Cost-Effective Protection Against HIPAA Enforcement

Cost-Effective Protection Against HIPAA Enforcement

October 25, 2011 2:00 pm

(Save to cal)

Online

The first webinar of the series discusses HIPAA enforcement and penalties in the event of a HIPAA violation and how to avoid a HIPAA breach using the most cost-effective methods. 

Hosted by Online Tech with special guest speaker Certified HIPAA Security Specialist (CHSS) Joe Dylewski.

 

 

 

View Slides


April Sage: Hi everyone and thanks again for joining us today. Today's webinar will be over "Cost-Effective Protection Against HIPAA Enforcement." I'm excited to introduce our guest speaker today Joe Dylewski, who is going to share his experience as a Certified HIPAA Professional and as a Certified HIPAA Security Specialist with us today. Joe works with large and small organizations as well as covered entities and business associates to help them with their HIPAA Compliance issues. Joe, thanks so much for joining us today.

Joe Dylewski: My pleasure.


April: So Joe, it seems like every week we are witnessing an escalation in the number and severity of patient information breaches. Combining that with the $800 million of medicare and medicaid incentive programs and losses that are reaching upwards of $5 billion, it is no surprise that people are more concerned and placing greater priority in protecting patient data.

At the same time, there is a lot of confusion and we are seeing more complexity and more questions about how to achieve HIPAA Compliance and who exactly needs to be HIPAA compliant. Can we start by talking about who needs to be HIPAA compliant and discuss the best way to get there without breaking the bank?

Joe: Yes, absolutely!


April: So how does a company know if they need to be HIPAA compliant? It's readily obvious that hospitals and physician groups need to be HIPAA compliant, but what about vendors that work with these companies? And companies that may write EMR software that's used in a healthcare setting? Do vendors need to be HIPAA compliant in addition to the covered entities themselves?

Joe: The way HIPAA was written, one of the purposes was to protect and safeguard protected health information (PHI). In doing that, they set aside two classifications of organizations that have their hands on PHI.

  1. Covered Entity - The covered entity is typically the companies who provide the treatment, payment, and operations in healthcare services.
  2. Business Associate - The business associate is an organization that provides services to either a covered entity or another business associate and has potentially physical and or virtual access to PHI.

As of 2009, both of those organizations are now bound to the same set of requirements and regulations.

Another thing to point out is that HIPAA was introduced in 1996, and for the majority of time from 1996 to 2009, the focus was really placed on privacy and making sure how doctors disclosed and used the information. And as you mentioned, with the entire inception of the incentive programs specifically involving small practices to start implementing electronic standards, they really realized that they had to put tighter controls around all of the electronic PHI.

One of the outcomes of that was they recognized that in any type of relationship whether its through a hospital or a small doctor's office, there might be anywhere between 2 to 30 companies that outside the organization that may have access to that PHI.

Just to give you an idea of the impact that we have seen so far with regards to business associates, lets look at some statistics. From September 2009 to August 2011, there were a total of 300 breaches that were reported to the Office of Civil Rights, who enforces HIPAA violations. Business Associates were involved in 20% of those breaches.

However, because business associates have visibility to potentially a number of clients, we will see that the total number of individuals affected (view slides) was in upwards of over 6 million, more than 1/2 of the total. We can also see that under Average Individuals per Breach is also exponentially higher with a business associate even with them being involved in 20% of total breaches during that span.

Because of this, organizations seem to be putting a greater emphasis on the business associates and making sure they have all of the appropriate safeguards in place. So, there is definitely a more concentrated focus on making sure business associates are responsible and I suspect that if there are attendees to the webinar who are business associates, that they have or will be highly scrutinized by their covered entities to somehow produce some sort of HIPAA compliance effort.


April: Joe, where does the liability end? It sounds like anyone who is a direct vendor or a covered entity needs to worry about protecting that patient data. Let's say its a software company writing EMR software and they host their software as a service (SaaS) at a hosting provider like Online Tech, what are the obligations of the hosting provider? When you get farther removed from the covered entity, is there any point along the way where the responsibility for protecting patient data ends?

