Tuesday 7.19.11 @ 2PM ET
This webinar gives an overview of the state of HIPAA compliance today, the effect of the HITECH Act on data security, the implications of cloud hosting for HIPAA, and recommendations on how to host your data in the cloud safely and in compliance with HIPAA regulations. Moderated by Yan Ness, CEO of Online Tech, with special guest speaker Joe Dylewski of ATMP Solutions.
Yan: Welcome to our webinar. We are going to try and bring some clarity to HIPAA today: what it means; recent developments; how you know if you are responsible; and how you do HIPAA hosting in the Cloud. Let me begin with Joe Dylewski of ATMP Solutions. Joe has many years of experience and many audits, including some for our own data centers. Joe, why don’t we kick it off by explaining HIPAA. What does it stand for? What does it mean?
Joe: Thanks Yan. HIPAA was developed in 1996 and the acronym HIPAA stands for: Healthcare Insurance Portability and Accountability Act. In the beginning it was meant to help the public with insurance portability. With that they also built administrative simplifications that involved a lot of electronic, medical record technology and other components. They also built a series of privacy tools around that.
Yan: Were there a couple of pillars that they were really trying to go after?
Joe: Yes, the two biggest things they tried to accomplish were: 1) to make it easier when patients moved from one insurance to another to continue coverage, for example to COBRA. 2) They recognized that about 30% of healthcare costs were tied up in administrative costs. So they attempted to add simplicity to the administrative piece of it. The whole idea of EDI (electronic data interchange) in healthcare was introduced in HIPAA. However, they realized that if they started exchanging data electronically there had to be some privacy and security rules protecting the confidentiality, integrity and availability of that information. This was to both process the business operations within healthcare and also protect the information that patients would need to receive care.
Yan: The three dimensions you mentioned were confidentiality, integrity and availability. Give us some real world examples of why they focus on these things. People understand confidentiality and integrity, but why availability? Why would regulations care about availability?
Joe: Great question. Most people have heard of HIPAA in relation to privacy in the doctor’s office or the confidentiality of information, but truly think about this situation. You have a child in an ambulance. Aside from the importance of the confidentiality of that child’s information, you also need it readily available. If you are out of town and going to a remote hospital, the availability of that information is key. The second part is that the integrity of the information provided to the caregiver is in fact valid. Again, using the example of being on vacation, getting the information that that child has an allergy or has a prior history with treatment is something the physician needs to know about.
Yan: Confidentiality, integrity and availability make sense. What are some of the recent developments? I have been reading a lot about heavy duty fines recently and I know there was the HITECH Act. What’s going on there?
Joe: Another good question. For the longest time, 13 years actually, everybody focused on the privacy of data. That was simply because within the healthcare market the whole idea of electronic medical records hadn’t been proliferated to the degree that they felt it was extremely critical. In 2009 as part of the American Recovery and Reinvestment Act (ARRA), there was an act within that called HITECH. It was specifically designed to proliferate all the patients’ electronic medical records. There were incentives offered to physicians in private practices, as well as institutional practices, to implement and adopt electronic medical records. They saw some need to put teeth around the data to protect it and keep the integrity and availability of it. The idea was to take the data that resides in one location where patient care is provided and offer that same data across multiple organizations for access. Again, the idea was to drive down the cost of healthcare through electronic means. HIPAA changed as a part of that, because they had to put some tighter rules around making sure the data was kept secure. A couple things happened here. One, they changed the enforcement levels on HIPAA violations. They looked at organizations that took care and did the due diligence to protect the information, versus organizations that willfully neglected their responsibility to protect that data. There are a series of fines that escalate as you go through that spectrum. Another key component to HITECH was that business associates of covered entities, as well as the covered entities themselves, were responsible for the same level of HIPAA compliance. A covered entity being an insurance company, hospital, doctor’s office, etc., while a business associate is an organization that provides a service to those entities, whether it is IT services, document destruction or clinical staffing.
So, if there were a breach, and it was in the hands of the business associate, the business associate is held equally liable.
Yan: So, what are business associates and covered entities? Explain those.
