Sunday, January 21, 2018

HIPAA Security ... Integrity Matters

The HIPAA Security Rule requires Covered Entities and their respective Business Associates to maintain certain Administrative, Physical and Technical safeguards to protect Electronic Protected Health Information ("e-PHI").  Specifically, these safeguards are designed to ensure the Confidentiality, Integrity and Availability of all e-PHI that is created, received, maintained or transmitted by the Covered Entity or its Business Associates.  45 CFR 306(a).

Whereas the Security Rule's Confidentiality requirements support those of the HIPAA Privacy Rule, the two additional goals  -- Integrity and Availability -- are also equally important.  According to the Security Rule, the term "Integrity" means that e-PHI is not altered or destroyed in an unauthorized manner.  The term "Availability" means that the e-PHI is accessible and usable on demand by an authorized person.  45 CFR 164.304.   

Beyond HIPAA, the term "integrity" hails from the Latin word "integer" and typically carries two definitions in most English dictionaries.  The first definition concerns a quality -- the quality of "being honest and having strong moral principles; moral uprightness."  The second definition concerns a state of being -- the state of "being whole or complete, undivided."   For purposes of this discussion, the second definition is most closely aligned with the Security Rule definition.  

HIPAA policies must specify the Administrative, Physical and Technical safeguards that have been adopted to safeguard the Integrity -- or the accuracy and completeness -- of a particular individual's e-PHI.  At a minimum, these policies should incorporate the following:  

  1. A glossary of defined and capitalized terms that incorporates the definitions arising under HIPAA and any other more stringent requirements that hail from state law (e.g., Designated Record Set ("DRS"), e-PHI, Electronic Media, etc.) plus any Covered Entity-specific definitions which typically address, for example, such things as the "legal health record" which is different from the DRS and represents the official business record of the entity for evidentiary purposes (*); 
  2. A provision that addresses the procedures for identifying and managing any erroneous or replaced e-PHI that has been relegated to an "obsolete" folder that technically remains a part of the legal health record;
  3. A provision that incorporates the most stringent record retention requirements adopted by the covered entity, whether under HIPAA, state law or at the direction of the entity's  legal counsel (e.g. legal hold) and/or professional liability carrier (e.g. litigation); and
  4. A provision that addresses the procedures for identifying and managing the destruction of any data following the expiration of all mandated record retention requirements.  

It remains my premise that the adoption of these and other HIPAA policies safeguards not only the state -- or the "big I" Integrity -- of the Covered Entity's information systems but also the quality -- or the "little i" integrity -- of those individuals who conduct patient care and related business operations on behalf of the Covered Entity, all in accordance with applicable requirements.  Truly a win-win in today's complex world.  


(*)  Note:  The DRS includes all PHI whereas the legal health record typically only includes the PHI used to make Treatment decisions.  For additional information, see AHIMA. "Fundamentals of the Legal Health Record and Designated Record Set." Journal of AHIMA 82, no.2 (February 2011): expanded online version.

Monday, January 1, 2018

That Tight Shoe

We brought in the New Year last eve, dining at one of our favorite little Italian restaurants, sitting at the bar eating probably the best Bucatini all’ Amatriciana in town.  We talked about the decision to look forward -- not back -- and to celebrate the many next generation(s) of family, friends, neighbors, students, colleagues, clients and others who continue to give meaning to our life. 
Trust me, it often requires intention (aka attitude) to celebrate the future and to shape our life experiences going forward.  To keep my momentum, I long ago posted a one-page chart from a well-worn book above my standing desk.  The chart lists numerous traits or symptoms that best describe both an “Open” and a “Contracted” life experience …

OPEN                                     CONTRACTED
Ease                                     Effort
Prevailing trust                         Constant worry
Relaxed body                             Congestion
“Can do” attitude                        “Can’t happen” attitude
Collaborative                            Competitive
Curious, asking questions                Judgmental, defensive
Sees opportunities                       Sees obstacles
Generous                                 Withholding
Willing to take risks                    Hyper-cautious
Laughs easily at self                    Takes self too seriously
Energized                                Exhausted
Fighting FOR                             Fighting AGAINST
Resilient                                Resigned
Grateful                                 Keeping score
Releasing things easily                  Hanging on
Makes clear requests and agreements      Unspoken or value expectations
Generative, accountable                  Consumptive, “victim”
Wholehearted, courageous and bold        Conflicted, fearful and timid

