[BreachExchange] Reviewing OCR HIPAA Guidance to Maintain Compliance

Audrey McNeil audrey at riskbasedsecurity.com
Fri Sep 22 14:36:24 EDT 2017


https://healthitsecurity.com/news/reviewing-ocr-hipaa-guidance-to-maintain-compliance

Covered entities should not be afraid to regularly review OCR HIPAA
guidance and ensure that they remain compliant, even as they add new
technologies into the daily workflow, according to OCR Senior Advisor for
HIPAA Compliance and Enforcement Iliana Peters.

Peters presented a HealthITSecurity.com webcast earlier this week,
discussing key areas of HIPAA compliance such as vendor risk management,
business associate agreements, and the importance of ongoing risk
assessments.

Covered entities must review their policies and procedures, and make
necessary updates as needed. This includes having an updated risk
assessment, proper employee training, and documented business associate
relationships.

Peters also broke down the key differences between an OCR HIPAA audit
investigation and an OCR investigation stemming from a potential data
breach.

“The difference is really the purpose of the inquiry and the instigating
event,” Peters stated. “Any particular investigation that OCR does will be
generated by one of several circumstances: either a complaint is filed with
us or we start a compliance review that has started as a result of a breach
report, news report, or a referral from another agency.”

OCR has broad authority to begin what we call compliance reviews, she
added. This essentially includes any review of the compliance activities of
an entity based on any type of instigating event or potential report.

“The audit program is really more focused on determining compliance in the
industry more generally,” Peters explained. “As for now, it isn’t really
meant to result in corrective action, technical assistance, settlement
agreements, or civil monetary penalties. It’s really just for the purposes
of trying to figure out how our industry is doing from a compliance
perspective and what tools and guidance we need to provide or what best
practices we can share.”

“That’s our current approach to our audit program,” she continued. “That’s
how we’ve approached the last two phases we have undertaken after the
passage of the HITECH Act, which included the audit requirement. How we
move forward in the future is still a question that is open for our office
and is something we’re looking at as we move forward in the audit program.”

Peters then touched on going beyond HIPAA privacy notices when changes
occur with an EMR vendor that is performing research on behalf of a covered
entity. Peters stressed that she could not provide a legal or advisory
opinion, but that covered entities need to ensure they understand their
relationship with any business associate.

“If you’re engaging a business associate for any purpose, whether it’s
for purposes of helping you do research as a covered entity or it’s doing
back office billing functions, supplying cloud services, or supplying
storage services for your electronic data, etc., you do need to ensure you
have a really good business associate agreement in place with that BA,”
Peters said.

Covered entities need to understand how a business associate is going to
protect its data, she maintained. At the end of the day it is the covered
entity’s data. It might not only be patient data that has really important
privacy concerns, but it could also be intellectual property.

“You really need to ensure you understand how that entity is going to
protect the data that you hand over or that it creates for you,” she said.
“You need to know how it’s going to notify you in the case of not only a
breach but also a security incident. If they have a security incident that
doesn’t necessarily rise to the level of a breach, how are you going to
deal with that? If there is in fact a breach, who’s going to do the
notifications and when?”

The Privacy Rule does not necessarily require that any one particular
entity provide notifications, she added, but the covered entity is
ultimately liable for making those notifications. If the covered entity
wants the business associate to do that, then that’s something the
organizations should work out before a breach occurs.

“Once that 60 day [notification] clock starts ticking, any business
associate breach is attributed to the covered entity during that 60 day
period,” Peters warned. “If your business associate doesn’t notify you
until day 59, it’s going to make it very difficult for you to deal with any
particular breach notification situation in a timely manner.”

“That’s the case whether it’s notifications to OCR, individuals, or to the
media, which are all required in cases where more than 500 individuals are
affected,” she continued. “It’s really important that in any business
associate relationship you understand the purpose for the relationship. If
it’s research, cloud computing, billing, document storage, document
destruction, whatever the relationship is with your vendor, you must
understand what the safeguards are that need to be in place on that data.”

That way, for the data that the business associate is holding, creating, or
transmitting, the covered entity knows what types of safeguards need to be
in place to keep that information secure.

Organizations also need to know what kind of responsibilities that business
associate is going to have. How are they going to flow those safeguards
downstream?

“You need to think about the life cycle of the data just as you do with
your risk analysis in any business associate relationship and ensure that
you understand: okay, what are we handing over? What are the risks to this
data? How are we expecting our BA to protect it? What’s going to happen
when there’s a breach?”

Peters added that covered entities also need to think about what happens at
the end of the relationship. How will you get your data back? How are you
going to ask that business associate to destroy that data?

“These are all issues that you should look at in any business associate
relationship,” she concluded. “We have a bunch of guidance on our website
about business associates, including sample business associate provisions.
Our cloud guidance walks through these as well. Any research questions, I
would refer you to guidance we did with the National Institute of Health,
on issues specific to research.”