Sunday, January 28, 2018

Recent OCR Resolution Agreement and HIPAA Corrective Action Plan ... Lessons Learned

During December 2017, the Health and Human Services' Office for Civil Rights ("OCR") entered into yet another Resolution Agreement after investigating a serious breach incident involving the electronic protected health information ("e-PHI") of over 2 million patients that was maintained by a Florida health care organization. https://www.hhs.gov/sites/default/files/21co-ra_cap.pdf  As with so many other past investigations, the OCR made findings that the organization lacked a thorough HIPAA security risk assessment and the necessary security measures and review procedures to safeguard the e-PHI maintained on the organization's information system.  Lastly, the OCR determined that the organization had disclosed PHI to third party vendors, acting as business associates, without obtaining satisfactory assurances by way of written business associate agreements.

Under the terms of the Resolution Agreement, the organization was required to pay OCR $2,300,000 to settle the potential civil money penalties associated with the above violations.  Additionally, the Resolution Agreement required the organization to enter into a Corrective Action Plan ("CAP") for a two (2) year term that set forth the following terms and conditions:

  1. Compliance Representative.  Designation of an individual Compliance Representative ("CR") responsible for the direction and oversight of the organization's CAP implementation; 
  2. Security Risk Analysis/Risk Management Plan.  Completion of a thorough risk analysis and risk management plan and documentation of all security measures implemented to reduce all identified risks and vulnerabilities to a reasonable and appropriate level, all within 120 days of the CAP implementation date; 
  3. Policies and Procedures.   Review and revision of certain of the organization's HIPAA policies and procedures with copies submitted to OCR within 90 days, subject to OCR approval; 
  4. Distribution of Policies and Procedures to Workforce.  Adoption and distribution of OCR-approved policies and procedures to all existing and newly hired workforce who were subject to the requirements; 
  5. Ongoing Review and Update of Policies and Procedures.    Routine review and update of these policies and procedures to reflect any changes in applicable requirements, the organization's operations or other OCR guidance; 
  6. Business Associate Accounting/Agreements.  Completion of an accounting of all business associates, in addition to execution of all necessary business associate agreements, with copies submitted to the OCR within 120 days of the CAP implementation date; 
  7. Written Plan for Internal Monitoring of CAP Compliance.    Adoption of a written plan to internally monitor the organization's compliance with the CAP, a copy to be submitted to OCR within 60 days of the CAP implementation date, subject to OCR approval, all of which requires ongoing review and update to reflect any changes in applicable requirements, the organization's operations or other OCR guidance; 
  8. Assessor.    Selection and engagement of a duly qualified "assessor" within 60 days of the CAP implementation date, subject to OCR approval, who is responsible for implementing a written plan that complies with the "assessor's plan" requirements set out in the CAP, again subject to OCR approval, all of which shall result in ongoing assessor "reviews" that are submitted to OCR in regard to the organization's continuing compliance with the CAP; 
  9. Record Retention.   Record retention obligations on the part of the organization, the compliance representative and the assessor; 
  10. Validation Reviews. Agreement to permit OCR, in its discretion, to conduct any validation review necessary to confirm any assessor review or report; and
  11. Mandated Reporting Obligations.    Internal reporting obligations that require all workforce with access to the organization's e-PHI databases to report to the compliance representative any violation of the organization's HIPAA related policies and procedures that come to their attention, all of which shall be investigated and reported to both the assessor and OCR to the extent any investigation confirms a violation that qualifies as a reportable event.  
Much like the terms and conditions of a Corporate Integrity Agreement entered into by health care entities and the Health and Human Services' Office of Inspector General ("OIG"), this CAP sets out a very stringent process by which the health care organization is required to implement, monitor and update its HIPAA compliance program under the direction of a designated "compliance representative" and subject to the ongoing review of the OCR and an external "assessor" process.  For any HIPAA covered entity or business associate that has endured a reportable breach incident, the prompt implementation of an internal corrective action plan that incorporates many of these interventions may be a very useful (and proactive) risk management tool, even before any OCR investigation or other involvement becomes necessary.   Lessons learned.  


Sunday, January 21, 2018

HIPAA Security ... Integrity Matters

The HIPAA Security Rule requires Covered Entities and their respective Business Associates to maintain certain Administrative, Physical and Technical safeguards to protect Electronic Protected Health Information ("e-PHI").  Specifically, these safeguards are designed to ensure the Confidentiality, Integrity and Availability of all e-PHI that is created, received, maintained or transmitted by the Covered Entity or its Business Associates.  45 CFR 164.306(a).

