The KHIT Blog: 45.CFR.164.3, 45.CFR.164.5, and 42.CFR.2

Friday, June 1, 2012

45.CFR.164.3, 45.CFR.164.5, and 42.CFR.2

I'm ba-a-ack...

I've been gone to my grandson's high school graduation festivities in Windermere FL. Congratulations, Keebo. Just getting back into the blogging thing after the "respite."

I thought about having my name legally changed to "Authorized Personnel" (particularly since "World Peace" has already been squatted). Make U-turns on the interstates, go into all these otherwise off-limits places in the casinos...

PHI privacy and security. I've addressed these issues before. "45.CFR.164.3, 45.CFR.164.5, and 42.CFR.2 ("substance abuse" data privacy)"? Yeah, and those are just the major federal compliance regulations. Add in a crazy-quilt of HIPAA-trumping state laws and regs, well, can you say "job security"? or Counsel's "Billable Hours" (or, can you say "ahhh.. we'll never get audited"?)

"DESIGNATE PRIVACY AND SECURITY OFFICIALS"

45 CFR 164.308...(2)

(2) Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity. (PHI Security)

45 CFR 164.530(a)(1)

Standard: Personnel designations. (i) A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity. (PHI Privacy)

While there's a pretty clear picture of the "job duties" for these Security and Privacy positions, the academic and work experience requirements are far more varied -- problematic, in fact. The federal regulations are silent regarding "minimum qualifications." One upshot of which is now a metastasizing cottage industry of pricey commercial "certifications."

Along with a raft of budget web offerings.

We will examine all of this shortly in detail. Lots to discuss. Can both of these roles be filled by the same person? Yes. Can they both be outsourced to "BAs" (Business Associates)? ONC/CMS isn't commenting for the record thus far on that count.

___

HIPAA SECURITY / PRIVACY OFFICIAL

Searching some of the job search engines to see what skills/experience sets criteria people are asking for these days turns up stuff like this:

Job Description
Employer is seeking a Compliance Analyst with experience in Corporate Information Security. Qualified candidates will work in a fast-paced, dynamic, collaborative, growing environment. In addition to their responsibilities with corporate information security compliance, the Compliance Analyst will be the HIPAA Security Official [emphasis mine] for our employer-sponsored healthcare model that operates and manages medical clinics at employer's sites and other businesses. This position will lead all ongoing activities related to the development, implementation, maintenance of, and adherence to the organization’s policies and procedures covering the security of; and access to, patient health information (PHI) in compliance with federal and state laws and the healthcare organization’s information security practices.

Key Responsibilities

Develops administrative procedures, establishes physical safeguards and implements technology solutions in line with the Health and Human Services (HHS) guideline, the Health Information Portability and Accountability Act (HIPAA), organization management and legal counsel.

Conducts gap analysis and risk analysis from security perspective and implement changes, enhancements and education to ensure employer's overall compliance with HIPAA. Performs ongoing security audits to assess effectiveness of policies and procedures and system security safeguards.

Oversees, directs, delivers, or ensures delivery of initial security training and orientation to all employees, medical and professional staff, contractors, alliances, business associates, and other appropriate third parties and continues to foster information security awareness within the organization and related entities.

Ensure ongoing integration of information security with business strategies and privacy requirements and participate in strategic planning of the security policies and procedures.

Establishes and administers a process for receiving, documenting, tracking, investigating and taking action on all complaints concerning the organization’s security policies and procedures in coordination and collaboration with other similar functions and, when necessary, legal counsel.

Reviews all system-related information security plans throughout the organization’s network to ensure alignment between security and privacy practices, and acts as a liaison to the information systems department.

Maintains current knowledge of Federal and state privacy and security laws and regulations as well as industry best practices. Revises the security program as necessary to comply with the changes in the law, regulations, professional ethics, and accreditation requirements and as necessary because of changes in patient mix, business operations, and the overall healthcare climate.

Serves as information security consultant to the employer's for all departments and appropriate entities including assisting in the design and implementation of a corporate education, training and communication campaign.

Cooperates with the Office of Civil Rights, other legal entities and organization officers in any compliance reviews or investigations.

Qualifications

Bachelor’s degree in information technology or management information systems or related field.