Joe: Let's present this from the covered entity's perspective because ultimately, the covered entity (doctors offices, hospitals) is ultimately responsible for that data. I will give an example to clarify.

If you have been keeping up with the breach notifications, there was a breach reported at Stanford University Hospital and it was a breach made by a smaller billing and/or accounts receivable collection agency. The negative press that came out of that really was not centered around the business associate, it was centered around Stanford University. As a result of that, it really comes down to risk mitigation from the covered entities themselves.

The way that the Office of Civil Rights (OCR) and Health & Human Services have detailed the levels of breach and how deeply they enforce it is based on how much work you are willing to accomplish. So if I am a covered entity, it is my goal to continue and increase my degree of compliance effort and along the way I am decreasing my compliance risk. So if I look at a covered entity's relationship with a business associate, there are similar steps along the way or a parallel where the more effort I do, the more I decrease my compliance risk.

A lot of people may have been asked to sign a business associate contract. A business associate contract is a document or agreement between a covered entity and a business associate that details the type of work being done, the responsibilities of both the business associate and the covered entity, and also talks about very specific things that the business associate has to do and have in place. I do talk with business associates who are reluctant to sign this document because they feel it puts them in a liable position. The truth is that by not signing the document, it puts them in a willful neglect position. So its always better to understand this by taking the steps along the way, because at the end of the day the individuals and the organizations that enforce this want to see diligent steps as opposed to doing nothing. So the next logical step would be to have a Business Associate Agreement (BAA) in place.

The next logical step would be for that business associate to conduct a risk assessment. A risk assessment is a very specific implementation specification within HIPAA. Out of that usually comes steps to remediation. In which they remediate any deficiencies they find and leading to HIPAA compliance. If I am a covered entity, I would like my business associate to be following this sort of process at some point. The further along they are, the more it decreases my risk and my potential vulnerability.


April: There are a lot of companies that are making claims that they are offering HIPAA compliant solutions, or that they are HIPAA compliant. How do you know? If you are doing business with a partner, what should you ask for? What is the clear indication that a business associate has a HIPAA audit by an independent third party?

Joe: While we get to that, I would also like to go over a business associate's claim to HIPAA compliance. The way I view it is that there are two types of HIPAA compliance.

The first type is solution compliance. There are a number of companies that offer things such as desktop encryption, backup services, document shredding and so forth. What you willl read is that they are offering you a HIPAA compliant service. What that means is that the solution itself has all of the appropriate HIPAA safeguards put into that solution and they supplement whatever you are doing from the organization's perspective to help you achieve that HIPAA compliance.

It is important to understand that by selecting a HIPAA compliant solution, that does not necessarily make you HIPAA compliant from an institutional perspective. So what I typically ask for is "Who has access to the PHI?" For example, if I am an EMR company, there are specific things that the EMR must have to be HIPAA compliant. They include:

  • Encryption of data at rested transit.
  • Login IDs.
  • An audible transaction record.

You always have to look if that particular EMR company is not only providing the software, but they may be providing the hosting of that software in some offsite facility. Or they may be providing support where their personnel have to physically go into a client's database to repair something or make changes. Then they have to make sure that not only is the solution compliant, but also that the organization has all the institutional safeguards, specifications, and requirements in place as well and the bottom line is that there is a good chunk of rules that indicate whether or not you are a business associate. One of the first things I would recommend is to start with a simple checklist. Take what HIPAA requires, go through that, and make the determination of what activities need to be done.

Frankly, the purpose of putting in all of this work is to mitigate the risk of a potential customer who could be a covered entity. When you do all of this work, apart from HIPAA making just good business sense and the need to protect patient information, is that you want to set yourself up in a position where if something did happen. This is also a very important statistic as well. I am also a probability and statistics professor, and if you ask me "What is the probability of being audited by the Office of Civil Rights?" I would say that it is very low. However, you are really not trying to protect yourself from an audit. You have to deal with the day to day occurrences that happen.

