CMS HIPAA Security Review: Encryption & Employee Background Checks Mandatory, MT Providers Next Under The Microscope?
From the blog of attorney Adam Russo comes a review of an article from the Report On Patient Privacy newsletter regarding the recent HIPAA Compliance Review Analysis report issued by the Centers for Medicare & Medicaid Services (CMS):
The first batch of government reviews of covered entities (CEs) for compliance with the security rule revealed a host of deficiencies, ranging from failure to conduct even an initial risk assessment to inconsistent employee training, according to a summary of findings and recommended corrective actions recently released by CMS.

But what is perhaps most interesting is CMS’s apparent belief, expressed in the report, that encryption is mandatory and its statement that risk assessments should be repeated every three years, at a minimum.

CMS said it chose the 10 CEs to review based on “complaints filed against the entities, identification of potential security rule violations through the media, or recommendations from OCR.”

During the reviews, CMS (or its contractors) conducted interviews with individuals at the CEs “to understand the nature of the incident, discuss corrective actions taken since the incident occurred, and identify existing or new processes which protected the confidentiality, availability, and integrity of electronic protected health information (ePHI),” the agency says.

“In addition, CMS examined documented policies and procedures which supported the security of ePHI. For selected key processes, CMS conducted analysis to assess whether the processes were operating effectively and as intended. To maintain visibility of the process, CMS provided regular status reports to the CE throughout the review, and discussed potential gaps in compliance with their representatives.”

CMS concluded that these CEs were “struggling” most with risk assessments; keeping their policies and procedures current; training employees on security compliance; conducting clearance checks on employees; ensuring adequate workstation security; and ensuring encryption is properly employed.

“The two themes that stand out to me in the CMS summary are the importance of well-developed policies and procedures and the obligation of ongoing compliance,” says Chris Bennington, an attorney in the Cincinnati-Dayton office of Bricker & Eckler LLP, whose practice includes health care data privacy issues. “Not surprisingly, many of the compliance issues highlighted by CMS focused on the covered entities’ policies and procedures.”

“A covered entity must not simply develop its security rule policies and procedures, put them in an employee handbook, and then never think about them again,” he adds.

Another problem area, as noted, is “workforce clearance procedures.” The rule requires “appropriate access,” which CMS takes to mean “background investigations on personnel,” for both those with on-site and remote access.

Background investigations on personnel should be conducted before they are given access to electronic PHI, the report states. The audits found CEs sometimes completed such checks after the employee had already been granted such access.

John Parmigiani, president of John Parmigiani & Associates, LLC, an information security consulting firm in Maryland, points out that, as a result of this year’s HITECH Act, BAs are now responsible for complying with nearly the same requirements as CEs, effective Feb. 18, 2010.

He believes that within a year of that date, CMS will likely start auditing BAs and putting them under a microscope the same way it has with CEs. To prepare, BAs should also review the compliance summary, he says.

“I think if you are a BA, you need to be mindful of everything that is required, because I do believe that enforcement is being stepped up,” he warns. “I think we will see an audit of a big BA, maybe a transcription company or a practice management company, so that CMS can show that they are out there” reviewing BAs as well as CEs, he says.
If in fact business associates such as transcription service providers will be expected to adhere to the same requirements as covered entities (including mandatory encryption and employee background checks), the impact this will have on the MT (medical transcription) industry is going to be enormous. The days of small-time MT operations may well be numbered, and government regulation will be the reason why.