HIPAA Updates

Simplified HITRUST CSF Program Helps Small Healthcare Organizations with Compliance and Risk Management

HITRUST has announced that it has updated the HITRUST CSF and has also launched a new CSF initiative specifically for small healthcare organizations to help them improve their resilience against cyberattacks.

While the HITRUST CSF – the most widely adopted privacy and security framework – can be followed by healthcare organizations to improve their risk management and compliance efforts, for many smaller healthcare organizations following the framework is simply not viable: they do not have the staff or the expertise to follow the full HITRUST CSF framework.

Although the HITRUST CSF program is beneficial for smaller healthcare organizations, they do not face the same levels of risk as larger organizations. Given that the risks are lower and that complying with HIPAA already takes up a lot of resources, HITRUST has developed a simpler, streamlined framework that is much better suited to small healthcare organizations.

The new framework – called CSF Basic Assurance and Simple Institution Cybersecurity or CSFBASICs for short – has a more streamlined assessment approach, is easier to understand, yet will still help smaller healthcare organizations with their risk management and compliance efforts.

To develop the pilot CSFBASICs program, HITRUST collaborated with small businesses and the physician community. The pilot is now in the final phase and HITRUST expects to make the CSFBASICs program widely available by Q3, 2017.

Dr. J. Stefan Walker of Corpus Christi Medical Associates (CCMA), a Corpus Christi, TX-based five-physician primary healthcare practice, explained the problem, “I really don’t know many small practices that can comply with all our regulatory obligations, including HIPAA.” Walker went on to say, “We generally don’t have the staff or the expertise, nor can we hire consultants, to manage these programs on an ongoing basis. I honestly didn’t know how my practice could be secure or demonstrate HIPAA compliance, but that was before I had the opportunity to pilot CSFBASICs.”

Enhancements Made to HITRUST CSF and CSF Assurance Program

In addition to the CSFBASICs program, HITRUST has also announced that it has enhanced its HITRUST CSF programs (V8.1 and V9) along with the supporting HITRUST CSF Assurance Program (V9). The updates include new guidance and better assurance and support for healthcare organizations to help them deal with the increase in cyber threats and to improve resilience against those threats.

HITRUST (and the HITRUST CSF Advisory Council) sought input from healthcare industry stakeholders on potential changes and updates to the framework. From the comments received, a number of enhancements have now been made.

HITRUST CSF v8.1, which was made available on February 6, 2017, includes updated content and support for PCI DSS v3.2 and MARS-E v2. The CSF Assurance Program V9 has been enhanced with the HITRUST CSF Assessment also including a NIST Cybersecurity Framework certification, a HIPAA risk assessment and auditable documentation.

The HITRUST CSF v9 update includes the latest OCR Audit Protocol (v2), FEDRAMP support for cloud and IaaS service providers, and the FFIEC IT Examination Handbook for Information Security. The updated version is not expected to be available until July, 2017. That will give HITRUST time to harmonize the new requirements with the current program, to ensure that the changes do not add unduly to the complexity of the framework.

The post Simplified HITRUST CSF Program Helps Small Healthcare Organizations with Compliance and Risk Management appeared first on HIPAA Journal.

Will HHS Secretary Tom Price Ease HIPAA Regulations?

Tom Price was appointed as secretary of the Department of Health and Human Services on February 10, 2017, replacing Sylvia Matthews Burwell. The change in leadership could see a major change in focus at the HHS, which may extend to the HIPAA enforcement activities of the Office for Civil Rights.

The appointment of a new director for the Office for Civil Rights may not be first on Price’s to-do list, although the new HHS secretary is expected to appoint a new OCR director soon. Price’s leadership and choice of OCR director could have a major impact on how OCR enforces HIPAA Rules and how rigorous those enforcement activities are.

Since taking up the position of OCR Director in July 2014, Jocelyn Samuels has overseen a major increase in HIPAA enforcement activity. Last year, Samuels announced 12 settlements (and one CMP) with covered entities that were discovered to have violated HIPAA Rules during investigations into data breaches – a record year of enforcement for OCR.

Jocelyn Samuels also oversaw the launch of the much delayed second phase of HIPAA compliance audits. Last year, the audits finally commenced, with approximately 200 covered entities and HIPAA business associates subjected to a HIPAA compliance desk audit. Full compliance audits have been scheduled for early 2017 as part of the second phase. Samuels was keen to increase financial penalties for HIPAA violators and to ensure non-compliance was identified and corrected, but the leadership changes place future HIPAA enforcement in doubt.

However, given the number of data breaches experienced by the healthcare industry in the past 12 months, it seems unlikely that OCR enforcement efforts will be scaled back.

“As 2016 has seen an acceleration in the number of breaches to patient data, we expect healthcare cybersecurity and privacy protection will be a central focus of the incoming administration. We hope to see a much-needed focus on keeping patient data protected and out of the hands of criminals and malicious insiders,” says Robert Lord, ICIT Fellow and CEO of Protenus.

Could HIPAA Rules be Amended by Price?

HIPAA Rules are viewed by many physicians to be overly restrictive. Tom Price is a physician, and as such, he will be well aware of the burden on doctors to comply with HIPAA regulations. While it is not clear where Price stands on the Privacy, Security, and Breach Notification Rules, he has previously advocated the easing of Meaningful Use burdens by extending the timeline for compliance with the financial incentive program. How his past role as a physician will affect his decisions as HHS secretary remains to be seen.

An update to the HIPAA Security Rule is certainly due, although President Trump has made it quite clear that his administration is against excessive regulation. For each new regulation issued by an agency, two regulations need to be eliminated. The increase in healthcare cybersecurity breaches may warrant an update to the Security Rule and increased regulation, but for the foreseeable future, increased HIPAA regulations are perhaps not to be expected.

Any easing of HIPAA Rules is likely to have a negative effect on data security. Since many healthcare organizations focus their cybersecurity programs toward achieving compliance with HIPAA, any easing of HIPAA restrictions could see cybersecurity efforts scaled back. If covered entities are required to do less to keep data secure, this would likely lead to an increase in healthcare data breaches. HIPAA Rules may therefore remain unchanged for the foreseeable future.

OCR Updates HIPAA Privacy Rule Guidance for Healthcare Professionals

The Department of Health and Human Services’ Office for Civil Rights has updated its HIPAA Privacy Rule guidance for healthcare professionals to help clear up confusion about allowable disclosures of protected health information to spouses, relatives, and patients’ loved ones.

The majority of healthcare professionals are aware that the HIPAA Privacy Rule permits them to share the protected health information of a patient with a relative or loved one. However, the 2016 Orlando nightclub shooting incident revealed that many healthcare professionals are unsure about how the HIPAA Privacy Rule – 45 CFR 164.510(b) – applies to same sex couples.

OCR has confirmed that the Privacy Rule permits a covered entity to “share [PHI] with an individual’s family member, other relative, close personal friend, or any other person identified by the individual, the information directly relevant to the involvement of that person in the patient’s care or payment for health care.” OCR has also confirmed that covered entities are allowed to disclose relevant information “to notify, or assist in the notification of (including by helping to identify or locate), such a person of the patient’s location, general condition, or death.”

The recipient can be a “patient’s family member, relative, guardian, caregiver, friend, spouse, or partner,” but also any other individual that is a nominated personal representative of the patient. A personal representative of a patient must, as far as the Privacy Rule is concerned, be treated as the individual for purposes such as exercising the patient’s Privacy Rule rights, including providing access to their health information. There are limited exceptions, which are detailed in 45 CFR 164.502(g).

OCR has confirmed that covered entities are permitted to share a patient’s PHI with same-sex partners, and explains that the list of potential recipients of PHI is in no way affected by an individual patient’s sex or gender identity, and neither by the sex or gender of the potential recipient.

OCR also sought to confirm who can be classed as a personal representative of the patient, saying “the Privacy Rule generally looks to state laws governing which persons have authority to act on behalf of an individual in making decisions related to health care.”

For example, if a state grants legally married spouses health care decision making authority for each other, a covered entity would be in violation of the Privacy Rule if access to the patient’s information was not granted if requested by a spouse, regardless of the sex of that individual.

While the covered entity should seek permission from the patient concerned prior to sharing information, in cases when the patient is incapacitated or not available, covered entities should use their professional judgement if the sharing of information is in the patient’s best interest. Should a patient be deceased, information can be shared with a person who has been involved in the patient’s care or who has made payment for medical services prior to the patient’s death.

OCR’s Privacy Rule clarification can be found – and downloaded – from the HHS on this link.

OCR Warns Healthcare Organizations of Fake HIPAA Audit Emails

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a warning to healthcare organizations about a new phishing email campaign that uses an official-looking OCR letterhead and the signature of OCR Director Jocelyn Samuels.

Phishing emails usually encourage the recipients to click on malicious links that direct them to websites where malware is downloaded, to open infected email attachments, or to reveal sensitive information. In this case, the emails contain a link to the website of a cybersecurity firm. The website does not appear to be malicious in nature, instead, the email appears to be a marketing ploy to get healthcare organizations to sign up for the firm’s services.

The firm uses the HIPAA compliance audits to lure email recipients into clicking on the link. The emails claim to be official communications about the current round of HIPAA compliance audits and the possible inclusion of the recipient’s organization in the audit program.

Samuels says in OCR’s official email about the scam, “In no way is this firm associated with the U.S. Department of Health and Human Services or the Office for Civil Rights.” Samuels also said OCR takes the unauthorized use of OCR material very seriously, although no mention is made of whether any action will be taken against the firm.

The warning was sent via email on November 28 and a follow-up email was sent on November 30 providing further information about the scam. The second communication includes the email address that is being used by the cybersecurity firm – a variation of the official email address used by OCR to communicate with healthcare organizations that have been selected for a HIPAA compliance audit.

OCR communicates with healthcare organizations about HIPAA audits using the email account OSOCRAudit@hhs.gov. The fake emails from the security firm have been sent from the email account OSOCRAudit@hhs-gov.us. Registering a lookalike domain is a common tactic used by spammers and scammers to make their email campaigns appear genuine. In this case, the lookalike domain was registered on November 18, 2016 by a cybersecurity firm based in Miami, Florida.

The incident highlights how important it is for healthcare organizations to exercise caution when opening and responding to any official-looking email about HIPAA compliance. If in any doubt about the authenticity of an email from OCR relating to the HIPAA compliance audits, an email should be sent to OSOCRAudit@hhs.gov to confirm whether the email is genuine. If in any doubt about a domain, a WHOIS lookup (for example, on whois.com) will show who registered it.
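The sender check described above can be automated in a mail-gateway rule or a mailbox triage script. The following Python is an added example, not code from OCR or HIPAA Journal: the only addresses taken from the article are OSOCRAudit@hhs.gov (the genuine mailbox) and OSOCRAudit@hhs-gov.us (the imitation). Every other sample header, the subdomain rule, the display-name rule and the collapse-and-compare heuristic are constructed assumptions for illustration.

```python
"""Classify a From: header against an expected official sender domain.

Added example (not OCR's or HIPAA Journal's code). Only OSOCRAudit@hhs.gov
and OSOCRAudit@hhs-gov.us come from the article; the remaining sample
headers and the matching heuristics are constructed for illustration.
"""
import re
from email.utils import parseaddr

# Domain OCR uses for audit correspondence, per the article.
OFFICIAL_DOMAIN = "hhs.gov"


def sender_domain(from_header):
    """Return the lowercase domain of the address in a From: header, or None."""
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def _collapse(domain):
    """Drop dots, hyphens and underscores: 'hhs-gov.us' -> 'hhsgovus'."""
    return re.sub(r"[.\-_]", "", domain)


def _lookalike_forms(domain):
    """Collapsed spellings of a domain, with and without its last label.

    'hhs-gov.us' -> {'hhsgovus', 'hhsgov'}; the second form is what makes it
    collide with the collapsed official domain 'hhsgov'.
    """
    labels = domain.split(".")
    forms = {_collapse(domain)}
    if len(labels) > 1:
        forms.add(_collapse(".".join(labels[:-1])))
    return forms


def _edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, official=OFFICIAL_DOMAIN):
    """Return one of: official, display-name-impersonation, lookalike,
    external, unparseable."""
    domain = sender_domain(from_header)
    if domain is None:
        return "unparseable"
    # The exact domain or a subdomain of it (e.g. ocr.hhs.gov) counts as official.
    if domain == official or domain.endswith("." + official):
        return "official"
    # Official domain shown in the display name but not in the real address.
    display, _addr = parseaddr(from_header)
    if official in display.lower():
        return "display-name-impersonation"
    # hhs-gov.us, hhsgov.com: separators moved or a suffix appended.
    if _collapse(official) in _lookalike_forms(domain):
        return "lookalike"
    # hss.gov: a single-character typo of the official domain.
    if _edit_distance(domain, official) <= 1:
        return "lookalike"
    return "external"


def triage(from_headers, official=OFFICIAL_DOMAIN):
    """Map each From: header to its classification (for a mailbox sweep)."""
    return {h: classify_sender(h, official) for h in from_headers}


if __name__ == "__main__":
    # Constructed sample headers; only the first two addresses are from the article.
    SAMPLES = [
        "OSOCRAudit@hhs.gov",
        "OCR Audit <OSOCRAudit@hhs-gov.us>",
        "OCR Audit <audit@ocr.hhs.gov>",
        '"OSOCRAudit@hhs.gov" <audit@mail.example.net>',
        "OCR Audit <audit@hss.gov>",
        "Newsletter <news@example.com>",
    ]
    for header, verdict in triage(SAMPLES).items():
        print(f"{verdict:28} {header}")
```

Anything classified as lookalike or display-name-impersonation is a candidate for quarantine or for the confirmation email to OSOCRAudit@hhs.gov that the post recommends; the heuristics deliberately err toward false positives, since a human confirms the verdict before any reply is sent.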