Healthcare Compliance News

HSCC Publishes Privacy and Security Coordination Guide

The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group, a public-private industry council of more than 400 healthcare providers, pharmaceutical and medtech companies, payers, health IT entities, and government agencies, has released a new guide for healthcare organizations to help coordinate privacy and security functions to improve efficiencies, effectiveness, and overall compliance.

The HSCC said it has found significant evidence that neither regulation nor enterprise and risk management programs are approaching privacy and security with coherent and coordinated policy and practice. Privacy roles are concerned with supporting compliance with laws, regulations, standards, and practices, monitoring internal policies and procedures, identifying gaps, and establishing new policies concerning the handling of electronic and physical healthcare data. Security roles are concerned with identifying vulnerabilities and risks and implementing technical, physical, and administrative safeguards to ensure the confidentiality, integrity, and availability of electronic healthcare data. Within the healthcare sector, privacy and security often function within separate and distinct silos, even though privacy and security have a great deal in common.

The guidance is intended to help organizations identify factors that contribute to disharmony between their privacy and security efforts. Conflicting priorities can lead to a disconnect between privacy and security, which increases organizational risk. The guidance is aimed at privacy and security officers and their teams, and others who are looking to develop best practices for their privacy and security programs and provides practical recommendations for collaborative practices to get privacy and security teams working together more proactively and cohesively.

The post HSCC Publishes Privacy and Security Coordination Guide appeared first on HIPAA Journal.

What is Healthcare Regulatory Compliance?

Healthcare regulatory compliance is the practice of meeting or exceeding the requirements of all applicable federal, state, local, and industry regulations and any voluntary standards a healthcare organization adopts in order to demonstrate a good faith effort to comply with the regulations. Due to the number of regulations and standards a healthcare organization may have to comply with, healthcare regulatory compliance is complex and has the potential for failure in many different areas.

Most healthcare organizations are required to comply with dozens of federal, state, local, and industry regulations. The regulations can cover subjects as diverse as building safety, data security, codes of conduct, the regulation of controlled substances, and the provision of medical assistance in emergency circumstances. To complicate the challenge of healthcare regulatory compliance, some regulations conflict with each other, while others duplicate standards from other regulations.

It can also be the case that some regulations exempt healthcare organizations from complying with some standards, but not with other standards. An example of this scenario is when a state privacy law exempts HIPAA covered entities from complying with its standards relating to Protected Health Information (PHI), but not from complying with its standards for individually identifiable non-health information maintained by the same organization in a separate non-protected record set.

The Importance of Regulatory Compliance in Healthcare

To understand the importance of regulatory compliance in healthcare, it is necessary to understand the purposes of federal, state, local, and industry regulations and why they exist. Although it is not practical to provide a synopsis of – and the reason for – every healthcare regulation, the following list provides a cross section of regulations a healthcare organization may have to comply with.

The Health Insurance Portability and Accountability Act (HIPAA)

The purpose of HIPAA was to reform the health insurance industry. But, due to concerns that the cost of the reforms would be passed onto employers and employees in the form of increased, tax-deductible premiums – and the impact this would have on Treasury revenues – Congress adopted measures to mitigate the costs to the health insurance industry by reducing fraud, waste, and abuse in the healthcare industry and simplifying the administration of healthcare transactions.

The measures to simplify the administration of healthcare transactions led to the HIPAA Privacy, Security, and Breach Notification Rules. These Rules stipulate permissible uses and disclosures of PHI to protect patient privacy, the safeguards required to ensure the confidentiality, integrity, and availability of electronic PHI, and the procedures for alerting individuals when their health information has been accessed, viewed, or acquired without authorization.

The Conditions of Participation in Medicare and Medicaid

The original conditions of participation in federal Medicare and Medicaid programs were published in 1966 by the Social Security Administration to provide a baseline of care for qualifying beneficiaries throughout the country. As the Medicare and Medicare programs expanded, further conditions for participation have been added, and the responsibility for enforcing compliance transferred to HHS’ Centers for Medicare and Medicaid Services (CMS).

The penalties for non-compliance with the conditions of participation are the same as the penalties for non-compliance with HIPAA – plus non-compliant organizations can also be excluded from federal health programs. CMS has yet to issue a civil monetary penalty for non-compliance with the conditions of participation, but has referred non-compliant healthcare organizations to HHS’ Office of Inspector General when there is evidence of fraud, abuse, or misconduct.

HHS’ Office of Inspector General Exclusions List

HHS’ Office of Inspector General (OIG) investigates individuals and organizations suspected of fraud, patient abuse and neglect, or other incidents of misconduct – for example, violations of the Social Security Administration’s Anti-Kickback Statute or the Stark Law. Individuals and organizations found guilty of fraud, abuse, or misconduct are excluded from the Medicare and Medicaid programs in addition to being fined and/or given a custodial sentence.

In the context of healthcare regulatory compliance, healthcare organizations are prohibited from conducting business with, or engaging the services of, an individual or organization that appears on the HHS OIG Exclusions List. Healthcare organizations that violate this condition of participation can themselves be excluded from the program, fined up to $20,000 per violation, and made to repay up to three times the amount claimed for non-compliant services or items.

The Emergency Medical Treatment and Active Labor Act (EMTALA)

Another way in which healthcare organizations can be excluded from federal health programs is by violating EMTALA. Congress passed EMTALA in 1986 to eliminate the practice of “patient dumping” – a practice in which healthcare organizations refused to provide emergency medical treatment to individuals because of their inability to pay. The Act also prohibits healthcare organizations from discharging patients prematurely because of high anticipated treatment costs.