Joe: The best way to look at a covered entity is someone who provides treatment, payment and operations in healthcare. It could be a doctor’s office, dental office, hospital, or home healthcare agency.
Yan: What about an IT company that services or supports them?
Joe: They are considered a business associate. Any organization that provides support in the treatment, payment or operations is considered a business associate. A real common example in a physician’s office is an IT company. Perhaps a billing company that does all of their billing and claims processing, or a document destruction company, a telephone service provider, accountant, lawyer and so on. It’s anyone who has access to patient information, whether that is directly, indirectly, physically or virtually.
Yan: And that’s a business associate?
Yan: So how do I know if I am responsible for Private Healthcare Information (PHI)? Or, if I’m a service provider, how do I tell if I even need to worry about this stuff?
Joe: Well, there is a two-part answer to that. First, going back to the definition of a covered entity, ultimately the covered entity is responsible for the protection of that information. And it’s incumbent on that covered entity to do business with business associates who understand the protection of that information. It’s the covered entity’s responsibility to identify the locations, or those who might have access to that PHI, and do due diligence to make sure that their business associates are compliant and putting the necessary safeguards in place to protect the data.
Yan: Let’s say I am one of these business associates. How does it affect me? What do I need to do and focus on?
Joe: Whenever I work with business associates, I separate the activities of those business associates. The business associates have a responsibility from an institutional perspective to achieve and maintain HIPAA compliance in terms of all of the internal, administrative and technical safeguards. The second piece of that is the solution they provide. There is a difference between an organization and their solution. In terms of the solutions, there are Business Associate Agreements. A Business Associate Agreement is a standard agreement document that basically defines what the business associate does in the relationship and what the covered entity does in the relationship. Separating the responsibility, it clearly pinpoints what each party is responsible for. The other key piece of the Business Associate Agreement, I find, is that a lot of businesses sign Business Associate Agreements saying they will take the appropriate steps to implement the appropriate administrative, physical and technical safeguards. Those three items are not just big industry terms. Those are very specific HIPAA standards.
Yan: Let’s say I’m a service provider and somebody wants me to sign a Business Associate Agreement. Should I sign it? How do I know whether I should sign it? How do I know where I am?
Joe: There are a couple of things I would do. One is always seek legal advice before signing any contract. Secondly, understand where you are in the HIPAA perspective as an organization and the way to do that is through a HIPAA audit.
Yan: What’s a HIPAA audit? How does that work?
Joe: A HIPAA audit is like an ISO or PCI audit, if someone has been through one of those. It’s based off a set of regulations, standards and implementation specifications. The audit is a gap analysis to answer these questions: What are the standards? Where does that organization sit? And what steps need to be taken to get that organization compliant?
Yan: If I’m going to provide services for a covered entity, or if I’m going to have an application that I might host in a cloud that would provide to a covered entity or a provider of a covered entity, I need to get one of these HIPAA audits?
Yan: And how often do you do an audit?
Joe: HIPAA actually has a piece of the regulation that is called an evaluation. So, once you perform that and take the steps to become compliant, you have to have periodic evaluations to make sure you remain compliant. My recommendation is once a year. And that’s specifically at a minimum once a year. That’s because technology changes, different components are added to an organization’s infrastructure and they should be re-evaluated.
Yan: Take us back a moment to these fines and recent developments. I understand that the Office of Civil Rights does the fining. So doing these audits once a year, are those pieces of evidence that you are not guilty of any willful neglect?
Joe: Yes. The key thing to remember in any compliance is that you are trying to protect information. You always have a human element with things you can’t control. And if there were in fact violations and the Office of Civil Rights decided to investigate that and enforce these rules, they look at the degree of effort you put into being compliant. If you are in violation you will be fined, but the degree of that fine depends on the diligence you have taken to protect yourself in becoming compliant.
Yan: Talk to me about these fines a little bit, because these audits are not that cheap. Describe what these audits cost and the penalty for not being compliant. Give us some magnitude.
