Tips for Improving Risk Assessments
Tracking the Flow of Information
That's because under the rule, these companies must comply with federal privacy and security regulations for protected health information or face penalties for HIPAA non-compliance.
"The real challenge is to meet all of the requirements of the HIPAA security rule, which they have not had to deal with before," he says in an interview with HealthcareInfoSecurity (transcript below). "People are really being forced to revisit their security programs," Nahra says, "to go through a more focused analysis of what it is they're trying to do and how they deal with different risks."
For BAs and covered entities alike, a persistent HIPAA compliance challenge is conducting risk assessments that are ongoing, thorough and well-documented, he says.
"What [the Department of Health and Human Services] is really encouraging and pushing people [for] is to be more focused, more organized and more consistent in how these risk assessments are done," he says.
In the interview, Nahra also discusses:
- How healthcare providers, health plans and their business associates can improve their risk assessments;
- Other regulatory issues that healthcare entities need to closely monitor, including state privacy laws;
- The biggest privacy and security worries patients have about their electronic health information.
Nahra is a partner at the law firm Wiley Rein LLP who specializes in privacy, information security, compliance programs and insurance fraud issues. He served as the co-chair of the Confidentiality, Privacy and Security Workgroup, a panel of government and private sector privacy and security experts advising the American Health Information Community. Nahra is also a member of the board of directors at the International Association of Privacy Professionals.
Meeting the Deadline
MARIANNE KOLBASUK MCGEE: As the HIPAA Omnibus [enforcement] deadline of September 23 is approaching, what are you hearing from IAPP members and your healthcare clients in terms of what's keeping them most busy these days?
KIRK NAHRA: HIPAA Omnibus - and it may be useful to set the stage - is basically the set of changes to the HIPAA privacy and security rules that are coming out of the HITECH Act from a few years ago. There are two parallel things going on. People are adjusting to the changes that are coming out of the rules in terms of particular parts of the rules where practices have to be changed.
There's also a very significant expansion of who these rules apply to. They now apply to all kinds of service providers to the healthcare industry. That group for the first time really has to worry about these rules, and, for the core healthcare industry, they're just worried about technology changes, business changes, new enforcement and new penalty possibilities. While they're dealing with these changes, they're also trying to generally improve what they're doing on privacy and security, given the ongoing risks in that area.
Biggest Compliance Challenges
MCGEE: What are the biggest challenges they're having so far with HIPAA Omnibus compliance that you can see?
NAHRA: From the vendor side - those are the people that have to comply for the first time - the real challenge is to meet all of the requirements of the HIPAA Security Rule, which they have not had to deal with before. That's a combination of things. It's a very process- and documentation-heavy regulation. But in reality they're trying to make sure - in a business that's changing constantly with all kinds of new technologies, new uses and disclosures of information, a new means of interacting with both business partners and with patients - that those technological opportunities can keep pace with the privacy and security requirements. People are really being forced to revisit their security programs, to go through a more focused analysis of what it is they're trying to do and how they deal with different risks. They've got to adjust that every time they change their processes and enter into new business relationships and new kinds of products being offered.
Generally, [they're] trying to make sure that they can protect the information that they have while still, frankly, serving their business, serving their customers. ... It's really an ongoing challenge of how to make sure that we can achieve our healthcare goals while still, at the same time, protecting the data that's so important to so many patients.
HIPAA Risk Assessments
MCGEE: Based on HIPAA audits and breach investigation findings by the Department of Health and Human Services, many health entities have a hard time going through HIPAA risk assessments. They do a poor job with that. Why do you think that's the case? What steps do you suggest healthcare organizations take to improve their risk assessments?
NAHRA: There are a couple of different things going on with this. What HHS has done is basically a pilot audit program that has gone on over the past year or so where they've looked at different healthcare providers and health insurers of all different sizes, shapes and magnitudes. One of the key findings was that there was a general weakness in conducting risk assessments. I think there are a couple of elements to that. One is documentation of risk assessments. For many companies, what we're seeing is a lack of writing things down and documenting what they've done, perhaps even more so than the actual risk assessments themselves.
What HHS is really encouraging and pushing people [for] is to be more focused, more organized and more consistent in how these risk assessments are done. The risk assessment is something that companies have done across their businesses as long as there has been information technology. But it's now required to touch on so many more aspects of a business and so many more contact points with different business partners, with patients and internally. What the risk assessment really requires healthcare providers, health insurers and their service providers to do is think about their business. Think about where they're getting information, where it's coming from, what they do with it, where it's going, and put on their thinking caps about what problems can exist at different points of time.
If you're a hospital, you need to think about how you control your workforce because there are people all across your workforce who can access information. You need to think about where you're sending information, in terms of parties with which you have an arms-length relationship, like the health insurers. You have to make sure it's going to the right places. You have to make sure your connections are secure. You have to make sure you're only giving them the right information and also thinking about people that are working for you and their service providers. It requires people to think about what's happening and what can go wrong. When you think about what can go wrong, your challenge is to figure out how to take the right steps to protect against what can go wrong.
You have to always at the same time recognize that there's never going to be perfection in that area. The only way to make sure that a transmission of information never goes wrong is to never transmit the information in the first place, which isn't an option in this industry. It's not an option in most industries, but particularly in the healthcare area where we need to have information flow. You're looking for the most effective ways of protecting this information while still getting your business done, and that's the real challenge. It really pushes people to think in a systematic and organized way about what those risks are and how you can protect against them.
Top Privacy, Security Issues
MCGEE: Besides complying with HIPAA Omnibus, what other key privacy and security regulatory issues should healthcare organizations be keeping their eyes on? What's on the horizon?