To comply with EMTALA, healthcare organizations must implement policies for ED workforces to ensure an appropriate screening exam is provided and, if the patient has an emergency medical condition, stabilizing treatment is provided or the patient is transferred to a facility with appropriate capabilities. In addition to being excluded from federal health programs, healthcare organizations that violate EMTALA can be fined up to $129,233 per violation and subject to civil damages.

The Occupational Safety and Health Act

The Occupational Safety and Health Act (OSH Act) in 1970 created the Occupational Safety and Health Administration (OSHA). The Administration was authorized to develop standards for workplace safety and health to reduce the number of avoidable accidents, injuries, and workplace illnesses attributable to poor working conditions. The Administration enforces the standards via a program of inspections and investigations in response to accident reports and workforce complaints.

OSHA compliance consists of complying with applicable safety and health standards, maintaining injury and illness reports, and providing safety training to members of the workforce exposed to specific risks (i.e., bloodborne pathogens). Healthcare organizations that fail to comply with the OSHA requirements can be fined up to $161,323 per violation depending on the nature of the violation, the organization’s history of compliance, and its cooperation during an investigation.

Payment Card Industry Data Security Standards (PCI DSS)

PCI DSS is a contractual obligation (rather than a rule or regulation) that has the objective of ensuring the security of debit and credit card transactions and protecting cardholders against fraud, theft, and the misuse of their personal information. The actual standards themselves closely match the Technical Safeguards of the HIPAA Security Rule, so healthcare organizations that comply with the Security Rule will automatically be in compliance with PCI DSS.

However, when personal information and/or payment information is stored independently of PHI, different breach notification procedures apply if the information is accessed, viewed, or acquired without authorization. The procedures are most often governed by states’ data breach rules; but it is important to be aware that some data breach laws extend across state boundaries and apply to citizens of the state regardless of where the breach of personal or payment information occurs.

Food and Drug Administration (FDA) Regulations

Among other responsibilities, the FDA ensures the safety and effectiveness of drugs, biologics, and medical devices. However, because the Administration is the enforcer of more than two hundred laws, regulations, and standards, there is no one-size-fits-all approach to FDA regulatory compliance in healthcare. It is up to each healthcare organization to determine which FDA laws, regulations, and standards apply to their activities and implement compliance programs for each.

To ensure compliance with healthcare-related laws, the FDA’s Office of Regulatory Affairs conducts regulatory assessments, inspects drug facilities, oversees laboratory testing and clinical trials, and investigates fraudulent or other criminal activities that threaten public health. The Office has the authority to seize unregulated goods, obtain injunctions against healthcare organizations operating unlawfully, or pursue criminal convictions through the FDA’s Office of Criminal Investigations.

Physician Payments Sunshine Act /CMS Open Payments

The Physician Payments Sunshine Act is an Act requiring the transparency of financial relationships between healthcare organizations and drugs companies – including suppliers of biologics, medical supplies, and medical devices. The purpose of the Act is to prevent conflicts of interest that could result (for example) in a patient being provided with an unsuitable medication or an unnecessary treatment because the healthcare provider has a financial interest in doing so.

CMS oversees compliance with the Act via the Open Payments Program, which does not prohibit healthcare organizations from receiving payments or items of value from drugs companies, but requires that payments are reported accurately, completely, and in a timely manner. CMS has the authority to audit healthcare organizations in federal health programs for compliance with the Sunshine Act, and can impose civil monetary penalties of up to $1 million per violation for non-compliance.

State Privacy and Data Security Legislation

State privacy and data security legislation can create more compliance headaches for healthcare organizations than the web of federal legislation. To date, thirteen states have passed some form of consumer protection, privacy, and/or data security legislation, while a further eighteen states have legislation at the committee stage or beyond. In many cases, state legislation can increase an organization’s healthcare regulatory compliance obligations by filling the gaps in federal legislation.

An example of this is the Texas Medical Record Privacy Act which defines covered entities as any person or organization that assembles, collects, analyzes, uses, evaluates, stores, or transmits PHI. This means that a healthcare organization that does not qualify as a HIPAA covered entity or business associate still has to comply with the HIPAA regulations in respect of any PHI relating to a resident of Texas – regardless of where the healthcare organization is located.

Local Fire, Building, Noise, and Safety Codes

Local fire, building, noise, and safety codes can also increase an organization’s healthcare regulatory compliance obligations by requiring more stringent protections for patients, the workforce, and the community in which the organization is located. Although the financial penalties for local code violations are minor in relation to the penalties for violations of federal or state regulations, citations can be issued for some unusual violations (i.e., the failure to remove graffiti from a building).

With regards to requiring more stringent protections than federal or state regulations, there are likely examples of this in every location. For example, in Dallas, §403.11.1.3 of the local Fire Code has more stringent qualifications for standby personnel than OSHA; in New York, §28.103.21 of the Construction Code has more stringent injury reporting requirements than OSHA; and hospitals in Atherton, CA, are not be permitted to use gas-powered leaf blowers under §8.16.040 of the Atherton Municipal Code.

Healthcare Regulatory Compliance Issues and Challenges

In addition to the healthcare regulatory compliance issues and challenges that have already been mentioned (i.e., conflicts, duplications, and partial exemptions) a further issue is that – although individual regulations may not change frequently – because a healthcare organization may have to comply with (say) twelve regulations, if each regulation adds or changes a standard once a year, it is the equivalent of a change to the healthcare regulatory compliance requirements once a month.

