In a recent Guidance, the Office of Civil Rights of the U.S. Department of Health and Human Services (“OCR”) appears to have attempted to reverse an impression that its emphasis is more on privacy of protected health information (“PHI”) than on security of PHI. Its July 2016 article draws attention to the need by covered entities and business associates for equal attention to PHI security.
Relative to this OCR initiative, our partner Elizabeth Litten and I were recently featured again by our good friend Marla Durben Hirsch in her article in the August 29, 2016 issue of Environment of Care Leader entitled “OCR: Providers need to assess cybersecurity response.” Full text can be found in the August 29, 2016 issue, but a synopsis is below.
Litten and Kline observed that the Guidance provided less specificity than prior guidance releases in the HIPAA area and seemed to be more geared to large providers and managed healthcare systems. Nonetheless, Litten observed, “The bar [for PHI security] is higher than what some providers thought, especially if you read this with the [contemporaneous OCR] guidance on ransomware. So you may need [to take more steps] to protect your software.” Kline added, “OCR is going to say that if we tell you to do this and you don’t, tough on you.”
Some of the tips provided by Litten and Kline in the article include the following:
Litten: Protect your electronic patient information if you haven’t done so already, taking into account your particular resources and limitations. “You don’t need a forensic analyst on staff, but you may want the contact information of one in your address book. If you’re not sure how to proceed or even where to start, you may need to hire a consultant to help you.”
Kline: Develop policies and procedures to address cybersecurity. “The fact that you’ve done something constructive and documented that you’ve tried to comply, you’re so much better off [if you get audited by OCR].”
Kline and Litten: Review your cybersecurity response policies, plans and procedures annually.
Litten: Ask your electronic health record and other health IT vendors about the cybersecurity capabilities of their systems. “You want to make use of tools you have or at least know what you don’t have.”
Kline: Understand that OCR considers a cybersecurity incident, not just a breach and not just ransomware, a reportable breach that must be put through the four-part risk analysis to determine whether that presumption can be refuted. “It’s not just [clear] breaches that need a HIPAA risk analysis.”
Kline and Litten: Document all of your plans, policies and procedures your facility has to respond to a cybersecurity incident and what you have done if you have been subject to one.
Litten: Use free or easily available resources when you can. For instance, OCR has tools on its website, such as a sample risk analysis to determine vulnerabilities of electronic patient data. Your local medical societies may also offer tools, webinars and training.
Litten: Make sure that your business associates also have cybersecurity protections in place. “The [G]uidance specifies that business associates as well as covered entities need to have this capability. Because it’s the covered entity that’s ultimately responsible for protecting its patient data and for reporting security breaches, it falls to the entity to ensure that the business associate complies.” So you need to ask business associates what their cybersecurity response plans entail and make sure that they’re adequate, include the fact that they have such a plan in the representations and warranties of your business associate agreement, require swift reporting to you of any cybersecurity incidents suffered by a business associate and make sure that business associates limit access to your patients’ data. “You don’t want seepage of patient protected health information.”
In light of the clear concerns of OCR that covered entities and business associates, both large and small, pay sufficient attention to security of PHI, current compliance efforts should evidence relevant concrete policies and procedures that cover not only privacy but also security. Documentation of such efforts should specifically address current issues such as ransomware and risk analysis to demonstrate that the covered entity or business associate is staying current on areas deemed to be of high risk by OCR.