Earlier this month, in response to a request by Congress, the College of Healthcare Information Management Executives (“CHIME”) reported that complying with HIPAA is not sufficient to prevent data breaches and, further, that such compliance can, in some cases, result in a lessening of health care cybersecurity defenses and data security.
After a discussion of potential benefits to health care automation, the report concludes that notwithstanding the benefits, automation introduces new risks to the confidentiality, integrity, and availability of health care data. The report notes that HIPAA compliance is a minimum standard that covered entities and business associates must meet. But being compliant does not mean that such entities are well protected against cyberattacks.
The authors of the study apparently believe that the resources spent on HIPAA compliance may leave too few resources available to protect against actual cyberattacks. The report went on to note that punitive enforcement of HIPAA may be counterproductive compared with a greater effort devoted to helping entities recover from breaches, learn from them, and share the lessons learned with other covered entities and business associates.
CHIME has also called for DHHS to issue better guidance for health care providers to help them assess threats that are within their control. According to the CHIME report, when considering enforcement actions, OCR should assess the level of effort that has gone into protecting protected health information (“PHI”), and it should reward covered entities and business associates for good faith efforts to prevent cyberattacks, such as demonstrating sufficient compliance with NIST’s Cybersecurity Framework. Also according to the CHIME report, these efforts by DHHS would encourage providers to invest more in cybersecurity, thereby preventing breaches with the benefit of avoiding the high cost of mitigation.
The main takeaway from this study is that being HIPAA compliant, particularly at any one point in time, is insufficient to properly protect PHI. Covered entities must update their risk analyses under the HIPAA Security Rule Evaluation Standard, see 45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii). And simply minimally meeting the Security Rule Standards and Implementation Specifications may be insufficient to adequately protect PHI from the sophisticated threats existing in today’s computer environment.
To read the full letter, go to https://chimecentral.org/wp-content/uploads/2019/03/CHIME-Response-to-HELP-on-Health-CostsvFINAL.pdf.
Alice here: Yes, once again, I am here to try to sell things to keep you and us in business. If you need help with your risk analysis, either initially or for an update, Jon Tomes has written a Risk Analysis ToolKit to provide the structure and tools to help you complete the requirement under HIPAA. You and your risk analysis team can fill it out and document your decisions as to what is reasonable and appropriate for you to adopt in the way of policies and procedures and be done with it. Or you could send your completed risk analysis to Jon to review and render his professional opinion as the country’s leading HIPAA expert (IMO) as to whether it is sufficient to keep you from getting that free trip to Leavenworth or that very expensive trip to the bank. If you have Jon’s Compliance Guide to HIPAA and the DHHS Regulations, 6th edition, with the accompanying HIPAA Documents Resources Center CD, also 6th edition, you can find the Risk Analysis ToolKit on the CD. It is also available with a review by Jon at https://www.veteranspress.com/product/hipaa-risk-analysis-toolkit. Also, Jon Tomes presented a webinar recently on “How to Do a HIPAA and HITECH Risk Analysis.” You can buy a recording of it at https://www.complianceiq.com/trainings/LiveWebinar/2255/how-to-do-a-hipaa-and-hitech-risk-analysis. Jon is also writing a Risk Analysis Update ToolKit, which will be available for you in the near future on the Premium Member section of our website. Please stay tuned for our announcement when it is up and running for you there.
If you need guidance on how to draft the policies and procedures that your risk analysis or your newly updated risk analysis has shown are reasonable and appropriate for your organization, Jon has also written The Complete HIPAA Policies and Procedures Guide, with the accompanying CD of several dozen HIPAA policies and procedures templates for you to adapt to your situation.
Make sure that you train your entire workforce on HIPAA in general and on the HIPAA policies and procedures according to who needs to know what to perform their duties for you. If you need handy HIPAA training in general, consider Jon’s training video and training manual in either of two forms available here: https://www.veteranspress.com/product/basic-hipaa-training-video-dvd-workbook or https://www.veteranspress.com/product/online-hipaa-training-video-certification. Or you could hire Jon to present HIPAA training onsite to your workforce. Just contact him at jon@veteranspress.com or 816-527-3858.
Keep your written documentation of all of these HIPAA compliance efforts where you can find it easily and quickly if DHHS shows up demanding your HIPAA compliance documentation. We recommend keeping all of it in Your Happy HIPAA Book. Jon included tabs in the three-ring binder for everything that you need to document and a checklist for each tab. I recommend adding the date that you check off each item in each checklist.
If you have had a security incident that you were unsure as to what exactly to do about, or if you are concerned that you may have one, consider reading Jon’s book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know.
As always, thanks for reading Jon’s blog, buying his books and other HIPAA compliance tools, attending our seminars and webinars, and hiring Jon for HIPAA consulting and training. We wish you every success with your HIPAA compliance efforts.