The frequency of regulatory changes is not necessarily a challenge if, for example, the change relates to a little used process or a process that is used by a small number of the workforce (i.e. electronic signatures in healthcare transactions). However, larger scale changes – such as changes to the HIPAA Privacy Rule – will have an impact on most healthcare organizations, their Notices of Privacy Practices, workforce policies and procedures, and sanctions for impermissible disclosures.

When regulatory changes represent a material change (for example, the changes to disclosures of reproductive health information), it is also necessary for healthcare organizations to provide members of the workforce whose roles are affected by the changes with additional HIPAA training. While it can be the case that the timing of the mandated training coincides with scheduled refresher training, it can equally be the case additional resources may be required to comply with the training requirement.

As one-off events, these healthcare regulatory compliance issues and challenges are usually manageable. However, over the next year or so, a large number of regulatory changes are scheduled that could create simultaneous compliance challenges for organizations impacted by the FDA’s proposals for remote regulatory assessments, the new CMS requirements for hospital epidemic preparedness, and HHS’ recently released Cybersecurity Performance Goals.

The Benefits of Adopting Voluntary Healthcare Standards

Voluntary healthcare standards are standards that most often exceed the healthcare regulatory compliance requirements to better protect patients, healthcare data, or members of the workforce. Examples include the Joint Commission accreditation standards, ISO 7101:2023, SOC 2, and the American Institute of Architects’ Acoustic Guidelines in Healthcare Facilities (which benefits patients, visitors, and members of the healthcare organization’s workforce).

Adopting voluntary healthcare standards often requires just a little more effort than complying with regulatory standards. For example, if an organization already complies with HIPAA, OSHA, and CMS’ conditions for participation in Medicare, there are minimal training, administrative, and documentation requirements to complete before an organization can apply for ISO 7101:2023 certification to demonstrate it has an effective healthcare quality management system.

The benefit of adopting a voluntary healthcare standard in this example is that organizations that achieve ISO 7101:2023 certification must continue to monitor clinical and non-clinical performance to continually improve their processes and results. Healthcare organizations that comply with this voluntary requirement will simultaneously be complying with matching HIPAA, OSHA, and CMS mandatory requirements – mitigating the risk of non-compliance across the matching requirements.

In addition, achieving an accreditation or certification of voluntary compliance not only demonstrates a good faith effort to comply with mandatory healthcare regulations – which can mitigate a penalty for non-compliance in certain circumstances – but it can also enhance an organization’s brand reputation and can give it a competitive advantage. This may be extremely valuable for a business associate being evaluated by a covered entity for a lucrative contract.

How Software can Support Healthcare Compliance Efforts

It is not difficult to see how the number of mandatory regulations and voluntary standards a healthcare organization may have to comply with – and the volume of changes that might occur as a result – can increase the potential for compliance failures. Nor is it difficult to see how a well-resourced compliance team using a mature risk management strategy might still overlook a critical implementation specification due to the number of similar requirements.

To mitigate the risk of being swamped by regulations and standards, or overlooking a critical implementation specification, healthcare organizations should evaluate customizable healthcare regulatory compliance software. Software solutions for healthcare regulatory compliance are getting more sophisticated, and can be used to determine when one standard conflicts with or duplicates another, or when a state regulation partly exempts an organization from compliance.

When configured to meet an organization’s requirements, healthcare regulatory compliance software can produce guided risk assessments for each business unit and, once the risk assessments are concluded, a corrective action plan if compliance gaps are identified. The software can also be used to assess what changes to policies, procedures, and business practices may be required due to changes to or new regulatory standards. Organizations interested in taking advantage of healthcare regulatory compliance software are advised to seek professional compliance advice.

The post What is Healthcare Regulatory Compliance? appeared first on HIPAA Journal.

What is Risk Management in Healthcare?

Risk management in healthcare is the practice of analyzing healthcare practices and processes to identify risks and opportunities, assess their likelihood and potential impact, and implement controls to prevent losses and optimize profitability. Within each organization, the practice of managing risk can be influenced by the nature of the organization’s structure, the organization’s risk culture/appetite, and the resources available to conduct risk analyses.

The Definition of Risk Management in Healthcare

There is no one-size-fits-all definition of risk management in healthcare because a risk in healthcare is defined as the likelihood of a particular threat triggering or exploiting a particular vulnerability, resulting in harm or damage to a patient, an organization, or its workforce. (Abridged from the definition of risk in HHS’ Guidance on Risk Analysis).

Using this definition of risk, the “traditional” definition of risk management in healthcare is the identification, assessment, and minimization of the organization’s exposure to risks in order to improve patient care, reduce liability risks, and prevent financial losses. However, using this definition of risk can lead to the management of risks being conducted by separate business units in “risk silos”.

This can result in a lack of communication, coordination, and oversight which limits the effectiveness of risk management activities. To make risk management in healthcare more effective, there is a growing trend away from risk silos and towards organization-wide “enterprise” risk management in healthcare – defined by the American Society for Healthcare Risk Management (ASHRM) as:

“Enterprise risk management in healthcare promotes a comprehensive framework for making risk management decisions which maximize value protection and creation by managing risk and uncertainty and their connections to total value”.

The ASHRM’s definition of risk management in healthcare suggests that the management of risks should not only serve the “traditional” purpose, but also be used to identify ways in which processes can be improved, healthcare activities can be made more efficient, the demand on healthcare resources can be reduced, and patient satisfaction/workforce retention can be increased.

