, process or technology represents a new risk for data being lost, stolen or unavailable or incorrect or going to the wrong person or place. That really is the new challenge looking at it in a new way and keeping it current.
FIELD: There are a number of areas that healthcare organizations may be overlooking as they try to comply with HIPAA Omnibus, and I will ask you about a couple of these. First is mobile technologies. What perhaps are they missing there?
FINN: I think everyone thought they had done this a couple of years ago with mobile device management. MDM was the hue and cry, and then some questions started popping up like, "What if this isn't the hospital's device?" or, "What if your user is using the same device at multiple hospitals?" Bring-your-own-device kind of upset that apple cart, and we started looking at managing the applications, wrapping them and adding management and version control to the apps, and that worked for a bit in certain circumstances.
But at the end of the day, my experience shows that clinicians are the most creative users of technology that exists. If they need the data, they will get it where and when they need it, regardless of the device or who owns it, and regardless of the application controls you put on it. It has to be about the data, and the technology is just now starting to catch up with those issues. Frankly, I see a lot of providers that have lots of mobility and mobile solutions, but they don't have written and enforced policies around mobile devices. At that point, you're really just looking for trouble. You need to make sure that your policies say what you're going to do and that you're doing it.
FIELD: The next area that might be overlooked and perhaps is related is social media. What are your thoughts?
FINN: Social media is kind of a tag-on to the mobility. I see even less policy and procedure in this area. That doesn't mean organizations aren't using social media. It just means that you don't have the policy and procedure around it, which means you probably haven't thought through all the issues, and we know it's the issues that you haven't thought of that always catch up. You want to be as prepared as possible, knowing that there's always stuff you haven't thought of.
Right in line with the mobile and social media question is we know we've got Stage 2 of meaningful use coming up, which includes patient engagement. That's likely going to include mobile, e-mail, portals and social media, but I don't really see anyone adding those things to their assessment. They go back and essentially do the same risk assessment without addressing the people, processes and technology changes that you're going to have in place to meet Stage 2 of meaningful use.
FIELD: The final topic under potentially most over-looked, and perhaps the biggest one, is business associates. What are organizations missing there?
FINN: I think that's the biggest topic, and for once I have to tell you I thought the providers were not going to get the worst of it. This was directed at the business associates by making them accountable to the same level of protection as a covered entity and subject to the same prosecution under the law. I think Omnibus turns the world upside down for a business associate.
Unfortunately, what we're seeing fall to the covered entities is education for these business associates, explanations of very complicated laws, even training of business associates and subcontractors. The poor covered entity still doesn't get a break here, and I'm starting to hear a lot of right to audit from the providers, but we need to get realistic here. I'm not aware of any provider that has the time, money or staff to go audit all their business associates, or even key ones. You have to make them do it and you have to get the results from their efforts or their third-party audits. It's going to be imperative that covered entities monitor and know what the business associates are doing, but they're not going to realistically be able to do that themselves.
The question as it is with all these issues is, do you want to just check the box and protect yourself legally and maybe shift some of the financial liability, or do you really want to protect your patients' information when you provide it to a business associate? That gets into the whole risk management question.
Enforcement of New HIPAA Components
FIELD: In your opinion, how are federal regulators going to proceed with enforcing HIPAA's new components under the Omnibus Rule?
FINN: That is, as they use to say, the $64,000 question, but maybe today, under the new civil monetary [penalty] piece, I should say it's the $1.5 million question. Clearly, under Omnibus, the Feds have more leeway in terms of enforcement action. Willful neglect is something of a game changer in my opinion, although I'm not sure that industry sees it that way yet. There was a time when the strategy of plausible deniability worked: "I didn't know about this so I couldn't have reasonably protected against it." But willful neglect pretty much does away with that approach, and the increased civil monetary penalties on top of that will certainly get more attention than they have in the past. There's no doubt that the dreaded OCR audits are coming back, and if they will use this new authority I think it will get the industry's attention.
The other thing I learned recently is that OCR can utilize the funds they collect across fiscal periods so they can bank fines and use them for enforcement going forward, which also changes the game a little bit.
We do know a couple of things. One [is] that there will be a focus on the risk assessment going forward; not only have you done one, but is it reasonable and are you doing it consistently and tracking improvements over time. The second thing we know is that it isn't just going to be covered entities anymore; they will be looking at business associates as well. I think OCR has the tools now, just how they will use them is the question and only time will tell us the answer to that. But I can tell you that if I were a provider today or a business associate, I would not want to be the one that becomes the example.
Strategies, Solutions for Covered Entities
FIELD: I've got a final question for you to sum things up here. We've covered a lot. We've talked about risk assessments, mobility, social media and business associates. Bottom-line from you as a health information technology officer: What are the strategies and solutions that are going to best serve covered entities as they seek to comply?
FINN: I can wrap that up in three bullet points. One is to understand your data. Two is protect it appropriately. What I mean by that is I see organizations spend a fortune protecting data that doesn't seem to me to be that critical, and then I see ePHI sitting out on public shares on their network or in a DMZ. Protect it appropriately, and understand the data and the risk to that data.
Finally, number three is remember that the collection of data actually represents a human life, and this is from an HHS publication, not my quote. While I can find a lot of things to interpret or argue with HHS about, this is one I absolutely and completely agree with. Collection of data represents a human life and it needs to be treated that way. IT people who don't think of themselves as being in healthcare - they think they're technologists - need to take a second look. The CEO and CFOs who think the information and the information technology is not really as critical to their business need to take another look. It's their business today.
Like I said, this all should have been going on for a decade or close to it. The healthcare delivery models and reimbursement model changes, the changes in regulation and enforcement, the need to share more data more broadly with more protection than ever before, combine to make information and information technology not an adjunct to healthcare, which is the way it has always been treated. But rather, information and information technology is now a strategic imperative of the healthcare business from a clinical and business perspective.