Posted on January 24, 2008 by Helen Oscislawski

CMS to Audit 10-20 Hospitals In Next 9 Months

GovernmentHealthIT reports that on January 16, 2008 at a workshop on HIPAA security, CMS announced that it will begin its audits by reviewing 10 to 20 hospitals in the next nine months for
compliance with the HIPAA Security Rule.  As posted earlier on this Blog, CMS has contracted with PriceWaterhouseCoopers (PWC), an accounting and consulting firm, to help with the reviews.

Who Will Be Audited?   Tony Trenkle, Director of CMS' Office of e-Health Standards and Services, stated at the January 16th workshop that the first reviews will be at hospitals where CMS has received complaints about security practices.  Then, CMS will move onto auditing "larger" hospitals nationwide.

What Will CMS Look For?   CMS representatives state that before a visit, the CMS-PWC team will request documents required under the HIPAA Security Rule, such as the hospital’s security risk assessment and its remote access policies.  Director Trenkle indicated that remote access to data and use of portable storage devices are among the issues that CMS will focus on.  Lorraine Doo, senior policy adviser at the Office of E-health Standards and Services, elaborated that CMS-PWC will interview the compliance officer, security director, lead systems security manager and access controls manager at each hospital.

Consequences:   Hospitals will be invited to comment on the CMS-PWC team’s findings before the results are final.  After the reviews, CMS will publish the results of the security review, but not the organizations' names, on its website.  However, if the review uncovers major lapses, Ms. Doo indicates that CMS could fine a hospital or levy other punishments allowed for under the HIPAA statute.

 

Helen's HIPAA Hint: The comment made by CMS’ Senior Policy Advisor, Ms. Doo, will likely make covered entities ask who is a “Lead Systems Security Manager” and who is an “Access Controls Manager”? and did the Security Rule require us to appoint such individuals?   The technical answer is “no,” the Security Rule only expressly requires a covered entity to appoint a Security Officer. However, the practical answer is that in order for the covered entity to insure that the required technical, physical and administrative safeguards are effectively implemented, monitored and revised as needed, the “buck must stop” (as they say) ultimately with someone. 

In smaller organizations, the Security Officer may have to take on all of these roles.  However, larger entities may find it necessary to create a “team” of individuals who will work in tandem with the Security Officer in make sure that the entity is in full compliance. 


So, if a covered entity does not have an Access Controls Manager or a Lead Systems Security Manager will CMS find this organization non-compliant?  I do not think so, as long as the entity can demonstrate that a specific individual is or specific individuals are ultimately responsible for making sure that all of the Security Rule’s safeguards are effectively implemented, being monitored and audited, and issues are being addressed as they come up.


 

Tags: ,
Posted on January 4, 2008 by Helen Oscislawski

New Year, New Laws . . . Some Items to Watch In 2008

  • What the HIPSA?!!   After HIPAA, the last thing most of us want to hear is another acronym that starts with the letter "H" and makes our heads spin trying to figure out whether the answer to the question is "to disclose" or "not to disclose."   But, here it may come..... Covered Entities (and anyone currently handling health information, for that matter) should keep an eye on U.S. Senate Bill 1814, the Health Information Privacy and Security Act ("HIPSA"), currently under consideration by the Committee on Health, Education, Labor, and Pensions.  HIPSA could change the current HIPAA landscape by, among other things, aiming to directly govern each individual who and entity that uses personal health information.  The potential new law is also looking to create a right of private action (the right to file a private lawsuit), and allow state attorneys generally to sue for privacy and security violations.  Each of these elements is more far-reaching than HIPAA, which directly governs only Covered Entities, and does not provide a statutory private right of action.
  • New Jersey Health Information Technology Promotion Act (NJ HITPA), Senate Bill 2728.   As NJ HITPA inches forward (last updated 11/2007), New Jersey may be one step closer to setting up the infrastructure necessary to support a state-wide RHIO (Regional Health Information Exchange) in 2008.  NJ HITPA establishes the New Jersey Health Information Technology Commission to assume primary responsibility within State government for the development, implementation, and oversight of the Statewide health information technology plan.  That plan is to be designed to establish a secure, integrated and interoperative, Statewide electronic health information infrastructure for the sharing of electronic health information among health care facilities, health care professionals, public and private payers, and patients, which complies with all State and federal privacy requirements and links all components of the health care delivery system through secure and appropriate exchanges of health information. 
  • Ban On Data MiningOn December 12, 2007, the Washington D.C. Council voted in favor of restricting access to information about physicians' prescribing trends.  The ban is the result of a much larger debate, namely whether prescription data should be allowed to be mined and sold to pharmaceutical companies and whether such practice drives up the costs of prescription drugs and interferes with physician practices. However, from a HIPAA standpoint, the ban may spur a trend that could restrict access to deidentified information.  Under HIPAA, if information is "deidentified" (stripped of all identifying elements) then the federal Privacy Rule does not prohibit its disclosure. Most state laws also limit confidentiality protections to "identifying" personal information. Therefore, "anti-data mining" laws such as the one being considered in D.C. (as well as in 12 other states, including New Hampshire, Maine and Vermont) would, in many instances, result in state laws that are more restrictive than HIPAA and create a new barrier to pharmaceutical companies and others obtaining such information.
     
  • States Amending Privacy LawsLook for legislation to be introduced in New Jersey and other states that tighten up privacy and security requirements in certain instances, and that clarify restrictions that have become outdated.  For example, the Pennsylvania Department of Health ("PA DOH") proposed to amend its regulations relating to the disclosure of patient information under the Pennsylvania Drug and Alcohol Abuse Control Act . The proposed rule, set forth in the Pennsylvania Bulletin at 37 Pa.B. 6529, indicates that the PA DOH determined that the current regulation is outdated and is an impediment to service delivery and the coordination of care for individuals with substance abuse problems.  In general, the proposed rule expands the amount of information treatment providers may release to other entities (in accordance with the existing statute), and clarifies what information is subject to the confidentiality and disclosure restrictions.  

  • Identity-Theft Prevention Laws.  As the nation moves toward converting from paper to electronic health records and our personal information becomes more accessible, medical identity theft has become pervasive. Many states, including New Jersey, have passed security-breach notification laws that require providers to notify an individual if his/her electronic information has been accessed in an unauthorized manner. Look, however, for states to expand their current laws protecting the security of health information and specifically target medical identity theft. 

Tags: