Based on draft rules published on July 14, 2010, the new HIPAA rules explicitly define Business Associate obligations, which are a subset of the obligations of “covered entities”. This subset includes

• the entire HIPAA Security Regulation
• the “minimum necessary” provision of the HIPAA Privacy Regulation
• the prohibition from any use or disclosure of Protected Health Information (PHI) that would be a violation for a covered entity to use or disclose
• the obligation to put subcontractors who use PHI under a HIPAA Business Associate contract. (The draft regulation clarifies that these subcontractors are also “Business Associates”.)

The HIPAA obligation for EHR authors and VARs is created by their activities and services through which their employees are exposed to the PHI of their clients. Examples of these services include on-site support, remote support that includes access PHI, training, data conversions, operation of hosted data centers, on-line backup services, operation of patient access portals, value-added services like off-site document scanning and other VAR services.

Because EHR Author and VAR operations are vastly different than the health providers they serve, the compliance obligations are also different. Consequently, “off-the-shelf” HIPAA manuals used by physicians and hospitals will be insufficient.

While HHS was directed by the HITECH Act to write these rules by February 17 of 2010, the draft rules have not yet been finalized. When will they be released? Who knows! However, HHS has indicated their intent to provide a 6 month grace period once the final rules are published. Proactive EHR authors and VARs are advised to prepare early for these new obligations.

On the one hand, social media have been proven to be a powerful vehicle to advance the aims of the organization. Social media are being used to increase the visibility of the organization, promote products and services, enhance fundraising, increase public support and to recruit employees.

Similarly, the same media provide visibility to disgruntled customers, patients and employees and can mar the reputations of even powerful organizations.

Employee productivity is another dimension. Do employees waste time while on the job by spending hours on Facebook instead of working? And, do employers have the right to regulate employee behavior while they are off the job, on their personal time?

Covered entities must consider all of these factors, along with compliance with laws and regulations. The National Labor Relations Board (NLRB) has been weighing in recently to protect certain employee rights to use Facebook when discussing compensation and working conditions, and to prohibit certain employer policies. Regarding the HIPAA regulations, covered entities should have at least two policies:

Acceptable Use of Computers. As part of HIPAA security regulations, covered entities should have an acceptable computer use policy. Good practice will address what employees may and may not do on company-supplied equipment. This includes what websites employees may access. Some organizations enforce these legitimate policies with firewall rules to prevent access to disallowed sites. Other organizations will place time limits on an employee’s use of the organization’s equipment for personal use (such as online shopping, personal use of Facebook, instant messaging and email) without banning it.

Facebook and Social Networking Policy. Organizations should have a policy governing acceptable use of Facebook and other Social Networking sites both on and off the job. This policy should address non-HIPAA and HIPAA issues. Regarding HIPAA, the following issues apply:

1. No Protected Health Information (PHI) may be posted. HIPAA privacy clearly specifies allowed disclosures of PHI, and Facebook posts are not on the list. This applies whether the employee posts while on the job or on his or her own time.
2. Friending. Organizations should evaluate their unique circumstances and render an opinion regarding whether it is acceptable for an employee to “friend” a patient. Issues of confidentiality and professional ethics may apply.
3. Instant Messaging. Social Media sites include the capability to send private messages to friends. In general, this form of electronic communications does not meet the security requirements imposed by HIPAA and must not be used for communications with patients.

“It is not acceptable for physicians or licensed independent practitioners to text orders for patients to the hospital or other healthcare setting. This method provides no ability to verify the identity of the person sending the text and there is no way to keep the original message as validation of what is entered into the medical record.” This statement appears in the JCAHO Frequently Asked Questions section regarding their Standards.

Texting was in its infancy when the HIPAA Security and Privacy regulations were drafted sometime in the early 2000s. Now it is a mainstream communication method that many find convenient, practical and efficient.  Evaluating SMS text messages in the context of HIPAA requires some analysis of the technology and interpretation of the regulations.

HIPAA has numerous requirements that must be considered in regard to texting. Information systems must include unique user identification, or User Ids, so that users can identify themselves. Once identified, the systems must provide a method of “authentication”, which is usually a password, to prove that he or she is the individual involved. The lack of this functionality in the context of a physician sending a text message to a nurse appears to be part of JCAHO’s thinking with this guidance.

Other HIPAA factors to consider  include the security of the message while in transit. Data in motion must be encrypted according to the HIPAA regulations. It is not clear that all cell carriers provide “end-to-end” encryption of their text messages.  It is certainly not a part of any service guarantee.

Finally, we have the issue of including storing confidential information on millions of cell phones. Text messages are usually saved by default, and cell phones are routinely lost or stolen. This poses a risk that must be addressed as part of the HIPAA requirement to insure “physical, technical and administrative safeguards” to protect the confidentiality of protected health information.