Victoria Castle, The Trance of Scarcity (2007)

To celebrate the future is like taking off that tight shoe.  It is a choice that does not happen by itself -- it requires not only intention but also action, especially during these complex times.  For that, be bold and remember Mr. Wendell Berry’s words which always spur me on … “It may be that when we no longer know what to do, we have come to our real work and when we no longer know which way to go, we have begun our real journey.”   Happy New Year. 


Friday, January 13, 2017

HIPAA Business Associates ... How Do I Know Thee?

HIPAA, as amended by HITECH, imposes significant requirements on those persons or entities who qualify as a business associate (BA) as a result of their access to protected health information (PHI) in the performance of services on behalf of a covered entity (CE). 

For example, a BA could be a third party billing company, a shredding company, a law firm handling a Medicare audit appeal, a health care design consultant responsible for re-design of an emergency triage process, or even a third party responsible for storing PHI off-site. In each case, the drafting and negotiation of a business associate agreement (BAA) is an important step in confirming BA duties and obligations related to these service arrangements.   Some level of due diligence is also important before the BAA is executed and the CE is in a position to trust the BA with its PHI.  
To begin, the CE should confirm any and all names that have been used by the BA, whether now or in the past, so as to confirm that none of these names are listed in the Office of Inspector General’s List of Excluded Individuals and Entities (OIG) or the General Services Administration’s System for Award Management (SAM), formerly known as the Excluded Parties List System.  
A review of the OIG Corporate Integrity Agreement database can also confirm any prior enforcement actions that may have involved a prospective BA. Additionally, if the BA maintains certain licenses, registrations or other credentials necessary to perform their services on behalf of the CE, these qualifications should be verified by the CE. Review of business references or a telephone interview with another CE may also be helpful.   
Proof of insurance coverage and some information about claims history should be requested. A general search for any public filings about the BA can provide additional information about their resources, business relationships and reputation. The BA may also be asked to disclose any outside business relationships which might represent a conflict of interest in doing business with the CE.   
Because the BA is subject to HIPAA, as a result of the HITECH amendments, the CE should inquire about the BA’s HIPAA compliance program, including but not limited to the recent completion of a HIPAA security risk assessment process, the adoption of HIPAA policies and procedures, and the extent to which the BA will engage the services of subcontractors to assist in the performance of services. Although not a HIPAA consideration, many CEs take additional steps to confirm the health status of the BA who will have any physical contact with the CE’s workforce or clients, including but not limited to up-to-date vaccination records and negative TB testing results.   
The CE can conduct its due diligence using a range of techniques. The BA could be asked to submit to a formal request for proposal process or the CE may ask the BA to complete and return a due diligence questionnaire. Selected HIPAA compliance documents may be requested as well. Depending on the nature of services to be performed, an in-person interview or a site visit may be in order.   

Once the BA arrangement has been finalized, pursuant to the terms and conditions of the BAA, the CE should adopt certain safeguards to verify, on a regular basis, the identity of any and all persons who perform services, whether in person or remotely, so as to prevent any risk of an unauthorized actor gaining access to CE PHI.  

For example, the CE contracts with a third party shredding vendor.  On a regular basis, the vendor comes on premises and removes secured documents to be shredded.  Without confirming the identification of any vendor employees before removing the documents, there is a serious risk that a "rogue actor" could represent themselves as a vendor employee and walk away with the CE documents, resulting in a serious HIPAA breach incident.  In the case of a remote or electronic arrangement, the CE and BA should also maintain an up-to-date list of those individuals who are authorized to access CE PHI on behalf of the BA, subject to the host of safeguards required under HIPAA security.  
In summary, the use of a well-drafted BAA, in addition to the use of an effective due diligence process, not only makes for a proper introduction to the BA but also serves another important purpose in allowing the CE to educate the BA and to communicate the importance of HIPAA compliance long before the parties sign on the bottom line.   Additionally, after the BAA has been executed, the CE should also institute safeguards to ensure that only authorized individuals perform the designated BA services for the duration of the business relationship.  
If you have any questions or require additional information regarding the establishment of a HIPAA-compliant CE-BA business relationship, please contact me through Integrity Health Strategies.