NAHRA: The healthcare industry has had these HIPAA rules since early in the 2000 decade, and what we've seen is an explosion of privacy and security rules both in the United States - at the state and federal level - and also internationally. There's just a wide variety of different rules, some of which don't directly hit the healthcare industry; some of which are directed at other industries but touch on the healthcare industry; some which are applied across the board.
For example, one of the real challenges is a set of laws that are state-based laws, which require certain steps in the event of a security breach. Now, the healthcare industry has its own specific security breach notification law coming out of the Omnibus regulation, but that doesn't mean you don't also have to worry about all these state laws. There are actually 46 different state laws. Each one has its own little tweaks, so if you're a hospital who's dealing with patients from ... whatever number of states, you've got to deal with all those state laws at the same time that you're also dealing with the federal HIPAA rules.
There are a variety of other state laws dealing with security practices. There are a tremendous number of state laws dealing with particular kinds of healthcare information and what you can do with certain information. HIPAA basically treats all information at the same level of protection. It's a strong level of protection but it's all treated the same, whereas a lot of state laws have different levels for particular kinds of conditions.
We're also seeing efforts in Congress to regulate privacy and security more generally. We may see federal data security laws, for example, which will cover all kinds of industries. They may include the healthcare industry. [It's] the same issue with the federal data breach notification law. We're also seeing all kinds of new healthcare programs being implemented, for example. As part of healthcare reforms, each of those new programs is coming up with their own privacy and security rules.
Now, I have a concern about that because I think it creates a lot of confusion. But it's clear that for many of these programs - for example, the health insurance exchanges that are being built or the accountable care organizations - the privacy and security regulations that apply to people operating in those programs are somewhat different than the HIPAA rules. We have to keep an eye on all of that. It's very much a moving target, and it's creating real challenges for healthcare businesses just figuring out what all these rules are. One of the things we have to be careful about is that there aren't so many rules that people get confused and don't do things that they really should be doing, even in terms of sharing information. But that's something that's a real ongoing battle within the healthcare industry these days.
Accounting of Disclosures Rule
MCGEE: It took a while for OCR to finally release the HIPAA Omnibus Rule. When do you think we'll see the long-awaited accounting of disclosures rule from the HHS Office for Civil Rights, and what do you think will be in it?
NAHRA: The accounting of disclosures rule is one of the big enigmas right now in the healthcare industry. The accounting is one of the individual rights given to patients as a result of the original HIPAA privacy rule. It's the right that's frankly been the least utilized by patients. Almost no one asks for HIPAA accounting, and accounting is basically a list of certain disclosures of healthcare information. There are large healthcare entities that have received almost no requests at all from patients. It's a right that very few people utilize.
Congress, in the HITECH law, changed the accounting requirements to make it more difficult to comply with, even though it wasn't clear that anyone's looking for this accounting. Then HHS came out with a proposed regulation that was going to create enormous compliance challenges across the healthcare industry and basically assumed a level of technology that simply doesn't exist these days. That proposed rule has been very heavily criticized. All of the comments that were submitted were negative on the proposed rule. There were varying degrees of negativity, but essentially nobody supported the rule as written, and so HHS has gone back to the drawing board on that. That proposal has always been on a different timeframe. It's also clear that HHS hadn't really done anything between the time the proposed rule came out and a few months ago when the Omnibus rule came out. They're now back at the drawing board on that. I don't think there's any imminent timetable for that.
This is essentially a prediction, a guess - that there will be a new proposal coming out no earlier than the end of this year. But at some point there will be another proposal where HHS will go back to the drawing board and figure out how to implement the congressional direction on accounting without creating, as I said, very significant burdens [and] compliance costs where there really hasn't been a clearly identified corresponding patient benefit from getting this information. It's still a long ways off on getting that accounting rule out, and I'm optimistic that we will end up with a rule that will appropriately balance the burdens with the benefits. The proposed rule just didn't draw that balance very well.
MCGEE: From a patient's perspective, what do you think their biggest worries are concerning the privacy and security of their electronic health data as more of it gets shared?
NAHRA: There are obviously a couple of different things, but I also think it's important to recognize that patients are not a monolithic group. That has actually been one of the challenges from the regulatory perspective. Each person has their own sense of what's important to them and how they would fit their information into the overall healthcare industry. There are lots of ... general public benefits that come out of different kinds of health information. We have research. You want to make sure that the information goes to the right places for the right reasons. I think, to the extent you can generalize, patients are frankly largely nervous because they don't really know what's going on.
Some people just aren't worried about it, but others just don't understand all the places where their information goes. Much of it is appropriate, and the HIPAA rules have basically built a system where certain kinds of uses and disclosures are just part of the healthcare system, and it's a natural element of being involved in the healthcare system. But people want to make sure their information goes to the right places and, frankly, their biggest concern is, "Does it go to the wrong places?" They may have a different view of what the right and wrong places are, and some of that authority is given to the healthcare industry because you can't run this system and let every person decide every single thing that's going to happen to their data. It's just too complicated of a system.
Mainly, people want to have a sense that their information is protected, which is why I think there has been such a good emphasis on security recently and why there needs to be such continued interest in security practices. Bad security means that information is lost for reasons that nobody would justify. If a hacker breaks in and steals information, there's no positive benefit to that. Most of the privacy rules describe what appropriate uses of the information are. We can have a lot of discussion about that, but I think the most important piece, from both a patient perspective and an industry perspective, is to have effective security programs so whatever the rules are on what we can and cannot do they're effective, and inappropriate insiders aren't able to ... access information. ...