Most people in the industry believe HIPAA requires notification of a breach to the federal government and affected individuals within 60 days of discovery (unless preempted by state requirements). However, HIPAA’s breach notification timeline is actually “without unreasonable delay,” but not longer than 60 days after the breach was discovered.
Therefore, 60 days is the absolute maximum amount of time permitted, but a shorter timeframe might be reasonable, and thus, ‘required.’
This can be a challenging requirement to comply with, as what is actually required is highly fact-specific. There is little – if any – formal guidance to assist in determining what type of delay might be reasonable and what might be unreasonable. The best tactic is not to focus on the 60-day aspect, but to conduct a swift and efficient incident investigation and breach determination. Completing that within the 60-day window, and notifying the respective regulators and affected individuals within that timeframe, would eliminate any question of whether the notification was reasonable. The worst case would be having been able to effectuate notice sooner, but instead delaying notice until closer to the 60-day ceiling. That would seemingly be an unreasonable delay, and could result in increased penalties.
Breach notification is never a pleasant situation, especially not for those potentially affected. HIPAA is drafted to provide timely notification to those affected, while still allowing flexibility to conduct a thorough and proper investigation. While HIPAA may allow up to 60 days for notification, a shorter timeframe is often both reasonable and most appropriate.
Most people with even a casual understanding of HIPAA realize there is a great deal of gray area involved in the implementation of the Rule. This is another way of saying lawmakers intended to provide the regulators with flexibility in HIPAA enforcement. After all, this is a Rule that applies to everything from single doctor practices to multiple-site hospital systems. It is this flexibility – specifically regarding “addressable specifications” of the Security Rule – that makes HIPAA such an implementation nightmare. However, navigating the gray areas, and determining what is “reasonable and appropriate” for your organization is not as challenging as it may seem.
First, you must establish what you need to analyze to determine whether a safeguard is “reasonable and appropriate.” HIPAA provides the factors as follows:
- The size, complexity and capabilities of the organization;
- The technical infrastructure, hardware, and software capabilities;
- The costs of the safeguards being considered; and
- The probability and criticality of potential risks to PHI.
Once the criteria are established, the method of analysis must be determined. The Rule provides the answer to that as well: a Security Risk Analysis. This is a systematic approach to identifying organizational risks and vulnerabilities and determining their likelihood. There are many risk analysis tools available on the market; HHS even provides one free of charge. The two most important things to consider when completing a risk analysis are 1) ensuring it covers your entire organization, and 2) ensuring it is well documented.
Once you are equipped with the information from the risk analysis, you will understand the scope of your risks.
Based on your organization’s size, complexity, technical capabilities, and associated costs you will then be able to clearly determine what safeguards are required.
The FBI announced last week that cyber criminals are targeting the medical and dental industries through File Transfer Protocol (“FTP”) services operated in “anonymous” mode. The criminals are exploiting this vulnerability to inappropriately access Protected Health Information (“PHI”).
According to the FBI, the anonymous extension of FTP allows a user to authenticate to the FTP service with a common username like “anonymous” or “FTP” without submitting a password, or by submitting a generic password. The criminals are also using FTP servers that run in anonymous mode and are configured to allow “write” access to store malicious tools or launch targeted attacks. Any misconfigured or unsecured server operating on your network exposes any PHI on the network to unauthorized access, and thus to a HIPAA breach.
To correct this vulnerability, you should ask your IT staff to check your networks for FTP servers running in anonymous mode. If there is a legitimate business reason for operating a server in anonymous mode, you should ensure no PHI is stored on that server.
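The following is an added example, not code from the original post or from the FBI notice, of the check the previous paragraph describes, applied to one common Unix FTP daemon. It audits a vsftpd.conf for the settings that enable anonymous login and anonymous write access (key names and compiled-in defaults are taken from the vsftpd.conf(5) manual), and scans vsftpd-style log lines to report which anonymous sessions logged in and what they uploaded. The configuration samples and log lines are constructed for the demonstration.

```python
"""Audit a vsftpd FTP server for anonymous-mode exposure (added illustration,
not the original post's code). Config keys and defaults follow vsftpd.conf(5);
sample config and log lines below are constructed for offline demonstration."""
import re
from dataclasses import dataclass, field

# Compiled-in vsftpd defaults for the keys that matter. Note anonymous_enable
# defaults to YES, so a config that never mentions it is still exposed.
DEFAULTS = {
    "anonymous_enable": "YES",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
}


def parse_vsftpd_conf(text):
    """Return {key: value} from vsftpd.conf text, skipping comments and blanks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_conf(settings):
    """Return a list of findings; an empty list means no anonymous exposure."""
    eff = {k: settings.get(k, d).upper() for k, d in DEFAULTS.items()}
    findings = []
    if eff["anonymous_enable"] == "YES":
        findings.append("anonymous login enabled (anonymous_enable=YES)")
        # Anonymous writes need the global write switch plus the anon-specific one.
        if eff["write_enable"] == "YES" and eff["anon_upload_enable"] == "YES":
            findings.append("anonymous users may upload files (anon_upload_enable=YES)")
        if eff["write_enable"] == "YES" and eff["anon_mkdir_write_enable"] == "YES":
            findings.append("anonymous users may create directories (anon_mkdir_write_enable=YES)")
    return findings


# vsftpd.log entry shape, e.g.
# Tue Mar 28 10:15:02 2017 [pid 4021] [ftp] OK LOGIN: Client "10.0.0.5", anon password "x@y"
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) \[pid (?P<pid>\d+)\] \[(?P<user>[^\]]*)\] '
    r'(?P<status>OK|FAIL) (?P<action>[A-Z]+): Client "(?P<client>[^"]+)"(?P<rest>.*)$'
)


@dataclass
class AnonReport:
    logins: int = 0                               # successful anonymous logins
    clients: set = field(default_factory=set)     # source addresses of those logins
    uploads: list = field(default_factory=list)   # (client, path) written anonymously


def scan_log(lines):
    """Correlate anonymous logins with later writes in the same session (pid)."""
    report = AnonReport()
    anon_sessions = {}  # pid -> client address
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "OK":
            continue
        if m["action"] == "LOGIN" and "anon password" in m["rest"]:
            report.logins += 1
            report.clients.add(m["client"])
            anon_sessions[m["pid"]] = m["client"]
        elif m["action"] in ("UPLOAD", "MKDIR") and m["pid"] in anon_sessions:
            path = re.search(r'"([^"]+)"', m["rest"])
            report.uploads.append((m["client"], path.group(1) if path else "?"))
    return report


# Constructed samples: a risky configuration next to a hardened one.
RISKY_CONF = "listen=YES\nanonymous_enable=YES\nwrite_enable=YES\nanon_upload_enable=YES\nanon_root=/srv/ftp\n"
HARDENED_CONF = "listen=YES\nanonymous_enable=NO\nlocal_enable=YES\nwrite_enable=YES\nssl_enable=YES\n"

SAMPLE_LOG = [  # constructed vsftpd-style entries
    'Tue Mar 28 10:15:02 2017 [pid 4021] [ftp] OK LOGIN: Client "10.0.0.5", anon password "mozilla@example.com"',
    'Tue Mar 28 10:15:09 2017 [pid 4021] [ftp] OK UPLOAD: Client "10.0.0.5", "/pub/incoming/tool.exe", 245760 bytes, 812.34Kbyte/sec',
    'Tue Mar 28 10:17:44 2017 [pid 4033] [jsmith] OK LOGIN: Client "10.0.0.9"',
    'Tue Mar 28 10:18:01 2017 [pid 4033] [jsmith] OK UPLOAD: Client "10.0.0.9", "/home/jsmith/report.pdf", 1024 bytes, 12.00Kbyte/sec',
    'Tue Mar 28 10:20:30 2017 [pid 4040] [ftp] OK LOGIN: Client "10.0.0.7", anon password "?"',
    'Tue Mar 28 10:21:00 2017 [pid 4041] [ftp] FAIL LOGIN: Client "10.0.0.8"',
]

if __name__ == "__main__":
    for name, conf in (("risky", RISKY_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_conf(parse_vsftpd_conf(conf)) or ["no anonymous exposure"])
    print(scan_log(SAMPLE_LOG))
```

Run it against a real `/etc/vsftpd.conf` and `/var/log/vsftpd.log` by reading those files into `parse_vsftpd_conf` and `scan_log`. The config audit applies the daemon's defaults for keys that are absent, which is the case most often missed: a server whose config never sets `anonymous_enable` is anonymous-enabled. The log scan ties uploads to the session that performed them by pid, so an authenticated user's uploads in the same log are not mistaken for anonymous writes.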
As we discussed in Part 1 of this blog, becoming secure and compliant doesn’t have to be overwhelming or cost-prohibitive. There are several software solutions to guide your project and allow you to focus on only what you really need to do. This can make being HIPAA compliant a cost-effective and potentially revenue-enhancing initiative. So what steps should you take right now?
At a minimum you should complete basic HIPAA HITECH security activities to minimize risks and be prepared to respond to business partners and new customer requests. This means completing at least the following:
- Risk Assessment to understand where PHI is stored and used, identify critical technology risks that must be controlled, and understand what mitigating actions need to be taken.
- Gap Analysis to prioritize remediation activities and develop a work plan to systematically close identified requirement gaps.
- Workplan to have a plan and strategy so progress can be measured and tracked.
- Remediate Critical Risks and Implement Mitigating Controls to reduce risk and implement a secure and protected environment. Key activities include:
  - Develop and implement core security and privacy policies and procedures.
  - Implement ongoing monitoring tools to secure your technology, networks and physical environments.
  - Develop Core Risk Management Plans including:
    - Incident Response
    - Contingency/Business Continuity
    - Physical Security
  - Conduct workforce training to ensure staff understand what security risks exist and what actions every staff member must take daily to maintain a secure environment.
The other key initiative to reduce risk is to ensure you have Business Associate Agreements (BAAs) in place with any organization you exchange PHI with. Here are some quick Business Associate Agreement best practices:
- Single Repository: Your organization should have one place where all executed Business Associate Agreements are stored. There should also be a master list of all organizations you receive, transfer and/or store PHI data with.
- Good Contracting Practices: If your organization receives a Business Associate Agreement for signing, ensure that it has been reviewed by your attorney beforehand. Small changes can have significant consequences in these agreements.
- Due Diligence: When entering into a new business associate or subcontractor relationship, ask two important questions about their HIPAA preparedness: Have they done a risk assessment in the last year, and who in the organization will be the Chief Compliance Officer? Remember, you have an obligation to end the transfer of PHI to any organization you have reason to believe is not able to safeguard the data.
- Audit: Review your Business Associate Agreements at least once a year. Also, look at all vendors you do not have Business Associate Agreements with and make sure you are not transferring PHI with these organizations.
In summary, the time for taking effective steps to secure protected health information is now. Debt buyers, medical billers and debt collectors are coming under the microscope of regulators and business partners and must be able to demonstrate their safeguard protocols. As businesses and consumers become ever more computer savvy and as large data breaches are announced frequently, they are already asking “is my Personal Healthcare Information data secure and do you follow good security and privacy practices?” As technology advances and interoperability becomes more prevalent, the standards for doing business in this environment will rise.
When Can You Accurately Say You Are HIPAA Compliant?
If you have been paying attention to the healthcare industry you have probably noticed the phrase “HIPAA Compliant” being tossed about with increasing frequency. In some instances it is used by healthcare practices in an effort to reassure their existing patients or potential new patients that their data is safe. Other times, “HIPAA Compliant” has been used by vendors as a descriptor of a service or technology. These claims raise the questions: “When were you compliant?” and “Who decided you were compliant?”
Determining HIPAA compliance is a constantly moving target. If you are determined compliant today, but fail to train a new hire tomorrow, you are no longer compliant. A business or technology that wants to say it is compliant must do more than have technology in place that meets HIPAA’s required security safeguards. Instead, it must be able to demonstrate it has implemented appropriate safeguards over a significant period of time (three to six months). Additionally, the organization must demonstrate these protections are in place to an unbiased third party that will validate the implementation and utilization of these safeguards. This requires producing not only all the policies and procedures that verify safeguards are in place, but logs and records to validate they are utilized in practice.
Unfortunately, our industry does not have a group in a position to offer this type of validation for the vast majority of the market. Therefore, we must proceed with caution when vetting new partners or technologies.
Spend some time looking under the hood and kicking the tires before deciding to share PHI with a new partner. Unfortunately, you cannot take all claims of HIPAA compliance at face value.
It Pays to Be HIPAA Compliant!
Technology is rapidly changing, and as healthcare providers and vendors to the medical profession, we must all recognize our roles in the safekeeping of our patients’ health information in a world of ever-increasing threats to the security of that data. Business Associates like Billing and Collection companies, Application Developers and Data Analytics Companies must be compliant with the HIPAA HITECH regulations. We must ensure the security and privacy of personal health information (PHI) and fully comply with the HIPAA HITECH requirements.
If you handle PHI, you are a business associate and must comply with all the HIPAA HITECH requirements, including critical items like performing periodic risk assessments, documenting and implementing security and privacy policies and procedures, conducting HIPAA awareness training, and regularly testing disaster recovery and business continuity plans. But you may ask: “Should I worry if I’m not compliant? Could my business operations be disrupted by a data breach? Am I prepared if my customers and partners require me to be HIPAA compliant?” The answers to all of these should be an unqualified Yes.
The risks are real and they need to be managed. Here are just a few:
- There have been years of underinvestment in technology (especially security) in both the healthcare and medical billing/collections industries
- Healthcare records contain large amounts of personal information
- Mass digitization of patient data has greatly increased attack opportunities
- The value to thieves of a healthcare data record is 50 times that of a credit card record
- Mobile devices have become the primary computing vehicle, increasing the potential for loss and theft
A KPMG study reported that 81% of healthcare organizations have been hit with a breach in the last two years. Some speculate that number could be even higher given that there could be some data breaches that remain undetected or go unreported. Furthermore, over 50% of respondents believe healthcare related organizations will remain the industry most at risk in 2017. What do you think is the largest privacy and security threat in your organization?
Most business associates have similar gaps. Do any of these describe your organization?
- Incomplete or out-of-date risk assessment;
- Missing security and privacy policies and procedures;
- Limited or no HIPAA awareness training;
- Untested disaster recovery plans;
- Ad hoc data breach incident response;
- Limited or no encryption of PHI; and
- Unmonitored access controls.
Being HIPAA HITECH compliant can pay dividends to your organization. It can help you generate more revenue and increase new potential business opportunities. If you haven’t already noticed, more and more business partners are asking, “Are you HIPAA compliant?” Many will not work with you if you can’t answer affirmatively to that simple question. Being HIPAA compliant can also be a business development differentiator; reduce the impact of a costly lawsuit over PHI mishandling or access; prevent reputational damage and consumer mistrust; and minimize potential fines from breaches and audits.
While not easy by any standard, becoming secure and compliant doesn’t have to be overwhelming or cost-prohibitive. This investment will pay for itself many times over. Part 2 of this blog will show you what you need to do. So get ahead of the curve. Bottom line: it pays to be HIPAA compliant!