A minimum of three years’ experience in a healthcare or related field, demonstrated expertise in healthcare operations, health information knowledge and compliance preferred.

Expert knowledge in health information security development, applying principles of HIM (Health Information Management), project management and change management.

CISSP (Certified Information System Security Professional), CISM (Certified Information Systems Manager) or CHIPS (Certified Healthcare Privacy and Security) certifications preferred.

Demonstrated organization, facilitation, communication and presentation skills.

SEBMF-1113165: Manager, Health Information/HIPAA Privacy Officer

Description
The Sutter East Bay Medical Foundation is a not for profit corporation that exists to provide medical services, research and education. The foundation provides the infrastructure for the delivery of physician services, and contracts with a separate corporation comprised of physicians and other care providers to deliver the clinical services. This multi-specialty foundation will provide a platform from which new physicians can be recruited to continue to provide physician services in a nonprofit, community setting. The Foundation's vision is to create a medical group that will deliver high quality, market competitive medical services.

The Manager, Health Information/HIPAA Privacy Officer [emphasis mine] directs, establishes and plans the overall policies and goals for the Health Information/Medical Record Departments in support of strategic objectives and program planning of the organization. Ensures compliance with regulatory requirements. Oversees either directly or indirectly the responsibilities for staffing, budgeting, fiscal planning, telecommunications, equipment purchases and maintenance, and facility development for care center medical record departments. Oversees all ongoing activities related to the development, implementation, maintenance of, and adherence to the organization’s policies and procedures covering the privacy of, and access to, patient health information in compliance with federal and state laws and the healthcare organization’s information privacy practices.

Qualifications
MINIMUM POSITION REQUIREMENTS:

Education:
A Bachelor’s Degree in Business Administration is preferred. Accreditation in Health Information is also preferred, proven appropriate experience and education may be substituted.

Experience:
Must possess five years professional experience in a health care environment which includes progressive management experience; strong leadership, communications, analytical, and interpersonal skills. Experience in project management and implementing hardware and software systems in a medical transcription and health information environment. Expertise in software application implementation within the medical transcription arena. Experience negotiating a minimum of three contracts per year with service vendors required. Experience in overseeing large organizational compliance with both federal and state laws with regards to privacy of health information.

Knowledge:
Extensive knowledge of health information and transcription functions in a hospital or ambulatory care setting. Extensive knowledge of electronic systems and applications for transcription and dictation systems required. Knowledge of terminal digit filing system is required. Knowledge of basic medical record activities to include filing, record retrieval, archival as well as destruction in accordance to guidelines is required. Extensive experience/knowledge of release of information procedures is required. Extensive knowledge sufficient to insure compliance with Federal and State regulations guarding the portability and management of protected health information. A knowledge of basic telecommunication procedures is desired.

Special Skills/Equipment:
Organizational, analytical and problem solving skills. Must have excellent command of medical language so as to act as a resource to medical transcription employees. Must have excellent customer service skills as well as the ability to respond to requests in a prompt and courteous manner. Ability to read, hear, and verbally communicate in English to the degree required to supervise personnel, and communicate with department Directors, Administration, and Physicians both orally and in written form. Must be able to enlist cooperation and build consensus in environments that are resistant to change.

From what I can see thus far, the compensation package offerings for these kinds of positions are not bad, for candidates with time-in-the-seat experience, demonstrable BoK fluency, and one or more credible and germane Certs.

This is problematic for the smaller EP primary care outpatient shops. "Yo, Suzy, up at the front desk... tag, you're it, you're now our HIPAA Privacy and Security Officer. Fit this in when you're not answering calls or scheduling patients, OK?"

To the extent they comply with 164.308 and 164.530 at all.

Moreover, it should be noted that these responsibilities reciprocally bleed over into 164.4 (PHI Breach):

§ 164.414
Administrative requirements and burden of proof.
(a) Administrative requirements. A covered entity is required to comply with the administrative requirements of § 164.530(b), (d), (e), (g), (h), (i), and (j)...

Ask Phoenix Cardiac Surgery about the upshot of non-compliance.
___

A brief graphic diversion, on the subject of "compensation packages."