Tuesday, May 24, 2016

Amateurs

I recently visited the Herman Miller headquarters outside Grand Rapids, Michigan as part of a board retreat for the Nursing Institute for Healthcare Design (NIHD).    Herman Miller has been an innovator in the furniture business for over 80 years.    I left the retreat with a copy of the book, Leadership Jazz, which was written by Max DePree, the former chairman of Herman Miller's board.   An inspiring read, I finished the book before my flight landed in Minneapolis.  

I especially enjoyed the chapter about amateurs.  Frankly, I think we are all amateurs -- curious individuals who like nothing better than learning something new, often with unexpected results.   DePree calls it the "beneficial surprise" that celebrates the amateur's fresh point of view and which often produces a "stunningly elegant solution."    One of my NIHD colleagues likens amateurs to disruptive innovators, the roving leaders who defy definition.  She is spot on.

In addition to my work as a health care consultant and professor, I delight in my work as an amateur. Of course, there are my Wabi Creations that I design as an aspiring maker/artist.   I also enjoy several volunteer roles.  In most cases, the organizations have invited me to the table and welcomed my commitment, my curiosity, my talents.   On occasion, I need a quick "integrity check" when someone refers to me as "self-taught" in contrast to their formally trained, "professional" status.  Stay the course, Susan.  Stay the course.

Indeed, let's celebrate amateurs of all types.  Let's also celebrate the wise leaders who know enough to seek out, welcome and empower amateurs in their organizations.  According to DePree, "leaders can make a college, a business or any organization hospitable to the person without the usual credentials.  The trick is simply to look at merit naked.  Learn to hear the tune despite the noise."

Thank you for the pep talk for us amateurs, Mr. DePree.  Leadership jazz, indeed.

Tuesday, May 17, 2016

The HIPAA Phase 2 Audits ... Here's the Skinny!

The Health and Human Services' Office of Civil Rights (OCR) has initiated Phase 2 of the HIPAA Privacy, Security and Breach Notification Audit Program (Program).  

If you are a HIPAA Covered Entity (CE) or Business Associate (BA), here's the skinny ... 

1.   AUDIT PROCESS.  The Program involves a multi-step process: (a) verification of CE and BA contact information; (b) pre-audit questionnaire and random sampling process to select CE and BA audit subjects; (c) notification letter and document request; (d) desk review; (e) on-site review of CE and BA selected from desk reviews and otherwise; (f) draft report; (g) CE (or BA) comment period; (h) final audit report.  

2.   AUDIT PROTOCOL.  The Program uses an Audit Protocol that is organized around the Privacy, Security and Breach Notification Rules.    http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html  

3.   AUDIT GOAL.  The primary goal of the Audits is to review the policies and procedures for CE and BA compliance with selected Rules.  As with the Phase 1 Audits, the process is primarily a compliance improvement activity; however, OCR may initiate a follow-up compliance review, as necessary.  

4.  COMPLIANCE REVIEWS.  A compliance review may be initiated by the OCR following receipt of a complaint, a breach notification, a media report, an audit report or otherwise, for "no reason." The compliance review is a multi-step process that includes (a) written notification and document request; (b) desk review; (c) on-site review that includes observations, interviews and additional document review that may extend over several days; (d) closing conference.  OCR can also initiate subpoenas and other inquiries, as necessary, to complete the process.  Violations identified as a result of the compliance review may result in voluntary compliance, corrective action and/or resolution agreements that may impose multi-year monitoring and civil money penalties, among other requirements, all subject to a fair hearing procedure.  

5.   AUDIT RESULTS.  OCR will not post a listing of audited entities or the findings of an individual audit which clearly identifies the audited entity. However, under the Freedom of Information Act (FOIA), OCR may be required to release audit notification letters and other information about these audits upon request by the public, subject to FOIA regulations.  