Whereas the Security Rule's Confidentiality requirements support those of the HIPAA Privacy Rule, the two additional goals  -- Integrity and Availability -- are also equally important.  According to the Security Rule, the term "Integrity" means that e-PHI is not altered or destroyed in an unauthorized manner.  The term "Availability" means that the e-PHI is accessible and usable on demand by an authorized person.  45 CFR 164.304.   

Beyond HIPAA, the term "integrity" hails from the Latin word "integer" and typically carries two definitions in most English dictionaries.  The first definition concerns a quality -- the quality of "being honest and having strong moral principles; moral uprightness."  The second definition concerns a state of being -- the state of "being whole or complete, undivided."   For purposes of this discussion, the second definition is most closely aligned with the Security Rule definition.  

HIPAA policies must specify the Administrative, Physical and Technical safeguards that have been adopted to safeguard the Integrity -- or the accuracy and completeness -- of a particular individual's e-PHI.  At a minimum, these policies should incorporate the following:  

  1. A glossary of defined and capitalized terms that incorporates the definitions arising under HIPAA and any other more stringent requirements that hail from state law (e.g., Designated Record Set ("DRS"), e-PHI, Electronic Media, etc.) plus any Covered Entity-specific definitions which typically address, for example, such things as the "legal health record" which is different from the DRS and represents the official business record of the entity for evidentiary purposes (*); 
  2. A provision that addresses the procedures for identifying and managing any erroneous or replaced e-PHI that has been relegated to an "obsolete" folder that technically remains a part of the legal health record;
  3. A provision that incorporates the most stringent record retention requirements adopted by the covered entity, whether under HIPAA, state law or at the direction of the entity's  legal counsel (e.g. legal hold) and/or professional liability carrier (e.g. litigation); and
  4. A provision that addresses the procedures for identifying and managing the destruction of any data following the expiration of all mandated record retention requirements.  
It remains my premise that the adoption of these and other HIPAA policies safeguards not only the state -- or the "big I" Integrity -- of the Covered Entity's information systems but also the quality -- or the "little i" integrity --  of those individuals who conduct patient care and related business operations on behalf of the Covered Entity, all in accordance with applicable requirements.  Truly a win-win in today's complex world.  


(*)  Note:  The DRS includes all PHI whereas the legal health record typically only includes the PHI used to make Treatment decisions.  For additional information, see AHIMA. "Fundamentals of the Legal Health Record and Designated Record Set." Journal of AHIMA 82, no.2 (February 2011): expanded online version.

Monday, January 1, 2018

That Tight Shoe

We brought in the New Year last eve, dining at one of our favorite little Italian restaurants, sitting at the bar eating probably the best Bucatini all’ Amatriciana in town.  We talked about the decision to look forward -- not back -- and to celebrate the many next generation(s) of family, friends, neighbors, students, colleagues, clients and others who continue to give meaning to our life. 
            
Trust me, it often requires intention (aka attitude) to celebrate the future and to shape our life experiences going forward.  To keep my momentum, I long ago posted a one-page chart from a well-worn book above my standing desk.  The chart lists numerous traits or symptoms that best describe both an “Open” and a “Contracted” life experience …

OPEN                                      CONTRACTED
Ease                                      Effort
Prevailing trust                          Constant worry
Relaxed body                              Congestion
“Can do” attitude                         “Can’t happen” attitude
Collaborative                             Competitive
Curious, asking questions                 Judgmental, defensive
Sees opportunities                        Sees obstacles
Generous                                  Withholding
Willing to take risks                     Hyper-cautious
Laughs easily at self                     Takes self too seriously
Energized                                 Exhausted
Fighting FOR                              Fighting AGAINST
Resilient                                 Resigned
Grateful                                  Keeping score
Releasing things easily                   Hanging on
Makes clear requests and agreements       Unspoken or vague expectations
Generative, accountable                   Consumptive, “victim”
Wholehearted, courageous and bold         Conflicted, fearful and timid

Source: Victoria Castle, The Trance of Scarcity (2007)

To celebrate the future is like taking off that tight shoe.  It is a choice that does not happen by itself -- it requires not only intention but also action, especially during these complex times.  For that, be bold and remember Mr. Wendell Berry’s words which always spur me on … “It may be that when we no longer know what to do, we have come to our real work and when we no longer know which way to go, we have begun our real journey.”   Happy New Year.