OK. Chump change. Google "Boaz Weinstein." He's 38. Last year he reportedly made $90 million. He's the guy who recently successfully, massively shorted JP Morgan's London "hedge" unit, causing a huge Wall Street and political dustup.

BTW...

The Average Salary of Cardiac Surgeons

A cardiac surgeon, also known as a cardiac thoracic surgeon, is responsible for treating and repairing injuries of the heart and lungs. A cardiac surgeon is primarily employed in hospitals, surgery centers or private practices and averages an annual salary of $116,653 to $483,875, depending on experience.

Any time someone starts grumbling to you about "greedy, overpaid doctors" and "meddlesome bureaucrats," just reply "Google Boaz Weinstein," and ask "how many lives did he save last year?"

REC TRADE ASSOCIATION UPDATE

Nothing new to report.
___

JUNE 3rd UPDATE

By David Schultz
JUN 03, 2012

As more doctors and hospitals go digital with medical records, the size and frequency of data breaches are alarming privacy advocates and public health officials.

Keeping records secure is a challenge that doctors, public health officials and federal regulators are just beginning to grasp. And, as two recent incidents at Howard University Hospital show, inadequate data security can affect huge numbers of people.

On May 14, federal prosecutors charged one of the hospital's medical technicians with violating the Health Insurance Portability and Accountability Act, or HIPAA. Prosecutors say that over a 17-month period Laurie Napper used her position at the hospital to gain access to patients' names, addresses and Medicare numbers in order to sell their information. A plea hearing has been set for June 12; Napper's attorney declined comment.

Just a few weeks earlier, the hospital notified more than 34,000 patients that their medical data had been compromised. A contractor working with the hospital had downloaded the patients' files onto a personal laptop, which was stolen from the contractor's car. The data on the laptop was password-protected but unencrypted, which means anyone who guessed the password could have accessed the patient files without a randomly generated key. According to a hospital press release, those files included names, addresses, and Social Security numbers -- and, in a few cases, "diagnosis-related information."

Ronald J. Harris, Howard University's top spokesman, said in an e-mail that the two incidents are unrelated, but declined to answer further questions. In its press release about the stolen laptop, the hospital said it will set new requirements for all laptops used by contractors and those issued to hospital personnel to help protect data.

Still it could have been worse. Much worse.

Just days after Howard University contacted its patients about the stolen laptop, the Utah Department of Health announced that hackers based in Eastern Europe had broken into one of its servers and stolen personal medical information for almost 800,000 people -- more than one of every four residents of the state...

Rest of the story here.
___

Lots of employment opportunities here. But, one will be continually shooting at moving targets, given the ever increasing interface of digital technologies and cyberspace -- on the 164.308 "HIPAA Security Official" side.

to wit:

Understanding cyberspace is key to defending against digital attacks
By Robert O’Harrow Jr., Published: June 2, Washington Post

Charlie Miller prepared his cyberattack in a bedroom office at his Midwestern suburban home.

Brilliant and boyish-looking, Miller has a PhD in math from the University of Notre Dame and spent five years at the National Security Agency, where he secretly hacked into foreign computer systems for the U.S. government. Now, he was turning his attention to the Apple iPhone.

At just 5 ounces and 4 1/2 inches long, the iPhone is an elegant computing powerhouse. Its microscopic transistors and millions of lines of code enable owners to make calls, send e-mail, take photos, listen to music, play games and conduct business, almost simultaneously. Nearly 200 million iPhones have been sold around the world.

The idea of a former cyberwarrior using his talents to hack a wildly popular consumer device might seem like a lark. But his campaign, aimed at winning a little-known hacker contest last year, points to a paradox of our digital age. The same code that unleashed a communications revolution has also created profound vulnerabilities for societies that depend on code for national security and economic survival.

Miller’s iPhone offensive showed how anything connected to networks these days can be a target.

He began by connecting his computer to another laptop holding the same software used by the iPhone. Then he typed a command to launch a program that randomly changed data in a file being processed by the software.

The alteration might be as mundane as inserting 58 for F0 in a string of data such as “0F 00 04 F0.” His plan was to constantly launch such random changes, cause the software to crash, then figure out why the substitutions triggered a problem. A software flaw could open a door and let him inside.

“I know I can do it,” Miller, now a cybersecurity consultant, told himself. “I can hack anything.”

