Oh HIPAA! - DoctorsManagement


The Compliant and The Negligent

by Sean Weiss, Partner & VP of Compliance

In the words of Edward Porter Humphrey, “True wisdom is to know what is best worth knowing, and to do what is best worth doing.” When it comes to compliance, and especially Public Law 104-191 Part 160, better known as The Health Insurance Portability and Accountability Act (HIPAA), Humphrey’s words hold true because we must know what we must do when it comes to HIPAA, as it is mandated in law! One of the great things about working at DoctorsManagement is the depth of knowledge that exists within each department. In most consultancies, siloed departments don’t work – obviously, for a lot of reasons – but at DoctorsManagement it works well because no one person or group has to be the “Jack of All Trades – Master of None.” This is precisely the reason I have avoided having to deal with HIPAA in the same depth that I deal with Office of Inspector General (OIG) compliance. Until 2 years ago, I had moved away from handling matters involving the Office for Civil Rights (OCR), since there really was not a lot of oversight and enforcement on Privacy and Security. However, a number of things began to happen that forced the government into action, and thus began what I consider, in several cases, to be OCR significantly exceeding its statutory authority by assessing civil monetary penalties beyond the statutory caps.

Over the years leading up to 2017, I handled, or engaged with counsel in, maybe a dozen cases where a violation of the Privacy or Security Rule happened. Typically, we would reach out to OCR, notify them of the incident or breach, work with their team to determine the best course of action, and set out with a solid go-forward corrective action plan to safeguard PHI and ePHI. Seldom was there a penalty attached and, if there was, it was minimal or at least fit the violation. However, starting in 2017, or maybe even in 2016, Congress decided to put some real teeth into the enforcement authority of OCR, and I am here to tell you, they took that to heart and have been on the warpath ever since.

I believe the aggressiveness within OCR can be attributed to the overzealous comments and actions of Director Roger Severino and his influence over the investigators at OCR. In October 2018, “The Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) put on their 11th annual HIPAA conference in Washington, DC. Titled ‘Safeguarding Health Information: Building Assurance through HIPAA Security,’ the two-day event pulled together varied perspectives from government and industry sectors to discuss agency priorities and programs. Day 1 kicked off with helpful insights from OCR Director Roger Severino during which he cited his famous quote from last year’s conference as ‘B.J.E.’ – referring to his statement that OCR was looking for big, juicy, egregious cases for enforcement.”

Source: https://www.wyrick.com/news-insights/big-juicy-egregious-hipaa-enforcement-cases-bje-notes-from-the-ocrnist-annual-conference

What is more concerning is that Director Severino made clear “There are no foreseeable changes to the HIPAA Security Rule on the horizon. Pointing to recurring compliance gaps the agency still sees on a regular basis, Severino noted that many entities are still not even doing the basics. He also emphasized the intentional flexibility of the Security Rule, declining to answer black and white questions about implementation specifications. In short, the agency will not tell you things like how frequently to force password changes. This allows entities of varied sizes and sophistication, resources, and most importantly risk levels, to implement scalable controls appropriate to their environments while allowing for constantly evolving technology.”

Again, this lack of clear “Black and White” guidance demonstrates why OCR will continue to have a difficult time in a lot of cases where “Reasonable” steps to ensure Privacy and Security won’t constitute willful neglect. Additionally, Director Severino stated, “The percentage of lost/stolen devices has gone down substantially while hacking and other attacks have increased substantially. Specifically, compromises stemming from email hacks shot from 11% for 2009-2017 to 31% in 2018 alone.” I believe (and as stated in the above cited source) “The Security Rule will not be changed; covered entities and business associates need to implement scalable controls appropriate to risks within their organizations.” Again, this statement to me demonstrates the subjectivity surrounding Security protocols within the industry given the lack of clear and binding guidance from OCR. Below is OCR’s chart containing all 2018 settlements reached.

Now, I know there are those out there whose focus is on HIPAA Security who will read this and may very well disagree with me, but I believe that when OCR hides behind provisions such as 45 C.F.R. § 164.308(a)(1)(ii)(A) and 45 C.F.R. § 164.308(a)(1)(ii)(B), it creates an environment that becomes an uphill battle for health care entities and the IT or consulting firms that support them. Both provisions are void of any definitive guidance, and OCR investigators claim “Checklists” are insufficient and fail to demonstrate that a thorough analysis of the risks to a system has been performed and completed, even though they themselves use templates and checklists and provide those to the industry on their own websites. Take for example what I consider to be a very comprehensive HIPAA Security Checklist provided by Holland & Hart: https://www.hollandhart.com/pdf/HIPAA_Checklist.pdf. This tool is, in my opinion, very thorough. It addresses each specific section of the statute and compels the user to address each specific safeguard as to whether it is required or addressable. In addition, it provides a status check as to whether the safeguard was completed or is not applicable to the entity. Yet OCR, during a call for a case in which I am involved, indicated this tool is not sufficient even though they “overlaid” it on their own template. Ahh! The hypocrisy of our government agencies at its finest.

Since I am in the middle of a huge case right now on behalf of a law firm, the more I read on the Security Rule’s Risk Analysis Requirements, the more I am convinced of the confusion within the statutes, and the more confident I become in the applicability of templates/checklists (Yes/No/Completed/N/A, etc.). Again, templates alone do not take the place of documenting the steps and outcomes of your Risk Assessment, so make sure you, in consultation with your IT professional(s) and, if necessary, your General or outside Counsel, conduct what in your opinion is “Thorough and Reasonable” for your organization and be prepared to defend it to the hilt.

Take this excerpt from Guidance on Risk Analysis Requirements under HIPAA Security Rule:

[RISK ANALYSIS (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

The following questions adapted from NIST Special Publication (SP) 800-66 are examples organizations could consider as part of a risk analysis. These sample questions are not prescriptive and merely identify issues an organization may wish to consider in implementing the Security Rule:

  • Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.
  • What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit e-PHI?
  • What are the human, natural, and environmental threats to information systems that contain e-PHI?]


These questions all lend themselves to checklists and while they indicate they are not “prescriptive,” the guidance is void of definitive steps an entity must take to ensure a “Thorough and Reasonable” assessment to use OCR’s terms.

As you read through the guidance document, you can focus on the last paragraph of pg. 2 where they talk about the Rule and “addressable” vs. “Required”. “Addressable implementation specification is not optional; rather, if an organization determines that the implementation specification is not reasonable and appropriate, the organization must document why it is not reasonable and appropriate and adopt an equivalent measure if it is reasonable and appropriate to do so.”

Additionally, you can install and complete the SRA Tool produced by the Office of the National Coordinator for Health Information Technology (ONC). You will notice that, at the end of the day, this tool is no different from the tools used by the various experts in the industry you can hire to perform a Risk Assessment. But using this tool, in my opinion, gives your argument more teeth with OCR if necessary, since you are using their own tools and guidance documents. The SRA Tool can be found and downloaded here: https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool

Again, everything issued by HHS and OCR specifically states “Overall, there must be ‘continuous, reasonable, and appropriate security protections.’” This statement further puts an exclamation point on my earlier point regarding OCR investigators overlaying Risk Assessments done by entities and their third-party consultants: when OCR claims your Risk Assessment is not “Thorough and Reasonable” to safeguard ePHI, you can argue the subjective nature of their findings.

In conclusion, my opinion, and more importantly that of other experts in the industry, is that there just is not enough education provided by HHS/OCR on what constitutes a compliant risk analysis from the government’s perspective! What further muddies the waters is the interchangeable use of the terms “Risk Assessment” and “Risk Analysis” by OCR and other governmental agencies. “A risk analysis is focused on how your IT infrastructure works and how it protects the ePHI that is created, transmitted, and received in it, whereas ‘gap analysis’ is focused on how you comply with HIPAA or some other standard of conduct.”

“A risk analysis is a specific administrative safeguard requirement under the HIPAA Security Rule and that is to assess the potential threats and vulnerabilities to all the ePHI in your system.”



In short, there are nine elements of a HIPAA Risk Analysis outlined by OCR:

  1. Scope of analysis

Account for potential risks and vulnerabilities to the confidentiality, availability, and integrity of all ePHI that an organization creates, receives, maintains, or transmits in any form and/or location.

  2. Data collection

Identify where the ePHI is stored, received, and maintained by reviewing past and/or existing projects, performing interviews, reviewing documentation, and using other data gathering techniques.

  3. Identify and document potential threats and vulnerabilities

Identify and document reasonably anticipated threats to ePHI and vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of ePHI.

  4. Assess current security measures

Assess and document the security measures an organization uses to safeguard ePHI, whether security measures required by the Security Rule are already in place, and whether current security measures are configured and used properly.

  5. Determine the likelihood of threat occurrence

Consider the probability of potential risks to ePHI and document all threat and vulnerability combinations, with associated likelihood estimates, that may impact the confidentiality, availability, and integrity of an organization’s ePHI.

  6. Determine the potential impact of threat occurrence

Assess the magnitude of the potential impact resulting from a threat triggering or exploiting a specific vulnerability, and document all potential impacts associated with threats triggering or exploiting vulnerabilities that affect the confidentiality, availability, and integrity of ePHI within an organization.

  7. Determine the level of risk

Assign risk levels for all threat and vulnerability combinations identified during the risk analysis. The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and the resulting impact of threat occurrence. Document assigned risk levels and a list of corrective actions to be performed to mitigate each risk level.

  8. Finalize documentation

The Rule requires the risk analysis to be documented but does not require a specific format. The risk analysis documentation is a direct input to the risk management process.

  9. Periodic review and updates to the risk analysis

Conduct continuous risk analysis to identify when updates are needed. The Security Rule does not specify how frequently to perform risk analysis as part of a comprehensive risk management process. The frequency of performance will vary among covered entities.
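Elements 2 through 8 above describe a workable procedure even though OCR leaves the format open. As an added illustration (this is example code written for this page, not OCR’s, ONC’s, or DoctorsManagement’s tooling), the following Python sketch carries those elements into a small risk register: each threat/vulnerability combination is recorded with its asset, current controls, likelihood, impact and corrective action, a risk level is derived from likelihood and impact, and the register is ordered so the highest risks are addressed first. The three-step Low/Medium/High scale, the scoring rule, and the four sample entries are all assumptions constructed for the example; the Security Rule does not prescribe any of them.

```python
"""Minimal HIPAA risk-analysis register (added example, not OCR/ONC tooling).

Maps to the OCR outline: asset (element 2), threat/vulnerability (3),
current controls (4), likelihood (5), impact (6), risk level and
corrective action (7), and a documentation dump (8).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Qualitative scale.  The Security Rule does not prescribe one; this
# three-step scale and the scoring rule below are assumptions for the example.
LEVELS = ("Low", "Medium", "High")
RANK = {level: i for i, level in enumerate(LEVELS)}   # Low=0, Medium=1, High=2


def risk_level(likelihood: str, impact: str) -> str:
    """Element 7: derive a risk level from likelihood (5) and impact (6).

    The two ratings are summed on a 0-2 scale (0-4 total):
    0-1 -> Low, 2 -> Medium, 3-4 -> High.  Anything outside the scale is
    rejected so an undocumented rating cannot silently enter the register.
    """
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if value not in RANK:
            raise ValueError(f"{name} must be one of {LEVELS}, got {value!r}")
    score = RANK[likelihood] + RANK[impact]
    if score <= 1:
        return "Low"
    if score == 2:
        return "Medium"
    return "High"


@dataclass
class RiskItem:
    """One threat/vulnerability combination with the context OCR asks for."""
    asset: str                          # element 2: where the ePHI lives
    threat: str                         # element 3
    vulnerability: str                  # element 3
    current_controls: Tuple[str, ...]   # element 4
    likelihood: str                     # element 5
    impact: str                         # element 6
    corrective_action: str              # element 7: action tied to the level
    risk_level: str = field(init=False)

    def __post_init__(self) -> None:
        self.risk_level = risk_level(self.likelihood, self.impact)


def build_register(items: List[RiskItem]) -> List[RiskItem]:
    """Order the register highest risk first so corrective actions are prioritised."""
    return sorted(items, key=lambda r: RANK[r.risk_level], reverse=True)


def summarize(register: List[RiskItem]) -> Dict[str, int]:
    """Count entries per risk level (a quick sanity check before sign-off)."""
    counts = {level: 0 for level in LEVELS}
    for item in register:
        counts[item.risk_level] += 1
    return counts


def render(register: List[RiskItem]) -> str:
    """Element 8: a plain-text record; OCR requires documentation, not a format."""
    lines = []
    for item in register:
        lines.append(
            f"[{item.risk_level}] {item.asset}: {item.threat} / {item.vulnerability}\n"
            f"    controls in place: {', '.join(item.current_controls) or 'none'}\n"
            f"    likelihood={item.likelihood} impact={item.impact}\n"
            f"    corrective action: {item.corrective_action}"
        )
    return "\n".join(lines)


# Constructed sample entries (not from any real assessment).
SAMPLE_ITEMS = [
    RiskItem("Staff mailboxes (hosted email)", "Phishing leading to mailbox compromise",
             "No multi-factor authentication on email accounts", ("Spam filtering",),
             "High", "High", "Enable MFA for all mailboxes; run phishing awareness training"),
    RiskItem("Clinician laptops", "Loss or theft of device",
             "Full-disk encryption not verified on every laptop", ("Asset inventory",),
             "Medium", "High", "Verify and enforce full-disk encryption; document exceptions"),
    RiskItem("On-premises backup server", "Flooding of the server room (environmental)",
             "Backups stored only on site", ("Nightly backups",),
             "Low", "High", "Add an encrypted off-site backup copy and test restores"),
    RiskItem("Front-desk workstation", "Visitor views screen from waiting area",
             "Monitor visible to the public", ("Auto-lock after 10 minutes",),
             "Low", "Medium", "Reposition monitor or fit a privacy filter"),
]

if __name__ == "__main__":
    register = build_register(SAMPLE_ITEMS)
    print(render(register))
    print(summarize(register))
```

The point of the scoring function is not the particular matrix (any entity may justify a different one) but that the likelihood and impact ratings, the resulting level, and the corrective action for each combination are all recorded together, which is what elements 5 through 8 ask for and what a bare Yes/No checklist does not capture.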


The more time you take to understand, and the more reasonable your efforts to comply with, the rules and statutes surrounding HIPAA, and more specifically the Security Rule, the better chance you have of avoiding stiff penalties during a HIPAA Breach Investigation. The fines are painful, especially when you hit Tiers 2-4, even with the fines being lowered in 2019. So work hard but, more importantly, work smart!

What to do next…

  1. If you need help with an audit appeal or regulatory compliance concern, contact us at (800) 635-4040 or via email at info@drsmgmt.com.
  2. Read more about our Total Compliance Solution.

Why do thousands of providers trust DoctorsManagement to help improve their compliance programs and the health of their business?

Experienced compliance professionals. Our compliance services are structured by a chief compliance officer and supported by a team that includes physicians, attorneys and a team of experienced auditors. The team has many decades of combined experience helping protect the interests of physicians and the organizations they serve.

Quality of coders and auditors. Our US-based auditors receive ongoing training and support from our education division, NAMAS (National Alliance of Medical Auditing Specialists). All team members possess over 15 years of experience and hold both the Certified Professional Coder (CPC®) as well as the Certified Professional Medical Auditor (CPMA®) credentials.

Proprietary risk-assessment technology – our auditing team uses ComplianceRiskAnalyzer(CRA)®, a sophisticated analytics solution that assesses critical risk areas. It enables our auditors to precisely select encounters that pose the greatest risk of triggering an audit so that they can be reviewed and the risk can be mitigated.

Synergy – DoctorsManagement is a full-service healthcare consultancy firm. The many departments within our firm work together to help clients rise above the complexities faced by today’s healthcare professionals. As a result, you receive quality solutions from a team of individuals who are current on every aspect of the business of medicine.