2009 HIPAA forecast
Partly cloudy with enforcement likely and a chance of legislation
Now that 2008 is in the books, it’s time to look ahead to 2009 and explore the privacy and security challenges awaiting providers in the new year. So we asked our experts to weigh in on what they believe could be the defining issues of 2009.
Disaster recovery planning
Disaster recovery planning has always been a challenge, but it will pick up steam in 2009 because of the continued automation of healthcare records in the industry, says William M. Miaoulis, CISA, CISM, manager of HIPAA Security Services at Phoenix Health Systems in Montgomery, AL. To know whether your current disaster plan is up to par, Miaoulis says providers must first ask themselves these important questions:
- If your computer systems went down, would you have access to medication history and lab results?
- What would be the effect on your current patients?
- Would the way you deliver care be affected?
“All too often, healthcare organizations are not prepared to treat patients in the event of a loss of computer processes,” he adds. “Patient safety requires organizations to conduct a HIPAA application and criticality analysis (business impact analysis), which I believe should focus on a patient impact analysis.”
Minimum necessary standard
The minimum necessary standard, a key protection of the HIPAA privacy rule, requires covered entities to make reasonable efforts to limit uses, disclosures, and requests of PHI to the minimum necessary to accomplish the intended purpose.
The challenge is defining what is “reasonably necessary” for a given purpose and deciding how you will manage these uses, disclosures, and requests in practice.
“It’s still not understood by providers. Many think it applies to treatment,” says Susan A. Miller, JD, chief operating officer and chief privacy officer of HealthTransactions.com. Miller says training is critical for setting the record straight on this issue in 2009. Otherwise, providers who wrongly apply the standard to treatment disclosures may withhold information that other clinicians need, and patient care could suffer.
The minimum necessary standard does not apply when information is:
- Requested by a provider for treatment
- Authorized by the patient
- Disclosed to HHS or the OCR for a complaint investigation or compliance review
- Required by law
- Required for compliance with the HIPAA administrative simplification rules
Solving this confusion in 2009 will require “education, education, and more education,” Miller says.
Security rule enforcement
The Office of Inspector General (OIG) released a report on October 27, 2008, examining how well CMS is enforcing the security rule.
Although the OIG’s report did not state whether the OIG has scheduled another performance review, it is highly likely that it will revisit CMS’ progress in carrying out its HIPAA enforcement responsibilities, which should be a red flag for organizations, says John Parmigiani, MS, BES, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD, and chair of the team that created the HIPAA security rule.
Organizations need to be aware that CMS and the OIG are continuing to audit for HIPAA security compliance. Health information technology initiatives, increased consumer awareness of data losses, and a new administration are additional drivers for stricter enforcement of healthcare privacy and security safeguards. Organizations may need to increase the money and internal resources they set aside for security compliance, says Parmigiani.
Medical identity theft
Healthcare organizations should also be aware of the Federal Trade Commission’s Identity Theft Red Flags rule under the Fair and Accurate Credit Transactions Act of 2003 (FACTA), says Miaoulis, adding that the regulation requires many healthcare organizations to implement programs to prevent and detect identity theft by May 1, 2009.
Miaoulis says to mitigate the risk of identity theft, organizations should take the following steps:
1. Research the FACTA Identity Theft Red Flags rule.
2. Extend the HIPAA minimum necessary standard to demographic information. “Specifically, organizations should inventory which systems maintain the Social Security numbers and patients’ birth dates,” Miaoulis says.
3. Determine who has access to information and whether access is appropriate. For roles that require the use of patients’ Social Security numbers, determine whether limiting access to the last four or five digits of the number would be sufficient. Organizations could also consider limiting the use of patients’ birth dates, Miaoulis says, noting that it may not compromise patient care to see someone was born in May 1970 versus May 15, 1970.
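The three steps above can be put into working form as an inventory pass over system extracts followed by role-based masking of SSNs and birth dates. The following Python is an added illustration, not code from the article or from Phoenix Health Systems; the three system extracts are constructed sample data, and the role policy (`treating_clinician`, `billing`, `scheduler`) is a hypothetical example of how an organization might encode its own minimum necessary decisions.

```python
"""Inventory of SSN/DOB fields across systems, then role-based minimum
necessary masking of demographic PHI.  Added example; all data and the
role policy are hypothetical."""
import re
from datetime import date

# Constructed sample extracts from three hypothetical systems.
SYSTEM_EXTRACTS = {
    "registration": [
        {"mrn": "100234", "name": "Doe, Jane", "ssn": "123-45-6789", "dob": "1970-05-15"},
    ],
    "lab": [
        {"mrn": "100234", "test": "CBC", "result": "normal", "dob": "1970-05-15"},
    ],
    "scheduling": [
        {"mrn": "100234", "appt": "2009-02-03 09:00"},  # date-time, not a birth date
    ],
}

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
BARE_DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")  # candidate full birth date


def inventory_sensitive_fields(extracts):
    """Step 2: return {system: {field, ...}} for every field that carries a
    full SSN or a bare calendar date (a likely birth date)."""
    found = {}
    for system, rows in extracts.items():
        hits = set()
        for row in rows:
            for field, value in row.items():
                if isinstance(value, str) and (SSN_RE.match(value) or BARE_DATE_RE.match(value)):
                    hits.add(field)
        if hits:
            found[system] = hits
    return found


def mask_ssn(ssn, keep=4):
    """Keep only the trailing `keep` digits (4 or 5 per the article), e.g. ***-**-6789."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("not a 9-digit SSN")
    masked = "*" * (9 - keep) + digits[-keep:]
    return f"{masked[:3]}-{masked[3:5]}-{masked[5:]}"


def mask_dob(dob):
    """Reduce a full birth date to month and year (e.g. May 1970, not May 15, 1970)."""
    d = date.fromisoformat(dob)
    return f"{d.year:04d}-{d.month:02d}"


# Hypothetical role policy (step 3).  A callable transforms the field for that
# role; None drops the field from the role's view entirely.
ROLE_POLICY = {
    "treating_clinician": {"ssn": None, "dob": lambda v: v},        # full DOB, no SSN
    "billing": {"ssn": lambda v: mask_ssn(v, 4), "dob": mask_dob},  # last 4 + month/year
    "scheduler": {"ssn": None, "dob": mask_dob},                    # month/year only
}


def minimum_necessary_view(record, role):
    """Return the record as the given role is allowed to see it.  Fields not
    named in the policy pass through unchanged; unknown roles are refused."""
    policy = ROLE_POLICY[role]  # KeyError on an undefined role: fail closed
    view = {}
    for field, value in record.items():
        if field in policy:
            transform = policy[field]
            if transform is None:
                continue
            view[field] = transform(value)
        else:
            view[field] = value
    return view


if __name__ == "__main__":
    print(inventory_sensitive_fields(SYSTEM_EXTRACTS))
    for role in ROLE_POLICY:
        print(role, minimum_necessary_view(SYSTEM_EXTRACTS["registration"][0], role))
```

The inventory step is deliberately pattern-based rather than name-based: a birth date copied into a field called `patient_info` in some downstream system is exactly the kind of sprawl Miaoulis is describing, and a field-name search would miss it.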
Legislation in the new Congress
A new administration is in office in Washington, DC, and the change may have a significant effect on healthcare.
“The complaint has always been that HIPAA has teeth but it doesn’t bite,” Parmigiani says. “That might change.”
For example, there is the potential for incentives, both carrots and sticks, for providers to move to electronic health records, Miller says. In addition, we may see pay-for-performance models that take payment away from providers who don’t move toward an electronic environment, she says.
Parmigiani says he believes there will soon be federal legislation that expands the definition of covered entities to include business associates (BAs).
Currently, BAs working on behalf of covered entities are not themselves required to abide by HIPAA privacy and security standards.
The burden has always been on the covered entity to ensure that the BA is keeping its information safe, says Parmigiani, adding that he also sees possible movement toward a national preemptive privacy/data protection law that would embody the strongest data security requirements found in the growing and increasingly stringent body of state data protection laws.
Knowing where data reside
In 2009, organizations must do a better job of understanding where their information resides and with whom it is shared, particularly when the information travels outside facility walls. Mobile ePHI may come to reside in easily accessible locations, says Miaoulis, who recommends performing a data flow analysis to show where data reside.
This is also important in the event of a lawsuit and to comply with e-discovery regulatory requirements, says Parmigiani. “It forces a better awareness of what data is generated, where it is stored, and if we can quickly retrieve it,” he says.
Further, organizations should regulate the use of e-mail by employees who send files to their home computers for work-related purposes.
Organizations should also monitor employees who carry PHI on thumb drives, backup disk drives, external portable hard drives, or other portable storage devices.