After weeks of searching, he found what he was looking for: a “zero day,” a vulnerability in the software that has never been made public and for which there is no known fix.

The door was open, and Miller was about to walk through...

Keeping sensitive personal information private while enabling "authorized personnel" to access it for legitimate transactions will not get any easier. See the Washington Post "Zero Day" series.

On the "HIPAA Privacy Official" side of things (45 CFR 164.5, and 42 CFR 2 federally, at a minimum), while legal and regulatory developments may indeed move at a slower pace relative to the IT space (I follow these assiduously for my HIE), they are no less elaborate, by any means. And, "privacy" stuff is significantly less check-off list friendly.

Anyone capable of effectively filling both of these roles in a setting of any appreciable complexity will continue to be in increasingly high demand. Rightfully so, as it's not "work/life balance" friendly (kinda like, say, my wife's job), given the relentless challenges and the high-dollar (and reputation risk) stakes.
___

QUICK DIVERSION

"Dr. Oz on Challenges Faced by Small Practices"

Hat tip to Shea Steinberg of EHR Bloggers.

More quick news:

EHR certification lacking usability factor, doctors say
Organized medicine groups express concern that certified products will become obsolete as the meaningful use incentive program evolves.
By CHARLES FIEGL, amednews staff. Posted June 4, 2012.

Washington Federal health officials overseeing standards for electronic health records systems should revise system certification criteria to take usability concerns into account, the American Medical Association and other physician organizations said in comments on a proposed regulation...

...More than 1,700 EHR products have met previous certification standards, but the process itself provides no information to physicians on usability or which systems would best fit a particular practice. The AMA recommended that HHS hold a survey on satisfaction with these systems. Results would be disseminated and incorporated into future certification of the technology.

The AMA and other physician organizations also have serious doubts about the long-term viability of these products, leaving physicians who invested in the technology vulnerable.

“Another potential impact is the possibility that an EHR vendor or product might be bought or discontinued,” wrote Michael H. Zaroukian, MD, PhD, chair of the medical informatics committee at the American College of Physicians. “This has happened already, leading to additional costs for providers as they have to purchase another certified EHR to qualify for the EHR incentive.”

Including usability standards in the certification process would help ensure that physicians purchase products that will work best for them over the long run, the AMA said...

Yeah, "usability," that noble hardy perennial. I've addressed the topic before, here, and here.
___

JUNE 5th UPDATE

Interesting HITRC Privacy and Security CoP webinar/conference call today. Lots of anxiety expressed with regard to potential REC liability in connection with EPs' attestations to Meaningful Use Core 15, e.g.,

OBJECTIVE: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
MEASURE: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

My irascible 60 second Photoshop reaction?

While it's clear the the EPs and EHs are on the legal hook with CMS and HHS/OCR for having complied with Core 15 and -- HIPAA more broadly (or not), a number of REC CoP callers voiced concern anew over what ONC might -- post-hoc -- regard as the satisfactory extent of REC documentation in Salesforce that our clients had indeed complied (yeah, we have to use Salesforce).

A bit late in the day for that, discomfort no?

My REC is not going there.**

We give our clients all of the information and tools sufficient for Core 15/164.3 compliance, and stress to them repeatedly the importance of doing so, but we are not about to become proxy CMS/ONC/OCR ePHI Security auditors. We are not staffed for it. It's all I can do to get my clinics to give me adequate face time to engage in more than MU compliance basics and pro forma workflow analysis.

A corollary concern was raised during the call: does it suffice that a practice, having identified one or more Core 15/45.CFR.164.3 deficiencies, simply document in its remedial action plan the requisite measures via which to achieve eventual compliance?

The long answer? No. (IMO)

Read the measure. "correct identified security deficiencies as part of its risk management process."

I'll have to find and review my handwritten HIMSS12 notes, but I specifically recall a curt response to that very question during one of the CMS sessions. The MU participant must correct any identified 164.3 nonconformances prior to attesting.

** Why stop/start there, anyway? What if an EP/EH subsequently is shown via audit to have in fact failed to meet one or more other Stage 1 MU measures post- attestation? Do they have to refund the reimbursements? Do we have to then also give our MU3 milestone money back?