One might point out that voice phone calls, which are used every day at every hospital across the US, do not include robust authentication capabilities.  This is true, however the federal government has asserted that voice phone calls are not regulated by the HIPAA Security Regulations.

Multiple vendors provide services and applications that address all of these HIPAA concerns.  However, these approaches usually require that individuals download an application onto their phones.  Consequently, the trade-off is that some of the convenience of text messaging is lost when these approaches are used.

Medicare and Medicaid contractors, and hospitals will be scrutinized for their security controls to prevent the loss of HIPAA Protected Health Information stored on portable media including laptops, jump drives, backup tapes and disposed equipment. They cited NIST Special Publication 800-53 and NIST Special Publication 800-53A as accepted control frameworks for the Medicare and Medicaid Contractors.

The Office of Civil Rights (OCR) itself will be reviewed to determine whether its oversight and enforcement of the HIPAA regulations. They will look at two separate pieces of OCR’s enforcement obligation: first, they will look OCR’s investigation policies, procedures and mechanisms to assess broadly whether they are adequately enforcing the Privacy Rule.

The second OCR probe will focus on their enforcement of the new Breach Notification Rule, enacted in August of 2009. They will evaluate their policies for investigating breaches, and explore whether Medicare Part B-covered entities (which include physician practices, home health agencies, physical therapy clinics and a variety of other providers) have policies in place to mitigate breaches.

This scrutiny reflects the ever increasing number of data breaches resulting from the rapid proliferation of mobile devices. All organizations should take the time to review their policies, controls, and technologies to protect against data breaches. Encryption technologies have become mainstream and should be implemented, with proper attention to employee training regarding proper use of the new technologies.

OCR contracted with KPMG of McLean, Virginia to implement the pilot audit program which was designed by consultant Booz Allen Hamilton. As previously reported, this pilot program will include 150 compliance audits over the next 13 months.

Entities selected for audit will be notified by mail and asked to submit documentation of compliance efforts in advance of an onsite visit. The onsite portion of the audit is expected to take between 3 and 10 business days depending on the size of the audit. Audited entities will have the opportunity to review a draft report and provide comments which will be incorporated into the final report submitted to OCR.

According to OCR, these audits are primarily a compliance improvement activity. Should an audit indicate a serious compliance issue, OCR may “initiate a compliance review to address the problem.” While OCR did not explicitly say this, the compliance review could lead to civil monetary penalties, a negotiated settlement along with a “corporate integrity agreement” and/or referrals to the Department of Justice in the event that criminal conduct is suspected. OCR’s official statements can be viewed in their entirety at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html.

Because of the complexity of the HIPAA regulations, the generally lax enforcement to date, and the widespread failures uncovered by earlier CMS compliance audits of hospitals, this author believes that these audits will reveal widespread compliance failures. Proactive organizations can prepare by conducting their own internal audit, and/or contracting with an outside organization to conduct this audit. An effective compliance audit will include a prioritized remediation plan so that organizations can correct the most serious problems first.

Penalties for violations were significantly increased.  The new civil monetary penalties are $5000/violation in cases of negligence, $25,000/violation if committed knowingly, $250,000/violation if done for financial gain, up to $1.5 million/year when repeat violations constitute a pattern of practice.  Further, in egregious cases licenses may be revoked.  For entities that delay a “breach notification”, penalties can be as high as $100/person for each day of delay, which even for a solo physician office could quickly reach the maximum of $250,000 for a single breach.

The state was given new powers to both request audits by federal officials and to conduct their own audits, as well as to request certain remedies.

Businesses are required to strengthen employee training.  New employees must be trained within 60 days of hiring, and all employees must receive refresher training at least every two years.   Training must explain the state and federal privacy laws as they relate to the employers business and specifically to the employee’s job.

A number of other miscellaneous provisions are included; any Texas business which uses patient medical information is advised to update their compliance program early.

If OCR’s database of covered entities catalogs, say, 500,000 entities, the chance of a compliance audit in 2012 would be about 3/100 of 1%. The report also revealed that in 2010 there were 243 complaints filed regarding HIPAA Security Violations and 8,524 complaints for HIPAA Privacy Violations. Also, in 2010 there were 210 reported security breaches involving 500 or more individuals. From these statistics, a covered entity’s most likely encounter with the Office of Civil Rights would come from a Privacy Rule complaint. In 2010, the top issues in investigated cases, with Corrective Action, were:

• Impermissible Uses & Disclosures
• Inadequate Safeguards
• Not Providing Patients Access to their Records
• Violations of the Minimum Necessary Provision
• Issues with the Notice of Privacy Practices

The full report can be viewed at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/compliancerept.pdf.

OIG audited 7 hospitals and identified 151 vulnerabilities, of which 124 were categorized as “high impact.” “Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries’ personal data and performed unauthorized acts without the hospitals’ knowledge.”

