HIPAA Regulatory Alert

Free tool assesses privacy risks

12 steps to survive OCR investigation

Frequent news stories and headlines about the Department of Health and Human Services (HHS) Office for Civil Rights' (OCR) crackdown on covered entities that have reported data breaches or other privacy rule violations increase the importance of continually assessing compliance with privacy and security rules.

A free, interactive toolkit that helps healthcare compliance, privacy, and information security officers assess and mitigate risks within their organizations is available from ID Experts, a Portland, OR-based software company.

The toolkit also offers information to help organizations prepare for OCR investigations. "The biggest challenge is that every OCR investigation is different, and the only way an organization will survive one is if it is completely aware of the potential paths of the investigator and prepared," said Rick Kam, CIPP, president and co-founder of ID Experts.  

Twelve steps that healthcare organizations can take to prepare for an OCR investigation are:

1. Assign privacy and security responsibility. Ensure accountability for patient privacy with a specifically designated privacy official in your organization.

2. Conduct an annual risk analysis. Carry out an annual risk analysis intended to identify privacy/security risks and vulnerabilities.

3. Address security vulnerabilities. Implement security measures to reduce risks and vulnerabilities identified in most recent risk assessment.

4. Train workforce. Train workforce members including management and volunteers in patient privacy and security requirements, and document evidence of security awareness enforcement.

5. Develop policies and procedures. Develop thorough policies and procedures for safeguarding protected health information (PHI) and for unauthorized disclosure of PHI.

6. Prepare for privacy incidents. Develop procedures and tools for compliant investigation, analysis, and review.

7. Report incidents. Capture and maintain a copy of the incident report that was created/submitted that triggered concern that a potential breach has occurred.

8. Analyze incidents. Develop and document a detailed description of the facts of the incident and the incident risk assessment that you carried out to determine if the incident requires notification to affected individuals and authorities.

9. Document patient notification. Develop and document your notification to individuals affected by the data breach, including all means used to ensure delivery of the notification.

10. Mitigate harm to affected individuals. Describe actions taken to mitigate the harm to individuals/patients affected by the breach.

11. Send notifications to regulators and media. Develop and document your notifications to necessary regulatory authorities including HHS/OCR as well as media.

12. Determine root cause and corrective actions. Determine and document actions to determine the root cause of the incident and to address the root cause with corrective actions.

To access the free toolkit and checklist, go to www2.idexpertscorp.com and select "Breach Tools" from the top navigation bar. At the next page, scroll down to "OCR Survival Tool," then "Download Tool Here."



HIPAA Regulatory Alert

Survey shows security is not improving

$100,000 breaches occur daily

In spite of increased focus on regulatory compliance, a survey of over 100 information technology (IT) administrators, managers and executives of healthcare organizations reports ongoing data breaches.

The survey, conducted by Boston-based Global Sign, an accredited public certificate authority, showed that although 56% of IT security teams are spending between 25% and 100% of their workweeks devoted to compliance, breaches that cost organizations as much as $100,000 per incident are happening every day.

Exacerbating the problem is the sheer number of applications and solutions flooding the market that claim to satisfy security and compliance requirements, according to survey respondents. In fact, results revealed that 79% of respondents find that identifying effective tools that can provide both security and compliance is moderately to extremely challenging.

Other results of the survey included:

• 54% of respondents are devoting the most of their time to HIPAA compliance procedures;

• 37% of respondents spend no more than 25% of their workweeks devoted to improving security and ensuring data privacy;

• 34% of respondents' organizations have experienced a patient-records data breach within the past two years;

• 10% of respondents believe that data breaches that cost organizations $100,000 per incident occur daily.



HIPAA Regulatory Alert

Doctors may not be ready for 5010

Over 45% have not implemented upgrades

As the January 2012 deadline for hospitals to convert to HIPAA Version 5010 quickly approaches, a survey conducted by the Medical Group Management Association (MGMA) has found that medical practices are lagging in the race to meet 5010 deadlines. The results are:

• 45.2% of practices report that they have not yet started implementation or software upgrades.

• While 53.4% of the respondents said that they are fully aware of these HIPAA mandates, the majority said that they have not yet scheduled internal testing. Another 84.8% said that they have not yet prepared an impact analysis detailing how this conversion will affect operations.

• Of the respondents, 42.9% said that their practice management vendor is geared up to replace or upgrade their system to accommodate the newer version, 34.5 percent said they are not.

• Only 9.2% of practices said that they have begun internal software testing and 2% said that they do not plan to start internal testing until after the January 2012 deadline.