___

NEWS UPDATE (via Linex)

Chronicle of Data Protection,
Hogan, Lovells
POSTED ON JUNE 7, 2012 BY MARCY WILDER

HHS OCR Director Leon Rodriguez Warns of Low Tolerance for HIPAA Noncompliance and Announces that Release of HITECH Rule is Imminent

Director of the HHS Office of Civil Rights Leon Rodriguez warned today that the HIPAA enforcement agencies’ tolerance for noncompliance with HIPAA is “much, much lower” than in years past. Presenting at the Safeguarding Health Information: Building Assurance through HIPAA Security Conference in Washington, D.C. (co-hosted by OCR and the National Institute of Standards and Technology), Rodriguez made clear that expectations regarding HIPAA compliance by covered entities and their business associates is higher than before, particularly in light of the abundant guidance, tools, and assistance OCR and NIST have provided to covered entities over the years.

During his presentation, Rodriguez reported that the HITECH rule to modify HIPAA Privacy, Security and Enforcement Rules is “very close” to completion. He highlighted one of the rule’s major changes, namely, extension of HIPAA liability to business associates, and urged business associates to begin compliance efforts if they haven’t already. Rodriguez also cautioned that attorneys general may increasingly broaden their sights to include HIPAA enforcement for business associates.

Finally, Director Rodriguez discussed OCR’s audit program, designed to help OCR find and address weaknesses in protections for both paper and electronic information. He reported that the agency has found many vulnerabilities that the standard compliance program failed to identify and expects the audit program to become permanent going forward. Senior OCR advisor Linda Sanches commented that audits for 115 covered entities—selected from among 3.3 million covered entities in the nation—are in process. Initial reports from the first 20 audits suggest that most problems were found in the area of security protections.

Contingency planning and user activity monitoring were also highlighted areas much in need of improvement. Sanches indicated that the OCR system for auditing business associates will likely go live in 2013. The audit criteria used for the initial audits will soon be available on OCR’s website and will be useful for mapping compliance efforts going forward.

No comments:

Brave New Health

Commonwell Health Alliance

Another important read (pdf)

I love this kind of stuff. It sustains and humbles me. "As politicians, advertisers, salesmen, and propagandists for various political, economic, moral, religious, psychic, environmental, dietary, and artistic doctrinaire positions know only too well, fallible human minds are easily tricked, by clever verbiage... Common language—or at least, the English language—has an almost universal tendency to disguise epistemological statements by putting them into a grammatical form which suggests to the unwary an ontological statement. A major source of error in current probability theory arises from an unthinking failure to perceive this."

Quotes

"An economist is a person who sees something that works in practice and tries to figure out whether it will work in theory."

- J.D. Kleinke, medical economist
___

"The only person who enjoys change is a baby with a wet diaper."

"Every misspent dollar in our health care system is part of somebody's paycheck.

- Brent James, M.D., M.Stat

“We could do healthcare, at markedly higher quality, for everyone in this country, without rationing or denying anybody the care that they need, without having the government dictate how doctors practice or whether hospitals could expand, at half the cost we do it now.”

- Health Care Futurist Joe Flower

Most of the sciences, unlike parts of medical science, are not concerned with the impossible. There is not complementary and alternative physics, or chemistry, or biochemistry, or engineering. These disciplines compare their ideas against reality, and, if the ideas are found wanting, abandoned."

- Mark A. Crislip, MD

"Q: How much alcohol is too much?
A: More than your doctor drinks."

- a physician I once heard speak during a CME presentation

“Just because science doesn’t know everything, doesn’t mean you get to fill in the gaps with whatever fairy tale most appeals to you.”

- Dara O’Briain

'[I]t is one small step from using the computer for "helping" doctors to monitoring them, judging them, dictating to them what to do, and withdrawing payment for computer non-compliance. The use of computer data is a multi-edged sword. It can be used for the "good," facilitating diagnosis and treatment and making it more accurate and up-to-date, and for “evil,” invading privacy, inviting security breechs, and making decisions based on the opinions of remote authorities rather than those present at the patient-doctor encounter.'

- Richard Reece, MD

“[T]here ARE statistics which are non-political. Just because The Washington Post/Fox News reports the temperature is 75 degrees doesn’t mean it’s really snowing and sunscreen is a liberal/conservative plot. Even if you earn a living being ideological.”

