
Friday, June 1, 2012

45.CFR.164.3, 45.CFR.164.5, and 42.CFR.2

I'm ba-a-ack...

I've been gone to my grandson's high school graduation festivities in Windermere FL. Congratulations, Keebo. Just getting back into the blogging thing after the "respite."

I thought about having my name legally changed to "Authorized Personnel" (particularly since "World Peace" has already been squatted). Make U-turns on the interstates, go into all these otherwise off-limits places in the casinos...

PHI privacy and security. I've addressed these issues before. "45.CFR.164.3, 45.CFR.164.5, and 42.CFR.2 ("substance abuse" data privacy)"? Yeah, and those are just the major federal compliance regulations. Add in a crazy-quilt of HIPAA-trumping state laws and regs, well, can you say "job security"? or Counsel's "Billable Hours" (or, can you say "ahhh.. we'll never get audited"?)


45 CFR 164.308...(2)

(2) Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity. (PHI Security)

45 CFR 164.530(a)(1)

Standard: Personnel designations. (i) A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity. (PHI Privacy)

While there's a pretty clear picture of the "job duties" for these Security and Privacy positions, the academic and work experience requirements are far more varied -- problematic, in fact. The federal regulations are silent regarding "minimum qualifications." One upshot of which is now a metastasizing cottage industry of pricey commercial "certifications."

Along with a raft of budget web offerings.

We will examine all of this shortly in detail. Lots to discuss. Can both of these roles be filled by the same person? Yes. Can they both be outsourced to "BAs" (Business Associates)? ONC/CMS isn't commenting for the record thus far on that count.



Searching some of the job search engines to see what skills and experience criteria people are asking for these days turns up stuff like this:
Job Description
Employer is seeking a Compliance Analyst with experience in Corporate Information Security. Qualified candidates will work in a fast-paced, dynamic, collaborative, growing environment. In addition to their responsibilities with corporate information security compliance, the Compliance Analyst will be the HIPAA Security Official [emphasis mine] for our employer-sponsored healthcare model that operates and manages medical clinics at employer's sites and other businesses. This position will lead all ongoing activities related to the development, implementation, maintenance of, and adherence to the organization’s policies and procedures covering the security of; and access to, patient health information (PHI) in compliance with federal and state laws and the healthcare organization’s information security practices.

Key Responsibilities

  • Develops administrative procedures, establishes physical safeguards and implements technology solutions in line with the Health and Human Services (HHS) guideline, the Health Information Portability and Accountability Act (HIPAA), organization management and legal counsel.
  • Conducts gap analysis and risk analysis from security perspective and implement changes, enhancements and education to ensure employer's overall compliance with HIPAA. Performs ongoing security audits to assess effectiveness of policies and procedures and system security safeguards.
  • Oversees, directs, delivers, or ensures delivery of initial security training and orientation to all employees, medical and professional staff, contractors, alliances, business associates, and other appropriate third parties and continues to foster information security awareness within the organization and related entities. 
  • Ensure ongoing integration of information security with business strategies and privacy requirements and participate in strategic planning of the security policies and procedures.
  • Establishes and administers a process for receiving, documenting, tracking, investigating and taking action on all complaints concerning the organization’s security policies and procedures in coordination and collaboration with other similar functions and, when necessary, legal counsel.
  • Reviews all system-related information security plans throughout the organization’s network to ensure alignment between security and privacy practices, and acts as a liaison to the information systems department.
  • Maintains current knowledge of Federal and state privacy and security laws and regulations as well as industry best practices. Revises the security program as necessary to comply with the changes in the law, regulations, professional ethics, and accreditation requirements and as necessary because of changes in patient mix, business operations, and the overall healthcare climate.
  • Serves as information security consultant to the employer's for all departments and appropriate entities including assisting in the design and implementation of a corporate education, training and communication campaign.
  • Cooperates with the Office of Civil Rights, other legal entities and organization officers in any compliance reviews or investigations.
  • Bachelor’s degree in information technology or management information systems or related field.
  • A minimum of three years’ experience in a healthcare or related field, demonstrated expertise in healthcare operations, health information knowledge and compliance preferred.
  • Expert knowledge in health information security development, applying principles of HIM (Health Information Management), project management and change management.
  • CISSP (Certified Information System Security Professional), CISM (Certified Information Systems Manager) or CHIPS (Certified Healthcare Privacy and Security) certifications preferred.
  • Demonstrated organization, facilitation, communication and presentation skills.
SEBMF-1113165: Manager, Health Information/HIPAA Privacy Officer
The Sutter East Bay Medical Foundation is a not for profit corporation that exists to provide medical services, research and education. The foundation provides the infrastructure for the delivery of physician services, and contracts with a separate corporation comprised of physicians and other care providers to deliver the clinical services. This multi-specialty foundation will provide a platform from which new physicians can be recruited to continue to provide physician services in a nonprofit, community setting. The Foundation's vision is to create a medical group that will deliver high quality, market competitive medical services.

The Manager, Health Information/HIPAA Privacy Officer [emphasis mine] directs, establishes and plans the overall policies and goals for the Health Information/Medical Record Departments in support of strategic objectives and program planning of the organization. Ensures compliance with regulatory requirements. Oversees either directly or indirectly the responsibilities for staffing, budgeting, fiscal planning, telecommunications, equipment purchases and maintenance, and facility development for care center medical record departments. Oversees all ongoing activities related to the development, implementation, maintenance of, and adherence to the organization’s policies and procedures covering the privacy of, and access to, patient health information in compliance with federal and state laws and the healthcare organization’s information privacy practices.
A Bachelor’s Degree in Business Administration is preferred. Accreditation in Health Information is also preferred, proven appropriate experience and education may be substituted.
Must possess five years professional experience in a health care environment which includes progressive management experience; strong leadership, communications, analytical, and interpersonal skills. Experience in project management and implementing hardware and software systems in a medical transcription and health information environment. Expertise in software application implementation within the medical transcription arena. Experience negotiating a minimum of three contracts per year with service vendors required. Experience in overseeing large organizational compliance with both federal and state laws with regards to privacy of health information.
Extensive knowledge of health information and transcription functions in a hospital or ambulatory care setting. Extensive knowledge of electronic systems and applications for transcription and dictation systems required.  Knowledge of terminal digit filing system is required. Knowledge of basic medical record activities to include filing, record retrieval, archival as well as destruction in accordance to guidelines is required. Extensive experience/knowledge of release of information procedures is required. Extensive knowledge sufficient to insure compliance with Federal and State regulations guarding the portability and management of protected health information. A knowledge of basic telecommunication procedures is desired.
Special Skills/Equipment:
Organizational, analytical and problem solving skills. Must have excellent command of medical language so as to act as a resource to medical transcription employees.  Must have excellent customer service skills as well as the ability to respond to requests in a prompt and courteous manner. Ability to read, hear, and verbally communicate in English to the degree required to supervise personnel, and communicate with department Directors, Administration, and Physicians both orally and in written form.  Must be able to enlist cooperation and build consensus in environments that are resistant to change.
From what I can see thus far, the compensation package offerings for these kinds of positions are not bad, for candidates with time-in-the-seat experience, demonstrable BoK fluency, and one or more credible and germane Certs.

This is problematic for the smaller EP primary care outpatient shops. "Yo, Suzy, up at the front desk... tag, you're it, you're now our HIPAA Privacy and Security Officer. Fit this in when you're not answering calls or scheduling patients, OK?"

To the extent they comply with 164.308 and 164.530 at all.

Moreover, it should be noted that these responsibilities reciprocally bleed over into 164.4 (PHI Breach):
§ 164.414
Administrative requirements and burden of proof.
(a) Administrative requirements. A covered entity is required to comply with the administrative requirements of § 164.530(b), (d), (e), (g), (h), (i), and (j)...
Ask Phoenix Cardiac Surgery about the upshot of non-compliance.

A brief graphic diversion, on the subject of "compensation packages."

OK. Chump change. Google "Boaz Weinstein." He's 38. Last year he reportedly made $90 million. He's the guy who recently successfully, massively shorted JP Morgan's London "hedge" unit, causing a huge Wall Street and political dustup.

The Average Salary of Cardiac Surgeons

A cardiac surgeon, also known as a cardiac thoracic surgeon, is responsible for treating and repairing injuries of the heart and lungs. A cardiac surgeon is primarily employed in hospitals, surgery centers or private practices and averages an annual salary of $116,653 to $483,875, depending on experience.

Any time someone starts grumbling to you about "greedy, overpaid doctors" and "meddlesome bureaucrats," just reply "Google Boaz Weinstein," and ask "how many lives did he save last year?"


Nothing new to report.


By David Schultz
JUN 03, 2012

As more doctors and hospitals go digital with medical records, the size and frequency of data breaches are alarming privacy advocates and public health officials.

Keeping records secure is a challenge that doctors, public health officials and federal regulators are just beginning to grasp. And, as two recent incidents at Howard University Hospital show, inadequate data security can affect huge numbers of people.

On May 14, federal prosecutors charged one of the hospital's medical technicians with violating the Health Insurance Portability and Accountability Act, or HIPAA. Prosecutors say that over a 17-month period Laurie Napper used her position at the hospital to gain access to patients' names, addresses and Medicare numbers in order to sell their information. A plea hearing has been set for June 12; Napper's attorney declined comment.

Just a few weeks earlier, the hospital notified more than 34,000 patients that their medical data had been compromised. A contractor working with the hospital had downloaded the patients' files onto a personal laptop, which was stolen from the contractor's car. The data on the laptop was password-protected but unencrypted, which means anyone who guessed the password could have accessed the patient files without a randomly generated key. According to a hospital press release, those files included names, addresses, and Social Security numbers -- and, in a few cases, "diagnosis-related information."

Ronald J. Harris, Howard University's top spokesman, said in an e-mail that the two incidents are unrelated, but declined to answer further questions. In its press release about the stolen laptop, the hospital said it will set new requirements for all laptops used by contractors and those issued to hospital personnel to help protect data.

Still it could have been worse. Much worse.

Just days after Howard University contacted its patients about the stolen laptop, the Utah Department of Health announced that hackers based in Eastern Europe had broken into one of its servers and stolen personal medical information for almost 800,000 people -- more than one of every four residents of the state...
Rest of the story here.

Lots of employment opportunities here. But, one will be continually shooting at moving targets, given the ever increasing interface of digital technologies and cyberspace -- on the 164.308 "HIPAA Security Official" side.

to wit:
Understanding cyberspace is key to defending against digital attacks
By Robert O’Harrow Jr., Published: June 2, Washington Post

Charlie Miller prepared his cyberattack in a bedroom office at his Midwestern suburban home.

Brilliant and boyish-looking, Miller has a PhD in math from the University of Notre Dame and spent five years at the National Security Agency, where he secretly hacked into foreign computer systems for the U.S. government. Now, he was turning his attention to the Apple iPhone.

At just 5 ounces and 4 1/2 inches long, the iPhone is an elegant computing powerhouse. Its microscopic transistors and millions of lines of code enable owners to make calls, send e-mail, take photos, listen to music, play games and conduct business, almost simultaneously. Nearly 200 million iPhones have been sold around the world.

The idea of a former cyberwarrior using his talents to hack a wildly popular consumer device might seem like a lark. But his campaign, aimed at winning a little-known hacker contest last year, points to a paradox of our digital age. The same code that unleashed a communications revolution has also created profound vulnerabilities for societies that depend on code for national security and economic survival.

Miller’s iPhone offensive showed how anything connected to networks these days can be a target.

He began by connecting his computer to another laptop holding the same software used by the iPhone. Then he typed a command to launch a program that randomly changed data in a file being processed by the software.

The alteration might be as mundane as inserting 58 for F0 in a string of data such as “0F 00 04 F0.” His plan was to constantly launch such random changes, cause the software to crash, then figure out why the substitutions triggered a problem. A software flaw could open a door and let him inside.

“I know I can do it,” Miller, now a cybersecurity consultant, told himself. “I can hack anything.”

After weeks of searching, he found what he was looking for: a “zero day,” a vulnerability in the software that has never been made public and for which there is no known fix.

The door was open, and Miller was about to walk through...

Keeping sensitive personal information private while enabling "authorized personnel" to access it for legitimate transactions will not get any easier. See the Washington Post "Zero Day" series.
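The byte-substitution loop the Post describes (change a byte or two in an input, run the software on it, keep whatever crashes, then work out why) is exactly what a mutation fuzzer does. As an added illustration, not code from the article, from Miller, or from this blog, here is a minimal one in Python run against a small record parser constructed for the example with a deliberate over-read flaw; the record format, the function names and the seed input are all assumptions made for the demonstration, and the Python IndexError stands in for the out-of-bounds read a fuzzer hunts for in native code.

```python
"""Minimal mutation fuzzer (added example, not from the original page)."""
import random
from typing import Callable, Dict, List, Tuple

# --- Constructed toy target --------------------------------------------------
# Record format assumed for this example: 2-byte big-endian payload length,
# the payload bytes, then one XOR checksum byte over the payload.
def parse_record(data: bytes) -> bytes:
    """Return the payload of a well-formed record, or raise ValueError.

    Intentional flaw: the declared length is trusted, so a record whose
    declared length exceeds the real buffer reads past its end and raises
    IndexError (the analogue of an out-of-bounds read in C).
    """
    if len(data) < 3:
        raise ValueError("record too short")
    declared = int.from_bytes(data[:2], "big")
    payload = data[2:2 + declared]
    checksum = data[2 + declared]        # over-read when declared > len(data) - 3
    xor = 0
    for b in payload:
        xor ^= b
    if xor != checksum:
        raise ValueError("checksum mismatch")   # graceful rejection, not a crash
    return payload


def make_record(payload: bytes) -> bytes:
    """Build a valid record so the fuzzer starts from a well-formed seed."""
    xor = 0
    for b in payload:
        xor ^= b
    return len(payload).to_bytes(2, "big") + payload + bytes([xor])


SEED = make_record(b"hello")   # constructed seed input the fuzzer mutates


# --- Fuzzer ------------------------------------------------------------------
def mutate(seed: bytes, rng: random.Random, max_flips: int = 4) -> bytes:
    """Overwrite 1..max_flips random bytes with random values (e.g. F0 -> 58)."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, max_flips)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def byte_diff(seed: bytes, case: bytes) -> List[Tuple[int, str, str]]:
    """List (offset, old_hex, new_hex) for every byte the mutation changed."""
    return [(i, f"{a:02X}", f"{b:02X}")
            for i, (a, b) in enumerate(zip(seed, case)) if a != b]


def fuzz(target: Callable[[bytes], object], seed: bytes, iterations: int,
         rng_seed: int = 0) -> Dict[str, bytes]:
    """Run target on mutated inputs; return the first input per crash type.

    ValueError is the parser saying "bad input" on purpose and is ignored.
    Any other exception escaping the parser is a crash worth root-causing.
    """
    rng = random.Random(rng_seed)       # fixed seed => reproducible findings
    crashes: Dict[str, bytes] = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:        # a fuzzer wants every other failure
            crashes.setdefault(type(exc).__name__, case)
    return crashes


if __name__ == "__main__":
    for kind, case in fuzz(parse_record, SEED, 500).items():
        print(kind, SEED.hex(), "->", case.hex(), byte_diff(SEED, case))
```

Running it prints each crash type with the seed and the crashing input side by side, so the offending substitution (the article's "58 for F0") is visible at a glance; the triage step the article describes starts from that saved input. Against a real target the parser call would be replaced by launching the program under a harness and treating an abnormal exit as the crash.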

On the "HIPAA Privacy Official" side of things (45 CFR 164.5, and 42 CFR 2 federally, at a minimum), while legal and regulatory developments may indeed move at a slower pace relative to the IT space (I follow these assiduously for my HIE), they are no less elaborate, by any means. And, "privacy" stuff is significantly less check-off list friendly.

Anyone capable of effectively filling both of these roles in a setting of any appreciable complexity will continue to be in increasingly high demand. Rightfully so, as it's not "work/life balance" friendly (kinda like, say, my wife's job), given the relentless challenges and the high-dollar (and reputation risk) stakes.


"Dr. Oz on Challenges Faced by Small Practices"

Hat tip to Shea Steinberg of EHR Bloggers.

More quick news:

EHR certification lacking usability factor, doctors say
Organized medicine groups express concern that certified products will become obsolete as the meaningful use incentive program evolves.
By CHARLES FIEGL, amednews staff. Posted June 4, 2012.

Washington Federal health officials overseeing standards for electronic health records systems should revise system certification criteria to take usability concerns into account, the American Medical Association and other physician organizations said in comments on a proposed regulation...

...More than 1,700 EHR products have met previous certification standards, but the process itself provides no information to physicians on usability or which systems would best fit a particular practice. The AMA recommended that HHS hold a survey on satisfaction with these systems. Results would be disseminated and incorporated into future certification of the technology.

The AMA and other physician organizations also have serious doubts about the long-term viability of these products, leaving physicians who invested in the technology vulnerable.

“Another potential impact is the possibility that an EHR vendor or product might be bought or discontinued,” wrote Michael H. Zaroukian, MD, PhD, chair of the medical informatics committee at the American College of Physicians. “This has happened already, leading to additional costs for providers as they have to purchase another certified EHR to qualify for the EHR incentive.”

Including usability standards in the certification process would help ensure that physicians purchase products that will work best for them over the long run, the AMA said...
Yeah, "usability," that noble hardy perennial. I've addressed the topic before, here, and here.


Interesting HITRC Privacy and Security CoP webinar/conference call today. Lots of anxiety expressed with regard to potential REC liability in connection with EPs' attestations to Meaningful Use Core 15, e.g.,
OBJECTIVE: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
MEASURE: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
My irascible 60 second Photoshop reaction?

While it's clear that the EPs and EHs are on the legal hook with CMS and HHS/OCR for having complied with Core 15 and, more broadly, HIPAA (or not), a number of REC CoP callers voiced concern anew over what ONC might, post-hoc, regard as the satisfactory extent of REC documentation in Salesforce that our clients had indeed complied (yeah, we have to use Salesforce).

A bit late in the day for that discomfort, no?

My REC is not going there.**

We give our clients all of the information and tools sufficient for Core 15/164.3 compliance, and stress to them repeatedly the importance of doing so, but we are not about to become proxy CMS/ONC/OCR ePHI Security auditors. We are not staffed for it. It's all I can do to get my clinics to give me adequate face time to engage in more than MU compliance basics and pro forma workflow analysis.

A corollary concern was raised during the call: does it suffice that a practice, having identified one or more Core 15/45.CFR.164.3 deficiencies, simply document in its remedial action plan the requisite measures via which to achieve eventual compliance?

The long answer? No. (IMO)

Read the measure. "correct identified security deficiencies as part of its risk management process."

I'll have to find and review my handwritten HIMSS12 notes, but I specifically recall a curt response to that very question during one of the CMS sessions. The MU participant must correct any identified 164.3 nonconformances prior to attesting.
 ** Why stop/start there, anyway? What if an EP/EH subsequently is shown via audit to have in fact failed to meet one or more other Stage 1 MU measures post- attestation? Do they have to refund the reimbursements? Do we have to then also give our MU3 milestone money back?


NEWS UPDATE (via Linex)
Chronicle of Data Protection
Hogan Lovells
HHS OCR Director Leon Rodriguez Warns of Low Tolerance for HIPAA Noncompliance and Announces that Release of HITECH Rule is Imminent

Director of the HHS Office of Civil Rights Leon Rodriguez warned today that the HIPAA enforcement agencies’ tolerance for noncompliance with HIPAA is “much, much lower” than in years past.  Presenting at the Safeguarding Health Information: Building Assurance through HIPAA Security Conference in Washington, D.C. (co-hosted by OCR and the National Institute of Standards and Technology), Rodriguez made clear that expectations regarding HIPAA compliance by covered entities and their business associates are higher than before, particularly in light of the abundant guidance, tools, and assistance OCR and NIST have provided to covered entities over the years.

During his presentation, Rodriguez reported that the HITECH rule to modify HIPAA Privacy, Security and Enforcement Rules is “very close” to completion.  He highlighted one of the rule’s major changes, namely, extension of HIPAA liability to business associates, and urged business associates to begin compliance efforts if they haven’t already.  Rodriguez also cautioned that attorneys general may increasingly broaden their sights to include HIPAA enforcement for business associates.

Finally, Director Rodriguez discussed OCR’s audit program, designed to help OCR find and address weaknesses in protections for both paper and electronic information.  He reported that the agency has found many vulnerabilities that the standard compliance program failed to identify and expects the audit program to become permanent going forward.  Senior OCR advisor Linda Sanches commented that audits for 115 covered entities—selected from among 3.3 million covered entities in the nation—are in process.  Initial reports from the first 20 audits suggest that most problems were found in the area of security protections. 

Contingency planning and user activity monitoring were also highlighted areas much in need of improvement.  Sanches indicated that the OCR system for auditing business associates will likely go live in 2013.  The audit criteria used for the initial audits will soon be available on OCR’s website and will be useful for mapping compliance efforts going forward. 