Joe: There are four categories of HIPAA violations. I’ll give you the minimum fines and maximum per year. There is a category called ‘Due Diligence.’ In other words an organization is in violation, but they have taken every possible step they could have foreseen to prevent that. The minimum fine is $100 per incident. The second category is called ‘Reasonable Cause.’ The steps have been taken, but it puts you in that category where something was not addressed. For example, a company went into a HIPAA audit, they provided a gap analysis but something wasn’t addressed yet. Then the minimum fine moves up to $1,000 per incident. Those are the minor fines. Then you get into the major fines. One is ‘Willful Neglect.’ In other words, you ignored it. The minimum fine for the base willful neglect is $10,000 per incident. There is also a second category of Willful Neglect in which something was pointed out and you did nothing about it. The maximum fines for that are up to $1.5 million per calendar year. It really depends on how much information you put in to being compliant.
Yan: Some of those I’ve been reading about in the paper. Those must be the really willfully neglected cases. The $3 and $4 million fines levied towards some hospitals, those were a bit egregious.
Joe: There is also a separation of civil and criminal penalties attached to HIPAA. The civil penalties are where there are violations. On the criminal side, in the case of accessible data, they can prosecute criminally with 10 years of prison possible and hefty fines associated with that.
Yan: So that’s if I knew I was stealing the data?
Joe: Or if there was some sort of systematic data theft. If someone knew they had patient data and was systematically taking it from a business perspective and selling it.
Yan: So can I just not sign any Business Associate Agreements and just say I don’t sign them as a way to avoid all of that?
Joe: It doesn’t matter. If you have protected health information and you know it, then you are by law a business associate whether you sign an agreement or not.
Yan: Would not signing an agreement border on willful neglect?
Joe: It would certainly raise eyebrows, yes. If you willingly didn’t sign a BAA because you knew you weren’t in compliance, it would certainly raise flags.
Yan: So in summary, confidentiality, integrity and availability. Get an audit. Do a Business Associate Agreement that you and your lawyers can live with. That’s all on the regulation and compliance side. Now, let’s look at the IT side. I see I need to go do those things, I’m going to go do those things and I’ve got this application. What are some things that are important in looking for a cloud provider as I figure out what the cheapest, most effective way to meet all that criteria is and still get the benefit of cloud computing?
Joe: The key thing in going out and looking for a solution is that the covered entity, the organization that uses the information for treatment, payment and operations, is ultimately responsible for making sure that data is protected. From a business associate, if I’m looking for a partner to help me in a cloud-computing environment, there are two things I am going to look for. One is that the organization itself is compliant from an institutional perspective. They have gone through all of the safeguards, they understand HIPAA, they have done training around it, etc.
Yan: That means that they have gone through a HIPAA audit themselves?
Joe: Yes. The second is that the actual solution itself is HIPAA compliant. There is a difference in that a little bit. So, from an institutional perspective, there are a certain number of policies and practices around being an institution that is compliant. Making sure my employees are trained, making sure physical security around my building is safe, making sure I know who is accessing my client’s information.
Yan: Is there a list of prescribed things that you need to do that this audit uncovers?
Joe: There are general regulations. However, HIPAA, as strict as it may sound, does not prescribe very specific, technical solutions to all of it. It allows you to take reasonable steps. The reason for that is HIPAA was designed to be scalable for everything from a small doctor or physician practice up to a large, multiple campus health entity. The degree to which those have to be implemented depends on the operation. So that’s the compliance on the side of an institution. On the solutions side, I will use the example of an organization that does offsite cloud backup. The institution or practice wants to take the data from their servers or workstations and somehow back that up. In order for that covered entity to be HIPAA compliant, they have a backup routine that sends it off to a cloud. Within the chain of events that happens, there might be two or three organizations that ultimately touch that data. There might be an organization that sets up the entire backup environment. And then there might be a hosting center where the data is ultimately stored.
Yan: What about the circuit that it transports on?
Joe: HIPAA is strict about that. It names the circuit carrier a conduit. A conduit, or circuit provider, believe it or not, falls in the same realm as the United States Postal Service or FedEx. They actually move the data from one point to another.