More about Enterprise Risk Management in Healthcare

The ASHRM’s model for enterprise risk management in healthcare consists of eight “risk domains”.  Not all eight domains will apply in all risk scenarios, but it is important for those with the responsibility for managing risks to be aware of the domains and to consider the possibility of risks and opportunities (both value opportunities and opportunities to learn) existing in each domain.

1.      Operational

Operational risks occur when a vulnerability in an internal process or system – or an event attributable to human error – affects business operations. Such risks could include a failure in the process for data breach incident response, a failure in a data backup system, or a failure by a workforce member to configure software securely which undermines other security measures.

Analyzing healthcare practices and processes in the operational risk domain might not only identify areas where controls need to be implemented to prevent the risks (i.e. adding failover support to the data backup system), but can also identify opportunities for improvement. For example, building DevSecOps best practices into all application development.

2.      Clinical/Patient Safety

The clinical/patient safety domain relates to the delivery of care to patients, residents of care homes, and other recipients of healthcare. Clinical/patient safety risks can include medication errors, surgical mistakes, patient misidentification, hospital acquired conditions, and patient or visitor injuries attributable to slips, trips, and falls or other hazards covered by the OSH Act.

Most potential clinical and patient safety risks are well chronicled, and risk managers should be able to locate risk management checklists that cover these risks. As a note of interest, it was the analyses of clinical and patient safety that led to the Centers for Disease Control and Prevention (CDC) revising its Guidelines for the Prevention of Catheter-Associated Urinary Tract Infections in 2009.

3.      Strategic

Strategic risks are risks associated with the focus and direction of the organization and can include the failure to adapt to changing best practices, technologies, and patient priorities, or failing to act quickly enough when regulatory changes occur. These failures can result in losses to competitors, reputational damage, or enforcement action being taken by regulatory authorities.

As well as applying to operational units, the strategic domain in ASHRM’s model for enterprise risk management in healthcare can apply to business units such as managed care partnerships, media relationships, marketing, etc. As well as identifying risks in these units, an effective risk analysis can also identify ways for each unit to operate more efficiently.

4.      Financial

In the healthcare industry, the financial sustainability of an organization can be at risk from events theoretically under an organization’s control – such as fraud (both internal and external), malpractice lawsuits, regulatory fines, etc. – and events that are outside of an organization’s control, such as increasing capital equipment costs and interest rates, or unpaid bills.

While it is impossible to implement controls that manage risks outside of an organization’s control, it may be possible to identify ways to mitigate the impact of such events. For example, to mitigate the impact of increasing capital equipment costs and interest rates, it may be better to lease capital equipment on a fixed rate basis – potentially saving thousands of dollars across the organization.

5.      Human Capital

An organization’s human capital is its workforce; and, as most healthcare organizations will have experienced during the COVID-19 pandemic, the workforce is the key component of any healthcare organization. As a result, it is important risks to the wellbeing of the workforce are prioritized in order to prevent avoidable illnesses and injuries, low morale, and recruitment costs.

As well as using a risk assessment to identify, assess, and control risks to the workforce, healthcare organizations should use a risk assessment to identify areas in which the wellbeing of the workforce can be enhanced – for example, by implementing policies that encourage members of the workforce to confidentially report workplace violence or sexual harassment.

6.      Legal/Regulatory

The legal/regulatory risk domain includes the failure to identify, manage, and monitor compliance with federal, state, and local laws and regulations – for example, a healthcare organization in Dallas would likely have to comply with at least HIPAA, CMS’ conditions for participation in Medicare and Medicaid, OSHA, the Texas Medical Records Privacy Act, and the City of Dallas Fire Code.

When compliance with laws and regulations of this nature are managed in separate risk silos, the danger exists that compliance efforts will be duplicated. When they are managed holistically, similar compliance requirements can be combined to reduce the regulatory burden. In this example, the fire prevention requirements of the Dallas Fire Code, OSHA, and CMS’ conditions are almost the same.

7.      Technology

The technology risk domain not only covers software and data, but the systems they run on and the devices on which the systems run. In addition, depending on what enterprise risk management activities are conducted in the operational and strategic domains, the technology risk domain can also cover operational processes and automated decision making technologies.

The potential opportunities in this domain depend on the degree of integration between technologies. For example, patient scheduling software integrated with a practice management system and EHR system can improve the patient experience, accelerate billing and payment processes, and support HIPAA compliant messaging (among other benefits).

8.      Hazard

The hazard domain is a catch-all domain for other types of foreseeable risks that could cause business interruption. This domain includes natural disasters and facility issues (i.e. construction, renovation, etc.) and will soon also include hospital preparedness for emerging infection disease epidemics such as the COVID-19 pandemic.

While this domain is a bit of a grey area in terms of risk assessment responsibilities, it provides an opportunity for an organization to demonstrate a commitment to mitigate the impact of risks in the operational, clinical/patient safety, financial, and human capital domains – enhancing an organization’s reputation while protecting its future operational capabilities.

Risk Management Strategies in Healthcare

In its guide to the history of risk management in healthcare and the evolution to enterprise risk management, ASHRM argues the case that every member of a healthcare organization’s workforce is a risk manager – from the housekeeper that ensures the correct germicide is used on the correct surfaces for the correct amount of time to the organization’s CEO.

While it is difficult to disagree with this argument, it is necessary for there to be an oversight of how risks are managed. This involves determining what frameworks, models, and processes are used to identify vulnerabilities, how risks are analyzed in the context of the organization’s risk culture, and what controls are implemented to correspond with the organization’s risk appetite.

