
HHS Extends Comment Period For Proposed Rules To Improve the Interoperability of Electronic Health Information

Today, the U.S. Department of Health and Human Services (HHS) announced it is extending the public comment period by 30 days for two proposed regulations aimed at promoting the interoperability of health information technology (health IT) and enabling patients to electronically access their health information. The new deadline for the submission of comments, June 3, 2019, will allow additional time for the public to review the proposed regulations.

The extension of the public comment period coincides with the release by the HHS Office of the National Coordinator for Health Information Technology (ONC) of the second draft of the Trusted Exchange Framework and Common Agreement, along with a related Notice of Funding Opportunity. HHS also released today a set of frequently asked questions (FAQs) from the Office for Civil Rights (OCR).

The FAQs address the Health Insurance Portability and Accountability Act (HIPAA) right of access as it relates to apps designated by individual patients and application programming interfaces (APIs) used by a healthcare provider’s electronic health record (EHR) system. The FAQs clarify that once protected health information has been shared with a third-party app, as directed by the individual, the HIPAA covered entity will not be liable under HIPAA for subsequent use or disclosure of electronic protected health information, provided the app developer is not itself a business associate of a covered entity or other business associate.

On February 11, 2019, HHS announced two proposed rules to support the seamless and secure access, exchange, and use of electronic health information (with Federal Register publication on March 4, 2019). The rules would increase choice and competition while fostering innovation that promotes patient electronic access to and control over their health information. Together the proposed rules address both technical and healthcare industry factors that create barriers to the interoperability of health information and limit a patient’s ability to access essential health information. Addressing those challenges will help to drive an interoperable health IT infrastructure across systems, enabling healthcare providers and patients to have access to health data when and where it is needed.

This extension responds to requests from a variety of stakeholders, including healthcare provider organizations and industry representatives. The Centers for Medicare & Medicaid Services (CMS) and ONC understand that both rules include a range of issues with major effects on healthcare. Extending the public comment deadline will maximize the opportunity for meaningful input on the proposed provisions and further the overall objective of moving the healthcare ecosystem in the direction of interoperability.

For more information on the ONC proposed rule visit: https://www.healthit.gov/NPRM

For more information on the Trusted Exchange Framework and Common Agreement and the Notice of Funding Opportunity, visit: https://www.healthit.gov/TEFCA

To receive more information about CMS’s interoperability efforts, sign up for listserv notifications here: https://public.govdelivery.com/accounts/USCMS/subscriber/new?topic_id=USCMS_12443

For a fact sheet on the CMS proposed rule (CMS-9115-P), please visit: https://www.cms.gov/newsroom/fact-sheets/cms-advances-interoperability-patient-access-health-data-through-new-proposals

To view the CMS proposed rule (CMS-9115-P), please visit: https://www.cms.gov/Center/Special-Topic/Interoperability-Center.html

To view OCR’s FAQ, please visit: https://www.hhs.gov/hipaa/for-professionals/faq/health-information-technology/index.html

Decoding the New HIPAA Privacy and Security Rules

Guest post by James D. Brown, CTO, StillSecure and Andrew Hicks, Director, Healthcare Practice Lead, Coalfire

In January, the U.S. Department of Health and Human Services (HHS) announced updates to the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security rules. These new rules took effect on March 26, and business associates have until September 23, 2013, to reach compliance. Under HIPAA, a business associate is defined as a person or entity that performs certain functions or activities involving the use or disclosure of electronic protected health information (ePHI) on behalf of, or provides services to, a covered entity. So what exactly do these new rules mean for our partners and clients?

First, it is important to note that the new rules are really just formalizing and strengthening many of the changes announced in the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act), which clearly defines when HHS needs to be notified of a breach and increases the penalties applied for non-compliance.

Also, the biggest change to note is that the relationship between a business associate and its subcontractors (for example, a health information organization and its cloud service provider) is now assumed to be governed by a business associate agreement (BAA). In the past, subcontractors could choose to opt out of signing any agreement, which essentially limited their liability should HHS come knocking. Under the new regulations, it is clear that any healthcare provider that comes in contact with actual ePHI must sign a formal business associate agreement, making each and every subcontractor liable during a breach.

Stated differently, this means that anyone who deals with ePHI should carefully read the new rules and understand how they will be directly liable for compliance. We will start to see a shake-out among business associate companies: healthcare facilities should closely examine whether a business associate agreement is signed just to win business, or is signed by a company that will actually be accountable for HIPAA requirements and take them seriously throughout the course of the relationship.

It is also important to note that under the new regulations, it is crystal clear that business associates are directly liable for compliance and can be fined, along with the actual health care provider as a covered entity.

Here are the top five issues that organizations need to be aware of:

1. Not knowing that they need to be compliant. Many people do not realize that shredding companies and office cleaning crews, which may see patient data without realizing it, are now liable. Anyone that has access to ePHI, regardless of their position and how far removed they are from the covered entity, is in full scope now.

2. Lack of a solid inventory of where data lives. Data is constantly being transmitted back and forth via applications, web servers and file servers. However, many organizations lack a comprehensive inventory of where all of this data lives. This makes it difficult to accurately assess the risk of data storage. Participants must be able to control physical access to patient information and proactively protect against inappropriate access to the data at every exchange point. This is impossible to achieve without a solid inventory.

3. Risk analysis and data classification. Under HIPAA, there is a clear requirement that companies complete a thorough risk assessment of the storage, processing and transmission of ePHI data. The risk to the data needs to be clearly defined, and any controls that are in place need to be outlined.

4. Controlling the flow of ePHI data via mobile devices. While there is no requirement within HIPAA that specifically addresses mobile devices, iPads, iPhones, and Androids frequently hold ePHI data. Organizations need to implement corporate BYOD policies and have controls in place, including passwords and remote capabilities, to protect this data.

5. Encryption. There seems to be a lot of confusion around encryption, as many people read this addressable specification as being optional. Some organizations see “encryption” and, after evaluating what it entails, decide that it costs too much money or treat it as optional. If there is a security breach, HHS officials will first ask if the data was encrypted. If the answer is no, the investigation can easily lead to fines, penalties and negative publicity. We recommend that our partners and clients conduct a thorough risk assessment to document all controls that are in place surrounding data that may be at risk. This documentation serves as a road map for developing action items based on priority or level of risk. When a breach occurs, organizations need to demonstrate their due diligence to show that all risks were acknowledged. We cannot stress enough how thorough this documentation should be. We have seen documentation ranging from 20 to 100+ pages; anything less than that will be insufficient.

We continue to see these issues every day. The bottom line is that organizations should thoroughly read through the new rules and engage with third-party vendors to make sure that they are covered and can avoid paying penalties. Those interested in exploring a third-party solution should ensure that their prospective vendor provides a suite of proven network security and compliance technologies, compliant data center policies and procedures, and round-the-clock analyst coverage to monitor and manage networks.

James D. Brown is responsible for overall product and services strategies, and architecture and implementation of StillSecure’s product suite. James has tremendous experience in both public and private cloud security and helped create the industry’s first comprehensive Cloud Security Services Platform that supports physical, virtual and multi-tenant environments. Brown has more than 20 years of experience in the network security, IT, telecommunications, and human resources industries.

Andrew Hicks, director, healthcare practice lead, Coalfire, has over 10 years of experience in IT governance, including responsibilities specific to IT security, risk management, audit, business continuity, disaster recovery and regulatory compliance. His experience and understanding of business processes and technology have allowed him to excel in the areas of policy development, internal control design and testing, project management, system development reviews, and risk mitigation.