6.   AUDIT READINESS.   How best to prepare for the Phase 2 Audits?  Assemble an in-house work group, print a copy of the Audit Protocol and begin your own self-study of the current policies and procedures and the related forms and documentation that evidence compliance with these policies and procedures.  

For questions or other Phase 2 Audit readiness follow-up, please contact Susan Ziel at Integrity Health Strategies -- sziel@ihsconsultinggroup.com or (317) 819-7704.  

Sunday, January 10, 2016

Interdisciplinary Journal of Partnership Studies

The Interdisciplinary Journal of Partnership Studies is now in its second year of publishing new knowledge and successful applications of partnership in its ground-breaking, open access, electronic format that is accessible to everyone around the world, 24/7.  

The Journal celebrates the partnership paradigm of its Editor in Chief, Riane Eisler, JD PhD (hon), who is the President of The Center for Partnership Studies (Pacific Grove, CA).  With the support of an international board of advisors and a "take action" editorial design team, the Journal disseminates scholarship and creates connections for cultural transformation in order to build a world in which all relationships, institutions, policies and cultures are based on principles of partnership.

The two Journal issues published in 2015 included a host of groundbreaking articles plus conversations with world leaders, Archbishop Desmond Tutu, Peter Senge and Jennifer Buffett.  Additionally, each issue celebrates the work of an artist on its cover.  The upcoming 2016 Journal will publish four quarterly issues. 

There are many ways to contribute to the Journal: 

  • Conversations: Interviews with scholars, thought leaders, and content experts about partnership worldwide.
  • Articles: Scholarly papers from all disciplines about elements of partnership. Examples include analyses, reports of research, essays, and opinion pieces. Suggested maximum length: 20 pages plus reference list.
  • Community Voices: Articles about applications of partnership worldwide. Suggested maximum length: 20 pages plus reference list.
  • Media Reviews: Reviews of books, articles, films, plays, and television and radio programs dealing with themes of partnership. Suggested maximum length: 10 pages.
  • Cover Art: Original artwork in a variety of media, of images related to partnership accompanied by artists’ statements.

For more information, visit the Journal's website, http://pubs.lib.umn.edu/ijps/.

Happy New Year!  

Susan E. Ziel, Managing Editor
Interdisciplinary Journal of Partnership Studies 

Thursday, August 13, 2015

LIQUID NETWORKS ROUNDTABLE

SAMEE/SUSTAINABLE ACTS: MOTHER EARTH’S EMBRACE
PRESENTS A ROUNDTABLE CONVERSATION

LIQUID NETWORKS…YET ANOTHER INTERSECTION FOR THE ARTS AND SCIENCES

SEPTEMBER 17, THURSDAY, NOON – 1:30 PM
UMN Environmental Studies Building           
INSTITUTE ON THE ENVIRONMENT, ROOM #380
1954 Buford Avenue, St Paul Campus

According to Steven Johnson, author of Where Good Ideas Come From, liquid networks connect people and ideas. Based on Johnson’s study, as an idea evolves and expands it enters into chance encounters with initially unrelated bits and pieces which collide to produce amazing new perceptions—likened to neural networks. Great ideas, he contends, do not happen in isolation. He found that most breakthroughs, be they scientific or artistic, occur not in isolation but at a café, coffee house or weekly meeting where many participate, exchange and re-contextualize ideas while interacting with one another. Together we converse to refine and combine our thoughts and experiments, which stimulates ways toward a breakthrough.

SAMEE is the conduit for this exciting program.  SAMEE is an inspirational example of a Liquid Network where the arts and sciences intersect to discover ways to understand and further the sustainability of Mother Earth. In this roundtable conversation, we will attempt a definition of the term Liquid Networks, offer examples, and discuss how Liquid Networks can create community in service for sustainable living and learning.

Faculty:  

Roslye Ultan, UMN/MLS Faculty; SAMEE, Curator: Moderator
Susan Ziel, JD, MPH, BSN, Health Care Consultant/Integrity Health Strategies
Joel Carter, MD, Pain & Palliative Medicine/Park Nicollet Health Services
Teddie Potter, PhD, MS, RN, Clinical Associate Professor UMN School of Nursing