However, when risk management strategies in healthcare are executed by separate business units, inconsistencies between the strategies can result in the same frameworks being used in different ways to obtain conflicting results. Even simple probability/harm risk matrixes can produce different results due to ambiguous inputs or qualitative ratings being assigned to quantitatively smaller risks.

It is for this reason that ASHRM advocates an enterprise risk management model (also known as a holistic or integrated risk management model) in which a risk management team liaises with C-Suite Executives to communicate the risk management strategy, coordinate risk management activities, and oversee the controls put in place to prevent losses and optimize profitability.

Enterprise Risk Management in Healthcare Examples

The enterprise risk management model is particularly effective in healthcare because few activities impact just one domain. However, when multi-domain activities are being analyzed, it is important to have “subject matter experts” liaise with the risk management team in order to broaden the assessment of a potential risk and identify opportunities to create value for the organization.

Actual examples of effective enterprise risk management in healthcare do not appear in the public domain. However, ASHRM has produced a theoretical example of how risk assessing a change of process can result in the creation of value across all eight domains – in this case, changing the process of using a transporter to escort all discharged patients out of the hospital in a wheelchair.

The background to this risk assessment is that engaging a transporter to escort discharged patients out of the hospital in a wheelchair fulfils the organization’s duty of care for safe patient discharges. But what would be the risks and the value if this discharge process was used more selectively?

  • Value in the operational domain is acquired by reducing the number of transporters and wheelchairs required for a room turnaround.
  • Patients who can safely walk out of the hospital increase value in the clinical/patient safety domain by eliminating wait times (for a transporter) and vacating rooms quicker for the next admission.
  • The strategic value lies in the fact that a discharge has been performed to the patient’s satisfaction, which can increase confidence in – and the reputation of – the organization.
  • The improved patient throughput – even if by only 30 minutes per patient – can have a positive impact on profitability and other metrics in the financial domain.
  • Reduced transportation requirements may facilitate the better use of resources in the human capital domain, or enable flexible schedules to increase employee satisfaction.
  • Giving patients the choice of whether they would prefer to walk or be escorted increases the legal/regulatory perception that organizations are recognizing patient preferences and rights.
  • If the discharge process becomes discretionary (for patients), existing technologies could be put to better use to support the discharge process and communication during the process.
  • The hazard domain is both win and lose, as there is an increased risk of patients falling, but there is also the reduced risk of fewer wheelchairs being a trip hazard in cluttered hallways.

Why Risk Management is Important to Healthcare Facilities

Risk management is important to healthcare facilities because there are many areas of a healthcare organization’s activities in which vulnerabilities and opportunities may exist. Preventing the exploitation of vulnerabilities while exploiting potential opportunities is a challenging task which is best approached holistically to prevent inconsistencies in risk management strategies and ensure risks are analyzed and controlled according to the same risk culture/appetite.

However, building an enterprise risk management program from scratch, or transitioning from the traditional approach to an enterprise approach, is not without its own challenges. Possibly the biggest challenge is settling on a risk management strategy and risk culture/appetite that everyone can agree on. For example, a Chief Financial Officer or Chief Compliance Office will likely be more risk averse than a Chief Marketing Officer or Chief Business Development Officer.

Once this challenge is resolved, the next challenge is to justify the benefits of enterprise risk management to the Chief Officers who have had to compromise their risk appetites. This can be a difficult challenge to overcome initially due to the different levels of risk awareness in separate business units and because risk management teams will be under pressure to deliver positive outcomes, and this pressure could get in the way of preventing negative outcomes.

One way to overcome these issues is to implement customizable software for managing risks that can be configured by the risk management team with guided risk assessments and automated corrective action plans for each business unit. This solution resolves the issue of different levels of risk awareness, while delegating the responsibility for risk assessments to subject matter experts in each business unit – enabling the risk management team to focus on identifying positive outcomes.

Organizations that are interested in adopting an enterprise approach to risk management in healthcare should discuss their plans with a compliance expert with knowledge of customizable software for managing risks. While risk management is important to healthcare facilities, it is equally important that risk management activities are conducted effectively in order to prevent unmanaged risks resulting in harm, damage, or the loss of a value opportunity.

The post What is Risk Management in Healthcare? appeared first on HIPAA Journal.

NIST Finalizes HIPAA Security Rule Implementation Guidance

The National Institute of Standards and Technology (NIST) has published the final version of its guidance on implementing the HIPAA Security Rule. The document, Special Publication 800-66r2: Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide, was developed by NIST in collaboration with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and guides HIPAA-covered entities and business associates through conducting a risk analysis to identify risks and vulnerabilities to electronic protected health information. The document also identifies activities that HIPAA-regulated entities should consider as part of their information security program and offers guidance on achieving and maintaining compliance with the HIPAA Security Rule and improving cybersecurity posture.

The HIPAA Security Rule sets minimum standards for security and has been in effect since April 2005. Despite being in effect for more than 2 decades, HIPAA-regulated entities are still struggling with compliance. Both sets of HIPAA audits conducted by OCR in 2011 and 2016/2017 identified widespread noncompliance with the HIPAA Security Rule. The second phase of HIPAA audits showed compliance had improved since the first phase of audits, but none of the 63 audited entities achieved the top rating of 1 for risk analysis. A rating of 1 indicates the entity is fully compliant with the goals and objectives of the risk analysis standard of the HIPAA Security Rule. The majority (41) achieved a rating of 3 or 4, meaning minimal or negligible efforts have been put into compliance with the standard. It was worse for risk management, with 44 of the 63 audited entities receiving a 4 or 5 rating. A rating of 5 means the entity did not provide OCR with evidence of a serious attempt to comply with the risk management standard of the HIPAA Security Rule.