The last position you want to be in is to have something unexpected happen, for example a laptop being stolen, and then have to go through these activities. I detailed a couple of slides here with what is required in an investigation. So if I am a business associate or I am a covered entity and I have a breach and I report that breach by law, what is going to be required from me once that breach is reported? I don’t want to go into all of this detail and I am happy to send it to anyone who would like a copy, but ultimately the office of Civil Rights is going to come back and ask for these thirteen bullet points.

You want to have them in a prepared state, because they give you I believe a total of 21 days from the day of the notice to put all of this together and return it to them. It is not always feasible to do all of this work after a breach has already happened. I hear the word daunting a lot and this exercise does not need to be complicated. It is just a matter of being able to draw the line between what does HIPAA require and what are my responsibilities around them.


April: Well it seems like preparing for the worst case scenario certainly would give someone an action plan and a place to begin. What mistakes do you see companies making costing them a lot of unnecessary time and extra money as they are trying to become HIPAA compliant?

Joe: The mistake, I mentioned earlier, is trying to rationalize why they do not have to go through this. It always leads to bad things and ultimately places them in that wilful neglect category, because by definition they are willfully neglecting their responsibilities. That is the first mistake I see being made out there.

The second one, and I have a general feeling that many think HIPAA is around patient privacy. You know we read about some medical center out on the west coast that leaked some celebrities patient information in using their Facebook accounts and that is what gets a lot of the negative press, but what does not get the press is the various breaches that happen because of electronics and technology. So the second mistake I see is people over looking the security portion of it. That is just as important, critical and sensitive as sharing information along the way. Those are the two most common mistakes I see being made.


April: What would you say are the top three things a company can do to become HIPAA compliant as cost effectively as possible?

Joe: The first is understand what HIPAA requires. The second is draw a parallel with an individual business model to understand where your responsibilities lie. And the third is do not hesitate to contact someone who can help you and do not assume that this is something that can be tackled with limited knowledge.


April: Good advice. It looks like we have some great questions along these lines, lets take a look at what some people are asking for some input on. One question near and dear to our hearts here at Online Tech, is would a web hosting company be considered a business associate and if so, what responsibilities do they have if there is no claim of being HIPAA compliant would it still need to be so just, because a health care provider purchases a website from them?

Joe: That is a great question actually and one that I am asked often. Is there protected health information? There has to be some kind of internal analysis to determine if there is exposure or vulnerability around protected health information. If the PHI exists on the premise, then absolutely there are HIPAA compliant responsibilities. The second piece of this for example, is if I am a web hosting company and I put up a portal for patients to submit questions or just have any kind of patient interaction and the likelihood of that patient posting something or submitting a question through an entry form exists, then there are absolutely HIPAA responsibilities. It all centers around the location of the protected health information.


April: It really boils down to where the PHI is located.

Joe: Yes.


April: So here we have got a question from the opposite perspective. We are being asked to sign Business Associate Agreements, but truly we do not need PHI to provide our products to the covered entity and we should not have access to such patient information. How do we convince the covered entity that we do not need a business associate contract, because they should not share that information with us?

Joe: You may not be able to convince them. The larger organizations are making it a requirement to do business and as such you may not be able to convince them. However, there is always the hospitals and covered entities perspective on this and they view visibility to protected health information in a couple different ways. We used the example of PHI residing in a hosted facility. The other way to look at this through a couple of examples is a staffing company. So I have a staffing agency and my employees are working in an environment where they may have some type of physical access or visibility to the protected health information.

So the covered entity may say you are not specifically working with it, but your personnel are in my office everyday and they are either hearing conversations or they have some sort of physical or virtual access potentially to this data so the covered entity is going to err on the side of caution. Again, I look at it from the parallel that I drew. It is safer for the covered entity to blanket these types of policies than to selectively endorse some over the other. From a covered entities perspective, they are going to continue to perform reasonable diligence to make sure their business partners are on board with their compliance policies.


April: That makes a lot of sense in light of the fines that are being levied and everyone wanting to sleep better at night and certainly this is an issue of consternation we are seeing arise more and more.

