|
It's been a week of bad news for lazy or sloppy health care organizations. An employee fired after a security breach of protected health information filed a wrongful termination suit against his former employer, and it may have merit because of poor policies. A community health care provider hacked by a disgruntled employee may be dragged into a compliance quagmire because it's not clear that the organization took basic steps to revoke his access. And to top it off, the U.S. Department of Health and Human Services (HHS) is starting to swing the enforcement rule -- a dowdy part of the Health Insurance Portability and Accountability Act (HIPAA) that few people read -- like a scythe in a field of weedy policies and overgrown practices.
Worried about audits?
The first HIPAA audit by the HHS has been widely reported. Atlanta's Piedmont Hospital received notice of the audit, and much has been made of the information requested. But did we not see this coming?
With governance reform and example-making in legislative vogue (even if not entirely well-informed or evenly applied), it's surprising that some health care organizations behave as if nothing will come of the HIPAA rules. But audits are merely an examination; organizations ought to think more than a step ahead about discovery of failed controls or the immediate effect of a breach.
Covered entities are responsible
The Council of Community Clinics (CCC) in San Diego ought to ponder that difference as it deals with the aftermath of its recent breach. Jon Paul Oson, a former network administrator with privileged access, quit his job after a disagreeable performance evaluation. He then allegedly gained access to the CCC systems two month later, disabled the backup systems and then systematically destroyed patient data. For this, Olsen faces an indictment (download PDF), a fine of up to $500,000 and a career reduced to a pile of ash. [Just the career? Not if the affected patients get hold of him, I'd bet. -- Ed.]
Oson's the bad guy, obviously, but CCC is not out of the woods. An astute Computerworld reader asked, "Where is the line about the company he hacked being fined for HIPAA violations?" and noted that "if they were doing everything they were supposed to be doing, he [w]ould not have been able to get access ... after being terminated" and that they would have been "monitoring their logs and caught the fact that the backup wasn't working correctly."
The reader is right. When a systems or network administrator with broad access leaves an organization, hand-waving does not constitute proper revocation of access. Sure, the reality of working in a small organization means that separation of duties may be a luxury (and the HIPAA rules allow more leeway for small health care providers). However, that's no excuse for lack of monitoring to the degree that one simply does not know what the administrator installed or had access to, nor is it an excuse for failing to close off access before a new administrator arrives.
Sometimes an errant but trusted employee comes back to bite mere moments after termination, and the HIPAA enforcement rule (download PDF) allows for this. But the rule specifically notes that covered entities have 30 days to fix violations after discovery (§160.410 (b)(3)(ii)(A)). If an organization has an all-powerful administrator walk or be escorted out the door, one can instantly infer that there's an access violation, and that means the clock is ticking. If CCC took two months, then it has a problem.
The employee strikes back
Beyond sloppy implementation, the HHS is looking for what's referred to in the law as "willful neglect" -- a "conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated." An employee of Providence Health System in Portland, Ore., was asked to store backup tapes off-site in his car, and when the car was broken into, media with unencrypted personal information on 365,000 patients was stolen. After Steven Shields reported the incident to the authorities, Providence terminated his employment in what he claims is a retaliatory action prohibited by whistle-blower protection laws.
Various sources and a commenter to the Computerworld article indicate that Providence's Home Services division -- where Shields was employed -- operated an independent IT group with lax or absent governance oversight or compliance review. In an unfortunately common situation, it's likely that Shields was asked by a manager to take the tapes off-site in a superficial attempt to follow the HIPAA security rule.
However, sending tapes home with an employee accomplishes the off-site requirement but breaks numerous other rules. An off-hours employee in his home is not the same thing as a service provider. Unless the person contractually agrees to provide controlled, monitored, and secure transport and storage of data -- in a service contract that meets the business-associate rules -- then the data is intentionally out of control of the covered entity. If this isn't "willful neglect" of the HIPAA provisions, I don't know what is.
It really can get worse
For those still waffling between the hassle of compliance versus the risk of getting an unpleasant and prolonged visit from HHS, have a look at two parts of the HIPAA enforcement rule, linked above. Pay special attention to Subpart C, §160.310, "Responsibilities of Covered Entities" -- yes, covered organizations really do have to open their doors and let auditors tromp around in their records as well as the physical site.
As if the disruption and potential work stoppage from an audit isn't enough, the enforcement rule includes my favorite tool for behavior modification: public humiliation. Buried in Subpart D, §160.426, there's a section entitled "Notification of the public and other agencies." Serious violators can be sure the HHS will follow a final penalty (fines and/or jail time) with public notices and notification letters to state and local medical and professional organizations, state agencies administering or supervising appropriate health care programs, "appropriate utilization and quality control peer-review organization[s], and the appropriate state or local licensing agency or organization."
Ow.
Just read it
There's no twist or unexpected sardonic ending here. The simple lesson is that organizations subject to HIPAA regulations should think twice about lame excuses and willful ignorance of security requirements. Sadly I continually encounter people responsible for HIPAA compliance (or worse yet, "expert" consultants) who quite simply have never read the security rule.
Here's a secret those freshly minted experts don't seem to know: The security rule is not only pretty clear but is short -- if you know where to look. Click on the unobtrusive "Regulations" link on the left side of the Centers for Medicare & Medicaid Service's Security Standard Web site, and find the "Security Final Rule (download PDF)." If you're just getting acquainted with HIPAA, skip to the last 13 pages of the document, and start with definitions on page 8,374 (don't worry, the document starts with page 8,334). Pay special attention to the difference between "required" and "addressable" security implementation specifications in Section 164.306.
Believe it or not, all the stuff that matters -- the administrative, physical and technical safeguards, followed by two small sections on organization and required documents -- is between pages 8,377 and 8,379. That's right... just three pages. And it's followed by a nice one-page summary table of all requirements.
And it's not a complicated law.
Read it.
Do it.
Jon Espenschied has been at play in the security industry for enough years to become enthusiastic, blasé, cynical, jaded, content and enthusiastic again. He manages information governance reform for a refugee aid organization and continues to have his advice ignored by CEOs, auditors and sysadmins alike.
Computerworld
Jon Espenschied
September 10, 2007
The HIPAA Flash is an opt-in monthly newsletter. The content is for informational purposes only. Nothing herein constitutes legal advice - if you need legal advice, please consult a competent attorney. To unsubscribe from this monthly newsletter, reply to hipaaflash@hipaarx.net with the word "UNSUBSCRIBE" in the subject line.
HIPAA Solutions Rx is your best source for compliance workbooks, online training, disclosure tracking systems, network scanning tools, backup facilities, certifications, consulting ... HIPAA from A to Z. For the most complete suite of HIPAA compliance products available, visit us at: http://www.hipaarx.netor call us at 1-866-447-2211.
HIPAA Solutions is a BridgeFront Company. For training in OSHA, JCAHO, Nurse CE, Long Term Care, Revenue Cycle Management and much more, visit http://www.bridgefront.com.
|