Yan: So, they are considered agnostic or anonymous and not considered a business associate. So it’s the IT guys that set up the equipment at the doctor’s office and it’s the hosting company that you focus on?
Joe: Yes. That’s what constitutes a compliant solution. Making sure that those individual pieces are compliant and then understanding that the data in transit must be encrypted. That all makes up part of that solution.
Yan: So you have to use things like VPNs with data encryption? Or does the VPN not matter as long as the data is encrypted? Can you even use a VPN or do you need to use a private circuit?
Joe: Many healthcare organizations use VPN technology to accomplish that.
Yan: The data is encrypted at both ends?
Yan: Or is it encrypted the whole time with the hosting company?
Joe: Or within the VPN itself. Within Point A to Point B in the VPN there is encryption.
Yan: Does it need to stay encrypted at the hosting company? Or if you wanted to decrypt and do something with it, does that create any issues? How do you make sure you can do that?
Joe: Technically, yes. The data at rest and the data in transit should be in an encrypted format. For example, an organization that distributes electronic medical software. They have requirements within the software development piece of that to make sure that the data at rest is encrypted. Or if the data is moving from point to point it is encrypted. Which really brings up a whole other side, because the EMR vendors and application vendors have to have certain requirements within their development to maintain that usage in HIPAA compliance, including individual, unique logins, automatic logoffs and monitoring capabilities. Technically, you should be able to account for the usage of any sort of electronic medical records. Whether that is in an EMR format or even if it’s an Excel format. You should be able to track who used it and who touched it. Another interesting piece of legislation that is being debated is the public’s access to the information of usage on any of their protected health information. It’s incumbent on the covered entity to use software that provides that.
Yan: So for example, I should be able to call my doctor’s and they should be able to give me a list of everyone on their end that has had access to my data?
Joe: Yes. If you think about that, you go to a doctor’s office and they may send a prescription from Point A to Point B or they send a lab request and that lab sends back information. There might be litigation or a subpoena where that information was disclosed. All of that in electronic format has to be provided to the patient. It’s in discussion right now.
Yan: So, I’m a provider providing one of these EMR systems. Basically I need to build a monitoring system in my application, because I am going to have to generate some reports for my users to tell them where their data is. I’m also going to need to build, if I put it in the cloud architecture, something in the architecture to keep my data encrypted with my own firewalls, passwords, private hardware, private networking, etc. And for availability you need to, somehow, someway, always be able to have high availability in the architecture. Plus some kind of IT disaster recovery or offsite backup component, and all of those things are not prescriptively covered by the HIPAA audit, but the effect of those things needs to be in place. Is that right?
Joe: That is exactly right. At the root of this is the location of the protected healthcare information. As you build off of the location of the PHI, you start identifying things. For example, in terms of the isolation of that information, if I’m going to implement a cloud based solution, I need to be assured that my PHI is securely isolated from anybody else’s, either inside or outside.
Yan: Even if it’s encrypted?
Joe: Even if it’s encrypted.
Yan: Time to wrap up. Give a couple takeaways or key things people need to make sure they do no matter what in going forward here.
Joe: One thing is don’t ignore it. It’s out there and ignoring it is the worst thing you can do. If something does happen where the Office of Civil Rights contacts you, treat it like you would the IRS. Respond honestly, prudently and promptly on any inquiries. The worst thing you can do is be in denial. Don’t bury that responsibility. I encounter a lot of organizations that try to rationalize why they shouldn’t be HIPAA compliant. I advise not to take that route. At least try to understand to a minimal degree where you need to be compliant and if you have responsibility or liability in that, because the worst thing you can do is ignore it and willfully neglect it.
Yan: Right. We see a lot of data, not just HIPAA, but PCI and a lot of encrypted data. We encourage our operations team to keep in mind that could be their data, their credit card information or personal health information and to treat it with as much confidentiality. You would also recommend getting an audit?
Joe: Handle the whole thing like you would taxes and accounting. Get some help understanding what your responsibilities are. And in the event of an incident, handle it prudently.