Joe: That is a great point April and it is important to understand that from a fine perspective there are a number of categories of fines. I know there is a webinar down the road that may talk about some of that, but a lot of this has to do with the covered entity and their effort to mitigate risk and exposure. For example if a business associate were to breach, then that business associate by HIPAA law has responsibilities with the fines.

However, that does not take care of the covered entities damage control with the press and the media, because there are certain things a covered entity must do if there is a breach of a certain size. These breaches you see in the media are the result of a requirement from HIPAA to actually publish this in the mass media so that all of the people effected are somehow notified of this. So the greatest fear a covered entity has in HIPAA is to go out to the news with a press release and report this, because it damages credibility. So they are putting in the extra effort to make sure the right pieces are in place from a business partner perspective.


April: Joe, is there a place where one can find any risk assessment forms they can use to self evaluate?

Joe: There are actually. The place I always direct people is the Department of Health and Human Services website. I will qualify that by saying that every business is different. Every business associate is different and every business associate conducts business differently. You may find going to any site out there that there are a lot of opinions on how this is done and a lot of different ideas about how to do a risk assessment, but the bottom line and easiest thing to do is to look at the HIPAA regulations and compare those to your individual business model and see where the gaps lie. So the first place I would point people is to the HHS website (http://www.hhs.gov) where all of the HIPAA requirements are detailed.


April: I do not know if you are willing to speak about international territory, but we did have a question here asking if business associates in other countries can be held accountable for HIPAA breaches?

Joe: That is a good question. I honestly do not know if there is legal precedence around any kind of enforcement in regards to international companies. However, I would recommend this, if I was a covered entity and I was doing business with an international organization, for example I was hosting any sort of data off-shore, I would go through the rigorous process of making sure that organization was HIPAA compliant and responsible for taking the responsible steps to protect the data.

April: That makes sense. And as someone who is doing business with a business associate would it be expected to sign the same type of contractual obligation as the business associate? I think that is kind of where we come to this how many steps removed do we have to be before the responsibilities end.

Joe: There is a third type of classification that is under the umbrella of the business associate and that is called a subcontractor. The company is a subcontractor to the covered entity. The subcontractor is under the same umbrella of the business associate with the same rules, requirements and regulations as the other two parties are.


April: Great, thanks for that. The last question I see here is what are the component costs for a business associate to be HIPAA compliant? And maybe we can just briefly outline what someone may expect as they are going through the process of being HIPAA compliant and point out those that companies may need to be especially prepared for and set up some outside resources for.

Joe: Sure. There are a couple of steps in the process that are defined. The first is to complete that risk assessment. Whether that is taken on internally or a third party is hired, complete the risk assessment and figure out where the gaps lie. The second phase of that is remediation. The remediation may involve a couple different components. Remediation may require changes to an infrastructure or it may require technical upgrades to an infrastructure.

The second side of that is the policy side. One of the things that HIPAA stresses, and you will notice this from the list I showed earlier, is not only do you need to have the safeguards in place, but how you go about protecting that data is documented in detail as well. An example of that is if I am a company who provides some kind of hosting services that all of the individuals who have potential access to that are given access through an authorization process and that authorization process is documented. Having said that, they will look at the technical pieces in place as well as the policies surrounding those technical pieces. The third piece is to have a final attestation issued after the remediation that says, “Yes, this is where we originally started and here is where we are today and this is what makes us compliant.” If I am a covered entity, I am looking for the document that says I have completed that third step.

April: Is that through a third party, independent audit?

Joe: It does not have to be. For example, we do that work, but it does not have to be. A lot of people rely on companies like ours, because HIPAA is not necessarily clear to everyone and sometimes people need help. The other piece to this is that sometimes the company does not want to be a HIPAA expert, their core competencies lie somewhere else so they look to people to help them.


 

April: Joe, that was some fantastic information. Thanks so much for joining us today. I hope that we had a chance to address most of the questions presented. If your question was not answered, we will be sure to connect you with Joe to follow up on those. Here is his contact information:

Name: Joe Dylewski

Company: President, ATMP Group

Phone: (734)-713-7471

Email: jdylewski@atmpgroup.com



Webinars    |    Online


Get started now. Exceptional service awaits.