The most frequent vulnerabilities at hospitals were:

• Wireless Access. 15 vulnerabilities were identified at 5 hospitals including ineffective encryption, rogue wireless access points, no firewall separating wireless from internal wired networks, broadcasted SSIDs, no authentication required to enter the wireless network, the inability to detect rogue devices, and no procedures for continuously monitoring the wireless networks.
• Access Control. 38 vulnerabilities were identified at 7 hospitals involving domain controllers, servers, workstations, and mass storage media. Vulnerabilities included inadequate password settings, computers that did not log users off after inactivity, unencrypted laptops containing PHI, and excessive access to root folders.
• Audit Control. 9 vulnerabilities were identified at 5 hospitals involving servers, routers, firewalls, databases, and wireless access points. The five hospitals had audit logging disabled for one or all of the above. In addition, their network administers did not routinely review operating system and application audit logs.
• Integrity Control. 21 vulnerabilities wre identified at 7 hospitals on PCs and servers. These included uninstalled critical security patches, outdated antivirus updates, operating systems no longer supported by the manufacturer and unrestricted internet access.

Other high impact vulnerabilities identified included Transmission Security, Authentication, Facility Access Control, Device and Media Control, and lack of Contingency Plans.

As of July 27, 2009, Secretary Kathleen Sebelius transferred authority for enforcing the HIPAA Security rule from CMS to the HHS Office of Civil Rights.

Microsoft's new Beijing Facility, home to Microsoft Research Asia

Reporting from Beijing, China.  Microsoft is hurrying to fix a significant problem with windows at its Beijing facility. Recently, Microsoft constructed a new, dual-tower facility in the Haidian district of Beijing to consolidate its 3000 software engineers here in China’s capital city.  This facility houses multiple Microsoft R&D units under the umbrella Microsoft Asia-Pacific Research and Development Group.   This group contributes to Vista, Windows 7, Windows Server Products, and multiple other Microsoft offerings.  During a visit this week to the facility I learned about a serious windows vulnerability affecting security, safety and other critical matters.

Nonetheless, Eagle Consulting’s Beijing contacts have helped piece together the components of the remediation effort.  Immediately after the incident, the front entrance was closed and a security perimeter was established for pedestrian safety.  A protective canopy was constructed along the rear and employees and visitors were directed to use the rear entrance.  Then, the inspection and correction of any problems on the front was conducted.  Now that phase is complete, attention has turned to the rear of the building.

Replacement Windows on Site at Microsoft Facility

A security perimeter is currently established around the building as a safety precaution.  Replacement windows are on-site at the location.  Any visitors to the Beijing facility are advised to obey posted safety precautions to avoid a personal blue screen of death.   Stay tuned for progress updates on this critical fix to Microsoft’s windows.

Traditional virus protection, or anti-malware software, uses on a unique “virus signature” to identify a specific virus. The virus is studied, removal methods are developed, and both cataloged in a database. There are multiple problems. First, the number of unique viruses exploded in 2010, with 20 million new viruses found, a 70% increase in the cumulative total, which has overwhelmed traditional methods.   Second, virus writers have learned to evade detection by creating many variations, and other techniques, so that traditional detection methods are thwarted.  Countermeasures, such as “heuristic” techniques used by anti-malware writers, are ineffective in detecting all of these new viruses.

Compounding the dramatic increase in malicious software is an alarming rise in defects in popular programs. Just what is vulnerable? The most common targets are programs on the individual user workstations.   According to recently released research from security firm Secunia, the median user has 66 programs installed on their computer from 22 different vendors. Using as an example a user with the Top 50 Programs installed, 26 are provided by Microsoft and 24 by 14 other vendors. During calendar year 2010, number of vulnerabilities in these 50 programs increased from 426 to 729, a 71% increase.   Almost all of this increase came not from Microsoft programs, but from the 14 other vendors.

You may ask who is behind all of this malware.    Most of the growth is a partnership between nefarious technical experts who create “attack kits” – software that empowers a criminal (or groups of criminals) of lesser technical expertise to create their own cybercrime enterprise. The motivations include online banking theft, blackmail, theft of trade secrets, identify theft, ATM theft, on-line fraud such as sale of bogus anti-virus software, corporate espionage, and political activity. Be particularly careful about your own online banking!

The appropriate countermeasure is to update, or “patch” the vulnerable programs on your computers. These include popular titles like Adobe Acrobat Reader, Adobe Flash Player, Apple ITunes, RealPlayer, Google Picasa, Apple QuickTime, Mozilla Firefox, Google Chrome, Apple Safari, etc.   When the program is updated, or “patched”, the vulnerability is eliminated and you will not be harmed by malware which attempts to exploit this vulnerability.   Unfortunately, it is not easy update all of this software on a timely basis on one computer – much less on all the computers in your organization.   Home users may benefit from the free Personal Software Inspector (PSI) from Secunia to help with this task. Stay tuned in for future posts that deal with practical solutions for organizations.