While compliance with the HIPAA Security Rule should have improved in the 7 years since the last round of HIPAA audits, the number of healthcare data breaches now being reported suggests otherwise. In 2017, 368 data breaches of 500 or more records were reported to OCR, and 5,131,289 healthcare records were breached. In 2023, 725 data breaches were reported, and more than 133 million records were breached. Hackers have increased their attacks on the healthcare sector in recent years but the number of successful attacks strongly suggests that HIPAA-regulated entities are not fully complying with the risk analysis and risk management provisions of the HIPAA Security Rule.

In February 2023, OCR announced that it is seeking feedback on its audit program which suggests that the HIPAA audit program is about to be resurrected. With OCR in desperate need of funding, the next round of audits may also result in fines for noncompliance. HIPAA-regulated entities should therefore consume the guidance and apply the recommendations to their information security programs.

The post NIST Finalizes HIPAA Security Rule Implementation Guidance appeared first on HIPAA Journal.

February 29, 2024: HIPAA Deadline for Reporting Small Healthcare Data Breaches

The deadline for reporting healthcare data breaches of fewer than 500 records is fast approaching.  These small data breaches usually need to be reported by March 1; however, since 2024 is a leap year, this year’s deadline is February 29.

The HIPAA Breach Notification Rule requires HIPAA-regulated entities to issue notifications to all individuals whose protected health information has been exposed or impermissibly disclosed without unnecessary delay, and no later than 60 days from the discovery of a data breach. HIPAA-regulated entities are also required to report data breaches to the Secretary of the HHS via the Office for Civil Rights (OCR) breach reporting portal.

The HIPAA Breach Notification Rule requires large data breaches – those that affect 500 or more individuals – to be reported to OCR no later than 60 days from the date of the discovery of the data breach, but there is more flexibility for reporting data breaches affecting fewer than 500 individuals. HIPAA-regulated entities must also report these breaches via the OCR breach reporting portal, but they have 60 calendar days from the end of the year when the breach was discovered to report the data breaches.

If a HIPAA-regulated entity chooses to take advantage of this Breach Notification Rule flexibility, the extended time frame ONLY applies to breach reporting to OCR. The individuals who had their PHI exposed or impermissibly disclosed must still be notified about the breach within 60 days of when the breach was discovered.

All data breaches must be reported individually through the OCR breach reporting portal. The breach reports must include details of the breaches and the efforts made to remediate those incidents. If a HIPAA-regulated entity has experienced multiple small data breaches, reporting these breaches may take some time. It is therefore best not to wait until the last minute to report these small data breaches.

The post February 29, 2024: HIPAA Deadline for Reporting Small Healthcare Data Breaches appeared first on HIPAA Journal.

ONC Expands TEFCA with Two Additional Health Information Networks

The Office of the National Coordinator for Health Information Technology (ONC) at the Department of Health and Human Services (HHS) has announced that two new organizations have been designated as Qualified Health Information Networks (QHINs) and have been added to the nationwide data exchange governed by the Trusted Exchange Framework and Common Agreement (TEFCA).

TEFCA was envisioned by the 21st Century Cures Ac to support nationwide interoperability and became operational in December 2023 when the first five QHINs were designated by ONC – eHealth Exchange, Epic Nexus, Health Gorilla, KONZA, and MedAllies. The addition of two new QHINs – CommonWell Health Alliance and Kno2 – brings the total up to seven.

ONC has confirmed that CommonWell Health Alliance and Kno2 can immediately begin supporting the exchange of data under TEFCA and can provide shared services and governance to securely route queries, responses, and messages across networks for healthcare stakeholders including patients, providers, hospitals, health systems, payers, and public health agencies.

“These additional QHINs expand TEFCA’s reach and provide additional connectivity choices for patients, health care providers, hospitals, public health agencies, health insurers, and other authorized health care professionals,” said Micky Tripathi, Ph.D., national coordinator for health information technology. “On behalf of ONC, I want to congratulate CommonWell Health Alliance and Kno2 for their achievement.”

The post ONC Expands TEFCA with Two Additional Health Information Networks appeared first on HIPAA Journal.

5 Best Practices for Healthcare Data Breach Incident Response and Reporting

Healthcare data breach incident response and reporting is a key area of regulatory compliance for organizations in the healthcare industry, yet there are many examples in HHS’ Breach Report where the Office of Civil Rights has had to “provide technical assistance regarding [compliance with] the HIPAA Breach Notification Rule”. This implies that covered entities and business associates are failing to respond to and report healthcare data breaches in a timely manner.  

The Archive section of HHS’ Breach Report is a mine of valuable information about the true causes of HIPAA data breaches. Most of the 5,000+ entries have a dropdown box which reveals the nature of the breach, how it occurred, and the steps taken by the notifying entity to mitigate the consequences of the breach and to prevent it happening again. However, in more than 1,500 cases it is noted the Office for Civil Rights provided technical assistance regarding the HIPAA Breach Notification Rule.

Most of the 5,000+ data breaches were avoidable. Had the covered entity or business associate responsible for the breach implemented reasonable safeguards and provided adequate HIPAA training, many would never have happened. But while there may be excuses for security shortcomings and human errors, there are no excuses for failing to comply with the HIPAA Breach Notification Rule because the few requirements of the Rule need little understanding.