- Michael L. Millenson

"It is a generally a fairly convincing argument that people shouldn’t have to be subsidized to undertake a change which is in their best interest.

The reconciliation seems to be that EHR is not supposed to make a doctor’s practice more efficient and higher quality. It is supposed to make the system of care more efficient and higher quality, which is not the same thing. Those of you who took calc recall that maximizing the total of variables is not achieved by maximizing any one variable and this is a perfect example of that.

Those of you have served in combat certainly noticed that too — if everyone works as a team the unit takes fewer casualties. If you try to save your own hide, you might, but at the expense of more casualties overall."

- Al Lewis

"There are two ideas to keep in mind about Bayesian reasoning and how we tend to mess it up. The first is that base rates matter, even in the presence of evidence about the case at hand. This is often not intuitively obvious. The second is that intuitive impressions of the diagnosticity of evidence are often exaggerated."

- Daniel Kahneman, "Thinking, Fast and Slow"

"Physicians apply advanced scientific knowledge, but they must do so without the favorable conditions that experimental scientists create for themselves. Multitasking is forced on physicians, often in chaotic environments and under severe time and resource constraints."

- Lawrence and Lincoln Weed, "Medicine in Denial"

"It’s time to stop the whining about Obama care and acknowledge we already have universal health care. We just pay for it in the stupidest way possible that ensures problems are that much more disastrous and complicated when they’re finally treated."

- Mark Hoofnagle, MD, PhD

"Every act of conscious learning requires the willingness to suffer an injury to one's self-esteem. That is why young children, before they are aware of their own self-importance, learn so easily."

- Thomas Szasz, MD
___

"Of course, one reason that process metrics* are so popular is that processes are much easier to define and measure than outcomes."

- The Skeptical Scalpel
___

"There is an “illusion of validity” for any random data point, a seductive sense that is colored by what we hope will be true. Mountains of pharmaceutical claims are often made from mere molehills of data."

- Danielle Ofri, MD
___

"Joy empowers people. It is a source of energy that enables people to hope and plan and change their lives for the better. Spend some time around someone who is relentlessly negative and how do you feel–drained, right? More and more research shows that joy is not something that just happens to you, like a bolt of lightening out of the blue. Joy is, instead, a habit to cultivate. Negative thinking and despair are the crabgrass of our souls–weeds that take root and spread, sometimes to all areas of life. Joy, in contrast, is a soul’s rose–hardy when cared for, able to put down roots over time and withstand disease and extremes. Like a rose, however, your joy can become blighted from neglect or harsh conditions. We all need to tend to our joy–to prune away the badness, and to know that, even though it may look like a prickly bare root, if you invest time in a joyous outlook, gorgeous things will bloom, even in the harshest conditions."

- Dr. Jan Gurley
___

"'Solutions' exist only in mathematics."

- Karen Martin
___

"The issue of how to regulate clinical software is, in the long run, indistinguishable from the issue of how to regulate medicine. The only difference is that medicine is practiced in the open, without secrecy, subject to peer review, and under a merit-based state license."

- Adrian Gropper, MD
___

"Economist, rope, tree: some assembly required."

- Source unknown

DISCLAIMER:

I write this blog wholly on my own time and my own dime. The views proffered are expressly my own as a concerned and active citizen/taxpayer (in addition to being the result of my substantive experience in the various IT fields), and in no way reflect any policy views of my former employer, notwithstanding that some of the thinking has indeed obviously been spurred by the implications of the work with which I have been doing for them.

FAIR USE POLICY
I cite a ton of news and web sources spanning the breadth of relevant technical and policy domains, sometimes at substantial length. I believe I remain well within the bounds of "Fair Use," as [1] I am not doing any of this for profit, [2] I always provide attribution and links -- which, [3] far from negatively impacting any copyright holders' commercial interests, might actually increase traffic to and interest in their offerings.

Nonetheless, should I post anything of yours regarding which you have any objection, just let me know and I will remove it forthwith.

The KHIT Blog

Search the KHIT Blog

Friday, June 1, 2012

45.CFR.164.3, 45.CFR.164.5, and 42.CFR.2

No comments:

Post a Comment