A further cause for concern is that the 5,000+ data breaches in HHS’ Breach Report are data breaches affecting more than 500 individuals. Each year, HHS’ Office for Civil Rights is notified of more than 60,000 data breaches affecting fewer than 500 individuals. If approximately one-in-three of the accessible reports indicate failures of healthcare data breach incident response and reporting, this implies up to 20,000 data breaches each year are not responded to or reported in a timely manner.

What is a Healthcare Data Breach?

A HIPAA healthcare data breach is defined by HHS as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of Protected Health Information (PHI)”. As the Security Rule protects a subset of information covered by the Privacy Rule, the cause of a healthcare data breach can range from a nurse being overheard when discussing a patient’s health condition to a hacker misusing an employee’s credentials to access millions of records in a healthcare database.

It is important to be aware that since 2009, a healthcare data breach includes any event in which PHI is out of a covered entity’s or business associate’s control – i.e., due to a stolen laptop, ransomware attack, etc. Although it may not be possible to determine that an impermissible use or disclosure has occurred, a burden of proof exists for covered entities and business associates to demonstrate an impermissible use or disclosure has not occurred if not responding to or reporting the event.

It is also important to be aware that additional reporting requirements exist in some states, while other states exempt covered entities and business associates from reporting breaches of PHI, but not breaches of individually identifiable information maintained outside a designated record set (i.e., Colorado). Healthcare organizations should bear these additional requirements in mind when applying the following 5 best practices for healthcare data breach incident response and reporting.

5 Response and Reporting Best Practices

The following 5 best practices for healthcare data breach incident response and reporting are the minimum measures a healthcare organization should implement. The best practices follow a logical order and it is important they are conducted as quickly as possible. The longer an individual is unaware their personal information has been compromised, the less time they have to protect themselves against medical identity theft, fraud, and other misuses of the compromised data.

1.      Implement Internal Breach Reporting Procedures

The most important element of healthcare data breach incident response and reporting is getting a message to those responsible for response and reporting as soon as possible. In some cases, Security Incident and Event Management (SIEM) systems can be configured to automatically alert SOC teams to unauthorized network access, but it is more often the case a healthcare data breach is identified by a member of the workforce, a business associate, or a third party – such as a white hat hacker.

In such events, not only is it important for there to be an effective system of communication, but it is also important that internal breach reporting is encouraged by workforce members. It has been estimated that 40% of IT security incidents are “hidden” by workforce members because they believe they will get into trouble if they report them. Tougher sanctions will not resolve this issue, so organizations must develop a culture of forgiveness for IT incidents attributable to human error.

2.      Conduct a Risk Assessment to See if a Breach is Notifiable

While every breach must be responded to, not all are notifiable to affected individuals, HHS’ Office for Civil Rights, and – where applicable – State Attorneys General. Before notifying a data breach, HHS’ Office for Civil Rights recommends conducting a risk assessment to determine whether PHI has been impermissibly used or disclosed. The risk assessment should consist of at least the following factors:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
  • The unauthorized person who used the PHI or to whom the disclosure was made.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which the risk to the PHI has been mitigated.

It is not mandatory to conduct a risk assessment prior to notifying HHS’ Office for Civil Rights of a healthcare data breach; but if a risk assessment finds there is a low probability of PHI having been compromised – or that an exception exists to the HIPAA Breach Notification Rule – organizations can avoid the potential disruption of a compliance investigation. It is also a good business practice not to unnecessarily worry an individual that their personal data has been stolen if you don’t have to!

3.      Advise a Law Enforcement Agency of the Breach

There is a clause in the Breach Notification Rule (45 CFR §164.412) that permits organizations to delay making the required breach notifications if making the notifications would impede a criminal investigation. Without knowing what criminal investigations are ongoing – and notwithstanding that the FBI recommends reporting all Internet crime – it is impossible to determine whether a delay is justified without advising a law enforcement agency of the healthcare data breach.

In addition, it has been calculated that 35% of all data breaches in healthcare are attributable to “insider threats”. It may be in an organization’s best interests to request a law enforcement investigation in order to determine whether a breach is attributable to an insider, and whether it may be repeated. In all circumstances, the law enforcement agency will be able to advise the organization if the organization can go ahead with notifying the breach or if a delay would be advisable.

4.      Notify Individuals and Regulatory Agencies

Subject to the result of the risk assessment and law enforcement advice, individuals who are affected by the data breach should be notified of the data breach as quickly as possible. The content of the notifications and the method of notification are stipulated in 45 CFR §164.404, and it is important to note that the time allowed to notify affected individuals may be shorter in some states than the maximum of 60 days allowed by the by the HIPAA Breach Notification Rule.

With regards to notifying regulatory agencies, the notification requirements vary depending on the size and nature of the breach. For example, HHS’ Office for Civil Rights requires breaches affecting more than 500 individuals to be notified within 60 days, while the limit in Alabama is 1,000 individuals. In addition, in some states it is only necessary to notify data breaches attributable to cybercrime. In these cases, oral and paper data breaches do not have to be notified to the state.

5.      Address the Real Cause of the Breach

Returning to the Archive section of HHS’ Breach Report, many of the data breach descriptions claim the notifying entity or their business associate was the victim of an unspecified cyberattack, ransomware attack, or phishing attack. However, these events do not happen by themselves, and although cybercriminals have access to sophisticated malware, the cybercriminals still have to “get in the door” before the cybercriminals can deploy the malware and execute their attacks.

It has been reported that around 80% of data breaches categorized as “hacking and IT incidents” are attributable to weak, reused, and compromised passwords. Therefore, in terms of addressing the real cause of the breach, healthcare organizations should strengthen password policies, protect sensitive accounts with 2FA, and invest in susceptibility testing. Strengthening all users’ passwords – even those with no access to PHI – is the most effective way to prevent future data breaches.

Keeping Up To Date with Healthcare Data Breach Incident Response and Reporting Best Practices

Healthcare data security is an ongoing process – not only due to the increasing sophistication of internal and external threats, but also due to changing regulatory requirements. Keeping up to date with healthcare data breach incident response and reporting best practices could be vital to safeguard the confidentiality, integrity, and availability of PHI and – as has been proposed – to qualify for participation in CMS’ Medicare and Medicaid programs.

It can be difficult for healthcare organizations to monitor compliance with the healthcare data breach incident response and reporting requirements when compliance with other laws, regulations, and standards also has to be monitored. However, there are software solutions that can help resolve this issue, and organizations interested in investigating software solutions for keeping up to date with all healthcare compliance best practices are advised to seek professional compliance advice.

The post 5 Best Practices for Healthcare Data Breach Incident Response and Reporting appeared first on HIPAA Journal.

Bipartisan Group of Senators Form Working Group to Address Medicare Physician Payment System

A bipartisan group of senators has formed a Medicare payment reform working group which is working on new legislation that will bring long-term reforms to physician payments under Medicare. The new legislation will ensure that healthcare providers receive fair compensation for the services they provide.

For many years, physicians have complained that they are not fairly compensated for providing services under Medicare. The 2015 Medicare Access and CHIP Reauthorization Act (MACRA) made significant strides toward a value-based payment system from a system that paid on quantity, and it aimed to provide physicians with a stable payment system; however, MACRA has not achieved its goals and further action is required to address the reimbursement challenges that come with a system that aligns payment incentives with patient outcomes.

U.S. Sens. Catherine Cortez Masto, (D-NV); Marsha Blackburn, (R-TN); John Barrasso, (R-WY); Debbie Stabenow, (D-MI); Mark Warner, (D-VA); and Minority Whip John Thune, (R-SD) formed the group with the primary goal of investigating and proposing long-term reforms to the physician fee schedule (PFS) and updating MACRA. “As the health care system has evolved since the inception of the Medicare program, the physician payment system has failed to keep pace with the actual cost of care and the improvements in new services and technologies,” explained the Senators. “We believe Congress must make changes to the current Medicare physician payment system to ensure financial stability for providers, improve patient outcomes, promote access to quality care, and incentivize the utilization of emerging health care technology.”

One of the first steps will be to reach out to stakeholders to obtain their feedback on the current problems and potential solutions. The feedback collected will inform the development of policies that will address Medicare physician payment for the long term, increase compensation for physicians who provide services under Medicare, and improve the quality of care for patients.

Action needs to be taken. A 3.4% Medicare payment rate cut took effect on January 1, 2024, on top of a 2% payment reduction in 2023, and the Medicare Economic Index (MEI) was 3.8% last year and 4.6% this year, which is the highest level it has been this century. The American Hospital Association (AHA) recently highlighted that there has been an inflation-adjusted 30% decline in Medicare reimbursement rates since 2001 and the payment freeze will not end until 2026, while the cost of keeping practices open is continuing to soar. “Physicians always put patients first. It is time for our political leaders to prioritize our nation’s physician workforce by correcting the flaws in a Medicare system that unfairly penalizes doctors for the care they provide,” said the AHA. “We can, and must, do better.”

The post Bipartisan Group of Senators Form Working Group to Address Medicare Physician Payment System appeared first on HIPAA Journal.

FDA Issues Guidance on Reporting the Amount of Listed Drugs and Biological Products Under the FD&C Act

The U.S. Food and Drug Administration (FDA) has issued draft guidance to help registrants of drug establishments in submitting reports to FDA on the amount of each listed drug manufactured, prepared, propagated, compounded, or processed for commercial distribution.

In March 2020, the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was enacted to aid response efforts and ease the economic impact of the Coronavirus Disease 2019 (COVID–19). One of the requirements of the CARES Act was to enhance the FDA’s ability to identify, prevent, and mitigate potential drug shortages by improving visibility into drug supply chains.

The CARES Act updated the Federal Food, Drug, and Cosmetic Act (FD&C Act) to require persons who register with the FDA under section 510 of the FD&C Act, including repackers and relabelers, to submit annual reports to the FDA on the amount of each listed drug that was manufactured, prepared, propagated, compounded, or processed by such person for commercial distribution.

“With earlier awareness of persistent or emerging supply chain challenges, FDA is better informed and able to take more targeted and timely actions to promote stronger supply chains and reduce drug shortage risks,” explained the FDA.

The guidance document – Reporting Amount of Listed Drugs and Biological Products Under Section 510(j)(3) of the FD&C Act – describes the process that should be used for submitting reports on listed drugs and clarifies who is required to submit reports, what the reports must include, and the timing of reports. While reports are a legal requirement under the FD&C Act, the guidance does not establish legally enforceable responsibilities, instead, it details the FDA’s current thinking and includes best practices that should be followed.

The post FDA Issues Guidance on Reporting the Amount of Listed Drugs and Biological Products Under the FD&C Act appeared first on HIPAA Journal.